Designing an Enterprise GIS Security Strategy. Michael E Young CISSP

Transcription

1 Designing an Enterprise GIS Security Strategy Michael E Young CISSP

2 Agenda Introduction Esri s Security Strategy Federal Security Metric Tools Enterprise-Wide Security Mechanisms Product Security Cloud Computing Security Esri Security Compliance Summary and Next Steps

3 Introduction - Michael E Young - Esri Senior Enterprise Security Architect - FISMA C&A Application Security Officer - Certified Information Systems Security Professional (CISSP) Application Security Risks Diagram OWASP 2010

4 Introduction What is a secure GIS? Integration with other enterprise components? - Directory Services / LDAP / MS Active Directory Meeting security standards requirements? Security Certifications & Accreditations? - FDCC / FISMA / DIACAP User Application Interfaces? - ADF, MS Silverlight, Adobe Flex, JavaScript, Rich Clients Application built-in vs. separate security products? - ArcGIS Token Service / 3 rd Party Single-Sign-On products So far, nobody has found a silver bullet for security

5 Introduction Designing an Enterprise GIS Security Strategy Identify your Security Needs - Assess your environment - Datasets, Systems - Sensitivity, Categorization Understand Security Options - Enterprise GIS Resource Center - Enterprise-wide Security Mechanisms - Application Specific Options - Utilize patterns Implement Security as a Business Enabler - Improve appropriate availability of information

6 Introduction Designing an Enterprise GIS Security Strategy Security Risk Management Process Diagram - Microsoft

7 Esri s Security Strategy

8 Esri s Security Strategy Trends Esri Products Discrete products and services supplemented by 3 rd party security Enterprise system with embedded and 3 rd party security IT Trend Isolated Systems Integrated Systems with discretionary access

9 Esri s Security Strategy Secure GIS Products - Incorporate security industry best practices - Trusted geospatial services across the globe - Meet both individual user needs and entire organizations Secure GIS Solution Guidance - Enterprise Resource Center Website - Esri security patterns

10 Esri s Security Strategy Security Patterns Esri provides security implementation patterns - Best practice security guidance Leverages National Institute of Standards and Technology (NIST) Patterns based on risk level - Basic Security - Standard Security - Advanced Security Identify your risk level - Formal process NIST Informal process To prioritize information security and privacy initiatives, organizations must assess their business needs and risks

11 Esri s Security Strategy Foundational Security Principles CIA Security Triad Defense in Depth

12 Esri s Security Strategy Defense in Depth Authentication Authorization Data and Assets Physical Controls Policy Controls Technical Controls Filters Encryption Logging

13 Federal Security Metric Tools

14 Federal Security Metric Tools The 2010 State of Cybersecurity from the Federal CISO s Perspective

15 Federal Security Metric Tools CAG - Consensus Audit Guidelines 20 prioritized IT security controls - Automation is key - Map to NIST Let us know if this is important to your Agency US State Department demonstrated more than 80% reduction in "measured" security risk through the rigorous automation and measurement of the Top 20 Controls

16 Federal Security Metric Tools SCAP Security Content Automation Protocol Standard to communicate vulnerability information - Automate compliance, manage vulnerabilities, perform security measurements - Evaluate policy compliance for standards Used by Esri as part of the FDCC self-certification

17 Federal Security Metric Tools NIST / FISMA FISMA C&A utilizes NIST security controls Esri security patterns based on these controls

18 Enterprise-wide Security Mechanisms

19 Enterprise-Wide Security Mechanisms Overview

20 Enterprise-Wide Security Mechanisms Authentication Three ArcGIS Authentication Schemes - Web Traffic via HTTP 1. Web Services 2. Web Applications - Intranet Traffic via DCOM 3. Local Connections

21 Enterprise-Wide Security Mechanisms Authentication Access Restricted Authentication Method Protocol Description Encryption None HTTP Default Internet Connections N/A Web Service or Web Application Basic Digest Windows Integrated Java EE Container HTTP (SSL optional) HTTP (SSL optional) Browser built-in pop-up login dialog box. Web container provides challenge for credentials Basic None, unless using SSL Container Managed Client Certificates PKI Smart Cards HTTPS Server authenticates client using a public key certificate PKI Managed Web Application Only.NET Form-based Java ArcGIS Managed HTTP (SSL optional) HTTP (SSL optional) Application provides its own custom login and error pages. ArcGIS Server provides login page for Java Web App None, unless using SSL None, unless using SSL Web Service Only Esri Token HTTP (SSL optional) Local Windows Integrated DCOM Cross Platform, Cross API Authentication Default Local Connections OS Groups AGSUser. AGSAdmin AES-128bit OS Managed

22 Enterprise-Wide Security Mechanisms Authentication User and Role Storage Options Java Options - Default Apache Derby - External Database - LDAP - MS Active Directory John Cindy Jim Limited Admin Regions.NET Options - Default - Windows Users and Groups - MS SQL Server Express - Custom Provider Users Roles - Instructions for Active Directory and Oracle Providers available

23 Enterprise-Wide Security Mechanisms Authorization Role Based Access Control Esri COTS - Assign access with ArcGIS Manager - Service Level Authorization across web interfaces - Services grouped in folders utilizing inheritance 3 rd Party - RDBMS Row Level or Feature Class Level - Versioning with Row Level degrades RDBM performance - Alternative - SDE Views Custom - Limit GUI - Rich Clients via ArcObjects - Web Applications - Sample code Links in ERC - Microsoft s AzMan tool

24 Enterprise-Wide Security Mechanisms Filters 3 rd Party Options Firewalls Reverse Proxy - MS free reverse proxy for IIS 7 (Windows 2008) Web Application Firewall - Open Source option ModSecurity Anti-Virus Software Intrusion Detection / Prevention Systems Limit applications able to access geodatabase

25 Enterprise-Wide Security Mechanisms Filters Firewall Friendly Scenario Web Application Firewall in DMZ File Geodatabase in DMZ One-way replication via HTTP(s) Deployed to each web server for performance Internet users access to subset of Geodatabase Internet DMZ Intranet WAF Web Web HTTP HTTP GIS GIS DCOM Use Database HTTP Database SQL Author & Publish

26 Enterprise-Wide Security Mechanisms Filters Why no Reverse Proxy in DMZ? - One-off component / no management, minimal filtering Multi-Function Web Service Gateways - Store SSL Certificates / SSL Acceleration - URL Rewrite - Web Application Firewall External Internal DMZ

27 Enterprise-Wide Security Mechanisms Encryption 3 rd Party Options Network - IPSec (VPN, Internal Systems) - SSL (Internal and External System) File Based - Operating System BitLocker - GeoSpatially enabled PDF s combined with Certificates - Hardware (Disk) RDBMS - Transparent Data Encryption - Low Cost Portable Solution - SQL Express 2008 w/tde

28 Enterprise-Wide Security Mechanisms Logging/Auditing Esri COTS - Geodatabase history - May be utilized for tracking changes - ArcGIS Workflow Manager - Track Feature based activities - ArcGIS Server 10 Logging 3 rd Party - New user tag allows tracking of user requests - Web Server, RDBMS, OS, Firewall - Consolidate with a SIEM 86 % of victims had evidence of the breach in their logs, yet 61 % of the breaches were discovered by a third party *Verizon's 2010 Data Breach Investigations Report

29 Product Security Rich Client Mobile ArcGIS Server Cloud Services

30 Rich Client Security Desktop Explorer

31 Rich Client Security ArcGIS Desktop Client typically with most access to sensitive data Variety of system connections - Direct Connect RDBMS - Application Connect SDE - HTTP Service GeoData Service - Integration with Token Service - Windows native authentication - SSL and IPSec Utilization ArcObject Development Options - Record user-initiated GIS transactions - Fine-grained access control - Edit, Copy, Cut, Paste and Print

32 Rich Client Security ArcGIS Explorer Communication Explorers for different users or topics Focused data and functions in one place You manage and customize Sales Explorer Centrally managed configurations Marketing Explorer Your customers Explorer Your main office

33 Mobile Phone Security ArcPad ArcGIS Mobile

34 Mobile Phone Security More - Platforms - ArcPad - ArcGIS Mobile - iphone - Android - Windows - Functionality/Storage - User-base Leads to - Increased Hacker Attention

35 Mobile Phone Security ArcPad AXF Data file - Password protect and encrypt Memory Cards - Encrypt ArcGIS Server users and groups - Limit publishers Internet connection - Secure ArcPad synch traffic

36 Mobile Phone Security ArcGIS Mobile Security Touch Points SDE permissions Server authentication Communication Device access Storage Service authorization Project access Data access

37 Mobile Phone Security Mobile GeoData Service - HTTPS (SSL) or VPN tunnel Web Service - Credentials - Filter by OS / IP / Unique Device Identifier - Token Service Encrypt data at Rest - Windows Mobile Crypto API - 3 rd Party tools for entire storage system

38 ArcGIS Server Security

39 ArcGIS Server Security Pop Quiz Defaults Is Communication Across Wire Secure by Default? - No - Communication via ArcGIS Server and all clients is cleartext by default - Secure web communication with an SSL Certificate - Secure internal DCOM communication with IPSec

40 ArcGIS Server Security Pop Quiz - Filters Is a reverse proxy required for secure Internet facing deployments? - No - Some customers implement to eliminate DCOM traffic across firewalls - Used with Web Application Firewall improves security posture

41 ArcGIS Server Security Pop Quiz Guidance Is there Security Hardening Guidance? - Yes - Check out the ERC Implementation Gallery - Next update expected Q Version 10 Win 2k8

42 ArcGIS Server Security Pop Quiz - Configuration Should Everyone group be assigned to root in ArcGIS Manager? - Depends - Everyone will have access to your services by default - OK for Basic security risk environments - NOT recommended for any Standard or Advanced security - Deny by default used in higher risk environments

43 ArcGIS Server Security Security Model

44 ArcGIS Server Security User Local Access to SOM Windows - Access managed by operating system of SOM machine Solaris and Linux - Users managed by ArcGIS Server Manager Add users to appropriate group - Simplistic access levels (None, Read, Full) agsusers u View and access services agsadmin u Add, delete, or modify services u Start, stop, or pause services u Add, remove, or modify server directories u Create Web mapping applications u Add or remove SOC machines u View statistical information

45 ArcGIS Server Security Server Data Access Share folders that contain GIS resources - Grant SOC account Read and/or Write permission to the folder Add SOC as a user of your database - Grant SOC account Read and/or Write permission to each geodatabase

46 ArcGIS Server Security Management User Interface Access ArcGIS Services Directory - Available as part of ArcGIS Server installation - Typically not exposed for Standard security needs to public REST API Admin - Manages access to local ArcGIS Services Directory - Maintains REST cache - Requires membership in agsadmin group - Recommend to configure no public access ArcGIS Manager - Recommend to configure no public access

47 ArcGIS Server Security GIS resource access Local security Web security Internet Intranet Service capabilities Web editing ArcGIS Server

48 ArcGIS Server Security Implementing Web Access Control 1. Define user/role store 2. Assign users to roles 3. Assign roles to resources 4. Enable security

49 ArcGIS Server Security Authenticating to services with Token What is a token? Why do you need it? - Services don t have a logon user interface How does it work? - ArcGIS Server Token Service Where do you get it? - Request a Token from Token Service

50 ArcGIS Server Security Web Service API Security Options Embed Token Token Web Server ArcGIS SOAP/REST Bind token in a proxy page Proxy page Token Secured container Write full logon access to the token service (e.g., ArcGIS Desktop, custom application ) Token User Password Token server

51 ArcGIS Server Security Flowing web user identity down to the database Integrated Security Model (ISM) Flow web user identity to database via proxy user - Logging - Non-repudiation across all architecture tiers for high risk security environments - Row-Level Security - Database driven security model for high-risk security environments Current Status - Customer scenarios collected - Simple configuration performance validation completed % performance overhead - More complex scenarios to be validated next - Basic documentation online for Java ArcGIS Server

52 ArcGIS Server Security ISM Initial Validation Configuration - Web Server - MS IIS - Application Server - Java ArcGIS Server 10 - LDAP (Derby) Users & Groups Security Provider - Oracle Database - Proxy user sessions - Table level access

53 ArcGIS Server Security Row Level Security With ISM Virtual Private Database (VPD) - Transparently modifies requests Oracle Label Security (OLS) Optional add-on Provides interface for row-level security - Presents partial table view

54 ArcGIS Server Security Version 10 Security Enhancements AGS Manager - Searchable user/roles - Application Level User Activity Logging Database level security option - Added to REST API - Passes user context to database - Control all data access at data tier Web Service Interface Security Improvements

55 ArcGIS Server Security Amazon ArcGIS Server For Amazon - Esri built ArcGIS Server Amazon Machine Image (AMI) - Deploy to Amazon Elastic Compute Cloud (EC2) instance Addressing Security - Current AMI not hardened beyond Windows 2008 Server defaults - Typical Firewall Entries for Cloud implementations - ArcGIS Server - Port 80/443 for IIS & Remote desktop - Enterprise GeoDB AMI - Port 5151 Biggest Cloud Computing Concern is Security and Privacy

56 Cloud Computing Security

57 Cloud Computing Security Is Cloud computing safe? - Classic answer: It depends Security Benefits - Virtualization / Automation - Expedite secure configurations with images - Broad network access - Reduce removable media needs - Segmentation - Public data -> Cloud & sensitive -> Internal - Potential economies of scale - Lower cost backup copies of data - Self-service technologies - Apply security controls on demand

58 Cloud Computing Security 2010 Cloud Computing Risks

59 Cloud Computing Security Risks Vendor Practice Dependence - Potential sub-standard security controls - Loss of governance over data Vendor Lock-In - Services termination data loss - Portability - Lost internal capabilities to support Sharing resources (Multi-tenancy) - Access to other s data - Unclear security responsibilities - Increased data transmitted = Increased disclosure risk Deployment Model Threat Exposure Levels - Private = Lowest Community = More Highest = Public

60 Cloud Computing Security Which cloud service model? System Admin Access (IaaS) - ArcGIS Server on Amazon EC2 - Federal Terremark Cloud - Private Cloud Developer Access (PaaS) - Esri Web Mapping APIs (JavaScript, Flex, Silverlight) - Microsoft Azure ArcGIS Applications End User Solutions (SaaS) - ArcGIS.com - Business Analyst Online - ArcGIS Explorer Online

61 Cloud Computing Security Which cloud deployment model? Cloud Deployment Location - Public (e.g Amazon) - Private (e.g. Internal Corporate) Primary driver -> Security Agencies segmenting datasets to mitigate cloud risks - Public clouds for public datasets - Private clouds for sensitive datasets June 2010 IDC IT Executive Survey - Preference for using a private versus a public cloud - 55% - Private cloud was more appealing than a public cloud - 22% - Equally appealing Organizations from the midmarket up, will have a mix of public & private

62 Cloud Computing Security What are your security needs? Assess your security needs - Data sensitivity - Public domain, sensitive, classified - User types - Public, internal - Categorize security needs - Basic, standard, advanced Most public cloud implementations are basic - Security similar to social networking sites (Facebook) - Most GIS users have only basic security needs

63 Cloud Computing Security Best practices Similar to internal ops - Break up tiers - Protect in transit - Protect at rest - Credential management - Built-in OS Firewalls - AGS App Security

64 Cloud Computing Security ArcGIS Server on Amazon EC2 Default Deployment Default - Web and App Tiers combined Scaling out - Elastic Load Balancing - What about supporting infrastructure? Scaling Out

65 Cloud Computing Security ArcGIS Server on Amazon EC2 Minimize your administrative attack surface

66 Cloud Computing Security Amazon EC2 Security Secured physical facilities Logically secure EC2 instances Configurable firewall to control ingress access Standard ArcGIS Server security Optional multifactor authentication

67 Cloud Computing Security Cloud Directive White House urging Federal agencies to adopt - Clear focus on streamlining infrastructure management, improving service, and saving money - Security concerns continue to hold agencies back Cloud Security Status - Half of those who have implemented cloud apps DO NOT KNOW if they have experienced a breach Are government cloud information security standards available? - Requested by 91% of Agencies Statistics from 2010 Symantec Break in the Cloud Report

68 Cloud Computing Security FedRAMP Work in Progress Standard Cross-agency Cloud security C&A process - Initial standard for Low and Moderate security Esri actively engaged in working groups & commenting period Esri actively identifying interested Agencies - FedRAMP initially focused on large user base systems or used by multiple Federal agencies

69 Esri Security Compliance

70 Esri Security Compliance Security Patterns Esri security implementation patterns - Leverage NIST security controls - Based on same standards as FISMA C&A process - Not provided as full certification compliance representations As validated, patterns released in Enterprise GIS Resource Center

71 Esri Security Compliance Desktop Software FDCC (Federal Desktop Core Configuration) certified - Esri fully supports and tests product compatibility since Starting with Windows 7 name changing to USGCB - United States Government Configuration Baseline PKI (Public Key Infrastructure) w/ CAC or PIV - Common customer deployment

72 Esri Security Compliance ArcGIS Server Configurable for FIPS encryption requirements - ArcGIS Server.NET requires a workaround procedure Security hardening guidelines available - Whitepaper update in couple months - Win 2k8 and ArcGIS 10 - Based on in-the-field lessons learned and test environment

73 Esri Security Compliance Hosting Services 2010 SAS 70 type 1 audit of ArcGIS.com FISMA certification and accreditation - Esri hosts low risk category environments - Each solution currently requires a separate certification FedRAMP standard for cloud deployments - Actively reviewing / feedback this due this week - Let us know if you are interested

74 Esri Security Compliance Summary Esri provides security due diligence with our solutions, but is not a security software company Utilize 3 rd party security software for high level IA functions Many successful Esri high risk security deployments - International - ISO 17799/2700X, BS 7799, Common Criteria (CC) - Federal - FISMA (NIST), DITSCAP/DIACAP - Industry - HIPPA, SOX, PCI Esri is Fully Committed to Federal Security Requirements

75 Summary and Next Steps

76 Summary Security is NOT about just a technology - Understand your organizations GIS risk level - Utilize Defense-In-Depth Secure Best Practice Guidance is Available - Check out the Enterprise GIS Resource Center! - Drill into details by mechanism or application type - Professional Services Enterprise GIS Security Assessment Cloud Computing for GIS Has Arrived - Security is evolving quickly - Security in the cloud is a shared responsibility

77 Next Steps Supporting Secure Solutions Your Feedback and Insight Today is Essential - Current Security Issues - Upcoming Security Requirements - Feedback on Integrated Security Model - Suggestions for the Enterprise Resource Center - Areas of concern Not addressed Today Contact Us At: Enterprise Security esinfo@esri.com Michael Young myoung@esri.com

78 Session Evaluation Reminder Session Attendees: Please turn in your session evaluations.... Thank you

79