
Enterprise GIS: Security Strategy

Explore the latest trends in enterprise GIS security and effective security strategies. Learn about vulnerabilities, real-world scenarios, and best practices for securing GIS data across servers, mobile devices, and the cloud.

cindyv


Presentation Transcript


  1. Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect

  2. Agenda • Introduction • Trends • Strategy • Mechanisms • Server • Mobile • Cloud • Compliance

  3. Introduction What is a secure GIS?

  4. Introduction What is “The” Answer? Risk Threat Vulnerability Impact

  5. Introduction Where are the vulnerabilities? Core network component vulnerabilities were exposed last year, but application risks are still king *SANS Relative Vulnerabilities

  6. Current Real World Scenarios & Trends Michael Young

  7. Trends Web Application Attacks *Verizon 2015 DBIR

  8. Trends: Mobile attacks
     • Number of mobile devices infected still relatively small
     • 96% targeted against Android platform
     • Mobile malware short lived
     • Piggybacks popular apps
     • Mobile SDKs being attacked
       • Ensure apps built with latest SDKs
     • What can help?
       • Enterprise Mobility Management enables control and visibility
     * Verizon 2015 DBIR

  9. Trends Trends by Industry • Frequency of incidents by pattern and industry • Identify hot spots for your specific industry • Prioritize security initiatives to mitigate against common threats * Verizon 2015 DBIR

  10. Real-world security scenarios: Disaster communications modified
      Lack of strong governance leads to unexpected consequences
      • Scenario
        • Organization utilizes cloud based services for disseminating disaster communications
        • Required easy updates from home and at work
        • Drove allowing public access to modify service information
      • Lesson learned
        • Enforce strong governance processes for web publication
        • Don’t allow anonymous users to modify web service content
        • Minimize or eliminate “temporary” modification rights of anonymous users
        • If web services are exposed to the internet, just providing security at the application level does not prevent direct service access

  11. Real-world security scenarios: Using same username and password between systems leads to compromise
      • Scenario
        • Hackers used a third-party vendor’s user name and password to enter network
        • Hackers managed to elevate rights and deploy malware on systems
      • Result
        • 56 million credit and debit cards compromised
        • 53 million email addresses disclosed
      • Lessons learned
        • Credential management and high-level of trust of “internal” users
        • Use an Identity Provider with SAML 2.0 for accessing cloud-based applications
        • Enforce 2-factor authentication – At a minimum administrators should do this

  12. Real-World Security Scenarios QUIZ – When was the last ArcGIS Security patch released? 99.9% of vulnerabilities are exploited more than a year after being released • Hint – The Trust.ArcGIS.com site will always have this answer handy…

  13. Trends: Strategic Shifts in Security Priorities for 2015 and Beyond
      • Identity management priority increasing as security focus moves from network to data level
      • Advanced Persistent Threats driving shift from Protect to Detect
      • Encryption of Internet traffic via SSL v3 broken – Ensuring TLS utilized is necessary
      • Password protection is broken – Stronger mechanisms required such as 2-factor auth
      • Customers balancing security gateways for mobile solutions vs. VPN
      • Patching beyond Operating systems critical
      • End-of-life OS builds with XP and now Server 2003 present significant risk

  14. Strategy Michael Young

  15. Strategy: A better answer
      • Identify your security needs
        • Assess your environment
        • Datasets, systems, users
        • Data categorization and sensitivity
        • Understand your industry attacker motivation
      • Understand security options
        • Trust.arcgis.com
        • Enterprise-wide security mechanisms
        • Application specific options
      • Implement security as a business enabler
        • Improve appropriate availability of information
        • Safeguards to prevent attackers, not employees

  16. Strategy Enterprise GIS Security Strategy Security Risk Management Process Diagram - Microsoft

  17. Strategy Evolution of Esri Products & Services Solution Enterprise Product Isolated Systems 3rd Party Security Integrated Systems Embedded Security Software as a Service Managed Security

  18. Strategy Esri Products and Solutions Secure Products Trusted geospatial services Individual to organizations 3rd party assessments Secure Platform Management Backed by Certifications / Compliance Secure Enterprise Guidance Trust.ArcGIS.com site Online Help ArcGIS

  19. Strategy Security Principles Confidentiality CIA Security Triad Integrity Availability

  20. Strategy: Defense in Depth
      • More layers does NOT guarantee more security
      • Understand how layers/technologies integrate
      • Simplify
      • Balance People, Technology, and Operations
      • Holistic approach to security
      [Diagram labels: Authentication; Authorization; Filters; Encryption; Logging/Auditing]

  21. Mechanisms

  22. Mechanisms Authorization Authentication Filters Logging/Auditing Encryption

  23. Mechanisms: Users & Authentication
      • ArcGIS Server patterns
        • Server-tier Auth w/ Built-in users
        • Server-tier Auth w/ Enterprise Users
        • Web-tier Auth w/ Enterprise Users
      • Portal for ArcGIS patterns
        • Portal-tier Auth w/ Built-in users
        • Portal-tier Auth w/ Enterprise users
        • Web-tier Auth w/ Enterprise users
        • SAML 2.0 Auth w/ Enterprise Users
      • ArcGIS Online patterns
        • ArcGIS Online Auth w/ Built-in users
        • SAML 2.0 Auth w/ Enterprise users
      • User Store Options
        • Built-in user store: Server, Portal, ArcGIS Online
        • Enterprise user store: LDAP / Active Directory
      • Authentication Options
        • Built-in Token Service: Server, Portal, ArcGIS online
        • Web-tier (IIS/Apache) w/ Web Adaptor: Windows Integrated Auth, PKI, Digest…
        • Identity Provider (IdP) / Enterprise Logins: SAML 2.0 for ArcGIS Online & Portal

  24. Mechanisms: Authorization – Role-Based Access Control
      • Out-of-box roles (level of permission)
        • Administrators
        • Publishers
        • Users
        • Custom – Only for Portal for ArcGIS & ArcGIS Online
      • ArcGIS for Server – Web service authorization set by pub/admin
        • Assign access with ArcGIS Manager
        • Service Level Authorization across web interfaces
        • Services grouped in folders utilizing inheritance
      • Portal for ArcGIS – Item authorization set by item owner
        • Web Map – Layers secured independently
        • Packages & Data – Allow downloading
        • Application – Allows opening app

  25. Mechanisms: Authorization – Extending with 3rd Party components
      • Web services
        • Conterra’s Security Manager (more granular)
        • Layer and attribute level security
      • RDBMS
        • Row Level or Feature Class Level
        • Versioning with Row Level degrades performance
        • Alternative – SDE Views
      • URL Based
        • Web Server filtering
        • Security application gateways and intercepts

  26. Mechanisms: Filters – 3rd Party Options
      • Firewalls
        • Host-based
        • Network-based
      • Reverse Proxy
      • Web Application Firewall
        • Open Source option ModSecurity
      • Anti-Virus Software
      • Intrusion Detection / Prevention Systems
      • Limit applications able to access geodatabase

  27. Mechanisms: Internet Filters - Web Application Firewall (WAF)
      • Implemented in DMZ
      • Protection from web-based attacks
      • Monitors all incoming traffic at the application layer
      • Protection for public facing applications
      • Can be part of a security gateway
        • SSL Certificates
        • Load Balancer
      [Diagram labels: 443; Security Gateway (WAF, SSL Accel, LB); DMZ; Web servers; ArcGIS servers; Internal Infrastructure]

  28. Mechanisms: Encryption – 3rd Party Options
      • Network
        • IPSec (VPN, Internal Systems)
        • SSL/TLS (Internal and External System)
        • Cloud Encryption Gateways
        • Only encrypted datasets sent to cloud
      • File Based
        • Operating System – BitLocker
        • GeoSpatially enabled PDFs combined with Certificates
        • Hardware (Disk)
      • RDBMS
        • Transparent Data Encryption
        • Low Cost Portable Solution - SQL Express w/TDE

  29. Mechanisms: Logging/Auditing
      • Esri COTS
        • Geodatabase history: May be utilized for tracking changes
        • ArcGIS Workflow Manager: Track Feature based activities
        • ArcGIS Server 10+ Logging: “User” tag tracks user requests
      • 3rd Party
        • Web Server, RDBMS, OS, Firewall
        • Consolidate with a SIEM
      • Geospatial service monitors
        • Esri – System Monitor
        • Vestra – GeoSystems Monitor
        • Geocortex Optimizer

  30. Mechanisms GIS monitoring with System Monitor Proactive Integrated Dashboards across all tiers End-to-End All tier monitoring Continuous %Coverage provided Extendable Custom queries

  31. ArcGIS Server Matt Lorrain

  32. ArcGIS Server: 10.3 Enhancements
      • ArcGIS Server Manager
        • New dashboard for administrators
      • Portal for ArcGIS extension is included with ArcGIS for Server Standard and Advanced licenses
        • Support for SAML 2.0 authentication
        • Management of group membership based on an enterprise identity store
        • Custom roles to better control privileges of users
        • Activity Dashboard to understand metrics for your portal
        • More streamlined approach to configuring a high-availability portal configuration
      • As of 10.3.1
        • Query and view portal logs using Portal Directory for identifying errors, issues or troubleshooting.

  33. ArcGIS Server: Single ArcGIS Server machine
      Front-ending GIS Server with Reverse Proxy or Web Adaptor
      [Diagram labels: Desktop, Web, and Mobile Clients; 80/443; Reverse Proxy Server; 6080/6443; Site Administrators Connect to Manager; GIS server, Data, Server directories, Configuration Store]

  34. ArcGIS Server: ArcGIS Server HA - Sites independent of each other
      • Active-active configuration is shown
      • Active-passive is also an option
      • Separate configuration stores and management
      • Scripts can be used to synchronize
      • Cached map service for better performance
      • Load balancer to distribute load
      [Diagram labels: Desktop, Web, and Mobile Clients; Network Load Balancer (NLB); 80; Web Adaptors (optional); 6080; Site Administrators Connect to Manager; ArcGIS Server site (shown twice); Server directories, Configuration Store (duplicated between sites)]

  35. ArcGIS Server: ArcGIS Server HA – Shared configuration store
      • Shared configuration store
      • Web Adaptor will correct if server fails
      • Config change could affect whole site
        • Example: publishing a service
      • Test configuration changes
      [Diagram labels: Desktop, Web, and Mobile Clients; Network Load Balancer (NLB); Web Adaptors; 80; GIS servers; 6080; Site Administrators Connect to Manager; Data server, Data (enterprise geodatabase), Server directories, Configuration Store]

  36. ArcGIS Server: ArcGIS Server HA – Clusters of Dedicated Services
      • Shared configuration store
      • Server clusters
        • Perform same set of functions
      • Example
        • Cluster A handles geoprocessing services
        • Cluster B handles less intensive services
      [Diagram labels: Desktop, Web, and Mobile Clients; Network Load Balancer (NLB); Web Adaptors (optional); 80; GIS servers; Cluster A; Cluster B; 6080; Site Administrators Connect to Manager; Data server, Data (enterprise geodatabase), Server directories, Configuration Store]

  37. Enterprise deployment: Real Permutations
      [Diagram labels: Public; Business Partner 1; Private IaaS; Internal Portal; ArcGIS Online; Business Partner 2; Internal AGS; External AGS; Filtered Content; File Geodatabase; Database; FieldWorker; Public IaaS; Enterprise Business]

  38. ArcGIS Server: Enterprise Deployment
      [Architecture diagram labels: Internet; WAF, SSL Accel, Load Balancer; 443; DMZ; Port: 443; Port: 80; Port: 6080; IIS/Java Web Server; ADFS Proxy; Web Adaptor; Web Apps; Auth Web Server; Public Web Server; ArcGIS for Server; GIS Services; Supporting Infrastructure; ADFS / SAML 2.0; AD/ LDAP; ArcGIS Site; Network Load Balancing; Web Server A; Web Server B; Web Adaptor Round-Robin; HA NAS; Config Store; Clustered Directories; FGDB; SQL; HA DB1; HA DB2; Server Request Load Balancing; GIS Server A; GIS Server B]

  39. ArcGIS Server: Implementation Guidance
      • Don’t expose Server Manager or Admin interfaces to public
      • Disable Services Directory
      • Disable Service Query Operation (as feasible)
      • Limit utilization of commercial databases under website
        • File GeoDatabase can be a useful intermediary
      • Require authentication to services
      • Deploy ArcGIS Server(s) to DMZ if external users require access
        • One-way replication from enterprise database
      • Restrict cross-domain requests
        • Implement a whitelist of trusted domains for communications
      [Chart: Attack surface over time; axes: Attack surface, Time]

  40. Mobile Matt Lorrain

  41. Mobile What are the mobile concerns? *OWASP Top Ten Mobile: https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks

  42. Mobile Security Touch Points Server authentication Device access Communication SDE permissions Storage Service authorization Project access Data access

  43. Mobile: Challenges
      • Users are beyond corporate firewall
        • To VPN or not to VPN?
      • Authentication/Authorization challenges
      • Disconnected editing
      • Management of mobile devices
        • Enterprise Mobility Management is the answer!
        • Mobile Device Management
        • Mobile Application Management
        • Security Gateways
        • Examples: MobileIron, MaaS360, Airwatch, and many more…

  44. Mobile: Potential Access Patterns
      [Diagram labels: DMZ; Web Adaptor; IIS; Security Gateway; Portal; VPN; ArcGIS; AD FS 2.0; ArcGIS Desktop; ArcGIS Server; NAS; Shared config store; Enterprise AD; SQL Server; External facing GIS]

  45. Mobile: Implementation Guidance
      • Encrypt data-in-transit (HTTPS) via TLS
      • Encrypt data-at-rest
      • Segmentation
        • Use ArcGIS Online, Cloud, or DMZ systems to disseminate public-level data
      • Perform Authentication/Authorization
      • Use an Enterprise Mobility Management (EMM) solution
        • Secure e-mail
        • Enforce encryption
        • App distribution
        • Remote wipe
        • Control 3rd party apps & jailbreak detection

  46. Cloud Matt Lorrain

  47. Cloud: Service Models
      • Non-Cloud
        • Traditional systems infrastructure deployment
        • Portal for ArcGIS & ArcGIS Server
      • IaaS
        • Portal for ArcGIS & ArcGIS Server
        • Some Citrix / Desktop
      • SaaS
        • ArcGIS Online
        • Business Analyst Online
      [Diagram labels: Customer Responsible End to End; Decreasing Customer Responsibility; Customer Responsible For Application Settings]

  48. Cloud: Deployment Models
      [Diagram labels: Public; On-Premises; Hybrid 1; On-Premises +; Hybrid 2; Online; Intranet; Portal; Server; Read-only Basemaps; On-premise; Cloud]

  49. Cloud: Management Models
      • Self-Managed
        • Your responsibility for managing IaaS deployment security
        • Security measures discussed later
      • Provider Managed
        • Esri Managed Services (Standard Offering)
        • New Esri Managed Cloud Services (EMCS) Advanced Plus
        • FedRAMP Moderate environment

  50. Cloud: IaaS – Amazon Web Services
      8 Security Areas to Address
      • Virtual Private Cloud (VPC)
      • Identity & Access Management (IAM)
      • Administrator gateway instance(s) (Bastion)
      • Reduce attack surface (Hardening)
      • Security Information Event Management (SIEM)
      • Patch management (SCCM)
      • Centralized authentication/authorization
      • Web application firewall (WAF)
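
Slide 39's guidance to restrict cross-domain requests with a whitelist of trusted domains, shown as an added example that is not from the presentation or from Esri: an exact-match check of the browser's `Origin` header in Python. The hostnames and the function names `normalize_origin` and `cors_headers` are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed allow-list; these hostnames are placeholders, not from the slides.
TRUSTED_ORIGINS = {
    "https://maps.example.org",
    "https://portal.example.org:7443",
}
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(value):
    """Return canonical 'scheme://host[:port]', or None if the value is malformed."""
    if not value or value == "null":
        return None
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # A real Origin has no credentials, path, query or fragment.
    if parts.username or parts.password or parts.path or parts.query or parts.fragment:
        return None
    host = parts.hostname.rstrip(".")  # urlsplit already lowercases the hostname
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


TRUSTED = {normalize_origin(o) for o in TRUSTED_ORIGINS}


def cors_headers(origin_header):
    """CORS headers for a response; an empty dict means the origin is not trusted."""
    origin = normalize_origin(origin_header)
    if origin is None or origin not in TRUSTED:
        return {}
    # Echo the canonical trusted origin: never "*", never the raw header,
    # and never a substring or suffix match on the hostname.
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
```

Comparing whole normalized origins is what rejects look-alike hosts such as `maps.example.org.evil.test`, which a prefix or substring test would accept.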
