Transcript
00:01 In today's session on designing a secure enterprise GIS, we'll be talking about Esri's security strategy…
00:07 …assessing your particular security needs…
00:10 …various security trends out there that will potentially affect your design and applications and solutions.
00:17 We'll talk about mechanisms that can be deployed across your enterprise, and then we'll also talk more about…
00:22 …product-specific implementation options.
00:25 And last, but not least, we'll get into a little bit about cloud computing security.
00:32 So myself, I'm a senior enterprise security architect within Esri. I work for our Professional Services Division.
00:39 I'm also a FISMA certification and accreditation application security officer.
00:45 So, and to back that up a little bit, I'm a Certified Information Systems Security Professional.
00:52 So this is a question I commonly ask in a conference type of environment to see where people are at with their current feelings…
01:02 …about their environments and their configurations. So, quick pop quiz question for you: Are you currently happy with your security…
01:10 …in your organization? How many people here are good to go?
01:14 Okay, we've got maybe one and a half. Okay.
01:17 So in 2009, the Department of Energy National Lab came up with a security maxim list.
01:24 So these are sayings that are true typically 80 to 90 percent of the time.
01:30 They call it the "So We're in Agreement" maxim. What is that?
01:33 If you're happy with your security, so are the bad guys. Now, another interesting aspect about that…
01:41 I first brought this question up at last year's User Conference.
01:43 …is of course there's been some recent events with even the Department of Energy in the last year.
01:50 The most recent one was within the last month.
01:53 So that just says a little bit about the context of where we're at with security right now.
02:01 What does a secure GIS mean to you? Is it, I need to enable the token security service?
02:10 That is one aspect; that's one option. Is that everything in a solution? Does that provide you the right context?
02:16 If somebody just comes to me and says, Just tell me how to secure an ArcGIS Server implementation; just tell me the answer…
02:24 …there's not one particular answer for all organizations.
02:26 There's a lot of permutations on the number of configurations, of choices in your environment…
02:32 …be it Java, your database infrastructure, your directory services available.
02:37 Do you have particular standards and certifications that you need to align with, or regulations out there?
02:43 It's a bunch of alphabet soup, basically.
02:47 There's also different consequences for different user interfaces.
02:50 So let's take Adobe Flex. So Adobe Flex and PDFs, last year and still a little bit into this year…
02:59 …were one of the number one areas to attempt to compromise an infrastructure and a solution.
03:07 So they had clickjacking and other various items.
03:11 So that's why some organizations are somewhat more hesitant on particular browser plug-ins.
03:17 So you want to account for those types of things in your solutions.
03:21 There's also this idea of, how much security I want to utilize of, in this case, Esri products, built into our applications…
03:29 …versus actually going out and purchasing separate third-party security software to do the same function…
03:35 …except designed for a larger enterprise organization.
03:40 Then there's a question of how much you put into processes, procedures, and governance.
03:46 So the key thing here is, security is not just about implementing a single silver bullet. I don't have that individual answer for you.
03:54 It's going to be unique to your organization.
04:00 So if it's unique to your organization, well, I guess I can just say, I'm done, and that's good enough for today.
04:07 No. So, identifying your particular security needs.
04:11 So, I just opened up a Pandora's box, saying, Hey, so there's a whole bunch of permutations, and I don't have a specific answer.
04:16 So how do I go about figuring out an answer?
04:19 So you want to start with assessing your environment, incorporating and understanding the datasets that you have out there…
04:26 …the systems involved. The sensitivity of these datasets and the systems that you've identified to store those.
04:33 Categorization, we'll talk about that, and a little bit of best practice guidance through patterns.
04:41 So you also need to understand the security options available to you out there.
04:45 We've made some resources available in the Enterprise Resource Center…
04:48 …we also provide guidance on these enterprise-wide security mechanisms and also more application-specific ones.
04:58 It's also key to start understanding that security doesn't have to be…its primary function is to reduce access to information.
05:07 It's not necessarily the case, especially in geospatial information.
05:11 Most of our customers are about attempting to share relatively public information sets.
05:18 So how does security fit into that, and why do I talk about security as a business enabler? I see many cases where…
05:26 …there's organizations with geospatial datasets that have some that are sensitive, and they partition those off to the side.
05:35 They're not connected to anything. So when somebody needs that information in a crisis, nobody can get to that information.
05:41 It's not being made available to the right people, to the right resources at the right time.
05:50 So to design an enterprise GIS security strategy, you need multiple people and roles in your organization involved.
05:58 Ideally, you have an executive sponsor - somebody who's going to determine how much risk is acceptable to your organization.
06:05 This is not your typical engineer who makes this decision.
06:10 So what do I mean, determining risk? Well, security you could say, well, I just want everything.
06:16 That's not even affordable by our government groups, to afford everything. So you have to make decisions…
06:22 …what is acceptable or not.
06:25 You have an information security group, ideally identified, that actually assesses the risks, and we'll talk a little bit about that…
06:33 …defining some security requirements, that's fed into a design and build of security solutions by your IT team, and that…
06:41 …goes into operations and maintenance.
06:46 So Esri security strategy. There's two primary reinforcing trends.
06:50 Our products, we have discrete products, we had discrete products and services, with third-party security, primarily.
06:58 We didn't have security embedded into our products. Now we've moved more into a realm of an enterprise suite and solution…
07:06 …where we do have some security embedded into our products. And you can utilize that.
07:11 And it can be supplemented with third-party security products.
07:15 On the IT side of things, we've moved from more isolated systems to more integrated systems.
07:22 Be it the cloud, or between multiple organizations or multiple divisions in an organization, with discretionary access amongst them.
07:33 So we create secure GIS products that incorporate security industry best practices, and we create…
07:40 …trusted geospatial services across the globe for both individual users and entire organizations.
07:47 Now we do provide some security guidance in the Enterprise Resource Center. I'll pull that up here.
07:54 So this is the Enterprise Resource Center main home page.
07:58 Now enterprise GIS is a function. I'm not the one who categorizes it as such, but that's where it is, and so in enterprise GIS…
08:07 …you'll see there's three primary areas, architecture, security, and performance, and so security…
08:14 Each one of these breaks out into a significant area, so it might not look initially like it has too much content…
08:20 …but inside each one of these, so you can actually look at high-level strategy statements, mechanisms.
08:25 You can drill in further into each one of these various areas, if you have compliance questions…
08:31 …or questions about particular patterns we'll talk about today, there's some information in there.
08:35 There's the mechanisms we're going to talk about that you can deploy across your enterprise…
08:40 …and then also more product-specific options.
08:44 It's also version managed, so as we have significant differences in security, let's say between 9.3, 10, and then 10.1…
08:53 …you'll be able to select up top there a version specific to the version that you have in your organization.
09:06 So we have some foundational security principles that we base our guidance and solutions on.
09:13 So we have the CIA security triad, which is confidentiality, integrity, and availability.
09:20 Many times, initially, a geospatial analyst will, if they've been told they need to secure their solution…
09:27 …they're assuming that the primary reason was for confidentiality, that I need to hide information…
09:34 …from other people in my organization, when I would say the majority of the time, for geospatial customers…
09:41 …it's not as much about confidentiality, because the majority of our datasets are public.
09:47 It's more about integrity. Why is integrity important?
09:51 Let's take the case of, we have a lot of customers exposing datasets and services out to the public.
09:57 Those can be compromised. Somebody could change those datasets, via…
10:03 …let's take the use case of what's called an advanced persistent threat nowadays.
10:08 So an advanced persistent threat means somebody's going in to access your solutions and collect information…
10:17 …or do things in your environment without you knowing it, without your IT team knowing it…
10:22 …and not giving indicators that they're making changes. So you can have information out there, your datasets…
10:28 …that you're exposing to the public, and those can be wrong datasets all of a sudden.
10:32 You could actually be misinforming public users (so depending on who those are) with incorrect information.
10:40 That may or may not be significant for your organization.
10:44 Availability is also a key aspect too. So defense in depth, this is about adding layers of security into your enterprise.
10:54 So layers of security. You have your data and assets at the core; you protect them with physical controls, let's say walls…
11:03 …or your data center with biometric security to get access to your data center…
11:09 …you have policy controls, so complexity of passwords and the length of those.
11:15 I'm not going to stand here and tell you that you need to build a seven-foot wall or how complex your passwords should be.
11:21 Those are very organization-specific and not as much related directly to our product as the technical controls.
11:29 So the technical controls is where we provide most of our guidance…
11:33 …on authentication, authorization, filtering mechanisms, encryption, and logging.
11:39 And we'll go into each one of those a little bit.
11:42 So for our security patterns, they're based on…they're…they are best practice security guidance for our customers.
11:50 And they leverage the National Institute of Standards and Technology guidelines…the 853 guidelines.
11:58 And they're based on the amount of risk.
12:01 Remember I talked about that executive sponsor determining the amount of risk for your organization…
12:06 …that you determine that, and you can figure out roughly what types of things you need in your organization.
12:16 So first you have to identify your particular security needs.
12:20 And you've heard some of this before…assessing your environment, the datasets, systems, users, and the sensitivity of those.
12:27 So how do I do this? How do I assess my solutions for security, or my environment?
12:34 Ideally, you start by choosing a security standard.
12:37 You don't just go out there and try to make your amalgamation of, you know, 20 of those standards on your own…
12:44 …if you're just starting up. You might do that if you get more advanced.
12:48 A starting point, usually choose some relatively common and most practiced guidelines.
12:55 So the Consensus Audit Guidelines, now called the critical, the 20 Critical Security Controls…
13:02 …are out of an organization called SANS, and they were put together by the State of New York, and other states became rolled in too…
13:11 …also federal guidelines, and are used by some private industry, too.
13:16 You also have ones…SCAP is an automation protocol for automating security validation…
13:24 …NIST is a variety of hundreds of security control recommendations, FISMA is just the law…
13:32 …and then you have a variety of others, be it ISO 27000, and others for international customers.
13:40 So once you choose a particular standard to align to, you need to start figuring out, well…
13:47 …what is considered a sensitive geospatial dataset in my organization?
13:52 And it's somewhat of an open-ended question many times.
13:54 But there's more and more documentation coming together.
13:59 Actually, I ran into one of the people from the working group that put some of these guidelines together…
14:05 …for best practices for sharing sensitive environmental geospatial data.
14:11 These guidelines are fairly useful as a good start for many of our customers for when you do an assessment of your datasets…
14:18 …hopefully you do…that you can start flagging ones that might be considered sensitive.
14:24 So, legislation, you have a lot of Privacy Act concerns right now.
14:28 You have…where the individual can be identified, either directly, by georeferenced information, or indirectly, by amalgamation.
14:37 And we'll talk about this security and amalgamation issue. It's quite difficult in the geospatial realm…
14:44 …but it's actually becoming a lot more real this year; you'll see…I'll talk about some tools that are being used to facilitate that.
14:53 Confidentiality, natural resource protection, cultural protection, safety, security are some other aspects.
15:02 So we chose a standard, we've identified sensitive datasets, now we need to start thinking about how we're going to actually…
15:10 …categorize our solution, as, you know, what type of amount of risk level we're willing to take.
15:17 So there's a formal process provided by NIST…there's full documentation in their 800 series of documents…
15:23 …this one, in particular, is called the 800-60.
15:28 We also have a more informal process.
15:31 First, the groups that are going to be doing the formal process are primarily our federal customers.
15:35 They pretty much have to do it. Not everyone has to do that, and it's a lot of work, so we make this informal process available.
15:44 So a basic pattern. What is it? So you have no sensitive data, and it's primarily public information that you're exposing out there.
15:54 And all the architectural tiers can technically be rolled up into a single physical box; you don't have to split out the tiers necessarily…
16:02 …of your environment for security needs.
16:06 In the standard environment, there's more moderate consequences for data loss or integrity.
16:11 And the architectural tiers, you want to start thinking about breaking these apart onto separate systems.
16:16 And there's a potential need for federated services in the organization.
16:21 And last, but not least, is advanced security needs. This is where you have significant sensitive datasets…
16:28 …and all the components need to be redundant. Remember that availability aspect for security.
16:33 You need to think a lot more about third-party enterprise security components for your organization.
16:41 So what does a basic security solution, roughly, look like?
16:45 And you might have seen representations somewhat like this before out of Esri.
16:52 This is where you can utilize data and API downloads from public clouds.
16:57 Public clouds, a lot of them, let's take ArcGIS Online, you don't have an SLA with them; if they go down…
17:03 …well, yes, it's going to affect your infrastructure. Is it critical? At a basic level, you're saying…
17:10 …no, it's not critical; it's down for a little bit. So you also want to secure your services with the ArcGIS token service, at this level.
17:19 And you can…still want to separate your internal systems from Internet access with a DMZ.
17:26 And a reverse proxy can be utilized to avoid DCOM across firewalls.
17:32 Too much text here. So, standard security environment.
17:37 The reality is, I'd love to make architectural representations of the standard and advanced…I just have not had a chance.
17:44 Lot of components of each of these. You want to start thinking about things like a web application firewall…have dynamic tokens.
17:51 Remember I talked about separating out the tiers. You not only do that for the hardware components…
17:56 …but also the networking infrastructure. And how you start grouping systems out into what's called virtual LANs or VLANs.
18:06 Multifactor authentication might come into play. Smart cards or public key infrastructure.
18:11 Sometimes for public sites, one mechanism that's being used for some organizations is a phone that you need…
18:20 …to get a unique number. Your phone calls you, and you get a unique number; you need to enter that into your system.
18:30 For more advanced security needs, this is where you have separate datasets for public employees, employee subsets…
18:38 …you might be doing label security, as it's called, explicit labels…
18:43 …you need to cluster your database infrastructure. You might be encrypting your actual databases…transparent data encryption.
18:50 We'll talk a little bit about that.
18:52 This is also where you might utilize IPsec between your back-end server environment.
18:59 So for server-to-server communication, you want to ensure that somebody can't come in and sniff that traffic between those systems.
19:08 By default, all our traffic is clear text between our system-to-system communication. So if you want to encrypt that…
19:14 …IPsec might be a way to facilitate.
19:19 So what are some of the security trends out there right now?
19:23 And how do they affect you related to our solutions?
19:27 Well, let's just look at 2011. This is only a couple of them. So we'll start with Citigroup - 360,000, and it wasn't just…
19:36 …credit card accounts…that was actually 360,000 Citigroup accounts, which had both bank and credit card accounts.
19:45 They have Sony. Over a hundred million accounts compromised.
19:51 Couple months back, they had already spent $200 million on trying to recover, and I know they've spent a lot more than that since.
19:59 RSA, one of the leading security companies out there, that creates what's called two-factor tokens…
20:06 …so there are these little devices that give you a new number every once in a while.
20:11 More secured environments use them, like, for example, the one right beneath it, Lockheed. What happened in that case?
20:19 RSA got compromised. The hackers took that information and then, within a month or two, ended up hacking an organization…
20:27 …like Lockheed to get to the real information they wanted.
20:32 Then you have Department of Energy labs, via simple mechanisms, what's called spear phishing…
20:38 …so going after important individuals in your organization who have a lot of access to sensitive datasets.
20:46 They…it's not the Viagra type of e-mails they get…they get an e-mail that looks like it's about their Salesforce account…
20:56 …or something very direct to that individual.
21:00 They do a lot of reconnaissance and figure out what's appropriate…and we'll talk a little bit…
21:04 …how some of these organizations are doing reconnaissance via geospatial means, too.
21:11 So you have FBI, CIA, PBS; I still am interested why they attacked the Public Broadcasting System.
21:21 Seems like [they] should give them a break.
21:23 Then there's Electronic Arts, and others.
21:27 So, interesting thing from security expert standpoint.
21:32 So last week, SANS is a group that has…provides a lot of the training and guidance for security people out there.
21:41 And they're saying the cost of a successful attack against targets of choice has fallen dangerously low. So what does this mean?
21:48 This means, really, if a hacker wants to go after your organization, it's typically pretty easy to get in right now.
21:58 So that's what they mean by targets of choice.
22:03 So what's going on? Why is this happening? These hackers are not necessarily after just a little bit of fame.
22:10 They're after more. They're after harming an organization. They're after gaining money; Citigroup.
22:18 They're after retribution for something; the Sony case. Very interesting case, where you have somebody…
22:25 …who hacked a PlayStation 3 station, tried to make it open.
22:31 Sony decided to sue that individual, take him to court.
22:34 Soon as it was wrapped up in court, Sony got magically hacked, and it happened for months after that.
22:45 So in 2010, CSI does a survey every year (Computer Security Institute), and they've worked with the FBI…
22:53 …and other organizations in tracking these trends.
22:57 There's a continuing increase in what's called the phishing attacks with e-mail and in malware infections.
23:04 Now, what are some of the responses and some of the options organizations are implementing to help offset this?
23:10 Log management and dashboards. We'll talk a little bit about that. Why is that?
23:16 Information security guys for the most part are in information overload. They have millions of log files…
23:23 …there's no cross-correlation going on, and they're missing, and not discovering, that they're being hacked.
23:33 So the security technologies utilized. [Of] course, top ones are antivirus, firewall, antispyware stuff…
23:41 …and down at the bottom here is one that, unlike the others, is actually increasing in 2010 still.
23:47 So, and it's been increasing a good chunk every year.
23:51 And that's application firewalls. And we'll talk about the importance of those in your organization relative to our web software.
24:01 So, how is cybersecurity evolving?
24:04 There's a viewpoint of compliance. So a lot of organizations…I mentioned FISMA…
24:10 …they create a lot of documents. Every once a year, once every three years, to prove that hey…
24:18 …they provide a big huge stack of paperwork to say, you know, our environment's secure.
24:23 But there's no real ongoing validation, and that's one of the changes, that they're saying…
24:28 …Hey, let's get out of this mode of creating a large stack of paperwork.
24:31 Let's move and evolve toward something where we take something where we know the most critical areas…
24:37 …like the 20 Critical Security Controls, remember I mentioned CAG, Consensus Audit Guidelines, same thing…
24:45 …that provide you the ability to have automated management of and monitoring of the top concerns in an organization.
24:56 So location and privacy concerns. So more applications are utilizing current user location to deliver content…
25:05 …geospatial information. So, in response to this, there's been bills proposed, and also the European Union…
25:13 …has actually already passed some, concerning data privacy.
25:17 So our users and people implementing new solutions need to be aware that they're going to need to start informing users more…
25:26 …about what type of information's being collected, obtaining permission from consumers before sharing geolocation information.
25:34 So I see a lot of cool applications right now that people post information about their site, that they're located for…
25:43 …something occurred at this location. But now, it's going to be an interesting context.
25:48 How do you get that permission for when that's shared out in a social site with other people?
25:57 Geolocation aggregation; it's a very interesting one. Saw a great tool called Creepy. Came out this year.
26:05 And what Creepy does is, it goes out and pinpoints the locations of targeted individuals.
26:12 So if I was to take somebody's user name tag here, type their name in, it would go out to all the social networking sites…
26:20 …look at any pictures you've ever posted, see if there's any geotagged location information in there…
26:26 …and it would actually make you a nice little map that shows where that person's been over time.
26:33 So you can understand where that person goes to lunch, where they work, where they live, where they go to vacation. It's creepy.
26:44 Yeah. So the guy who wrote it said the reason he wrote it was not to stalk people…
26:51 …he said it was to let…provide people an awareness that this could be done.
26:58 Yes. So…you're aware.
27:03 So, what is your response to all these different trends out there and what's happening?
27:07 So, can cybersecurity accomplish what it needs to do purely on a technical basis?
27:13 I need to turn on the token service, and I'm good to go for my solution.
27:17 I don't need to know where the datasets are; I don't care about that; I just need to stick a firewall or something in front of my solution.
27:25 Those are technical aspects, and they're not going to protect you when you get more into the cloud…
27:30 …and have interdependent components in your organization.
27:34 So cybersecurity is moving to a business process, where IT and security teams must now know where the data resides.
27:41 [It's] sometimes difficult in the cloud right now.
27:44 Where it moves to, and how to protect it during all that time.
27:49 So this requires comprehensive data security practices for an organization, where security teams will become business process experts…
27:57 …to keep the bad guys disarmed while keeping the good guys productive.
28:04 So enough about trends and creepy things. Let's move on to some things you can do in your organization…
28:10 …where you can apply some technologies across your enterprise.
28:18 So authentication. Do I have Bob or Jane accessing my system?
28:24 Authorization. Okay, Bob got in; he's allowed; he's been authorized; he's only allowed to have access to one map service.
28:34 Bob wants to do something bad. Do you have something in your organization to stop those bad requests?
28:43 If Bob wants to access datasets he really shouldn't have access to…they should be encrypted, potentially…
28:50 …and then last, but not least, how do you know what Bob did to your systems over time, even if he got authorized…
28:56 …and what if he decided to do something bad, if you don't have appropriate logging and auditing…
29:02 …you won't know what was potentially compromised, and you won't be able to prove what he did.
29:10 So, for authentication. We'll start at that. And the mechanisms developed with ArcGIS Server and our suite of products.
29:17 For web services, we have HTTP, you know, for web services and web applications, up top.
29:25 And then, in our internal environment, we have local connections, which primarily have a lot of DCOM currently in our product.
29:33 We'll talk a little bit about how that changes with 10.1, also.
29:37 So, a nice matrix, to make you go cross-eyed.
29:43 The main aspect here…I don't expect you to write this down, frankly, right now…this presentation will be available online…
29:49 …is that you have a lot of authentication options; by default, up top, none.
29:54 These options also vary depending upon are you building just a web application, are you exposing web services…
30:01 …or is it just local connections? So each option has different choices.
30:09 So for authentication, you have…our product is a role-based solution.
30:15 So you need to have storage of user accounts, users, and what types of roles they have in your organization.
30:22 On the Java side of our product currently, it's stored in Apache Derby by default.
30:27 You could point it to a SQL database or Oracle database.
30:32 You could also utilize an LDAP, a directory service in your organization, or Microsoft Active Directory.
30:40 On the .NET side, the default is called Windows Users and Groups.
30:45 What does that mean? Actually that name creates a little bit of confusion in itself.
30:48 It's really…you have a choice of utilizing domain account users and groups or a local server's user and groups. It's up to you.
31:02 You also can point your solution to a SQL Server instance for the storage of users and roles.
31:09 And last but not least, we have a custom provider option for other permutations.
31:17 So, authorization. Now that we've done authentication, moving to authorization. Talked about its role-based access control…
31:25 …you assign this within ArcGIS Manager, and you can provide service-level authorization…
31:30 …across the web service interfaces, and the services are grouped in folders, utilizing inheritance.
31:38 So how do I get more granular than just service-level security?
31:43 What's service-level security? It's really equivalent to exposing an MXD or an MSD file.
31:52 If I want to get more granular, I can…one option is to utilize relational database infrastructure…
31:58 …going all the way down to what's called row-level security, or feature class level.
32:04 Be aware that if you're implementing versioning with that, with row-level security, your performance will be horrendous.
32:12So we highly recommend not doing that.
32:15An alternative may be utilizing SDE views.
32:19We also have users that want to limit what the user sees in the graphical user interface, a GUI.
32:25So you have rich clients can utilize ArcObjects in web applications.
32:30We have a variety of sample code links in the Enterprise Resource Center (ERC).
32:35And there's also this AzMan tool, for authorization management.
32:42So for filtering mechanisms. Primarily third party. Esri's not doing the security filtering aspect in our solutions.
32:52So firewalls, reverse proxies, you've heard that, I'm sure, plenty. There's Microsoft's IIS.
32:58Starting in 7 they have a free reverse proxy.
33:02Web application firewall. Recommend having something like that in there. One open-source free solution is ModSecurity.
33:10You also want to have antivirus, of course; intrusion detection and prevention, ideally; and you can also limit applications' access…
33:17…to the geodatabase.
33:20So of this list of six items, would you say your organization…would anybody here say their organization implements all six?
33:31Okay, well, that's impressive. So that's good, that's even better than yesterday's session, 'cause nobody raised their hand…
33:38…although I think some people might not be clear on even the bottom bullet and what that entails, but I won't pick hairs…
33:46…but that's good to hear. How about at least three of these items?
33:51Raise your hand if you have at least three of these items in your organization.
33:56I would say that's a good call, to have at least three of those in your organization.
34:02So for filtering. What's a firewall-friendly scenario? That's been historically a concern with our products because of DCOM.
34:12Now in this case, we have a web application firewall in the DMZ.
34:16We also have a file geodatabase in the DMZ; it's not a SQL Server uncensored database server instance.
34:23We're utilizing one-way replication from the internal operations…
34:28…through the firewall via the geodata service replication over HTTP or HTTPS to a file geodatabase.
34:38Why do we do this? Multiple reasons. So one is, I'm not using SQL Server communication across a firewall.
34:46Two is, I can actually get better performance by not having end users on the web hitting my internal database infrastructure, and…
34:56…I can spin up a separate file geodatabase on every web server I add to the DMZ.
35:03And there's no additional licensing cost. And last but not least, from a security standpoint…
35:10…a very important aspect is that I'm not replicating my full database instance from this internal database to the file geodatabase.
35:18I'm only replicating information sets that I want publicly exposed.
35:24So my sensitive stuff remains on my internal database system, and only public-facing information gets pushed out into the DMZ.
35:36So why was there no reverse proxy in the DMZ in this picture?
35:41Well, so one thing we've noticed is that a reverse proxy many times for our customers becomes a one-off component…
35:48…with no management and minimal filtering of security issues going on.
35:54So what are some customers looking at more instead? Multifunction web service gateways…
36:01…which can store your SSL certificates. They can perform what's called SSL acceleration.
36:07So not having your web server perform SSL; you have this device perform it.
36:14And so you've lightened the load on your web server.
36:17The URL rewrite function. Reverse proxy types of functions can be done by it…
36:23…and it can also perform web application firewall functions.
36:28For encryption, you have a variety of third-party options. For your network, you have IPsec, commonly used…
36:35…for your VPN tunnels and connections; you can also use it, as I mentioned, from server-to-server communication.
36:42And SSL. It's very commonly used for protecting, you know, HTTPS for your login information for geospatial information, so…
36:52…you're not necessarily…you don't necessarily need to use HTTPS for your whole application…
36:56…if your datasets are not that sensitive…but you at least want to encrypt that login session information.
37:02Or, if you have a token, you ideally want to protect that too.
37:06And then, when I mentioned internal systems communication, that's that scenario that I have, let's say…
37:14…ArcMap accessing my database system, and it's using what's called direct connect.
37:19That's where I go through the database client using SSL from my client to the database.
37:27For file-based encryption options, you have operating system, you have BitLocker, and there's also some customers…
37:33…enabling geospatially enabled PDFs combined with certificates.
37:37So they're basically creating a PDF, encrypting it, and then the only people who can access it must have a certificate.
37:46And the most…the fastest one is hardware-based encryption.
37:50This is where the hard drive itself can encrypt the information, and has less than a 5 percent performance hit.
38:00Last but not least, you can encrypt at the relational database level.
38:03I mentioned TDE, transparent data encryption. And one lower-cost solution…
38:08…for if you have multiple mobile users across remote, is where they have sensitive datasets out there…
38:17…you can use SQL Server Express with transparent data encryption; they have a nice secure dataset…
38:24…and then they replicate that up to the public and their primary infrastructure.
38:31So for logging and auditing, what's available to you? You have geodatabase history…
38:38…you have the ArcGIS Workflow Manager extension, which…
38:40…you can track feature-based activities and export even GML, Geographic Markup Language, if you'd like.
38:49And last but not least is, built into ArcGIS Server 10, when you enable security, there's a new user tag that was not in 9.3.1…
38:57…that allows tracking of user requests, as shown in the little picture there.
39:04You also have a variety of third-party logs, so you have your web server logs, relational database, operating system, firewall…
39:11…not to mention all the network infrastructure components, too.
39:15So, remember what I mentioned about IT guys are into information overload with logs right now?
39:21So Verizon's…they do a data breach summary report every year.
39:26So 86 percent of the victims had evidence of their breach in their logs.
39:31Yet the majority, by far, their internal operations didn't find it.
39:36Some third-party external group notified them they had been hacked.
39:41So they have all of this information in their organization, right in front of them…
39:46…but it's so buried in so many things they don't know about it.
39:49So this is where a security information event manager solution might come into play, a SIEM.
39:57By the way, we're selling one now. No, just kidding. Yeah, that would be funny, huh?
40:03So product security options…what you can do with particular products and solutions from Esri.
40:09So I'll talk briefly about rich client security. In yesterday's session, you know, I did a brief query before we started up…
40:16…of you know, how many people were interested in which of these different product realms…
40:21…and only one person raised her hand for rich client security, so I'll keep it brief.
40:26This is a client, typically, with the most access to sensitive data, however.
40:31And there's a variety of system connections. Direct connect to the relational database over SQL.
40:36You have application connect, which utilizes a proprietary protocol from Esri to SDE.
40:43You also have web service communication, which can be protected with integration with the token service or…
40:51…Windows native authentication.
40:54And lastly, there's ArcObjects development options, where you can record user-initiated GIS transactions…
41:01…and have fine-grained access control, so limiting what functions users can make use of in the end user interface.
41:09So that becomes more of a custom type of thing.
41:12So another thing to be aware of, even when you're using relatively simple rich clients, is, let's take…
41:18…ArcGIS Explorer and how it might be communicating to various systems in your organization.
41:24You might be mapping a drive, you might be making a universal naming convention connection.
41:29And more commonly, for your external users, you have web traffic occurring.
41:35So you need to account for each one of these different types of communication models in your organization.
41:41So let's move on to mobile phone security, a very interesting realm right now, because there's more platforms…
41:49…ArcPad, mobile, iPhone, Android, Windows Phone 7…and you have expanding functionality and storage options…
41:57…and a large, much larger user base. So what's this resulted in? It's led to increased hacker attention.
42:06So when was the last iPhone critical vulnerability? Oh, it was last Friday. You open up a PDF, you're hacked.
42:14So, anyhow, I can't cure that. It's just an awareness of where we're at with issues.
42:23You can't say, Oh, yeah, I have an iPad, and I'm just fine.
42:27When I say iPhone, that's just as applicable to the iPad, by the way.
42:32So what can you do, and what do you think about, for your mobile solutions?
42:37Well, you have your SDE permissions. That's a whole…that's your database, SDE and so forth.
42:42You have server authentication options. Those are the ones we talked about earlier, with a large number of permutations.
42:49And service authorizations; so, which services somebody's allowed to access…
42:53…the types of communication going on between the mobile device and the server…
42:58…might be over VPN or something otherwise, and we'll talk a little bit more about that.
43:03The actual device itself…which devices are allowed to access it? You can limit that.
43:08And there's something to identify each one of those.
43:11You also have different storage options, and you can provide either project or data access permissions on that phone.
43:19So what are some of the more technical aspects of that?
43:23So that communication between the server and the mobile client, what's commonly done?
43:30Utilize HTTPS or a VPN tunnel. VPN tunnels are sort of interesting right now because not all mobile phones have VPN clients.
43:42So you can use a cell VPN, potentially, for some; just be aware it can't necessarily be used with all applications.
43:51So right now the mobile field and security is relatively immature, especially on particular phone devices.
44:01Some phone devices, like the Windows Phone 7, are actually labeled by Microsoft as consumer devices.
44:09They're not currently considered enterprise devices.
44:13So you also have web service authentication and authorization options.
44:19You can do Windows authentication or a token service…
44:23…or you could filter by the operating system, the IP address utilized, or a unique device identifier.
44:29Unique device identifier seems like, Hey, that would be the one I could really lock down.
44:34Unfortunately, of course, that was the first thing that was hacked on an iPad.
44:38But…So make sure you just don't limit yourself to checking for one thing.
44:43So you can also potentially encrypt your data at rest. So the older Windows Phone devices, pre-7…
44:50…allowed for utilizing Windows Mobile CryptoAPI.
44:54You could utilize a Secure Digital card, or you could utilize third-party tools for encrypting the entire storage system.
45:03Windows Phone 7, [I] started to rag on Microsoft on this particular device, just want you guys to have an awareness, is that…
45:10…you can't encrypt information on that device yet. It's a consumer device. You will be able to in the future.
45:17So what do you do for the deficiencies in the devices currently out there?
45:23You ideally implement a mobile device management solution, if you're going for a full enterprise rollout.
45:31One such solution is called Good Technology. I remember the first time I heard them, I was like…
45:38…somebody asked, So, do you guys support Good Technology? And I'm like, I think it's spectacular technology, but, you know…
45:46…but yes, so Good Technology is an interesting company. There's also one other one that we've…
45:52…is currently actively working with our federal customers in solutions that work with the cloud.
45:58I don't know their name offhand, but if you ask me I will follow up on that for you.
46:04So for ArcGIS Server security. One question I like to ask early on…
46:10…Is communication across the wire secure by default for ArcGIS Server?
46:15Who thinks it is? Dang, I can't catch anyone first thing in the morning…come on.
46:20Okay, no, it's not. That's good that you know that. That's good that that message is getting out there right now.
46:26If that option is not acceptable to your organization, and you want to see more of a secure by default model from Esri…
46:35…we need to hear a lot more communication on that.
46:38Right now, and this goes back to what's the most common best practice and basic pattern for our customers…
46:46…and that is relatively public information, and about information dissemination…
46:50…and not about a secure by default model.
46:55So if that's to change, it's going to have to come from the customers to let us know that.
47:01So communication to ArcGIS Server…to all clients is clear text by default.
47:06You can secure the web communication with SSL certificates…
47:10…or that internal communication to your organization with IPsec.
47:15So another question that sometimes gets tangled up here is…
47:20…Is a reverse proxy required to create a public-facing, secure web solution with ArcGIS Server?
47:28Who thinks a reverse proxy is required to do that?
47:32Man, nobody's going to raise their hand! Come on!
47:37So that's good. So some customers implement…
47:41…let's first step with…and understand why a reverse proxy's being recommended for these environments.
47:48Was it first and foremost to improve security in an organization? No.
47:52It was first and foremost recommended to eliminate DCOM traffic across firewalls.
47:59So, basically, you come into the DMZ, it's a reverse proxy…
48:02…it's able to get through the firewall to your internal systems without DCOM.
48:09So, however, if you want to significantly and potentially improve your security posture more…
48:15…you'll want to start thinking about something like a web application firewall.
48:20So is there security hardening guidance from Esri available?
48:24Who thinks there is? OK, well, I guess I got most people on that one.
48:30So there is actually some guidance available. We have it in the Enterprise Resource Center…
48:36…there's an area called the Implementation Gallery in the Enterprise Resource Center.
48:42And so this information is currently for 9.3.1, Windows 2003.
48:50I am definitely overdue on getting it up-to-date for, you know, Windows 2008 and ArcGIS 10…
48:59…and we'll have that done, I'm hoping, in the next couple months here.
49:04So if you want to see that, let me know, and that will just raise the priority of when I get that to you guys.
49:10So this is a setup question of ArcGIS Server, how I configure it once I've enabled security.
49:17So should I assign the Everyone group, in the root, to ArcGIS Manager?
49:22I see one person, two people shaking their head no, two people say yes, I should, so…
49:29This is interesting, because it goes back to the security posture and usability of our customers and what they expect…
49:36…and what they need. So if you do this, everyone will have access to your services by default.
49:43It's actually terrible from a security perspective, but spectacular from a usability perspective.
49:51So it's okay for basic security environments.
49:55So if you're at that level, you could potentially do that, if you have those types of needs.
50:00I definitely don't recommend it for any higher-level security need, standard or advanced…
50:05…where you should start thinking more about deny by default, for use in higher-risk environments.
50:13So can I provide security more granular than the service level with ArcGIS Server? Yes or no? Or are your arms just tired at this point?
50:26There are some people who raised their hands.
50:28Yes, you can. There's a variety of mechanisms. One is SDE views, which I mentioned a little bit before.
50:34You can also supplement with third-party software. So con terra makes a solution called securityManager.
50:42It's a filtering mechanism for web services. And you can get feature-based security and some other aspects and options.
50:51Did you have a question back there?
50:53[Inaudible audience question]
50:57We'll get into the details of that one later. 'Cause it's actually not the easiest thing to do, right?
51:02So I think that's a good offline question. I'm going to be pressured to make sure everybody has enough time…
51:09…so I get questions in at the end here. But I'll follow up with you on that.
51:13There's also an integrated security model, which might be an easier way, depending on how granular you want to get.
51:21So, integrated security model - What is it?
51:24This is the idea of flowing your user context from the web application to the application server down to the database.
51:34So when John logs in to the web application, that same user is hitting the database in the end.
51:40Why is this good? Couple aspects. One is logging, accountability of user actions. John's actions are now logged…
51:48…all the way through down to the database tier. Another aspect is, you can provide granularity to the…
51:54…and provide row-level security. This is a database-driven security model.
52:00So what's the status of this? And going on with our customers right now, we collected customer scenarios, and we started with…
52:09…doing some performance validation tests with what I would call simple, layer-level security, as opposed to service level.
52:16And…but basically you set the security in the database, and it's real easy, at the table level.
52:22And that gives me equivalent, for some of our customer scenarios, layer-level security.
52:27You get a performance consequence for this; 10 to 20 percent hit for that.
52:32Now we are going to also do some validation of more complex scenarios, too.
52:38We have some basic documentation of this, online, for the Java ArcGIS Server solution, if you just query in there, integrated security.
52:49So what did this initial configuration look like?
52:52We had an IIS web server, we had an application server with Java ArcGIS 10, an LDAP Derby engine instance…
52:59…which is the default with ArcGIS Server for our users and groups, and an Oracle database instance.
53:05Right now, it makes use of what's called Oracle user proxy sessions.
53:11And so these are proxy users, and we made use of table-level access, which I said…
53:18…in many scenarios is equivalent to layer security.
53:23So one interesting aspect about this, is that this not only affects potentially your web browser clients…
53:33…but also consumption, let's say, in ArcCatalog.
53:35So in this case, I've logged in as an administrator, and I have access to both the red and green features.
53:42I simply log in as a different user to that same service. Now I only have access to the green features.
53:50Of course, in a roads network, it's sort of interesting, and that's a paradox comment…
53:55…is that I can fill in with my mind, missing road segments.
53:59One of the interesting aspects of geospatial information is our mind can visually sometimes pick up cues…
54:06…on missing components. So you could actually be giving away more information by hiding information in this case.
54:14That…somebody who gets access to this would go…
54:17…Well, geez, something significant must be occurring where this little blank is between that road segment and that road segment.
54:28We don't have an answer for that right offhand.
54:31That comes down to thinking about and organizing how you disseminate information. That's not a technology issue.
54:38So security model. So for web services and other components. On ArcGIS Server we expose REST APIs, SOAP APIs…
54:46…and it can be protected with a token service, which goes against users and roles, that can be stored wherever you want…
54:55…connected to a server object manager, what's called server object containers, in the background.
55:01You also have your internal connections and your external web connections.
55:06So for Windows devices, these can be managed by the operating system of the server object manager.
55:13On the Solaris and Linux platforms, users are managed in ArcGIS Manager, and really it's a relatively simplistic amount of access…
55:22…that you have available; it's either none, read, or full. So AGS users have read, AGS admin have full, others have no access.
55:34So what about the datasets, and what type of access and permissions need to be provided?
55:39So the SOC account needs read or write permission to a particular folder where a dataset's stored, and for a database, geodatabase…
55:49…I'd need read or write permissions for the SOC account to those (server object container).
55:56So we also expose a variety of what I classify as management user interfaces.
56:01And whenever I think about a management user interface, and that's why I've grouped these together…
56:08…it's something I think about as, should be useful for internal operations…
56:12…but not necessarily something you want to expose for external operations.
56:17So the services directory, it's available as part of the ArcGIS Server installation, turned on by default…
56:22…you don't want to typically expose this, for standard security needs, to the public.
56:28Why don't you? You're increasing your attack surface significantly by exposing that particular service.
56:36So the REST API admin. This also manages access to the ArcGIS directory services right above…
56:44…and you can simply disable it in there if you choose to.
56:48Maintains a REST cache, requires membership in the AGS admin group…
56:53…and once again, we recommend to configure this for no public access.
56:58Great for your internal operations; don't expose it. I don't see a need to ever expose that out to the public…
57:05…unless you want to give a hacker an attempt to just go to your user login account…
57:10…and keep on trying over and over again different accounts until they finally get in.
57:15Same for ArcGIS Manager. You should not be exposing this to the public, only internal users.
57:23So enough about, you know, the management interface. What are the different types of security aspects and levels I can secure to?
57:31I talked about local security with AGS admin, AGS users.
57:38Services capabilities. So I compose a web service or a mapping service operation, as a variety of what are called capabilities inside those.
57:46Different capabilities expose different types of, well, a larger attack surface, more functionality.
57:54So it's up to you to expose which ones you choose.
57:59And then you have web security. So something that controls access of your HTTP or HTTPS traffic to ArcGIS Server…
58:07…for both Internet and intranet access. And that gets us into this token security model that you may have heard about before.
58:19So to implement web access control, ideally, implement an SSL…you want to have HTTPS utilized for this information.
58:28You need to choose a user role store; I've talked about Active Directory, LDAP, and others.
58:33Or, you can store in a database. Need to assign the users to roles as necessary. If you already have an infrastructure…
58:39…all the roles are assigned, hey, that part of your job's done.
58:43Then you need to, in ArcGIS Manager, assign the roles to the various services or sets of services, and folders that they have access to.
58:52And last, but not least, enable the security function in ArcGIS Server. So that's pretty high level.
58:58So, what is a token? Nice little set of gobbledygook. Why do you need it? Why would I need to send something like that around?
59:09Services don't have a user interface for somebody to go in and type in, I'm John, with this password.
59:16We're sending…the services are being sent back, gobbledygook, to have access instead.
59:23So how's it work? ArcGIS Server has this token service, and where can you get a token?
59:28From that same token service. There's an interface for that.
59:33So how are tokens most commonly utilized with our products right now? You can embed that token into the client application.
59:45Who thinks that's a recommended security model?
59:47I see a thumbs-down. That's good.
59:52It's very easy to implement, a very common implementation.
59:57You know, it…if your security posture doesn't…is extremely low risk, then, and you're not really looking at improving…
1:00:07…having a strong security posture, you might want to do it, but other than that, I would try to avoid it.
1:00:13So you can also bind the token in a proxy page, and this proxy page actually stores the token on the ArcGIS Server instance.
1:00:20The token never gets to the client.
1:00:24So…that's a key aspect, by the way. Any information sent to the client, even if you try to obfuscate it and hide it some way…
1:00:34…in the end, they're going to be able to view that information.
1:00:38So last, but not least, is the ability to write full login access to the service token…the token service…
1:00:46…and that's being done with our particular desktop products and others.
1:00:50So in version 10, what are some of the changes and enhancements that have occurred?
1:00:55In the ArcGIS Server Manager application, you have searchable users and roles…
1:00:59…and you also have application-level user logging, activity logging.
1:01:05So I showed you a little bit of that with Fred, who was tagged on an instance.
1:01:09On the database side, we now have the integrated security model, passing the user context all the way down to the database.
1:01:16We also have made some significant web service interface security improvements.
1:01:21So the more recent the service pack, even with 10, the better. Ideally you should be running 10 SP2 at this point.
1:01:29So what lies ahead with 10.1. So, goodbye to DCOM. Wow.
1:01:35That's actually been something a lot of our customers have been waiting for, for a while. There we go, yeah. Yay!
1:01:41Anyways, so, now you can actually focus on security some, when you get that component out of the way.
1:01:48So we've also added a publisher role.
1:01:52So one of the things you had in ArcGIS Server is you had a user, who couldn't make a service available, and…
1:01:57…you had an administrator, who was a person who could expose a service.
1:02:01Really you have a large number of users in your organizations you want to allow to publish a service, but…
1:02:06…you definitely don't want to have as an administrator. So that's a new role that's available to your organization.
1:02:12We're also providing administrative API access. So you can now get into automating and scripting…
1:02:20…requesting information out of ArcGIS Server on its status and statistics, and actually…
1:02:27…automate building of information in ArcGIS Server.
1:02:31So that'll be an interesting new option too.
1:02:36So moving on into geospatial cloud computing and security for it.
1:02:42So is cloud computing safe? Can I get a raise of hands? Nobody? Come on, somebody's got to say it's OK. Or, who knows, right?
1:02:53The answer is almost who knows, but we'll try to put a little bit more context around it, I think, than who knows.
1:02:58I would say it's close to, It depends on many aspects.
1:03:03So, security benefits of the cloud. There are some.
1:03:06Virtualization. I can stamp out images of a whole bunch of systems that are identical.
1:03:12Now, if they're not hardened in the first place and the security of that initial image is terrible…
1:03:17…well, guess what, all your systems are terrible, but if you get that right, on those initial systems, you can actually create…
1:03:23…identical systems that are quite secure.
1:03:27You need…you also have broad network access available, potential economies of scale, and self-servicing technologies available…
1:03:35…all potentially helping out and providing security benefits.
1:03:39There's a variety of risks associated. I guess ideally I would make each list the same length, you know, to be fair, but…
1:03:45So, what are some of the risks involved?
1:03:48Right now, there's vendor practice dependence. You don't necessarily know everything going on in these environments.
1:03:55There's no agreed-upon cloud security standard for these organizations right now…
1:04:00…and how they're ensuring the security of the environments.
1:04:04There's also a fair amount of vendor lock-in. Each cloud provider and their solution, infrastructure, Platform as a Service or…
1:04:11…Software as a Service…they're all, primarily right now, creating proprietary APIs and interfaces for exposing that information.
1:04:22Now, there are efforts to start standardizing those more, and you'll see some of those; you'll want to look for those.
1:04:30Also, sharing resources, multitenancy issues.
1:04:33So, you're storing information on the same systems and writing to the same drive, and potentially in the same drive location…
1:04:39…as somebody wrote something just two days ago. How is it ensured that that location, written to that particular drive…
1:04:47…actually got cleaned up? It's what's called a data remanence issue. So you want to ask a cloud provider an interesting question…
1:04:54…say, How are you resolving all of your data remanence issues?
1:04:59So deployment model threat and exposure levels.
1:05:02So the amount of threat exposure to your organization varies, depending on what's called a deployment.
1:05:07So you could have private, which has the least amount of exposure of information…
1:05:12…community and more, and highest, public. And we'll talk a little bit about each one of those.
1:05:19So cloud platforms utilized by Esri. So we have the systems administrator types of access to systems…
1:05:28…it's the Infrastructure as a Service solution; we have ArcGIS Server on Amazon EC2; we utilize Terremark cloud…
1:05:35…for some of our customers, now Verizon, bought out by Verizon; and a variety of private cloud implementations.
1:05:43One that is a fairly decent realization of a private cloud solution, to help facilitate that, VCE.
1:05:52I don't know if some of you heard about them at this conference, but it's a virtual cloud environment solution…
1:05:58…comes with hardware, software, allows you to get a rack of, basically, setting up a private cloud in your organization.
1:06:05Made by some very large vendors. Yes?
1:06:07[Inaudible audience question] Azure? Yes, I'm…there you go, developer access.
1:06:13So Azure is not an infrastructure as a service, it's a more of a Platform as a Service solution.
1:06:20So…and we also have some customers out there with Azure, right now, and we're going to be utilizing it, and do…
1:06:27…for our ArcGIS Online operations.
1:06:31And there's Software as a Service solutions - ArcGIS Online as a whole, Business Analyst Online, and ArcGIS Explorer.
1:06:41So how do I choose a cloud deployment model? Public, private, what's right?
1:06:47Primary driver behind this public-private thing is security, and the recognition is, organizations from the bin market up…
1:06:56…will really have a mix of these. It's not just going to be one way or another.
1:07:04So assessing your security needs for the cloud. Once again, some of these should be familiar…
1:07:09…because it's the same types of things you worried about, about your internal operations…
1:07:13…data sensitivity, do I have public domain information, sensitive information, classified.
1:07:19I have different types of users, public, internal. I need to categorize my security needs.
1:07:26Do I have basic, standard, or advanced needs?
1:07:29So, most public cloud implementations right now are considered a basic type of implementation…
1:07:35…where security is similar to social networking sites such as Facebook and others.
1:07:41Most GIS users have only basic security needs. There are some moderate implementations…
1:07:47…and I have not seen advanced implementations in public clouds yet.
1:07:54So some topics of concern, potentially, in going to the cloud? Data location.
1:08:00Our international customers are quite interested in how this is going to be addressed.
1:08:04So the idea is, if I choose to utilize a cloud provider, save my data.
1:08:09I don't know where it's really getting saved to. Is it getting saved…
1:08:12…if I'm in Europe, is it really getting saved somewhere in the United States?
1:08:15If it did get saved in the United States, all of a sudden it actually becomes available underneath the Patriot Act…
1:08:22…for our Department of Homeland Security or someone else to actually read that data.
1:08:27Microsoft just admitted to the European Union that that was even true for their Microsoft Azure environment…
1:08:35…creating some upset people. So some cloud providers right now don't provide assurance of location.
1:08:45So identity management. Not a simple item to take care of when you talk about large numbers of users.
1:08:52And we'll talk a little bit more about that in a bit.
1:08:55There's also a shared responsibility model. It's not…you don't have one throat to choke in this scenario…
1:09:01…because one of those throats is going to be your own, of what you expose into that cloud, and how you handle that information.
1:09:08So you can't completely delegate it to the cloud provider.
1:09:14So what are some best practices at a high level?
1:09:17So this is from CSO, and they put out guidance every once in a while…this is from the beginning of this year.
1:09:23This is a checklist of items. Software as a Service.
1:09:26First thing is the observation of one thing goes across all of those environments, at a high level, even…
1:09:33…and that's a protection of API keys. And what is that? It's equivalent to somewhat of a password for accessing the APIs…
1:09:42…of the providers. So you need to start thinking about how you're going to encrypt those…
1:09:47…potentially storing them in a hardware security management device.
1:09:51So right now, the practices behind those are fairly loose, and you'll see something about where that's become an issue.
1:09:59So you don't want to replicate your organization in the cloud. What do I mean by this?
1:10:03This comes back to the tens of thousands of users or thousands of users that you may have…
1:10:10…ideally you don't have to replicate all those users up in the cloud for people to access those systems.
1:10:16You might want to start thinking about a single sign-on, federated implementation…
1:10:21…so you start going into models that prevent you from having to establish domains and multiple clouds just to keep running.
1:10:31Platform as a Service solutions. You need to protect private information before sending it out into the cloud. So how do you do this?
1:10:39Well, this might be stripping out or obfuscating Social Security or credit card information before you store it out there.
1:10:47Who's responsible for a privacy leak? Is it the cloud provider or your organization?
1:10:54You won't be able to blame the cloud provider.
1:10:58So you do want to also maintain an audit trail of what users are doing in applications and which applications they're utilizing.
1:11:06This becomes difficult as organizations…
1:11:09And you also want accountability for the cloud provider saying, Hey, you used this much of our software.
1:11:16How do you know, and how do you really trust, that's how much of their solution you really utilized?
1:11:22This is where a cloud service broker, and that's one of the ideas they talk about in this article, comes in.
1:11:29So a cloud service broker can provide accountability for validating and audit records across multiple clouds…
1:11:38…and also validating how much usage is actually occurring.
1:11:42Last, but not least, on the infrastructure as a service side, you need to protect against rogue cloud usage.
1:11:48Users can spin up a bunch of AMIs, A-M-Is, in an organization and have a lot more additional cost to your organization.
1:11:58How do you start getting your head around that, especially as you get into not only just spinning up one cloud provider, but others?
1:12:04Once again, they point to a cloud broker to help facilitate with that.
1:12:11So Infrastructure as a Service. So how do I…What are some best practices at a high level for what I should roll out?
1:12:19I should really think about breaking up the tiers, at the same time I would for other security needs and other environments…
1:12:26…just like my internal operations. Also need to think more about protecting information in transit across the wire, via SSL…
1:12:33…protecting information at rest on the systems; encrypting information in the databases out there.
1:12:39Credential management. That's that API key concern I mentioned…
1:12:44…utilizing built-in operating system firewalls that are out there and the ArcGIS Server application security model.
1:12:52By default, we combine all the tiers, and you can scale it out with elastic load balancing.
1:12:58But what about the supporting infrastructure, and how do you protect it? You have all this remote desktop protocol access to systems.
1:13:05Do you want to expose all your systems via RDP? The answer's no. Ideally, you start thinking about a management instance…
1:13:12…a single system that people can hit with RDP, and then that can branch out into others.
1:13:19So Amazon provides secured facilities, logically secured EC2 instances, configurable firewall to control ingress…
1:13:26…that's a firewall that only controls one way…and standard ArcGIS Server security can be utilized…
1:13:33…multifactor authentication…but what about the users of EC2?
1:13:38So this is dated last month. The Amazon Web Services users are leaving security holes. How are they doing it?
1:13:46The same thing (funnily enough): the API keys that were a best-practices warning, like, four months earlier…
1:13:55…they're not doing. People are storing their keys in the Amazon Machine Images, posting those into the cloud, and basically…
1:14:02…anyone who downloads that AMI can get access to web services exposed from those.
1:14:09So Amazon's started trying to help validate and make sure that those are not there, but really this comes down to…
1:14:16…there's guidelines available, it's just that it's a new technology, and people are not used to needing to check for this type of thing.
1:14:24So what does Esri provide? Our AMI is currently not hardened beyond the Windows 2008 Server defaults.
1:14:30We are in the process of creating a security-hardened AMI, as it's called, Amazon Machine Image, as part of the federal GeoCloud initiative.
1:14:40If you want to hear more about that, or have a strong need for that, let me know.
1:14:46We provide basic online guidance, and Amazon does too, and for online hosting operations, we recently passed a…
1:14:54…what's called SAS 70 Type II.
1:14:58So in summary, 'cause we're getting close to time here, in designing an enterprise geosecurity strategy…
1:15:04…it's about identifying your particular security needs; we talked about assessing your environment, patterns…
1:15:10…understanding current security trends, how that affects you, things like Creepy and others; and understanding security options…
1:15:18…Enterprise Resource Center's available, with a variety of security mechanisms deploying across the operations…
1:15:23…also more application-specific solutions.
1:15:27There's also implementing security as a business enabler…
1:15:29…and I expressed how key that is as opposed to something that is hampering operations.
1:15:36Security's not just about a technology.
1:15:39It's about understanding your organization's GIS risk level and utilizing defense in depth.
1:15:45We have secure best practice guidance available in the Enterprise Resource Center; you can drill into mechanisms or applications.
1:15:52We have Professional Services GIS security assessment available to your organizations.
1:15:58So cloud computing for GIS has arrived, and security is definitely evolving quickly.
1:16:04So security in the cloud is a shared responsibility; remember, one of those throats to choke is your own.
1:16:10So in summary, ArcGIS Server…well, that's for Thursday, so that is gone, but you can look at that if you have an interest in…
1:16:20…how the token security model works, and a demonstration of that, go ahead and check out online that information.
1:16:27As I mentioned, we have an enterprise GIS security review out of our Professional Services Group, and I have a variety of resources.
Designing an Enterprise GIS Security Strategy
Michael Young discusses the principles, patterns, and mechanisms involved in creating an enterprise GIS security strategy.
- Recorded: Jul 15th, 2011
- Runtime: 1:16:35
- Views: 74201
- Published: Sep 21st, 2011