ArcGIS and Enterprise Security
- Leveraging ArcGIS in Cybersecurity (Ken Stoni)
- Secure Enterprise ArcGIS Best Practices (Michael Young)

Visualizing the Virtual: A geospatial approach to cyber operations and security
Ken Stoni
The Problem: Detection is Difficult; "Cyber" isn't enough
Breach Timeline (Verizon 2013 DBIR, http://www.verizonenterprise.com/dbir/2013/)
- Compromise: 97% <= days
- Exfiltration: 72% <= days
- Discovery: 66% >= MONTHS
- Containment: 63% <= days
** 70% of breaches were discovered by external parties
Our Goals:
1) Detect early
2) Detect internally
3) Respond appropriately (maintenance vs security)
Cyberspace Re-Considered: It's Mappable
Layers: Social / Persona Layer, Device Layer, Logical Network Layer, Physical Network Layer, Geographic Layer
- Each device in cyberspace is owned by someone (no "global commons")
- Electro-mechanical devices exist in space-time and interact with physical events
- Geography is required to integrate and align cyberspace with other data
Cybersecurity: A common sequence of questions
(Diagram: Source -> WAN -> Destination, with IDS, IPS and the IT Inventory as data sources)
- Detection: Compromise attempted?
- Compromise successful?
- Technical impact?
- Mission impact?
- How should we respond? Intervention, Hardening, Remediation
Four Design Patterns
(Diagram: data flows between the External Cyber Environment and the Internal Cyber Environment across the WAN)
- Signature Detection
- Anomaly Detection
- Mission Assurance
- Mission Assurance (Cyber Supply Line)
Detection: Selection & Trending at various scales
- Scales: Building, Campus, City; filter by building function
- Sources: Firewall, IDS/IPS
- Geocoding: Source IP via 3rd-party geo-locators; Destination IP via the IT Inventory
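An added example of the selection-and-trending pattern above (not code from the talk): it joins constructed IDS/firewall alert lines to a constructed IT inventory (destination IP -> building/campus/function) and to a constructed stand-in for a third-party geo-locator (source IP -> city), then counts alerts at whichever scale the analyst picks. All sample data, prefixes and field names are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample IDS / firewall alert lines (not real traffic).
ALERTS = """\
2015-02-10T08:01:12 IDS src=203.0.113.7 dst=10.1.1.25 sig=WEB_SERVER SQLi attempt
2015-02-10T08:03:40 IDS src=198.51.100.4 dst=10.1.1.25 sig=WEB_SERVER SQLi attempt
2015-02-10T08:05:03 FW src=203.0.113.9 dst=10.2.7.40 action=deny
2015-02-10T08:09:55 IDS src=203.0.113.7 dst=10.2.7.41 sig=SCAN port sweep
"""
# Constructed IT inventory: destination subnet -> building, campus, function.
IT_INVENTORY = [
    (ip_network("10.1.1.0/24"), {"building": "Bldg 1", "campus": "Campus #1", "function": "GIS web tier"}),
    (ip_network("10.2.7.0/24"), {"building": "Bldg 7", "campus": "Campus #2", "function": "Data server"}),
]
# Constructed stand-in for a 3rd-party geo-locator (MaxMind on the slides): source prefix -> city.
GEO_LOOKUP = [(ip_network("203.0.113.0/24"), "City A"), (ip_network("198.51.100.0/24"), "City B")]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<sensor>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)")

def lookup(table, ip):
    """Return the record of the first prefix containing ip, else None."""
    addr = ip_address(ip)
    for net, rec in table:
        if addr in net:
            return rec
    return None

def geocode_alerts(text):
    """Join each alert to the destination inventory and the source geolocation."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:          # skip lines that do not match the assumed sensor format
            continue
        rec = {"sensor": m["sensor"], "src": m["src"], "dst": m["dst"],
               "src_city": lookup(GEO_LOOKUP, m["src"])}
        rec.update(lookup(IT_INVENTORY, m["dst"]) or {})
        events.append(rec)
    return events

def counts_by_scale(events, scale):
    """Trend alert counts at one scale: 'building', 'campus', 'function' or 'src_city'."""
    return Counter(e.get(scale) for e in events)
```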
Mission Impact: The Cyber Supply Line
(Diagram: mission data flow from Campus #1 (LAN, Bldg Net) across the DISA, AT&T and Verizon WANs to Campus #2)
1. Cyber Supply Line (CSL) is a consistent path through the infrastructure
2. CSL focuses resources on only the devices that are critical
3. Managing data flows is similar to traffic routing; an Esri core competency
The CSL and Risk: Mission Assurance
R_A = f(V, T)
where R = Risk, A = Asset, V = Vulnerability, T = Threat
Asset = Data, Device, Sub-Net, Mission
Mitigation along the Cyber Supply Line is prioritized by Likelihood & Consequence (of failure)
Effect Propagation: Multi-level Model of Data Flow
Cyber Supply Line -> Maintain Data Flow -> Mission Assurance
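An added example (not from the talk) of the CSL risk and effect-propagation idea from the two slides above: each asset on the supply line gets R_A = f(V, T), the line fails if any hop fails, a mission that needs several lines fails if any line fails, and mitigation is ranked by how much mission risk each hop's fix removes. The choice f(V, T) = V * T and all asset values are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    kind: str              # Data, Device, Sub-Net or Mission (the slide's asset types)
    vulnerability: float   # V in [0, 1]
    threat: float          # T in [0, 1]

def risk(asset):
    """R_A = f(V, T). Assumption: f is the product V * T, read as likelihood of failure."""
    return asset.vulnerability * asset.threat

def supply_line_risk(path):
    """A CSL is a series path: the mission data flow fails if any hop fails."""
    survive = 1.0
    for a in path:
        survive *= 1.0 - risk(a)
    return 1.0 - survive

def mission_risk(supply_lines):
    """Multi-level propagation: a mission that needs several CSLs fails if any one fails."""
    survive = 1.0
    for path in supply_lines:
        survive *= 1.0 - supply_line_risk(path)
    return 1.0 - survive

def prioritize_mitigation(path):
    """Rank hops by consequence: mission-risk reduction if that hop's V were driven to 0."""
    base = supply_line_risk(path)
    gains = []
    for a in path:
        patched = [Asset(x.name, x.kind, 0.0 if x is a else x.vulnerability, x.threat) for x in path]
        gains.append((a.name, round(base - supply_line_risk(patched), 4)))
    return sorted(gains, key=lambda g: g[1], reverse=True)

# Constructed sample path (Campus #1 -> carrier WAN -> Campus #2); values are not real.
PATH = [
    Asset("Campus1-LAN", "Sub-Net", 0.2, 0.5),
    Asset("Bldg1-Router", "Device", 0.4, 0.6),
    Asset("Carrier-WAN", "Sub-Net", 0.1, 0.8),
    Asset("Campus2-GIS-Server", "Device", 0.5, 0.7),
    Asset("Mission-DB", "Data", 0.3, 0.4),
]
```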
When: Support to all stages of development
Scenarios (each with Data -> Workflow -> Information Product (Monitoring) -> Information Product (Reporting)):
- Existing Data (Dashboard, MS-Office Briefing Book)
- Start from Scratch
- Improve SA (Geo-Coding)
- Improve Reporting
- Improve Performance (cheaper, quicker, more accurate)
Lifecycle: Design -- Build (Cost/Schedule); Operate -- Maintain (Status); Monitor -- Respond (Risk)
Inputs: IT Inventory, MaxMind
How: Recommended Approach
(Diagram: Collectors feed Databases, Analysis and Visualization layers that are exposed through a Portal with APIs and Widgets (Analysis Widget, Query Widget); inputs are the Existing Enterprise Network, Environmental Data and Auxiliary Data; outputs are Reporting (MS-Office Briefing Book), Monitoring (Dashboard) and Existing Enterprise Apps)
Why: Information sharing leading to coordinated action
- Executives: Reporting
- Enterprise Ops Center: Monitoring
- Network Engineers: Analysis & Planning, Best Practices (e.g. NIST Framework), Performance Optimization, Net Model
- Net Security Division: Determine Attack Indicators; Threat Data from the Security Community (e.g. McAfee)
- Network Ops / Hunt Teams: Observe & Assess Network Activities (Net Ops Data, Net Security Data) against the Adversary
Secure Enterprise ArcGIS Best Practices
Michael E Young, Esri Principal Security Architect
What is a secure GIS?
Introduction: What is the answer?
- Risk
- Impact
Trends: Controls by Industry
- Industry risk patterns; focus security controls accordingly
- Energy Sector high risk areas: Web Application Attacks, Crimeware, Denial of Service (DoS) attacks
* Verizon 2014 DBIR
Trends: Open source security component vulnerability affects 2/3rd of web services
Scenario: OpenSSL vulnerability (Heartbleed)
- ArcGIS Online indirectly exposed through Amazon's Elastic Load Balancer
- Patched by Amazon within a day of the vulnerability announcement
- Many pre-10.3 ArcGIS components contain the vulnerable version, but don't utilize the vulnerable function
- ArcGIS Server for Linux before 10.3 was vulnerable (patch available for 10.1 SP1 and later)
Lessons learned
- 3rd party / open source components are pervasive across cloud and on-premises deployments
- Many organizations still don't have effective patch management for these underlying components
- No individual layer is foolproof
- Esri's first cross-product vulnerability status KBA minimized confusion
- Utilize the Trust.ArcGIS.com site
- Expect more issues with OpenSSL throughout 2015
Trends: 2015 and beyond
- Focus shifting from network perimeter to data
  - Drives the need for stronger authentication of who is accessing the data
- Mobile malware continues to grow
- APTs and malware diversification
- Unpatched systems (Windows XP end-of-life)
- Hacking the Internet of Things
Strategy
Strategy: A better answer
Identify your security needs
- Assess your environment: datasets, systems, users
- Data categorization and sensitivity
- Understand your industry's attacker motivation
Understand security options
- Trust.arcgis.com
- Enterprise-wide security mechanisms
- Application-specific options
Implement security as a business enabler
- Improve appropriate availability of information
- Safeguards to prevent attackers, not employees
Strategy: Enterprise GIS Security Strategy
(Diagram: Security Risk Management Process, Microsoft)
Strategy: Esri Products and Solutions
Secure Products
- Trusted geospatial services
- Individual to organizations
- 3rd-party assessments
ArcGIS Secure Enterprise Guidance
- Trust.ArcGIS.com site
- Online Help
Secure Platform Management
- SaaS functions & controls
- Certifications / compliance
Strategy: Security Principles
CIA Security Triad: Confidentiality, Integrity, Availability
Strategy: Defense in Depth
- More layers does NOT guarantee more security
- Understand how layers/technologies integrate
- Simplify
- Balance People, Technology, and Operations
- Holistic approach to security: Data and Assets protected by Physical Controls, Policy Controls and Technical Controls
Mechanisms
Mechanisms: Authentication
GIS Tier (default)
- Built-in user store
- Enterprise (AD / LDAP)
- ArcGIS tokens
Web Tier (add Web Adaptor)
- Enterprise (AD / LDAP)
- Any authentication supported by the web server: HTTP Basic / Digest, PKI, Windows Integrated
(Diagram: web, mobile and desktop clients -> web server with Web Adaptor -> GIS server(s) -> data server; ArcGIS for Desktop users publish services and GIS Server administrators connect to ArcGIS Server Manager)
Mechanisms: Authorization (Role-Based Access Control)
Esri COTS
- Assign access with ArcGIS Manager
- Service-level authorization across web interfaces
- Services grouped in folders utilizing inheritance
3rd Party
- Web services: Conterra's Security Manager (more granular)
- RDBMS: row level or feature class level
  - Versioning with row level degrades performance
  - Alternative: SDE views
- URL based: web servers & intercept offerings such as CA's SiteMinder
Mechanisms: Filters (3rd Party Options)
- Firewalls
- Reverse Proxy
- Web Application Firewall
- Anti-Virus Software
- Intrusion Detection / Prevention Systems
Mechanisms: Encryption (3rd Party Options)
Network
- IPSec (VPN, internal systems)
- SSL/TLS (internal and external systems)
- Cloud encryption gateways: only encrypted datasets are sent to the cloud
File based
- Operating system: BitLocker
- GeoSpatial PDF with certificates
- Hardware (disk)
RDBMS
- Transparent Data Encryption (TDE)
Mechanisms: Logging/Auditing
Esri COTS
- Geodatabase history: track changes
- ArcGIS Workflow Manager: track detailed feature-based activities
- ArcGIS Server 10+ logging: user tag added
3rd Party
- Logs: web server, RDBMS, OS, firewall; consolidate with a SIEM
- Geospatial monitors: upcoming GIS Management Pack for MS System Center, Esri System Monitor, Vestra GeoSystems Monitor, Geocortex Optimizer
ArcGIS Server
ArcGIS Server: Enterprise Deployment
(Diagram: Internet -> firewall -> WAF / SSL acceleration load balancer (port 443) -> IIS/Java web servers A and B (ports 80/443) hosting Web Adaptors and web apps, plus an ADFS proxy; behind a second firewall, the supporting infrastructure: ADFS / SAML 2.0, AD/LDAP and SQL for authentication; the Web Adaptor round-robins on port 6080 to the ArcGIS site (GIS Server A and B with server request load balancing); clustered HA NAS for the config store, directories and FGDB; HA DB1 / HA DB2)
ArcGIS Server: Minimize Attack Surface
- Don't expose Server Manager to the public
- Disable the Services Directory
- Disable the service Query operation (as feasible)
- Enable web service request filtering
  - Windows 2008 R2+ Request Filtering
  - XML security gateway
- Limit utilization of commercial databases under the website
  - A File Geodatabase can be a useful intermediary (SQL injection does not work)
- Require authentication to services
(Chart: attack surface over time, showing the hardened configuration as the better, smaller attack surface)
ArcGIS Server: New Security Hardening Guidelines
Establishing guidelines with DISA
- Create Security Technical Implementation Guides (STIGs)
- First STIG will be Windows-based ArcGIS Server 10.3
- Other STIGs will be performed based on demand
Expected completion in 2015
Post-STIG completion
- STIG will be an input for an ArcGIS Server Security Hardening guide for general distribution
- Additional enterprise component integration testing and best-practice recommendations to be incorporated
ArcGIS Server: Awareness of Relative Risk
- New relative risk insights for geospatial services
- Optional mitigation measures to reduce risk
Relative Service Risk (columns on the slide: Default when Enabled; Security Hardened Settings)
Service        Capability
Map            Mapping
Map            Query
Feature        Read
Feature        Edit
Feature        Sync
Geocoding      Geocode
Geodata        Query
Geodata        Data Extraction
Geodata        Replica
Geoprocessing  Geoprocessing
Image          Imaging
Image          Edit
Image          Upload
Legend: Red = higher risk, Yellow = average risk, Green = low risk
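An added example (not code from the talk or from Esri) that turns the "Minimize Attack Surface" and relative-risk slides into a configuration check: it compares the comma-separated "capabilities" string that each ArcGIS REST service description carries against a read-only baseline and reports every capability enabled beyond it (editing, sync, extraction, replica, upload, and Query where the hardening slide says to disable it as feasible). The baseline sets, the sample descriptions and the capability spellings are assumptions for illustration.

```python
# Assumed hardened baseline per service type: only the serve/read capability stays on.
# Based on the slide's guidance (disable Query as feasible; edit, sync, extraction,
# replica and upload are the higher-exposure capabilities); the exact sets are mine.
BASELINE = {
    "MapServer": {"Map"},
    "FeatureServer": {"Query"},        # read-only feature access
    "GeocodeServer": {"Geocode"},
    "GeodataServer": {"Query"},        # no data extraction / replica
    "GPServer": {"Geoprocessing"},
    "ImageServer": {"Image"},          # no edit / upload
}

# Constructed sample in the shape of ArcGIS REST service descriptions
# (service path -> JSON with a comma-separated "capabilities" string).
SAMPLE = {
    "Parcels/FeatureServer": {"capabilities": "Query,Create,Update,Delete,Editing,Sync"},
    "Basemap/MapServer": {"capabilities": "Map,Query,Data"},
    "Imagery/ImageServer": {"capabilities": "Image,Edit,Uploads"},
    "Replicas/GeodataServer": {"capabilities": "Query,Extraction,Replication"},
    "Geocoder/GeocodeServer": {"capabilities": "Geocode"},
}

def parse_capabilities(description):
    """Split the REST 'capabilities' string into a set, ignoring blanks."""
    raw = description.get("capabilities", "")
    return {c.strip() for c in raw.split(",") if c.strip()}

def audit_services(descriptions):
    """Return {service: sorted list of capabilities enabled beyond the baseline}.

    Services that match the baseline are omitted; an unknown service type is
    reported so that it is reviewed by hand rather than silently passed.
    """
    findings = {}
    for name, desc in descriptions.items():
        svc_type = name.rsplit("/", 1)[-1]
        baseline = BASELINE.get(svc_type)
        if baseline is None:
            findings[name] = ["unknown service type: " + svc_type]
            continue
        extra = sorted(parse_capabilities(desc) - baseline)
        if extra:
            findings[name] = extra
    return findings
```

Running audit_services on a live site means fetching each service's description with f=json from the services directory while it is still enabled, then disabling the directory again once the inventory is taken.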
ArcGIS Server: Enhancements
- Single Sign-On (SSO) for Windows Integrated Authentication
  - Works across ArcGIS for Server, Portal, and Desktop
- Stronger PKI validation
  - Leverage multi-factor authentication when accessing applications, computers, and devices
  - The Web Adaptor deployed to the web server forwards the request and username to ArcGIS Server
- Integrated account management and publishing capabilities
  - Across ArcGIS for Server and Portal in a federated configuration
- Key SQL injection vulnerabilities addressed since 10.2 with Standardized Queries
- Added support for
  - Active Directory nested groups & domain forests
  - Configuring private and public services within the same ArcGIS Server site
ArcGIS Server: Single ArcGIS Server machine
(Diagram: desktop, web and mobile clients -> ports 80/443 -> Web Adaptor -> ports 6080/6443 -> GIS server with data, server directories and configuration store; site administrators connect to Manager)
- Front-ending the GIS server with a reverse proxy or Web Adaptor
ArcGIS Server: ArcGIS Server HA, sites independent of each other
(Diagram: desktop, web and mobile clients -> Network Load Balancer (NLB) -> optional Web Adaptors (port 80) -> two ArcGIS Server sites (port 6080), each with its own server directories and configuration store (duplicated between sites); site administrators connect to each site's Manager)
- Active-active configuration is shown; active-passive is also an option
- Separate configuration stores and management
  - Scripts can be used to synchronize
- Load balancer to distribute load
- Cached map service for better performance
ArcGIS Server: ArcGIS Server HA, shared configuration store
(Diagram: desktop, web and mobile clients -> Network Load Balancer (NLB) -> Web Adaptors (port 80) -> GIS servers (port 6080) sharing a data server, data (enterprise geodatabase), server directories and configuration store; site administrators connect to Manager)
- Web Adaptor will correct if a server fails
- A config change affects the whole site (example: publishing a service)
- Test configuration changes
Cloud
Cloud: Service Models
- On-Premises: traditional systems infrastructure deployment; Portal for ArcGIS & ArcGIS Server (customer responsible end to end)
- IaaS: Portal for ArcGIS & ArcGIS Server; some Citrix / Desktop
- SaaS: ArcGIS Online; Esri Managed Cloud Services (customer responsible for application settings)
Customer responsibility decreases from On-Premises to SaaS
Cloud: Deployment Models
(Diagram: Online (public ArcGIS Online); On-Prem (intranet Portal and Servers); ArcGIS Online + On-Prem (Online provides read-only basemaps to an intranet Portal and Server); Cloud (ArcGIS Online + EMCS + on-premise))
Cloud: Management Models
- Self-Managed: your responsibility for managing IaaS deployment security
- Provider Managed: Esri Managed Cloud Services; new FedRAMP Moderate compliant (part of the Advanced Plus option)
Cloud: Responsibility Across Deployment Options
Layers, from application down to infrastructure, for each option:
- On-premises: ArcGIS; OS/DB/Network; Security Infrastructure; Virtual / Physical Servers
- Esri Images & Cloud Builder: ArcGIS; OS/DB/Network; no Security Infrastructure by default; Cloud Infrastructure (IaaS)
- Esri Managed Cloud Services (FedRAMP Moderate compliant): ArcGIS; OS/DB/Network; Security Infrastructure; Cloud Infrastructure (IaaS)
- ArcGIS Online (FISMA Low ATO): ArcGIS Online; OS/DB/Network; Security Infrastructure; Cloud Infrastructure (IaaS)
Legend: Customer Responsibility; Esri Responsibility; CSP Responsibility; Esri Compliance & ATO Scope; IaaS ATO Scope
EMCS Security Infrastructure (AWS)
(Diagram, active/active redundant across two cloud data centers: end users -> public-facing gateway with Web Application Firewall (WAF) -> DMZ with ArcGIS for Portal -> dedicated customer application infrastructure with ArcGIS Server, relational database and file servers; common security infrastructure: Security Ops Center (SOC), security service gateway, intrusion detection (IDS / SIEM), centralized management (backup, CM, AV, patch, monitor), bastion gateway with MFA, authentication/authorization (LDAP, DNS, PKI); Esri administrators enter through the Esri admin gateway; common cloud infrastructure: hypervisor, TCP/IP, network ACLs, routing, storage, hardware. Legend: Agency, Application, Cloud Provider, Security)
Cloud: Hybrid deployment combinations (users, apps, anonymous access)
- On-Premises: ready in months/years; behind your firewall; you manage & certify
- Esri Managed Cloud Services: ready in days; all ArcGIS capabilities at your disposal in the cloud; dedicated services; FedRAMP Moderate
- ArcGIS Online: ready in minutes; centralized geo discovery; segment anonymous access from your systems; FISMA Low...
All models can be combined or separate
Cloud: Standards
Enterprise Logins
- SAML 2.0: provides federated identity management
- Integrate with your enterprise LDAP / AD
- Added to Portal for ArcGIS 10.3
APIs to manage users & app logins
- Developers can utilize OAuth 2-based APIs
- https://developers.arcgis.com/en/authentication/
Compliance
Compliance: Products and Services
ArcGIS Online
- FISMA Low Authority To Operate (ATO) by USDA
- FedRAMP: upcoming
Esri Managed Cloud Services (EMCS)
- FedRAMP Moderate (Jan 2015)
ArcGIS Desktop
- FDCC (versions 9.3-10)
- USGCB (versions 10.1+)
- ArcGIS Pro (expected Q1 2015)
Compliance: Corporate Operations
- ISO 27001: Esri's Corporate Security Charter
- Privacy Assurance: US-EU/Swiss Safe Harbor self-certified; TRUSTed Cloud certified
- SSAE 16 Type 1 (previously SAS 70): Esri Data Center Operations; expanded to Managed Services in 2012
Compliance: Cloud Infrastructure Providers
ArcGIS Online utilizes world-class cloud infrastructure providers
- Microsoft Azure
- Amazon Web Services
Cloud infrastructure security compliance: SSAE 16 SOC 1 Type 2; FedRAMP Moderate
Compliance: ArcGIS Online Assurance Layers (top to bottom)
- Customer: web app consumption
- Esri (AGOL SaaS: FISMA Low (USDA), Safe Harbor (TRUSTe)): ArcGIS management; web server & DB software; operating system; instance security management
- Cloud Providers (ISO 27001, SSAE 16, FedRAMP Moderate): hypervisor; physical
Summary
Summary
- Geospatial solutions can facilitate cybersecurity
- Security demands are rapidly evolving
  - Prioritize efforts according to your industry and needs
  - Don't just add components: simplified Defense in Depth
- Secure best-practice guidance is available
  - Check out the ArcGIS Trust Site!
  - ArcGIS Security Architecture Workshop
  - SecureSoftwareServices@esri.com
Thank you! Give us your feedback! www.esri.com/ratemypugsession