Esri Managed Cloud Services and FedRAMP



Federal GIS Conference, February 9-10, 2015, Washington, DC
Esri Managed Cloud Services and FedRAMP
Erin Ross & Michael Young

Agenda
- Esri Managed Services Program Overview
- Example Deployments
- New FedRAMP Compliant Option: Esri Managed Cloud Services
- FedRAMP Process
- Esri Managed Cloud Services Security Infrastructure
- How to Get Started
- Summary

Program Overview

ArcGIS Cloud Options
- SaaS: ArcGIS Online, or custom Esri apps and data on fully managed cloud services
- PaaS: ArcGIS for Server on Esri managed cloud infrastructure
- IaaS: ArcGIS for Server images available to use on cloud infrastructure

ArcGIS for Server on [Fill in the Blank]
- Supported on multiple cloud platforms, virtual or bare metal
- Full ArcGIS for Server capabilities
- User-provisioned cloud infrastructure resources
- Pay for what you use
- BYOL or ArcGIS term licensing available

ArcGIS Online
- Create, share, collaborate
- Subscription-based: named user; credits, pay as you go
- Updates and enhancements occur behind the scenes

Esri Managed Cloud Services
Cloud-based GIS infrastructure support, including:
- Enterprise system design
- Infrastructure management
- Software (Esri & 3rd party) installation, updates and patching
- Application deployment
- Database management
- 24/7 support and monitoring

ArcGIS Deployment Models (diagram: users and apps, including anonymous access, reaching Portal and Server deployed on-premises, in ArcGIS Online, or on Esri Managed Cloud Services)

Benefits of Esri Managed Cloud Services
- Increase efficiency and business focus
- High availability, quality and performance
- Reduce internal costs
- Preserves data integrity, privacy and availability
- Increase usage and productivity
- Cloud GIS experts managing your critical apps and content

How is it delivered?
- Available on GSA

Basic Packages: Sandbox
- Ready to use cloud instance of ArcGIS for Server
- Remote access provided to user
- Ideal for development, prototyping...

Standard, Advanced, Advanced Plus Packages
- Esri loads, publishes and deploys on behalf of customer
- 24/7 system monitoring and support
- Ideal for production systems (internal or public facing)
(diagram: Dev, Test, Staging and Production environments)

Example Deployments

USGS Historical Topographic Maps
- More than 175,000 topographic maps published by the USGS since 1884
- 22 TB data, x2 for redundancy
- 1.6 million hits during Esri User Conference
- Consumed by several apps; premium service available in ArcGIS Online

Constellation Brands
- Improve sales by leveraging tools to drive volume and revenue
- 4th of July deadline
- 2.7M records updated 2x / week via scripted tools
- Equipping staff with valuable information to increase sales

Power Outage Viewers
- Highly available, scalable systems ready to perform during major events
- Frequent, automated data updates
- Bringing critical outage information to the general public

Hurricane Sandy
- 14 additional servers (17 total)
- Central Maine Power: 34 million hits over 3 days
- New York State Electric & Gas: 76 million hits over 3 days
(chart: Peak Sandy Hours, captured 2/10/2014 11:30 am)

(map series: Maine outages, October 29, October 30, October 31, November 1, November 2)

Who else uses Esri Managed Cloud Services?
- 80+ customers
- Leveraged across many sectors
- Manage over 500 servers, several TB of data

New FedRAMP Compliant Offering
Michael Young

Federal Geospatial Cloud Security Compliance Roadmap
- 2002: FISMA law established; required security baselines for Federal systems
- Aug 2005: Esri GOS2 FISMA authorization; DOI issues ATO to Esri
- Feb 2010: Kundra announces FedRAMP; security working group concept announced
- May 2010: Esri participates in first Cloud Computing Forum; Esri begins active involvement in cloud standards & security programs
- Dec 2011: Esri Federal Cloud Computing Security Workshop; Esri works with agencies & FedRAMP to plan SaaS compliance
- May 2013: First agency authorization; HHS issues ATO to Amazon
- June 2014: OMB FedRAMP mandate; FedRAMP now required for all cloud solutions covered by policy memo
- June 2014: ArcGIS Online FISMA authorization; USDA issues ATO to Esri
- Jan 2015: EMCS FedRAMP compliant; signoff by FedRAMP Director
- Planned for 2015: ArcGIS Online hosted feature services authorization; DOI working with Esri towards authorization
- Planned: ArcGIS Online FedRAMP authorization
Esri has actively participated in hosting and advancing secure compliant solutions for over a decade.

FedRAMP
What does FedRAMP do?
- Replaces varied and duplicative procedures across government by providing agencies with a standard approach for conducting security assessments of cloud services
What is the core of FedRAMP?
- An accepted set of baseline security controls and consistent processes that have been vetted and agreed upon by agencies across the government
Why did Esri pursue FedRAMP compliance?
- Customers demanded FedRAMP compliance before rolling out future production operations
- Customer risk has been increasing rapidly without security infrastructure
- OMB mandate: all low and moderate impact cloud services leveraged by more than one office or agency must comply with FedRAMP requirements
Accelerates review and acceptance of cloud-based services.

FedRAMP Government Entities (diagram: cross-government support)

EMCS FedRAMP Benefits
What does EMCS provide?
- Contingency planning and risk management
- Patch and key management
- Data encryption and intrusion detection
- System logging and reporting
- Centralized identity and access management
- Regular security audits
- Penetration testing and vulnerability scanning
- Well documented policies and procedures
- CONTINUOUS MONITORING!
What are the benefits?
- Preserve data integrity
- Protect sensitive datasets
- Ensure availability and reliability
- Builds assurance and awareness
- Save costs by embracing Cloud First
- Shift the burden of managing enterprise GIS systems to the experts

FedRAMP: What is the process?
- Risk Management Framework (RMF) centric process

Esri Managed Cloud Services FedRAMP Documentation
- FIPS 199
- Control Implementation Summary (CIS)
- System Security Plan (SSP)
- Information System Security Policies
- User Guide
- E-Authentication Template
- Privacy Threshold Analysis (PTA)
- Rules of Behavior (ROB)
- IT Contingency Plan
- Security Assessment Plan (SAP)
- Test Case Workbook
- Security Assessment Report (SAR)
- Plan of Action and Milestones (POA&M)
- Policies and procedures
- Business Impact Analysis
- Configuration Management Plan
- Incident Response Plan
- Interconnection Security Agreement (ISA / MOU)
- Penetration Test Plan
1000s of pages ensuring rigorous security.

EMCS FedRAMP Assessment
Cloud Security Assessor: Veris Group
- Third Party Assessment Organization (3PAO) accredited by FedRAMP
- 1st to successfully inspect FedRAMP CSP Supplied, JAB, and Agency Approved solutions
- 5 month engagement
- Three months of active technical and documentation assessments
- System level scans
- Web interface scans
- Database scans
- Penetration testing
FedRAMP Advisor: Relevant Technologies
- Laura Taylor
- Wrote the initial Guide to Understanding FedRAMP
Great advisors and skilled assessors keep the effort focused.

EMCS FedRAMP Authorization
3 Baseline Security Control Levels
- Low, Moderate*, High (in draft)
3 Status Levels
- Ready, In Process, Compliant*
3 FedRAMP Authorization Levels
- Cloud Service Provider (CSP) Supplied*
- Agency Authorization To Operate (ATO)
- Joint Agency Board (JAB) Provisional Authority To Operate
Esri Managed Cloud Services is:
- FedRAMP Moderate
- FedRAMP Compliant
- CSP Supplied offering (*)
The EMCS CSP Supplied package can be consumed by your agency.

EMCS FedRAMP Continuous Monitoring (diagram: FedRAMP reporting workflow and monitoring workflow)
Ensures maintenance of an acceptable risk posture.

Esri Managed Cloud Services Security Infrastructure

Esri Managed Cloud Services - Security Infrastructure Overview
Most government systems
- Require moderate security baseline controls
Most geospatial information sets
- Only require low baseline controls
- ArcGIS Online Low FISMA is adequate for many customer use cases
Esri Managed Cloud Services FedRAMP Infrastructure Design Goals
- Consumable by the widest range of customers
- Amazon East-West regions; not limited to GovCloud
- Drive down customer expenses for secure, compliant geospatial services
- Customers can choose the level of multi-tenancy vs. dedicated services they are comfortable with
- Meet and exceed current rigorous FedRAMP requirements for cloud services
- First geospatial platform to be compliant with FedRAMP Rev 4 requirements
A balance of robust security and business requirements drove infrastructure choices.

Esri Managed Cloud Services - Security Infrastructure (architecture diagram on AWS; legend: agency, application, cloud provider, security)
- Active/active redundant across two cloud data centers
- End users reach a public-facing gateway with a Web Application Firewall (WAF), then Portal for ArcGIS in a DMZ, then ArcGIS Server, backed by a relational database and file servers (dedicated customer application infrastructure)
- Common security infrastructure: Security Operations Center (SOC), security service gateway, intrusion detection (IDS / SIEM), centralized management (backup, CM, AV, patch, monitor), bastion gateway with MFA, authentication/authorization (LDAP, DNS, PKI)
- Esri administrators enter through an Esri admin gateway
- Common cloud infrastructure: hypervisor, TCP/IP, network ACLs, routing, storage, hardware

Esri Managed Cloud Services - Security Infrastructure
- Foundation built on FedRAMP Rev 4 security controls
- First geospatial solution to be assessed for compliance against the latest cloud security controls

Esri Managed Cloud Services - Security Infrastructure (cont.)
Technical, Operational, and Managerial Components
Formalize Policies and Procedures
Incorporate Security Components
- Intrusion Detection System (IDS)
- Web Application Firewall (WAF)
- Multi-factor Authentication: NSA Suite B alignment
- Bastion Gateway / Jump Hosts: reduce administrative interface attack surface
- Centralized advanced server and application monitoring and updates
Incorporate Security Hardening Standards
- Utilize pre-existing Center for Internet Security (CIS) benchmarks as feasible
- Create a draft ArcGIS Server 10.3 STIG

Esri Managed Cloud Services - Security Infrastructure (cont.)
DISA STIG for ArcGIS Server 10.3
- Draft STIG settings provided to DISA
- Undergoing SME review

Esri Managed Cloud Services - Security Infrastructure (cont.)
Separation of duties
- Security Operating Center backed by certified security experts
- Applications managed by certified ArcGIS platform experts
Managed by certified experts in their field.

How to get started

How do I get started?
Express an interest in the service offering and let your security team know EMCS is FedRAMP compliant
- An Agency Authorized FedRAMP Approver can facilitate download and review of the FedRAMP package for EMCS at http://cloud.cio.gov/fedramp/agency
- If you are unsure of your FedRAMP approver, email the FedRAMP PMO: info@fedramp.gov
What else is available outside the FedRAMP repository?
- Cloud Security Alliance (CSA) answers for EMCS coming
Complete Agency Authority To Operate (ATO)
- Utilize pre-existing EMCS and AWS FedRAMP moderate docs
Simplifies obtaining an ATO for your organization.

Summary
Erin Ross

Summary
- Esri Managed Cloud Services is FedRAMP compliant
- Esri has experts available to support your cloud GIS and security infrastructure
- Esri Managed Cloud Services has a range of options available to meet your operational needs
- Customers can now visit the FedRAMP repository and request our Esri Managed Cloud Services security package

Federal GIS Conference, February 9-10, 2015, Washington, DC
Don't forget to complete a session evaluation form!