Design: Delivering Secure Solutions

1
Design: Delivering Secure Solutions
  • Michael Young
  • ESRI Senior Enterprise Architect
  • Certified Information Systems Security
    Professional (CISSP)

Version 1.2
2
Agenda
  • Intro
  • ESRI's GIS Security Strategy
  • Enterprise-wide Security Mechanisms
  • Application Security
  • Enterprise GIS Security Patterns
  • Current Security Trends
  • Scope of ESRI Security Efforts
  • ESRI's Next Steps Supporting Secure Solutions

3
Intro: Goals for this session
  • Communicate ESRI's plans to meet your security needs
  • Open discussions to incorporate your input

4
Intro: Security Industry Challenges
  • Service Oriented Architecture (SOA)
  • Virtualized systems
  • Cloud computing
  • Application vulnerabilities

5
Intro: General Security Principles
  • CIA Security Triad
    • Confidentiality: prevent intentional or unintentional unauthorized disclosure
    • Integrity: prevent unauthorized data modifications
    • Availability: ensure reliable and timely access to data

6
Intro: General Security Principles
  • Defense in depth
    • Enterprise-wide initiative
    • Multiple layers
    • Beyond technology solutions
  • Security zone based architecture

7
Intro: General Security Principles
  • Maintain defenses against the different stages of an attack
    • Initial compromise
    • Causing damage
    • Long-term reconnaissance

8
ESRI's GIS Security Strategy
9
ESRI's Security Strategy: Two Reinforcing Trends

                 Discrete products and services    ->   Enterprise platform and services
  ESRI           exploiting 3rd party security          exploiting embedded and 3rd party
                 functionality                          security functionality
  IT/Security    Isolated systems, relying on           Integrated systems with discretionary
                 solution security validation           access, relying on product and
                                                        solution security validation
10
ESRI's Security Strategy: Interdependent Capabilities
  • Secure GIS products
    • ESRI develops products that incorporate security industry best practices and are trusted across the globe to provide geospatial services that meet the needs of individual users and entire organizations
  • Secure GIS solution guidance
    • July release of the Enterprise GIS Resource Center, containing security best practice guidance and documentation

11
Enterprise-wide Security Mechanisms
12
Enterprise-Wide Security Mechanisms: Overview
  • Authentication
  • Authorization
  • Filters
  • Encryption
  • Logging/Auditing

13
Enterprise-Wide Security Mechanisms: Authentication
  • ArcGIS Authentication Options
    • Default of none
    • Local connection
    • IIS web server authentication
    • Java EE container managed
    • Server Token Service
    • Forms based
    • Multiple concurrent methods
  • ArcGIS 9.3 Token Service
    • Cross-platform: .NET and Java
    • Cross-API: SOAP and REST
    • Cross-product: Desktop, Explorer, web services and applications
  • 3rd Party
    • Public Key Infrastructure (PKI)
    • Single Sign-On (SSO)
    • Windows Integrated
    • LDAP

  Authentication Method               | Protocol              | Description                                                    | User Credential Encryption
  Basic / Digest / Windows Integrated | HTTP (SSL optional)   | Uses the browser's built-in pop-up login dialog box            | Basic: none, unless using SSL
  Form-based                          | HTTP (SSL optional)   | Application provides its own custom login and error pages      | None, unless using SSL
  Client Certificate                  | HTTPS (HTTP over SSL) | Server authenticates the client using a public key certificate | SSL
  ESRI Token                          | HTTP (SSL optional)   | Cross-platform, cross-API authentication                       | AES-128 (the issued token)

  Notes on the last column: Digest and Windows Integrated (NTLM/Kerberos) are challenge-response schemes, so the password itself is not sent on the wire even without SSL, but everything after the login still travels in clear. The AES-128 figure covers the token only; the username and password submitted to obtain a token, and the token attached to each later request, are exposed unless the token service and the services themselves are reached over SSL.
14
Enterprise-Wide Security Mechanisms: Authorization
  • Role Based Access Control (RBAC)
  • ESRI COTS
    • ArcGIS authorization across product lines, down to the service level
    • Use ArcGIS Manager to assign access to services
    • Services can be grouped into folders, which use inheritance to ease management
  • 3rd Party
    • RDBMS row level or feature class level
    • Multi-versioned instances may significantly degrade RDBMS performance
    • Alternative is SDE views
  • Custom: limit the GUI
    • Rich clients via ArcObjects
    • Web applications
    • Check out the sample code (search for "EDN Common Security")
    • Try out Microsoft's AzMan (Authorization Manager) tool

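The folder/service inheritance described above, as an added example (not ESRI code): a role check that walks from the service up through its folders so that the most specific setting wins, with an explicit service entry overriding its folder. The permission store (two dicts keyed by path), the default-deny root, and the sample roles and services are assumptions made for this example; ArcGIS Server Manager keeps its own store.

```python
"""Added example (not ESRI code): service-level RBAC with folder inheritance.

The permission model is an assumption for this example: ArcGIS Server Manager
keeps its own permission store, and this only reproduces the behaviour the slide
describes (services inherit their folder's roles unless given an explicit setting).
"""
from __future__ import annotations

from dataclasses import dataclass, field

EVERYONE = "*"   # marker meaning the resource is public (no role required)


@dataclass
class Permissions:
    # folder path -> roles allowed; "/" is the root folder
    folders: dict[str, set[str]] = field(default_factory=dict)
    # service path -> explicit roles; a service missing here inherits its folder
    services: dict[str, set[str]] = field(default_factory=dict)

    def effective_source(self, service_path: str) -> tuple[str, set[str]]:
        """Return (path that decides, roles). Walks from the service to the root,
        so the most specific setting wins. No setting at all means deny."""
        if service_path in self.services:
            return service_path, self.services[service_path]
        folder = service_path.rsplit("/", 1)[0] or "/"
        while True:
            if folder in self.folders:
                return folder, self.folders[folder]
            if folder == "/":
                return "/", set()          # default deny, not default allow
            folder = folder.rsplit("/", 1)[0] or "/"

    def is_authorized(self, user_roles, service_path: str) -> bool:
        _, roles = self.effective_source(service_path)
        return EVERYONE in roles or not roles.isdisjoint(user_roles)


def demo_permissions() -> Permissions:
    """Constructed sample: root is public, /Internal needs 'staff', /Internal/HR
    narrows to 'hr', and one HR service is explicitly widened back to staff."""
    return Permissions(
        folders={"/": {EVERYONE}, "/Internal": {"staff"}, "/Internal/HR": {"hr"}},
        services={"/Internal/HR/Directory": {"staff", "hr"}},
    )


if __name__ == "__main__":
    perms = demo_permissions()
    for roles, svc in [([], "/Public/Basemap"), (["staff"], "/Internal/HR/Salaries"),
                       (["staff"], "/Internal/HR/Directory")]:
        src, allowed = perms.effective_source(svc)
        print(f"{svc}: decided by {src} {sorted(allowed)} -> {perms.is_authorized(roles, svc)}")
```

The `effective_source` walk is also what an administrator wants when auditing a deployment: it answers "which folder setting is actually exposing this service", which is the question a flat list of service permissions does not. Row-level restrictions inside a service still need the RDBMS or SDE view approach from the slide; this check stops at the service boundary.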
15
Enterprise-Wide Security Mechanisms: Filters
  • 3rd Party
    • Firewalls
    • Reverse proxy
      • Common implementation option
      • MS now has free reverse proxy code for IIS 7 (Windows 2008)
      • Looking into providing baseline filters
    • Web Application Firewall
      • Looking into providing baseline guidance for ModSecurity
    • Anti-virus software
    • Intrusion Detection / Prevention Systems
  • Custom
    • Limit the applications able to access the geodatabase

16
Enterprise-Wide Security Mechanisms: Encryption
  • 3rd Party
  • Network
    • IPSec (VPN, internal systems)
    • SSL/TLS (internal and external systems)
  • File based
    • Operating system (BitLocker)
    • Geospatially enabled PDFs
    • Hardware (disk)
  • RDBMS
    • Transparent Data Encryption (TDE)
    • Low-cost portable solution: SQL Express 2008 with TDE (verify that the edition in use actually supports TDE; in SQL Server 2008 it shipped as an Enterprise-edition feature)

17
Enterprise-Wide Security Mechanisms: Logging/Auditing
  • ESRI COTS
    • Geodatabase history may be utilized for tracking changes
    • JTX workflow tracking of feature-based activities
    • ArcGIS Server logging
  • Custom
    • ArcObjects component that outputs GML of feature-based activities
  • 3rd Party
    • Web server
    • RDBMS
    • OS

18
Application Security
19
Application Security: Overview
  • Rich Client Applications
  • Web Applications
  • Web Services
  • Online Services
  • Mobile

20
Application Security: Rich Client Applications
  • ArcObjects development options
    • Record user-initiated GIS transactions
    • Fine-grained access control: Edit, Copy, Cut, Paste and Print
    • Interface with centrally managed security infrastructure (LDAP)
    • Integration with the server Token Authentication Service
    • Windows native authentication
  • Client/server communication
    • Direct Connect (RDBMS)
    • Application Server Connect (SDE)
    • HTTP service (GeoData Service)
    • SSL and IPSec utilization

21
Application Security: Web Applications
  • ArcGIS Server Manager
    • Automates standard security configuration of web apps in ASP.NET and Java EE
    • E.g. modifies the web.config file of an ASP.NET application
  • Application interfaces
    • .NET and Java ADFs: out-of-the-box integration with the token security service
    • REST APIs (JavaScript, Flex, Silverlight)
      • Can embed the token in the URL (simple, but the token is then visible in client code, logs and browser history)
      • Better solution is to dynamically generate the token
    • Don't forget to protect access to your client code

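The token exchange behind the Authentication slide's token service and the "dynamically generate the token" advice above, as an added example that is not ESRI's code: a credential is exchanged once for a short-lived token bound to the calling client, and every service request is checked against that token. Assumptions made for this example: the token is an HMAC-SHA256-signed "username|client|expiry" string (the real ArcGIS token is AES-128 encrypted and its layout is not shown on the slides), and the user store, salt and sample values are constructed for the demo.

```python
"""Added example (not ESRI code): the pattern behind a token service.

Token service side: verify the credential once, issue a signed token that expires
and is bound to the requesting client. Service side: accept a request only if the
token is intact, unexpired and presented by the client it was issued to.
Assumed format: HMAC-SHA256 over "username|client|expiry" (not the ArcGIS layout).
"""
import base64
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)   # lives only on the token service host


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed user store: salted PBKDF2 hashes, never plaintext passwords.
_SALT = b"constructed-demo-salt"


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"gisuser": hash_password("correct horse battery")}


def generate_token(username, password, client, lifetime_s=900, now=None):
    """Token-service side. Verify the credential and issue a token that expires
    after lifetime_s seconds and is only valid when presented by `client`
    (a referer or IP in the ArcGIS case). Returns None on bad credentials."""
    now = int(time.time()) if now is None else now
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, hash_password(password)):
        return None
    if "|" in username or "|" in client:
        return None                         # keep the delimiter unambiguous
    payload = f"{username}|{client}|{now + lifetime_s}".encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return b64url_encode(payload) + "." + b64url_encode(sig)


def validate_token(token, client, now=None):
    """Service side. Return the username for an intact, unexpired token presented
    by the client it was issued to; None for anything else. A token copied out
    of a URL into another site or script fails the client check."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = b64url_decode(payload_b64), b64url_decode(sig_b64)
        username, bound_client, expiry = payload.decode().split("|")
        expiry = int(expiry)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None                         # edited username/expiry, or forged
    if expiry <= now or bound_client != client:
        return None                         # expired, or replayed elsewhere
    return username


if __name__ == "__main__":
    site = "https://maps.example"
    tok = generate_token("gisuser", "correct horse battery", site, now=1000)
    print("fresh, same client:", validate_token(tok, site, now=1500))
    print("after expiry:      ", validate_token(tok, site, now=2000))
    print("other client:      ", validate_token(tok, "https://evil.example", now=1500))
```

This is why a token pasted into a URL template is the weaker option: it stops working at expiry, and if the service binds tokens to a referer or IP it also stops working for anyone who lifts it out of the page. A client that requests a fresh token shortly before expiry, using a credential that is prompted for or read from a vault rather than hard-coded, keeps nothing long-lived in its source.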
22
Application Security: Web Services
  • ArcGIS Server Manager
    • Set permissions on folders as well as individual services
    • Restricting access to some services but not others is only available for Internet (HTTP) connections
    • Local (DCOM) service requests to ArcGIS Server can be removed entirely by emptying the AGSUsers group
    • Secures access to all ArcGIS Server web interfaces
  • REST
    • The service directory is on by default; disable it if you don't want your services browsable
  • SOAP
    • WS-Security can be addressed by 3rd party XML/SOAP gateways
  • OGC
  • KML

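The request filter a reverse proxy (Filters slide) would apply in front of the REST endpoints above, as an added example that is not ESRI's or Microsoft's code: publish only allow-listed folders, refuse the browsable service directory, and reject requests that try to reach other endpoints through path tricks. The URL layout (/arcgis/rest/services/<folder>/<service>/<type>) follows the ArcGIS REST convention and the ArcGIS REST API renders the HTML view when `f` is omitted; the allow-list contents and the set of service types are assumptions made for this example.

```python
"""Added example (not ESRI or Microsoft code): an allow-list filter for a
reverse proxy in front of ArcGIS Server REST services.

Assumptions: only the folders in PUBLISHED_FOLDERS are meant to be reachable from
outside; f=html (the ArcGIS REST default when f is absent) is the browsable
service directory and is refused; Manager, admin and SOAP paths are never proxied.
"""
from urllib.parse import parse_qs, unquote, urlsplit

PUBLISHED_FOLDERS = {"public"}                                   # compared case-insensitively
SERVICE_TYPES = {"mapserver", "featureserver", "geocodeserver", "gpserver"}
DIRECTORY_FORMATS = {"html"}                                     # the browsable directory view


def path_segments(raw_path):
    """Decode the path once, then refuse anything that still looks encoded
    (double encoding), uses traversal, backslashes or empty segments."""
    path = unquote(raw_path)
    if "%" in path or "\\" in path or "\x00" in path:
        return None
    if not path.startswith("/"):
        return None
    segments = path.rstrip("/").split("/")[1:]
    if any(s in ("", ".", "..") for s in segments):
        return None
    return segments


def decide(request_target):
    """Return (allowed, reason) for an origin-form request target such as
    '/arcgis/rest/services/Public/Roads/MapServer/export?f=json'."""
    parts = urlsplit(request_target)
    if parts.scheme or parts.netloc:
        return False, "absolute-form or protocol-relative target"
    segments = path_segments(parts.path)
    if segments is None:
        return False, "malformed, encoded or traversal path"
    lowered = [s.lower() for s in segments]
    if lowered[:3] != ["arcgis", "rest", "services"]:
        return False, "not a REST services path (Manager, admin and SOAP stay internal)"
    rest = segments[3:]
    if len(rest) < 3:
        return False, "root or folder listing (service directory)"
    folder, service, stype = rest[0], rest[1], rest[2]
    if folder.lower() not in PUBLISHED_FOLDERS:
        return False, f"folder {folder!r} is not published"
    if stype.lower() not in SERVICE_TYPES:
        return False, f"unknown service type {stype!r}"
    fmt = parse_qs(parts.query).get("f", ["html"])[0].lower()   # html is the REST default
    if fmt in DIRECTORY_FORMATS:
        return False, "HTML service directory view is disabled"
    return True, f"{folder}/{service}/{stype}"


if __name__ == "__main__":
    for target in ["/arcgis/rest/services/Public/Roads/MapServer/export?f=json",
                   "/arcgis/rest/services/Public/Roads/MapServer",
                   "/arcgis/rest/services/Public/%2e%2e/Internal/Parcels/MapServer/export?f=json",
                   "/arcgis/manager/"]:
        print(target, "->", decide(target))
```

Decode once and then reject anything still containing `%`: decoding repeatedly is how `%252e%252e` turns back into `..` after the check has already passed. Comparing folder and type names case-insensitively matters because IIS treats `/ArcGIS/REST/Services/PUBLIC/` and `/arcgis/rest/services/Public/` as the same resource.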
23
Application Security: Online Services
  • New ArcGIS Online Search and Share
    • Central resource for easily accessing, storing and sharing maps
  • A membership system
    • You control access to items you share
    • You are granted access to items shared by others
    • You join and share information using groups
    • Organizations self-administer their own users and groups
  • Site security is similar in approach to other social networking sites
    • Not meant for highly confidential or proprietary data

24
Application Security: Mobile
  • ArcPad
    • Password protect and encrypt the AXF data file
    • Encrypt mobile device memory cards
    • Secure your ArcGIS Server environment with users and groups to limit who can publish ArcPad data
    • Secure the internet connection used for synchronizing ArcPad data
  • ArcGIS Mobile
    • Encrypt communication via HTTPS (SSL) or a VPN tunnel to the GeoData Service
    • Utilization of the Token Service
    • Web service credentials
    • Consider utilizing the Windows Mobile Crypto API
    • Third party tools for the entire storage system

25
Secure Enterprise GIS Patterns
26
Secure GIS Patterns
  • ESRI is providing security implementation patterns to help solve recurring security problems in a proven, successful way
  • ESRI's patterns leverage the National Institute of Standards and Technology (NIST) guidelines for securing information systems
  • Patterns are based on risk:
    • Basic security risk implementations
    • Standard security risk implementations
    • Advanced security risk implementations

To prioritize information security and privacy
initiatives, organizations must assess their
business needs and risks
27
Secure GIS Patterns: Choosing the Appropriate Risk Level Pattern
  • How does a customer choose the right pattern?
    • Formal: NIST security categorization process
    • Informal: simple scenarios ESRI customers can relate to
  • Formal pattern selection
    • NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories

28
Secure GIS Patterns: Informal Pattern Selection
  • Basic Risk Pattern
    • No sensitive data; public information
    • All architecture tiers can be deployed to one physical box
  • Standard Risk Pattern
    • Moderate consequences for data loss or integrity
    • Architecture tiers are separated onto separate systems
    • Potential need for federated services
  • Advanced Risk Pattern
    • Sensitive data
    • All components redundant for availability
    • 3rd party enterprise security components utilized

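The formal selection route from the previous slide (NIST SP 800-60) applied to the informal Basic/Standard/Advanced tiers above, as an added example that is not an ESRI tool: each information type on a system is rated Low/Moderate/High for confidentiality, integrity and availability, the system's rating per objective is the maximum over its information types, and the overall category is the maximum over the three objectives (the FIPS 199 "high water mark" that SP 800-60 applies). The mapping Low to Basic, Moderate to Standard, High to Advanced, and the sample information types and their ratings, are assumptions made for this example.

```python
"""Added example (not an ESRI tool): formal pattern selection via the FIPS 199
high-water-mark rule used by NIST SP 800-60.

Assumptions: Low->Basic, Moderate->Standard, High->Advanced; sample information
types and ratings are constructed for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


NOT_APPLICABLE = None   # FIPS 199 allows N/A for confidentiality of public data only
PATTERN_FOR = {Impact.LOW: "Basic", Impact.MODERATE: "Standard", Impact.HIGH: "Advanced"}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass
class SecurityCategory:
    confidentiality: Optional[Impact]
    integrity: Impact
    availability: Impact
    drivers: dict[str, str]   # objective -> information type that set its level

    @property
    def overall(self) -> Impact:
        """High water mark across the three objectives."""
        return max(level for level in (self.confidentiality, self.integrity, self.availability)
                   if level is not NOT_APPLICABLE)

    @property
    def pattern(self) -> str:
        return PATTERN_FOR[self.overall]


def categorize(info_types: dict[str, tuple]) -> SecurityCategory:
    """info_types maps a name to (confidentiality, integrity, availability) impacts.
    Per objective, the system takes the highest impact of any information type."""
    if not info_types:
        raise ValueError("a system carries at least one information type")
    level: dict[str, Impact] = {}
    drivers: dict[str, str] = {}
    for name, ratings in info_types.items():
        for objective, impact in zip(OBJECTIVES, ratings):
            if impact is NOT_APPLICABLE:
                if objective != "confidentiality":
                    raise ValueError(f"{name}: only confidentiality may be N/A")
                continue
            if impact > level.get(objective, 0):
                level[objective] = impact
                drivers[objective] = name      # remember what pushed the mark up
    return SecurityCategory(level.get("confidentiality"), level["integrity"],
                            level["availability"], drivers)


# Constructed sample systems (ratings are illustrative, not ESRI's).
PUBLIC_BASEMAP_SITE = {"public basemaps": (NOT_APPLICABLE, Impact.LOW, Impact.LOW)}
PUBLIC_MAP_PORTAL = {
    "public basemaps": (NOT_APPLICABLE, Impact.LOW, Impact.LOW),
    "published parcel boundaries": (NOT_APPLICABLE, Impact.MODERATE, Impact.LOW),
}
EMPLOYEE_ASSET_SYSTEM = {
    "public basemaps": (NOT_APPLICABLE, Impact.LOW, Impact.LOW),
    "employee home addresses": (Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "critical infrastructure locations": (Impact.HIGH, Impact.HIGH, Impact.MODERATE),
}

if __name__ == "__main__":
    for label, system in [("basemap site", PUBLIC_BASEMAP_SITE),
                          ("map portal", PUBLIC_MAP_PORTAL),
                          ("asset system", EMPLOYEE_ASSET_SYSTEM)]:
        cat = categorize(system)
        print(f"{label}: {cat.overall.name} -> {cat.pattern} pattern, driven by {cat.drivers}")
```

The `drivers` record is the practical part: it shows which dataset is pulling a whole system into the Advanced tier. In the constructed asset system it is the critical infrastructure layer; moving that dataset to its own system drops the rest to Standard, which is the dataset separation the Advanced pattern recommends.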
29
Secure GIS Patterns: Basic Security
  • Common Basic Security Environment Attributes
    • Utilize data and API downloads from cloud computing environments
    • Secure services and web applications with the ArcGIS Token Service
    • Separate internal systems from Internet access with a DMZ
    • Utilize a reverse proxy to avoid DCOM across firewalls

30
Secure GIS Patterns: Standard Security
  • Common Standard Security Environment Attributes
  • Authentication/Authorization
    • No static storage of ArcGIS tokens in application code
    • Multi-factor authentication utilized for remote system access
  • Network
    • Partitioning system functions such as Web, Database and Management by VLANs
    • Servers have separate network connections for management traffic
    • Add a web application firewall (e.g. ModSecurity) to the reverse proxy server
    • Utilize host-based firewalls on systems
  • Systems Management
    • Can utilize data from cloud computing environments, but keep local copies
    • Avoid internal clients consuming external services for API downloads
    • Redundant components for high availability; low-cost load balancers such as MS NLB can be utilized
    • Utilize intrusion prevention/detection systems
    • Implement least privilege
    • Ensure separation of duties
    • Lock down system ports, protocols and services (whitepaper available)
    • Standardize system images for clients and servers (SMS)

31
Secure GIS Patterns: Advanced Security
  • Common Advanced Security Environment Attributes
    • Minimal reliance on external data/systems
  • Data Management
    • Separate datasets (e.g. Public, Employees, Subset of Employees)
    • Consider utilizing explicit labels on information, source and destination objects
    • Clustered database for high availability
    • Utilization of Transparent Data Encryption for storage of sensitive data
  • Authentication/Authorization
    • Utilize 3rd party security products for service and web application authentication and authorization
    • Utilize Public Key Infrastructure (PKI) certificates
    • Multi-factor authentication required for local access; hardware-token multi-factor required for remote system access
  • Network Configuration
    • Redundant network connections between systems
    • Secure communication via IPSec between backend systems
    • Secure communication via SSL/TLS between clients and servers (both web and rich clients)
    • Partitioning system functions such as Web, Database and Management by VLANs
    • Servers have separate network connections for management traffic
    • Deploy Network Access Control (NAC) tools to verify security configuration and patch level compliance before granting access to the network

32
Current Security Trends
33
Current Security Trends: Old-Fashioned DoS Attacks Still in Style
  • July 4th started off with a bang: some 50,000 'zombies' triggered the recent denial of service attacks
  • High profile U.S. Web sites affected include
    • The White House site
    • The Department of Homeland Security
    • The State Department and the U.S. Treasury
    • The Washington Post, among others
  • Based on an old virus (MyDoom)
    • Patchwork of scripts; no coding needed
    • No attempt to avoid AV signatures
  • Sad truth on protecting your site from this
    • Batten the hatches, hunker down and work with your Internet Service Provider (ISP) to implement upstream filtering to cut down the massive traffic overloading their network

34
Current Security Trends: Recent Surveys
  • Increasing focus on the degree to which security can be improved if applications used for business processes within enterprises were designed and programmed with fewer vulnerabilities to begin with
    • DHS - Build Security In
    • Consensus Audit Guidelines (CAG)
    • SafeCode
  • Application firewalls have become commonplace, with over half of organizations utilizing them

Source: CSI 2008 Survey
35
Current Security Trends: Cloud Computing
  • A current IT hotspot
  • Be careful of security façades that can be bypassed
  • NIST Cloud Computing Security Whitepaper out soon
  • The only secure clouds right now are private clouds

36
Scope of ESRI Security Efforts
37
Scope of ESRI Security Efforts: Compliance and Certifications
  • ESRI fully supports and tests product compatibility with FDCC (Federal Desktop Core Configuration) security settings
  • ESRI hosts FISMA certified and accredited low risk category environments
  • ESRI's Security Patterns are based on NIST/FISMA guidance
    • Not provided as full certification compliance representations
  • ESRI software products are successfully deployed in high risk security environments
  • ESRI does not certify classified environment products and systems
    • This function is performed by the system owner
  • ESRI continues to evaluate the need for compliance and/or additional certifications

38
Scope of ESRI Security Efforts: Regulations and Standards
  • ESRI patterns are based on ISO / NIST guidance
    • These contain the backbone of most security regulations and standards
  • NIST standards can operate as a baseline of security, with the applicable laws and regulations of an industry layered on top for compliance
    • Referred to as a "unified" approach to information security compliance

39
Scope of ESRI Security Efforts: NEW Enterprise GIS Resource Center
  • Incorporates IT foundation architecture guidance
  • ESRI provides GIS best practice guidance
40
Scope of ESRI Security Efforts
  • ESRI provides security due diligence with our products and solutions, but is not a security software company
  • ESRI recognizes every security solution is unique
    • Ultimately, certifications and accreditations are based on a customer's mission area and circumstances
  • Reference implementations on the Enterprise GIS Resource Center
    • Validate for performance and security

41
Next Steps Supporting Secure Solutions
42
Next Steps Supporting Secure Solutions
  • Your feedback and insight today are essential
    • Current security issues
    • Upcoming security requirements
    • Areas of concern not addressed today
  • Contact us at est@esri.com

43
Session Evaluation Reminder
  • Session attendees: please turn in your session evaluations.
  • Thank you

44
References
  • ESRI Enterprise GIS Resource Center website (new, July 2009): focused Enterprise GIS technical solutions
    http://resources.esri.com/enterprisegis/
  • Consensus Audit Guidelines, released May 2009 (version 2.0)
    http://www.sans.org/cag/guidelines.php
  • SafeCode guidelines
    http://www.safecode.org/
  • MS Application Architecture Patterns (contains security guidance per application type)
    http://www.codeplex.com/AppArchGuide