ArcGIS Enterprise Security: An Introduction. Randall Williams Esri PSIRT


Agenda
ArcGIS Enterprise Security for *BEGINNING to INTERMEDIATE* users
 - ArcGIS Enterprise Security Model
 - Portal for ArcGIS
 - Authentication and Authorization: ArcGIS Tokens
 - Building the Enterprise
 - Encryption (HTTPS)
 - Defense in Depth - Threat Prevention, Mitigation, and Regulatory Compliance
 - Summary

ArcGIS Enterprise Logical Architecture
[Diagram: ArcGIS Web Adaptor, Portal for ArcGIS (focus), ArcGIS Web Adaptor, ArcGIS Server, ArcGIS Data Store (relational + tile cache)]

ArcGIS Enterprise Security Model Protect your Assets Control Access and Set Permissions

ArcGIS Enterprise Security Model Authentication vs. Authorization

ArcGIS Enterprise Security Model token

ArcGIS Enterprise Security Model The token is your access key into ArcGIS
[Figure: ArcGIS products and capabilities: Maps, Insights, Collector, Portal, Geocoding, Analysis, Living Atlas, Survey123, Enrichment, Desktop, Pro, Online, Server, PowerBI, SharePoint, Office]

ArcGIS Enterprise Security Model The token is your access key into ArcGIS Enterprise

ArcGIS Enterprise Security Model OK. So what is a token?

ArcGIS Enterprise Security Model A token represents your login credentials (1AyZcQDO6xJjtWyycn206filCzn) and must be passed with any request for secured content

ArcGIS Enterprise Security Model A token represents your login credentials and other attributes to make them randomized, unique and scoped.

ArcGIS Enterprise Security Model Good news ArcGIS Enterprise handles this transparently for you

ArcGIS Enterprise Security Model Let's see how this works

ArcGIS Enterprise Security Model
1. User requests access to Service
2. Service sends user to Token Service
3. User authenticates to Token Service
4. Token Service issues Token to User
5. User passes Token to Service
6. Service grants access
[Diagram: User, Token Service, Token, Service, Content]
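
The six-step exchange above, as an added example that is not Esri's code and not part of the original slides: a toy token service and secured service showing why a token that is randomized, unique and scoped is useless once it expires or is presented from another application. The HMAC-signed layout, the claim names (sub, ref, exp, jti), the class names and the sample user are assumptions for illustration and do not reflect the actual ArcGIS token format.

```python
import base64, hashlib, hmac, json, secrets, time
# Illustrative only: token layout and all names are assumptions, not the ArcGIS format.
class TokenService:
    """Steps 3-4: authenticate the user, then issue a signed, scoped token."""
    def __init__(self, users):
        self._key = secrets.token_bytes(32)   # signing key stays inside the service
        self._users = users                   # constructed store: {user: (salt, hash)}
    @staticmethod
    def hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    def _sign(self, body):
        return hmac.new(self._key, body, hashlib.sha256).hexdigest().encode()

    def issue(self, user, password, referer, ttl=3600, now=None):
        salt, stored = self._users.get(user, (b"\0" * 16, b""))
        if not hmac.compare_digest(stored, self.hash_password(password, salt)):
            raise PermissionError("authentication failed")
        now = time.time() if now is None else now
        claims = {"sub": user, "ref": referer, "exp": now + ttl, "jti": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode())
        return (body + b"." + self._sign(body)).decode()

    def validate(self, token, referer, now=None):
        """Return the user name for a valid token, otherwise None."""
        body, _, sig = token.encode().partition(b".")
        if not hmac.compare_digest(sig, self._sign(body)):
            return None                           # forged or tampered
        claims = json.loads(base64.urlsafe_b64decode(body))
        now = time.time() if now is None else now
        if now >= claims["exp"] or claims["ref"] != referer:
            return None                           # expired, or used from another app
        return claims["sub"]

class Service:
    """Steps 1-2 and 5-6: a secured service that relies on the token service."""
    def __init__(self, token_service, allowed_users):
        self._ts, self._allowed = token_service, set(allowed_users)

    def request(self, referer, token=None, now=None):
        if token is None:
            return "token required"               # step 2: go to the token service
        user = self._ts.validate(token, referer, now)
        if user is None:
            return "invalid token"
        return "access granted" if user in self._allowed else "not authorized"

def demo():
    salt, app = secrets.token_bytes(16), "https://maps.example.com"
    ts = TokenService({"analyst": (salt, TokenService.hash_password("constructed-pw", salt))})
    svc = Service(ts, allowed_users={"analyst"})
    first = svc.request(app)                                               # steps 1-2
    token = ts.issue("analyst", "constructed-pw", app, ttl=60, now=1000)   # steps 3-4
    return (first, svc.request(app, token, now=1010),                      # steps 5-6
            svc.request("https://other.example.com", token, now=1010),
            svc.request(app, token, now=2000))
```

`demo()` returns the service's answer for a request without a token, with a valid token, with the same token sent from a different referer, and with the token after it has expired.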

ArcGIS Enterprise Security Model But what about Forms Auth, Single Sign On, Smart Cards, Active Directory?

ArcGIS Enterprise Security Model All authentication methods ultimately deliver a token

ArcGIS Enterprise Security Model the token is your key into ArcGIS Enterprise

ArcGIS Enterprise: ArcGIS Portal, ArcGIS Server, ArcGIS DataStore

package, service, item, layer, web map

content = item

How do we grant access to items?

user group item access

Access
Portal for ArcGIS (portal items: web map, data, web app)
 - Permissions set by item owner
 - Can be changed by administrators
ArcGIS Server (web services)
 - Permissions can be set by any publisher/administrator

What security options are available?

Flexible Security Options with ArcGIS Enterprise
ArcGIS Enterprise supports: Enterprise Groups, LDAP, OAuth, SAML, CAC Cards, IWA, Forms Auth, Single Sign On, NTLM, HTTP Auth, Built-In Accounts, Smart Cards, Certificates, PKI, Active Directory, Kerberos, Custom Roles

Single Web Sign On through SAML (Security Assertion Markup Language) Industry standard for SSO

SAML login User Experience
 - With SAML authentication enabled, the user will be prompted by the IDP to log in
 - Use IDP login or built-in login

SAML Conceptual Workflow
Parties: Client, ArcGIS Enterprise, Identity Provider (IDP), 3rd party
1. User attempts to log in
2. Redirected to IDP
3. User sends login credentials to IDP
4. IDP authenticates user and sends SAML response to browser
5. Browser sends SAML response to Portal
6. Portal verifies SAML response and user is logged in

SAML Conceptual Workflow But what about the token?!

SAML Conceptual Workflow
Parties: Client, ArcGIS Enterprise, Identity Provider (IDP), 3rd party
1. User attempts to log in
2. Portal redirects client to IDP
3. User sends login credentials to IDP
4. IDP authenticates user and sends SAML response to browser
5. Browser sends SAML response to Portal
6. Portal verifies SAML response and user is logged in
[Diagram: Token, You, Token, ArcGIS Server]

Groups vs Roles

Groups user group item access

Roles
Roles are privileges
 - As an administrator I can
 - As a publisher I can
 - As a user I can
 - As a viewer I can

Permissions: Roles
Permissions for Portal users are defined by roles
4 default roles
1. Administrator
2. Publisher
3. User
4. Viewer

Portal for ArcGIS: Custom Roles
 - Provide more flexibility to enable fine-grained control over what members can do
 - My Organization page > Edit Settings > Roles > Create Role

Enterprise Groups Enabled when Portal is configured with Windows Active Directory or LDAP

Building the Enterprise
1. Registering services
2. Federating a Server
[Diagram: Portal for ArcGIS, ArcGIS Server]

Building the Enterprise: Portal for ArcGIS + ArcGIS Server
[Diagram: Portal for ArcGIS, Item A, registered web service, ArcGIS Server site 1, two identity stores]

Demo Registering a Service


Implementation Patterns: Portal for ArcGIS + ArcGIS Server
[Diagram: Portal for ArcGIS, Item A, Item B, registered web service, federated server, ArcGIS Server site 1, ArcGIS Server site 2, two identity stores]

Encryption and HTTPS Securing communication protocols

Sensitive Content and HTTPS
 - Is the service valid?
 - Can I trust the content?
 - What happens to my password?
 - Is the data secure?

Implementing HTTPS
[Diagram: Web Adaptor, Load Balancer, Portal for ArcGIS; Web Adaptor, Load Balancer, ArcGIS Server; ArcGIS Data Store (relational + tile cache)]

How do you set up a Security Certificate?
1. Generate a Certificate Signing Request (CSR)
2. Send CSR for signing
 - By a domain or well-known Certificate Authority
3. Import signed certificate

Production Considerations for Threat Mitigation and Regulatory Compliance A Brief Intro

Threat Mitigation, Prevention, and Regulatory Compliance
 - Defense in Depth Paradigm
 - Disable Services and Portal Directories
 - Restrict Cross Domain (CORS) Requests
 - Restrict ArcGIS Server System Folder Permissions
 - Disable PSA Account
 - Scan Server / Scan Portal Scripts
 - HTTPS: Protocol and Cipher Configuration

Defense In Depth Paradigm
 - Security plans have many layers: multiple levels of security
 - Layered security mechanisms increase the security of the system as a whole
 - Each feature discussed is considered a layer

How to Disable the Services Directory
Server Administrator Directory
 - System > Handlers > Rest > Servicesdirectory > edit
 - Uncheck Services Directory Enabled option
Help topic: Disable the Services Directory

Disable ArcGIS Portal Directory
https://<machinename>.domain.com/arcgis/sharing
 - Provides a browsable HTML-based representation of all Portal items: services, web maps, and content
 - Recommended: disable this to reduce the chance that your items can be browsed, found in a web search, or queried through HTML forms
[Screenshots: before and after]

How to Disable ArcGIS Portal Directory
Access the Portal Administrator Directory
 - Security > Config > Update Security Configuration
 - Set property = true

Restrict System Folder Permissions in Manager
Verify System folder permissions are limited to Administrators and Publishers only
 - Prevents potential Denial of Service due to resource consumption, service deletion, etc.
 - Usually changed from default when troubleshooting

Restrict Cross-Domain (CORS) Requests
Help: enterprise.arcgis.com > Search "cross-domain requests"
 - For JavaScript applications, a common method used to make cross-domain requests is called a CORS request (cross-origin resource sharing)
 - Required when making POST requests to Feature or GP services on a different server
[Diagram: Client Web Browser, JavaScript Web Application, ArcGIS Server]


Disable Primary Site Administrator (PSA) Account
 - Recommended: disable the PSA account to remove an alternate method of administering ArcGIS Server outside of your enterprise users
 - Access the Server Administrator Directory: Security > PSA > disable PSA account

Scan ArcGIS Enterprise for Security Checks
serverscan.py is a script in the Server installation directory
 - Location: <install directory>\arcgis\server\tools\admin
portalscan.py is a script in the Portal installation directory
 - Location: <install_directory>\arcgis\portal\tools\security
The scripts check security settings and generate a report that makes recommendations to improve security.
Pro tip: run as scheduled tasks, output to a web server directory, and view online.

SSL Protocol Configurations
https://www.ssllabs.com/ssltest/clients.html
 - TLS (and its predecessor SSL) are cryptographic protocols designed to provide secure network communication between a client and a server
 - In 10.4, both Server and Portal can be configured to limit which SSL protocol is accepted and used
 - SSLv3 is *NOT* an option at ArcGIS 10.3+
 - For organizations that are very security-aware and/or compliance focused, restricting Server and Portal to TLS 1.2 is highly recommended
[Diagram: Client App, TLS 1.0, TLS 1.2, ports 6443 and 7443, Portal for ArcGIS]

SSL Protocols and Cipher Suites
 - Portal Administrator Directory: Security > SSLCertificates
 - Server Administrator Directory: Security > Config

Compliance
ArcGIS Online: TRUST.ArcGIS.com
 - Compliance Documentation (Cloud Security Alliance, NIST 800-53, GDPR, etc.)
 - FedRAMP Tailored Low (Updated Boundary) Expected Q2
ArcGIS Enterprise:
 - Esri Managed Cloud Services: FedRAMP MODERATE Authorized (Advanced Plus Offering)
 - 10.6 STIG ArcGIS Server Stand Alone complete. 10.3 STIG still valid.
 - ArcGIS Enterprise validated, not published (yet)

Security Findings? Esri PSIRT!
https://doc.arcgis.com/en/trust/
 - Vulnerability: report a vulnerability found in our site or application.
 - Suspicious E-mail from Esri: if you believe you were targeted by a possible phishing attack from an Esri e-mail address, or have received other suspicious e-mail correspondence from Esri.
 - Privacy Issue: if you have a privacy concern related to our application or organization.
 - Other: for all other security, privacy or compliance related concerns.

Summary
 - Tokens are the Foundation of the ArcGIS Enterprise Security Model
 - ArcGIS Enterprise Supports many Authentication Options
 - Use SAML if you can
 - HTTPS *Everywhere*
 - Use CA Signed Certificates
 - Federate Server with Portal to Fully Enable the ArcGIS Enterprise
 - Use Security Scan tools to validate your baseline
 - Review advanced options to achieve compliance
