
ArcGIS and Enterprise Security - Esri

Date post: 06-Aug-2020
Page 2:

ArcGIS and Enterprise Security

Leveraging ArcGIS in Cybersecurity - Ken Stoni

Secure Enterprise ArcGIS Best Practices - Michael Young

Page 3:

Visualizing the Virtual: A geospatial approach to cyber operations and security

Ken Stoni

Page 4:

The Problem: Detection is Difficult, Cyber isn’t enough

Breach Timeline

• Compromise: 97% <= days
• Exfiltration: 72% <= days
• Discovery: 66% >= MONTHS
• Containment: 63% <= days

**70% of breaches were discovered by external parties

http://www.verizonenterprise.com/DBIR/2013/

Our Goals:

1) Detect early

2) Detect internally

3) Respond appropriately (maintenance vs security)

Page 5:

Cyberspace Re-Considered: It’s Mappable

Social / Persona Layer

Device Layer

Logical Network Layer

Physical Network Layer

Geographic Layer

• Each device in cyberspace is owned by someone (no ‘global commons’)

• Electro-mechanical devices exist in space-time and interact with physical events

• Geography is required to integrate and align cyberspace with other data

Page 6:

Cybersecurity: A common sequence of questions

Diagram labels: Destination; Compromise attempted?; Compromise Successful?; Technical Impact?; Intervention; Mission Impact?; Source; WAN; How should we respond?; Remediation; Hardening; Mission Impact; IDS/IPS; IT Inventory; Detection.

Page 7:

Four Design Patterns

Diagram labels: WAN; Mission Assurance (Cyber Supply Line); Signature Detection; Anomaly Detection; External Cyber Environment; Internal Cyber Environment; Mission Assurance; Data.

Page 8:

Detection: Selection & Trending at various scales

Diagram labels: Firewall; IDS/IPS; Source IP; Destination IP; Campus; Building; Function; City; Building; IT Inventory; 3rd Party Geo-Locators; Geocoding.
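The detection slide above joins firewall and IDS/IPS source and destination IPs to an IT inventory and third-party geo-locators so events can be selected and trended by campus, building, function or city. The following is an added example, not code from the presentation; the inventory, geo-locator table, event records and all function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed IT inventory (internal address space -> place and function).
IT_INVENTORY = [
    ("10.10.1.0/24", {"campus": "Campus #1", "building": "Bldg A", "function": "Finance"}),
    ("10.10.2.0/24", {"campus": "Campus #1", "building": "Bldg B", "function": "Engineering"}),
    ("10.20.0.0/16", {"campus": "Campus #2", "building": "Bldg C", "function": "Operations"}),
    ("10.20.5.0/24", {"campus": "Campus #2", "building": "Bldg D", "function": "Data center"}),
]
# Constructed stand-in for a third-party geo-locator (documentation IP ranges).
GEO_LOCATOR = [
    ("198.51.100.0/24", {"city": "City X"}),
    ("203.0.113.0/24", {"city": "City Y"}),
]
# Constructed firewall and IDS/IPS records.
EVENTS = [
    {"sensor": "IDS/IPS", "src": "203.0.113.7", "dst": "10.10.1.15"},
    {"sensor": "IDS/IPS", "src": "203.0.113.9", "dst": "10.10.1.22"},
    {"sensor": "Firewall", "src": "198.51.100.4", "dst": "10.20.5.8"},
    {"sensor": "Firewall", "src": "203.0.113.7", "dst": "10.20.9.1"},
    {"sensor": "IDS/IPS", "src": "10.10.2.40", "dst": "10.30.0.5"},
]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def compile_table(table):
    return [(ipaddress.ip_network(cidr), attrs) for cidr, attrs in table]


INVENTORY_NETS = compile_table(IT_INVENTORY)
GEO_NETS = compile_table(GEO_LOCATOR)


def locate(ip):
    """Return location attributes for an IP, preferring the IT inventory."""
    addr = ipaddress.ip_address(ip)
    for source, table in (("inventory", INVENTORY_NETS), ("geolocator", GEO_NETS)):
        hits = [(net, attrs) for net, attrs in table if addr in net]
        if hits:
            # Longest prefix wins when subnets overlap (a /24 inside a /16).
            _net, attrs = max(hits, key=lambda h: h[0].prefixlen)
            return {"source": source, **attrs}
    # An RFC 1918 address missing from the inventory is an unknown internal asset.
    internal = any(addr in net for net in RFC1918)
    return {"source": "unknown-internal" if internal else "unlocated"}


def enrich(event):
    """Attach source and destination locations to one event."""
    return {**event, "src_loc": locate(event["src"]), "dst_loc": locate(event["dst"])}


def trend(events, side, scale):
    """Count events per location value at one scale, e.g. ('dst', 'building')."""
    counts = Counter()
    for ev in map(enrich, events):
        loc = ev[f"{side}_loc"]
        # Fall back to the lookup source when the scale does not apply.
        counts[loc.get(scale, loc["source"])] += 1
    return counts


def inventory_gaps(events):
    """Internal addresses seen in events but absent from the IT inventory."""
    return sorted({ev[k] for ev in events for k in ("src", "dst")
                   if locate(ev[k])["source"] == "unknown-internal"})


if __name__ == "__main__":
    for scale in ("campus", "building", "function"):
        print("dst by", scale, dict(trend(EVENTS, "dst", scale)))
    print("src by city", dict(trend(EVENTS, "src", "city")))
    print("inventory gaps", inventory_gaps(EVENTS))
```

Addresses reported by `inventory_gaps` are worth following up on their own: an event that cannot be placed on the map points at an inventory that is out of date.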

Page 9:

Mission Impact: The Cyber Supply Line

Diagram labels: LAN; BldgNet; Campus #1; Campus #2; Verizon; AT&T; DISA; WAN; Mission Data Flow; Cyber Supply Line.

1. Cyber Supply Line (CSL) is a consistent path through the infrastructure
2. CSL focuses resources on only the devices that are critical
3. Managing data flows is similar to traffic routing; an Esri core competency

Page 10:

The CSL and Risk: Mission Assurance

• R_A = f(V, T)

• R = Risk, A = Asset, V = Vulnerability, T = Threat

• Asset = Data, Device, Sub-Net, Mission

• Mitigation prioritized by Likelihood & Consequence (of failure)

Cyber Supply Line

Page 11:

Effect Propagation: Multi-level Model of Data Flow

Diagram labels: Maintain Data Flow; Mission Assurance; Cyber Supply Line.

Page 12:

‘When’: Support to all stages of development

Diagram labels: Information Product (Monitoring); Information Product (Reporting); Workflow; Data; Geo-Coding; IT Inventory; MaxMind; ‘Start from Scratch’; Improve SA; Improve Reporting; Improve Performance (cheaper, quicker, more accurate); Dashboard; MS-Office Briefing Book; Existing Data; Operate -- Maintain; Monitor -- Respond; Design -- Build; Status; Risk; Cost/Schedule.

Page 13:

‘How’: Recommended Approach

Diagram labels: Collector; Database; Visualization; Analysis (repeated for three data sources); Query Widget; Analysis Widget; Existing Enterprise Network; Existing Enterprise Apps Monitoring; Environmental Data; Auxiliary Data; Dashboard; Reporting; MS-Office Briefing Book; APIs; Portal.

Page 14:

‘Why’: Information sharing leading to coordinated action

Diagram labels: Adversary; ‘Hunt Teams’; Network Ops; Network Activities; Analysis & Planning; Net Security Division; Network Engineers; Net Security Data; Net Ops Data; Monitoring; Reporting; Performance Optimization; Determine Attack Indicators; Security Community (e.g. McAfee); Threat Data; Observe & Assess; Net Model; Best Practices (e.g. NIST Framework); Enterprise Ops Center; Executives.

Page 15:

Secure Enterprise ArcGIS Best Practices

Michael E Young, Esri Principal Security Architect

Page 16:

What is a secure GIS?

Page 17:

Introduction: What is “The” Answer?

Risk

Impact

Page 18:

Trends: Controls by Industry

• Industry risk patterns

• Focus security controls

• Energy Sector High Risk Areas
- Web Application Attacks
- Crimeware
- Denial of Service (DoS) attacks

* Verizon 2014 DBIR

Page 19:

Trends

• Scenario
- OpenSSL vulnerability (HeartBleed)
- ArcGIS Online indirectly exposed through Amazon’s Elastic Load Balancer
  - Patched by Amazon within a day of vulnerability announcement
- Many pre-10.3 ArcGIS components contain a vulnerable version, but don’t utilize the vulnerable function
- ArcGIS Server for Linux before 10.3 was vulnerable (Patch available for 10.1SP1 and later)

• Lessons learned
- 3rd party / open source components are immersive across cloud and on-premises
- Many organizations still don’t have effective patch management for these underlying components
- No individual layer is foolproof
- Esri’s first cross-product vulnerability status KBA minimized confusion
- Utilize Trust.ArcGIS.com site

Open source security component vulnerability affects 2/3rd of web services

Expect More Issues with OpenSSL throughout 2015

Page 20:

Trends: 2015 and beyond

• Focus shifting from network perimeter to data
- Drives need for stronger authentication of who is accessing the data

• Mobile malware continues to grow

• APTs and malware diversification

• Unpatched systems (Windows XP end-of-life)

• Hacking the Internet of Things

Page 21:

Strategy

Page 22:

Strategy: A better answer

• Identify your security needs
- Assess your environment
  - Datasets, systems, users
  - Data categorization and sensitivity
  - Understand your industry attacker motivation

• Understand security options
- Trust.arcgis.com
- Enterprise-wide security mechanisms
- Application specific options

• Implement security as a business enabler
- Improve appropriate availability of information
- Safeguards to prevent attackers, not employees

Page 23:

Strategy: Enterprise GIS Security Strategy

Security Risk Management Process Diagram - Microsoft

Page 24:

Strategy: Esri Products and Solutions

• Secure Products
- Trusted geospatial services
- Individual to organizations
- 3rd party assessments

• Secure Enterprise Guidance
- Trust.ArcGIS.com site
- Online Help

• Secure Platform Management
- SaaS Functions & Controls
- Certifications / Compliance

ArcGIS

Page 25:

Strategy: Security Principles

Diagram labels: CIA Security Triad; Availability.

Page 26:

Strategy: Defense in Depth

• More layers does NOT guarantee more security

• Understand how layers/technologies integrate

• Simplify

• Balance People, Technology, and Operations

• Holistic approach to security

Diagram labels: Technical Controls; Policy Controls; Physical Controls; Data and Assets.

Page 27:

Mechanisms

Page 28:

Mechanisms

Page 29:

Mechanisms: Authentication

• GIS Tier (Default)
- Built-in User store
- Enterprise (AD / LDAP)
- ArcGIS Tokens

• Web Tier (Add web adaptor)
- Enterprise (AD / LDAP)
- Any authentication supported by web server
- HTTP Basic / Digest
- PKI
- Windows Integrated

Diagram labels: Publish Services; Connect to ArcGIS Server Manager; Web, mobile, and desktop clients; GIS Server administrators; ArcGIS for Desktop users; Data server; GIS server(s); Web server; Web Adaptor.

Page 30:

Mechanisms: Authorization – Role-Based Access Control

• Esri COTS
- Assign access with ArcGIS Manager
- Service Level Authorization across web interfaces
- Services grouped in folders utilizing inheritance

• 3rd Party
- Web Services
  - Conterra’s Security Manager (more granular)
- RDBMS
  - Row Level or Feature Class Level
  - Versioning with Row Level degrades performance
    - Alternative - SDE Views
- URL Based
  - Web Servers & Intercept offerings such as CA’s SiteMinder

Page 31:

Mechanisms: Filters – 3rd Party Options

• Firewalls
• Reverse Proxy
• Web Application Firewall
• Anti-Virus Software
• Intrusion Detection / Prevention Systems

Page 32:

Mechanisms: Encryption – 3rd Party Options

• Network
- IPSec (VPN, Internal Systems)
- SSL/TLS (Internal and External System)
- Cloud Encryption Gateways
  - Only encrypted datasets sent to cloud

• File Based
- Operating System – BitLocker
- GeoSpatial PDF with Certificates
- Hardware (Disk)

• RDBMS
- Transparent Data Encryption (TDE)

Page 33:

Mechanisms: Logging/Auditing

• Esri COTS
- Geodatabase history
  - Track changes
- ArcGIS Workflow Manager
  - Track detailed Feature based activities
- ArcGIS Server 10+ Logging
  - “User” tag added

• 3rd Party
- Logs - Web Server, RDBMS, OS, Firewall
  - Consolidate with a SIEM
- Geospatial monitors
  - Upcoming – GIS Management pack for MS System Center
  - Esri – System Monitor
  - Vestra – GeoSystems Monitor
  - Geocortex Optimizer

Page 34:

ArcGIS Server

Page 35:

ArcGIS Server: Enterprise Deployment

Diagram labels: Internet; 443; Firewall; WAF, SSL Accel, Load Balancer; Network Load Balancing; Web Server A; Web Server B; IIS/Java Web Server; Web Apps; Web Adaptor; Port: 80; Web Adaptor Round-Robin; GIS Server A; GIS Server B; ArcGIS for Server; GIS Services; Server Request Load Balancing; Port: 6080; ArcGIS Site; HA NAS; Config Store; Directories; FGDB; Clustered; HA DB1; HA DB2; Supporting Infrastructure; AD / LDAP; Auth Web Server; Port: 443; SQL; ADFS / SAML 2.0; ADFS Proxy.

Page 36:

ArcGIS Server: Minimize Attack Surface

• Don’t expose Server Manager to public
• Disable Services Directory
• Disable Service Query Operation (as feasible)
• Enable Web Service Request Filtering
- Windows 2008 R2+ Request Filtering
- XML Security Gateway Better
• Limit utilization of commercial databases under website
- File GeoDatabase can be a useful intermediary (SQL injection does not work)
• Require authentication to services

Figure: Attack surface over time (axes: Attack surface, Time)
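One way to confirm the attack-surface settings on this slide actually hold is to audit the web tier's access log for requests from outside the organization that were served by Server Manager, the administrator API, the HTML Services Directory or a layer query operation. This is an added example, not code from the presentation or from Esri; the log layout, the internal address ranges, the `/arcgis` site name and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# Assumptions: internal ranges, the "/arcgis" site name and the log layout.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed web-tier access log: client IP, request line, HTTP status.
SAMPLE_LOG = """\
203.0.113.10 "GET /arcgis/manager/ HTTP/1.1" 200
10.1.2.3 "GET /arcgis/manager/ HTTP/1.1" 200
203.0.113.10 "GET /arcgis/admin/login HTTP/1.1" 403
198.51.100.22 "GET /arcgis/rest/services HTTP/1.1" 200
198.51.100.22 "GET /arcgis/rest/services/Parcels/MapServer?f=json HTTP/1.1" 200
198.51.100.23 "GET /arcgis/rest/services/Parcels/MapServer/0/query?where=1%3D1&f=json HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3})$')
QUERY_OP_RE = re.compile(r"/(map|feature)server/\d+/query$")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(path, params):
    """Map a request path to the hardening item it contradicts, if any."""
    p = path.lower().rstrip("/")
    if p.startswith("/arcgis/manager"):
        return "server-manager-reachable"
    if p.startswith("/arcgis/admin"):
        return "admin-api-reachable"
    if p.startswith("/arcgis/rest/services"):
        if QUERY_OP_RE.search(p):
            return "query-operation-served"
        # The Services Directory is the HTML view; f=json calls are API traffic.
        if params.get("f", ["html"])[0].lower() == "html":
            return "services-directory-served"
    return None


def audit(log_text):
    """Return (client, finding, path) for served requests from external clients."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ip, _method, target, status = m.groups()
        # Blocked requests (non-2xx) and internal clients are not findings.
        if is_internal(ip) or not status.startswith("2"):
            continue
        url = urlsplit(target)
        finding = classify(url.path, parse_qs(url.query))
        if finding:
            findings.append((ip, finding, url.path))
    return findings


if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(*row)
```

The 403 on the administrator API and the internal Manager session are deliberately not reported: the first shows a control working, the second is expected use.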

Page 37:

ArcGIS Server: New Security Hardening Guidelines

• Establishing guidelines with DISA
- Create Security Technical Implementation Guides (STIGs)
- First STIG will be Windows based ArcGIS Server 10.3
  - Other STIGs will be performed based on demand

• Expected completion in 2015

• Post STIG completion
- STIG will be an input for an ArcGIS Server Security Hardening guide for general distribution
- Additional enterprise component integration testing and best practice recommendations to be incorporated

Page 38:

ArcGIS Server: Awareness of Relative Risk

• New relative risk insights for geospatial services
• Optional mitigation measures to reduce risk

Table: Relative Service Risk and Security Hardened Settings (columns: Service; Capability; Default when Enabled; Security Hardened)

Legend: Red = Higher risk; Yellow = Average risk; Green = Low risk

Service and capability rows:
• Map: Mapping, Query
• Feature: Read, Edit, Sync
• Geocoding: Geocode
• Geodata: Query, Data Extraction, Replica
• Geoprocessing: Geoprocessing
• Image: Imaging, Edit, Upload

Page 39:

ArcGIS Server: Enhancements

• Single-Sign-On (SSO) for Windows Integrated Authentication
- Works across ArcGIS for Server, Portal, and Desktop

• Stronger PKI validation
- Leverage multi-factor authentication when accessing applications, computers, and devices
- Web adaptor deployed to web server forwards to AGS the request and username

• Integrated account management and publishing capabilities
- Across ArcGIS for Server and Portal in a federated configuration

• Key SQL Injection vulnerabilities addressed since 10.2 with Standardized Queries

• Add support for
- Active Directory nested groups & domain forests
- Configuring Private and Public services within the same ArcGIS Server site

Page 40:

ArcGIS Server: Single ArcGIS Server machine

Front-ending GIS Server with Reverse Proxy or Web Adaptor

Diagram labels: Site Administrators; Connect to Manager; GIS server, Data, Server directories, Configuration Store; Desktop, Web, and Mobile Clients; 6080/6443; 80/443 Web Adaptor.

Page 41:

ArcGIS Server: ArcGIS Server HA - Sites independent of each other

Diagram labels: Site Administrators; Connect to Manager; 80; 6080; Server directories, Configuration Store (duplicated between sites); ArcGIS Server site; Web Adaptors (optional); Network Load Balancer (NLB); Desktop, Web, and Mobile Clients.

• Active-active configuration is shown
- Active-passive is also an option

• Separate configuration stores and management
- Scripts can be used to synchronize

• Cached map service for better performance

• Load balancer to distribute load

Page 42:

ArcGIS Server: ArcGIS Server HA – Shared configuration store

Diagram labels: 80; 6080; Site Administrators; Connect to Manager; Web Adaptors; Network Load Balancer (NLB); Desktop, Web, and Mobile Clients; GIS servers; Data server, Data (enterprise geodatabase), Server directories, Configuration Store.

• Shared configuration store

• Web Adaptor will correct if server fails

• Config change affects whole site
- Example: publishing a service

• Test configuration changes

Page 43:

Cloud

Page 44:

Cloud: Service Models

• On-Premises
- Traditional systems infrastructure deployment
- Portal for ArcGIS & ArcGIS Server

• IaaS
- Portal for ArcGIS & ArcGIS Server
- Some Citrix / Desktop

• SaaS
- ArcGIS Online
- Esri Managed Cloud Services

Diagram labels: Decreasing Customer Responsibility; Customer Responsible End to End; Customer Responsible For Application Settings.

Page 45:

Cloud: Deployment Models

Diagram labels: Cloud; On-premise; On-Prem; On-Prem +; ArcGIS Online + On-Prem; ArcGIS Online + EMCS; Public; Intranet; Portal; Server; Online; Read-only Basemaps.

Page 46:

Cloud: Management Models

• Self-Managed
- Your responsibility for managing IaaS deployment security

• Provider Managed
- Esri Managed Cloud Services
  - New FedRAMP Moderate Compliant (part of Advanced Plus option)

Page 47:

Cloud: Responsibility Across Deployment Options

Diagram labels: On-premises; Esri Images & Cloud Builder; Esri Managed Cloud Services, FedRAMP Moderate Compliant; ArcGIS Online, FISMA Low ATO; ArcGIS; OS/DB/Network; Security Infrastructure; No Security Infrastructure by default; Virtual / Physical Servers; Cloud Infrastructure (IaaS).

Legend: Customer Responsibility; Esri Responsibility; CSP Responsibility; Esri Compliance & ATO Scope; IaaS ATO Scope.

Page 48:

Diagram labels: Cloud Infrastructure (Hypervisor, TCP/IP, Network ACLs, Routing, Storage, Hardware); EMCS Security Infrastructure; Web Application Firewall (WAF); ArcGIS for Portal; ArcGIS Server; Intrusion Detection (IDS / SIEM); Centralized Management (Backup, CM, AV, Patch, Monitor); Authentication/Authorization (LDAP, DNS, PKI); AWS; Customer Infrastructure; Public-Facing Gateway; Security Ops Center (SOC); Esri Administrators; End Users; Dedicated Customer Application Infrastructure; Common Security Infrastructure; Active/Active Redundant across two Cloud Data Centers; Agency Application Security; Relational Database; Esri Admin Gateway; Common Cloud Infrastructure; Bastion Gateway MFA; Security Service Gateway; DMZ; File Servers.

Legend: Cloud Provider.

Page 49:

Cloud: Hybrid deployment combinations

On-Premises
• Ready in months/years
• Behind your firewall
• You manage & certify

Esri Managed Cloud Services
• Ready in days
• All ArcGIS capabilities at your disposal in the cloud
• Dedicated services
• FedRAMP Moderate

ArcGIS Online
• Ready in minutes
• Centralized geo discovery
• Segment anonymous access from your systems
• FISMA Low

Diagram labels: Users; Apps; Anonymous Access.

. . . All models can be combined or separate

Page 50:

Cloud: Standards

• Enterprise Logins
- SAML 2.0 - Provides federated identity management
- Integrate with your enterprise LDAP / AD
- Added to Portal for ArcGIS 10.3

• APIs to Manage users & app logins
- Developers can utilize OAuth 2-based APIs
- https://developers.arcgis.com/en/authentication/

Page 51:

Compliance

Page 52:

Compliance: Products and Services

• ArcGIS Online
- FISMA Low Authority To Operate (ATO) by USDA
- FedRAMP - Upcoming

• Esri Managed Cloud Services (EMCS)
- FedRAMP Moderate (Jan 2015)

• ArcGIS Desktop
- FDCC (versions 9.3-10)
- USGCB (versions 10.1+)
- ArcGIS Pro (Expected Q1 2015)

Page 53:

Compliance: Corporate Operations

• ISO 27001
- Esri’s Corporate Security Charter

• Privacy Assurance
- US EU/Swiss SafeHarbor self-certified
- TRUSTed cloud certified

• SSAE 16 Type 1 – Previously SAS 70
- Esri Data Center Operations
- Expanded to Managed Services in 2012

Page 54:

Compliance: Cloud Infrastructure Providers

• ArcGIS Online Utilizes World-Class Cloud Infrastructure Providers
- Microsoft Azure
- Amazon Web Services

Cloud Infrastructure Security Compliance

Diagram labels: SSAE16 SOC1 Type2; Moderate.

Page 55:

Compliance: ArcGIS Online Assurance Layers

Diagram labels: Web App Consumption; ArcGIS Management; Web Server & DB software; Operating system; Instance Security; Management; Hypervisor; Physical; Customer; Esri; Cloud Providers.

Assurance labels: Cloud Provider: ISO 27001, SSAE16, FedRAMP Mod; AGOL SaaS: FISMA Low (USDA), SafeHarbor (TRUSTe).

Page 56:

Summary

Page 57:

Summary

• Geospatial solutions can facilitate cybersecurity

• Security demands rapidly evolving
- Prioritize efforts according to your industry and needs
- Don’t just add components, simplified Defense In Depth

• Secure Best Practice Guidance is Available
- Check out the ArcGIS Trust Site!
- ArcGIS Security Architecture Workshop
  - [email protected]

Page 58:

Thank you! Give us your feedback!

www.esri.com/ratemyPUGsession
