
Designing an Enterprise GIS Security Strategy

July 26, 2012. Designing an Enterprise GIS Security Strategy. Michael E Young. Agenda. Introduction Strategy Trends Mechanisms ArcGIS Server Mobile Cloud Compliance. Security. Introduction. Michael E Young Esri Principal Security Architect


Presentation Transcript


  1. July 26, 2012 Designing an Enterprise GIS Security Strategy Michael E Young

  2. Agenda • Introduction • Strategy • Trends • Mechanisms • ArcGIS Server • Mobile • Cloud • Compliance Security

  3. Introduction • Michael E Young • Esri Principal Security Architect • Certified Information Systems Security Professional (CISSP)

  4. Introduction What is a secure GIS?

  5. Introduction • Sign in Japan Narita Airport - May 2011 • Context is key for identifying the appropriate secure GIS solution for your organization

  6. Introduction What is “The” Answer? • Risk • Vulnerability • Threat • Impact

  7. Introduction Where Are the Vulnerabilities? * SANS Relative Vulnerabilities

  8. Strategy

  9. Strategy • Identify your Security Needs • Assess your environment • Datasets, Systems • Sensitivity, Categorization • Understand Security Options • Enterprise GIS Resource Center • Enterprise-wide Security Mechanisms • Application Specific Options • Utilize patterns • Implement Security as a Business Enabler • Improve appropriate availability of information

  10. Strategy Enterprise GIS Security Strategy Security Risk Management Process Diagram - Microsoft

  11. Strategy Esri’s Security Strategy Evolution • Solution • Enterprise • Product • Isolated Systems • 3rd Party Security • Integrated Systems • Embedded Security • Cloud • Managed Security

  12. Strategy Esri Products and Solutions • Secure Products • Trusted geospatial services • Individual to organizations • Extending validation • Secure Enterprise Guidance • Enterprise Resource Center • Patterns • Online Help • Secure Solution Management • SaaS Functions & Controls • ArcGIS Online Security Overview

  13. Strategy Expanded Security Online Help and Papers

  14. Strategy Security Implementation Patterns • Risk based • 3 categories / NIST alignment • Selection process • Formal – NIST 800-60 • Informal • To prioritize information security and privacy initiatives, organizations must assess their business needs and risks

  15. Strategy Security Principles • CIA Security Triad • Defense in Depth

  16. Strategy Defense in Depth

  17. Trends

  18. Trends Perception • End-User Perception: “I don’t ever hear about virus issues in our company anymore” • Reality: Modern attacks are not as much about being visible • Layers of exploits deployed • Goal is to obtain your company’s most valuable information

  19. Trends Modern Attack • Don’t rely on Anti-Virus and Firewalls Alone to Protect Your Organization • Websense 2012 Threat Report

  20. Trends Reverse Proxies Need to Be Maintained • Apache Reverse Proxy Exploit – Oct 2011 • Allows unauthenticated access to information that should be confidential • Commonly overlooked component for updates • CVE-2011-3368 • Update Your Reverse Proxy!

  21. Trends End of Browser Plug-ins? • Migration away from Flash and Silverlight Plug-ins • Security experts ready to unload plug-ins • HTML5 limitation inconsistencies across browsers slowing migration

  22. Trends Mobile Security • iPhone Twitter PII compromised • Mobile device data not secure by default • Enterprise Mobile Security Solutions can help

  23. Trends Cloud • Data breaches of 2011 • #1 Sony – PlayStation Cloud 100+ mill • #2 Epsilon – Email Cloud 60+ mill • #6 Nasdaq – Dashboard Cloud 10k+ Sr. Execs • *http://informationweek.com/news/security/attacks/232301079 • An Enterprise Security Strategy can help through cloud data mitigation controls and cloud security policies

  24. Trends Events over the last month • US loses $250 billion annually in IP theft • $338 billion annually in financial theft • Result of cyber espionage is the "greatest transfer of wealth in history."

  25. Mechanisms

  26. Mechanisms • Authentication • Authorization • Filters • Logging/Auditing • Encryption

  27. Mechanisms Authentication • Pre-10.1 Options • Web Traffic via HTTP • Web Services • Web Applications • Intranet Traffic via DCOM • Local Connections

  28. Mechanisms Authentication *PKI / Smartcard Validation Environment Recently Stood up

  29. Mechanisms Authorization – Role Based Access Control • Esri COTS • Assign access with ArcGIS Manager • Service Level Authorization across web interfaces • Services grouped in folders utilizing inheritance • 3rd Party • RDBMS – Row Level or Feature Class Level • Versioning with Row Level degrades RDBMS performance • Alternative - SDE Views • Custom - Limit GUI • Rich Clients via ArcObjects • Web Applications • Sample code Links in ERC • Microsoft’s AzMan tool

  30. Mechanisms Filters – 3rd Party Options • Firewalls • Reverse Proxy • Web Application Firewall • Open Source option ModSecurity • Anti-Virus Software • Intrusion Detection / Prevention Systems • Limit applications able to access geodatabase

  31. Mechanisms Filters – Firewall Friendly Scenario • Web Application Firewall in DMZ • File Geodatabase (FGDB) in DMZ • One-way replication via HTTP(s) • Deployed to each web server for performance • Internet users access to subset of Geodatabase • Same replication model could be used to push data to cloud • [Diagram labels: Internet, DMZ, Intranet; Web, WAF, GIS; HTTP, DCOM, SQL; FGDB, Database; Author & Publish, Use]

  32. Mechanisms Filters • Why no Reverse Proxy in DMZ? • One-off component / no management, minimal filtering • Multi-Function Web Service Gateways • Store SSL Certificates / SSL Acceleration • URL Rewrite • Web Application Firewall • [Diagram labels: External, DMZ, Internal]

  33. Mechanisms Encryption – 3rd Party Options • Network • IPSec (VPN, Internal Systems) • SSL (Internal and External System) • Cloud Encryption Gateways • Only encrypted datasets sent to cloud • File Based • Operating System – BitLocker • GeoSpatially enabled PDFs combined with Certificates • Hardware (Disk) • RDBMS • Transparent Data Encryption • Low Cost Portable Solution - SQL Express 2008 w/TDE

  34. Mechanisms Logging/Auditing • Esri COTS • Geodatabase history • May be utilized for tracking changes • ArcGIS Workflow Manager • Track Feature based activities • ArcGIS Server 10+ Logging • “User” tag tracks user requests • 3rd Party • Web Server, RDBMS, OS, Firewall • Consolidate with a SIEM

  35. ArcGIS Server

  36. ArcGIS Server Public Facing Architecture • [Diagram labels: Public, DMZ, Private; WAF, Reverse Proxy, Web Adaptor, WEB, SOM, SOC, GIS Server; HTTP(s), DCOM, SQL; 10, 10.1; DBclient, SvrDir, DBMS]

  37. ArcGIS Server 10.1 Changes http://host/arcgis/rest • Goodbye DCOM issues! • Token Security enabled by default • Added Publisher Role • AGSAdmin / AGSUser OS Roles dropped • All tier capabilities installed by default • Web, application, data • Ready to run developer platform • Deploy Web Adaptor to web server for production • Editor feature service tracking • Owner based control • Integrated Security Model still available • Administrator API • [Diagram labels: IIS or Apache Web Adaptor; Primary Site Admin Acct; GIS Server OS Service Acct; Config Store; Server Directories; ArcGIS Server Site]

  38. ArcGIS Server 10.1 Deployment • Want to know more about ArcGIS Server 10.1 Security? • Check out: 3:15-4:30pm - Building Secure Applications – Room 32B

  39. Mobile

  40. Mobile Just Secure the Web Service Endpoints, Right?

  41. Mobile OWASP Top 10 Mobile Issues

  42. Mobile Phone Security • ArcGIS Mobile Security Touch Points • Communication • Device access • Storage • Server authentication • SDE permissions • Project access • Data access • Service authorization

  43. Mobile Enterprise Mobile Security • Built-in device capabilities • Can store features iOS5 encrypted with Flex 3.0 API • Enterprise device solutions (InTune, AirWatch, Good, MaaS360) • Benefits: Secure email, browser, remote wipe, app distribution • Application specific solutions • Benefits: Secure connections and offline device data • Esri iOS SDK + Security SDK

  44. Cloud

  45. Cloud Is cloud right for you? • Common deployment delays • Analysis paralysis • Complex Proof-of-Concepts (POC) • Technical details primary focus • Security & performance • Cost predictability concerns • What type of cloud • Deployment model (where it’s located) • Service model (How much it does)

  46. Cloud Responsibility across cloud service models • IaaS • ArcGIS Server for Amazon • CSP -> Infrastructure • Cust -> CSP Config, OS, Apps • SaaS • ArcGIS Online • CSP -> Infrastructure • Esri -> CSP Config, OS, Apps • Cust -> App Config

  47. Cloud Deployment models

  48. Cloud SaaS Deployment options • Three ArcGIS Online patterns • Store data and publish service to cloud • Only publish service metadata to cloud • Deploy solution on-premises

  49. Cloud Amazon

  50. Cloud Going Beyond 1 Tier in Amazon
