00:01Today's session on designing a secure enterprise GIS, we'll be talking about Esri's security strategy…
00:07…assessing your particular security needs…
00:10…various security trends out there that will affect potentially your design and applications and solutions.
00:17We'll talk about mechanisms that can be deployed across your enterprise, and then we'll also talk more about…
00:22…product-specific implementation options.
00:25And last, but not least, we'll get into a little bit about cloud computing security.
00:32So myself, I'm a senior enterprise security architect within Esri. I work for our Professional Services Division.
00:39I'm also a FISMA certification and accreditation application security officer.
00:45So, and to back that up a little bit, I'm a certified Information System Security Professional.
00:52So this is a question I commonly ask in a conference type of environment to see where people are at with their current feelings…
01:02…about their environments and their configurations. So, quick pop quiz question for you, Are you currently happy with your security…
01:10…in your organization? How many people here are good to go?
01:14Okay, we've got maybe one and a half. Okay.
01:17So in 2009, the Department of Energy National Lab came up with a security maxim list.
01:24So these are sayings that are true typically 80 to 90 percent of the time.
01:30They call it the So We're in Agreement maxim. What is that?
01:33If you're happy with your security, so are the bad guys. Now, another interesting aspect about that…
01:41I first brought this question up last year's User Conference.
01:43…is of course there's been some recent events with even the Department of Energy in the last year.
01:50The most recent one was within the last month.
01:53So that just says a little bit about the context of where we're at with security right now.
02:01What does a secure GIS mean to you? Is it, I need to enable the token security service?
02:10That is one aspect; that's one option. Is that everything in a solution? Does that provide you the right context?
02:16If somebody just comes to me and says, Just tell me how to secure an ArcGIS Server implementation; just tell me the answer…
02:24…there's not one particular answer for all organizations.
02:26There's a lot of permutations on the number of configurations, of choices in your environment…
02:32…be it Java, your database infrastructure, your directory services available.
02:37Do you have particular standards and certifications that you need to align with, or regulations out there?
02:43It's a bunch of alphabet soup, basically.
02:47There's also different consequences for different user interfaces.
02:50So let's take Adobe Flex. So Adobe Flex and PDFs, last year and still a little bit into this year…
02:59…were one of the number one areas to attempt to compromise an infrastructure and a solution.
03:07So they had click jacking and other various items.
03:11So that's why some organizations are somewhat more hesitant on particular browser plug-ins.
03:17So you want to account for those types of things in your solutions.
03:21There's also this idea of, how much security I want to utilize of, in this case, Esri products, built into our applications…
03:29…versus actually going out and purchasing separate third-party security software to do the same function…
03:35…except designed for a larger enterprise organization.
03:40Then there's a question of how much you put into processes, procedures, and governance.
03:46So the key thing here is, security is not just about implementing a single silver bullet. I don't have that individual answer for you.
03:54It's going to be unique to your organization.
04:00So if it's unique to your organization, well, I guess I can just say, I'm done, and that's good enough for today.
04:07No. So, identifying your particular security needs.
04:11So, I just opened up a Pandora's box, saying, Hey, so there's a whole bunch of permutations, and I don't have a specific answer.
04:16So how do I go about figuring out an answer?
04:19So you want to start with assessing your environment, incorporating and understanding the datasets that you have out there…
04:26…the systems involved. The sensitivity of these datasets and the systems that you've identified to store those.
04:33Categorization, we'll talk about that, and a little bit of best practice guidance through patterns.
04:41So you also need to understand the security options available to you out there.
04:45We've made some resources available in the Enterprise Resource Center…
04:48…we also provide guidance on these enterprise-wide security mechanisms and also more application-specific ones.
04:58It's also key to start understanding that security doesn't have to be…its primary function is to reduce access to information.
05:07It's not necessarily the case, especially in geospatial information.
05:11Most of our customers are about attempting to share relatively public information sets.
05:18So how does security fit into that, and why do I talk about security as a business enabler? I see many cases where…
05:26…there's organizations with geospatial datasets that have some that are sensitive, and they partition those off to the side.
05:35They're not connected to anything. So when somebody needs that information in a crisis, nobody can get to that information.
05:41It's not being made available to the right people, to the right resources at the right time.
05:50So to design an enterprise GIS security strategy, you need multiple people and roles in your organization involved.
05:58Ideally, you have an executive sponsor - somebody who's going to determine how much risk is acceptable to your organization.
06:05This is not your typical engineer who makes this decision.
06:10So what do I mean, determining risk? Well, security you could say, well, I just want everything.
06:16That's not even affordable by our government groups, to afford everything. So you have to make decisions…
06:22…what is acceptable or not.
06:25You have an information security group, ideally identified, that actually assesses the risks, and we'll talk a little bit about that…
06:33…defining some security requirements, that's fed into a design and build of security solutions by your IT team, and that…
06:41…goes into operations and maintenance.
06:46So Esri security strategy. There's two primary reinforcing trends.
06:50Our products, we have discrete products, we had discrete products and services, with third-party security, primarily.
06:58We didn't have security embedded into our products. Now we've moved more into a realm of an enterprise suite and solution…
07:06…where we do have some security embedded into our products. And you can utilize that.
07:11And it can be supplemented with third-party security products.
07:15On the IT side of things, we've moved from more isolated systems to more integrated systems.
07:22Be it the cloud, or between multiple organizations or multiple divisions in an organization, with discretionary access amongst them.
07:33So we create secure GIS products that incorporate security industry best practices, and we create…
07:40…trusted geospatial services across the globe for both individual users and entire organizations.
07:47Now we do provide some security guidance in the Enterprise Resource Center. I'll pull that up here.
07:54So this is the Enterprise Resource Center main home page.
07:58Now enterprise GIS is a function. I'm not the one who categorizes it as such, but that's where it is, and so in enterprise GIS…
08:07…you'll see there's three primary areas, architecture, security, and performance, and so security…
08:14Each one of these breaks out into a significant area, so it might not look initially like it has too much content…
08:20…but inside each one of these, so you can actually look at high-level strategy statements, mechanisms.
08:25You can drill in further into each one of these various areas, if you have compliance questions…
08:31…or questions about particular patterns we'll talk about today, there's some information in there.
08:35There's the mechanisms we're going to talk about that you can deploy across your enterprise…
08:40…and then also more product-specific options.
08:44It's also version managed, so as we have significant differences in security, let's say between 9.3, 10, and then 10.1…
08:53…you'll be able to select up top there a version specific to the version that you have in your organization.
09:06So we have some foundational security principles that we base our guidance and solutions on.
09:13So we have the CIA security triad, which is confidentiality, integrity, and availability.
09:20Many times, initially, a geospatial analyst will, if they've been told they need to secure their solution…
09:27…they're assuming that the primary reason was for confidentiality, that I need to hide information…
09:34…from other people in my organization, when I would say the majority of the time, for geospatial customers…
09:41…it's not as much about confidentiality, because the majority of our datasets are public.
09:47It's more about integrity. Why is integrity important?
09:51Let's take the case of, we have a lot of customers exposing datasets and services out to the public.
09:57Those can be compromised. Somebody could change those datasets, via…
10:03…let's take the use case of what's called an advanced, persistent threat nowadays.
10:08So an advanced, persistent threat means somebody's going in to access your solutions and collect information…
10:17…or do things in your environment without you knowing it, without your IT team knowing it…
10:22…and not giving indicators that they're making changes. So you can have information out there, your datasets…
10:28…that you're exposing to the public, and those can be wrong datasets all of a sudden.
10:32You could actually be misinforming public, users (so depending on who those are), with incorrect information.
10:40That may or may not be significant for your organization.
10:44Availability is also a key aspect too. So defense in depth, this is about adding layers of security into your enterprise.
10:54So layers of security. You have your data and assets at the core; you protect them with physical controls, let's say walls…
11:03…or your data center with biometric security to get access to your data center…
11:09…you have policy controls, so complexity of passwords and the length of those.
11:15I'm not going to stand here and tell you that you need to build a seven-foot wall or how complex your passwords should be.
11:21Those are very organization specific and not as much related directly to our product as the technical controls.
11:29So the technical controls is where we provide most of our guidance…
11:33…on authentication, authorization, filtering mechanisms, encryption, and logging.
11:39And we'll go into each one of those a little bit.
11:42So for our security patterns, they're based on…they're…they are best practice security guidance for our customers.
11:50And they leverage the National Institute of Standards and Technology guidelines…the 853 guidelines.
11:58And they're based on the amount of risk.
12:01Remember I talked about that executive sponsor determining the amount of risk for your organization…
12:06…that you determine that, and you can figure out roughly what types of things you need in your organization.
12:16So first you have to identify your particular security needs.
12:20And you've heard some of this before…assessing your environment, the datasets, systems, users, and the sensitivity of those.
12:27So how do I do this? How do I assess my solutions for security, or my environment?
12:34Ideally, you start by choosing a security standard.
12:37You don't just go out there and try to make your amalgamation of, you know, 20 of those standards on your own…
12:44…if you're just starting up. You might do that if you get more advanced.
12:48A starting point, usually choose some relatively common and most practiced guidelines.
12:55So the Consensus Audit Guidelines, now called the critical, the 20 Critical Security Controls…
13:02…are out of an organization called SANS, and they were put together by the State of New York and other states' became rolled in too…
13:11…also federal guidelines, and are used by some private industry, too.
13:16You also have ones…SCAP is an automation protocol for automating security validation…
13:24…NIST is a variety of hundreds of security control recommendations, FISMA is just the law…
13:32…and then you have a variety of others, be it ISO 27000, and others for international customers.
13:40So once you choose a particular standard to align to, you need to start figuring out, well…
13:47…what is considered a sensitive geospatial dataset in my organization?
13:52And it's somewhat of an open-ended question many times.
13:54But there's more and more documentation coming together.
13:59Actually, I ran into one of the people from the working group that put some of these guidelines together…
14:05…for best practices for sharing sensitive environmental geospatial data.
14:11These guidelines are fairly useful as a good start for many of our customers for when you do an assessment of your datasets…
14:18…hopefully you do…that you can start flagging ones that might be considered sensitive.
14:24So, legislation, you have a lot of Privacy Act concerns right now.
14:28You have…where the individual can be identified, either directly, by georeferenced information, or indirect, by amalgamation.
14:37And we'll talk about this security and amalgamation issue. It's quite difficult in the geospatial realm…
14:44…but it's actually becoming a lot more real this year; you'll see…I'll talk about some tools that are being used to facilitate that.
14:53Confidentiality, natural resource protection, cultural protection, safety, security are some other aspects.
15:02So we chose a standard, we've identified sensitive datasets, now we need to start thinking about how we're going to actually…
15:10…categorize our solution, as, you know, what type of amount of risk level we're willing to take.
15:17So there's a formal process provided by NIST…there's full documentation in their 800 series of documents…
15:23…this one, in particular, is called the 800-60.
15:28We also have a more informal process.
15:31First, the groups that are going to be doing the formal process are primarily our federal customers.
15:35They pretty much have to do it. Not everyone has to do that, and it's a lot of work, so we make this informal process available.
15:44So a basic pattern. What is it? So you have no sensitive data, and it's primarily public information that you're exposing out there.
15:54And all the architectural tiers can technically be rolled up into a single physical box; you don't have to split out the tiers necessarily…
16:02…of your environment for security needs.
16:06In the standard environment, there's more moderate consequences for data loss or integrity.
16:11And the architectural tiers, you want to start thinking about breaking these apart onto separate systems.
16:16And there's a potential need for federated services in the organization.
16:21And last, but not least, is advanced security needs. This is where you have significant sensitive datasets…
16:28…and all the components need to be redundant. Remember that availability aspect for security.
16:33You need to think a lot more about third-party enterprise security components for your organization.
16:41So what does a basic security solution, roughly, look like?
16:45And you might have seen representations somewhat like this before out of Esri.
16:52This is where you can utilize data and API downloads from public clouds.
16:57Public clouds, a lot of them, let's take ArcGIS Online, you don't have an SLA with them; if they go down…
17:03…well, yes, it's going to affect your infrastructure. Is it critical? At a basic level, you're saying…
17:10…no, it's not critical; it's down for a little bit. So you also want to secure your services with the ArcGIS token service, at this level.
17:19And you can…still want to separate your internal systems from Internet access with a DMZ.
17:26And a reverse proxy can be utilized to avoid DCOM across firewalls.
17:32Too much text here. So, standard security environment.
17:37The reality is, I'd love to make architectural representations of the standard and advanced…I just have not had a chance.
17:44Lot of components of each of these. You want to start thinking about things like a web application firewall…have dynamic tokens.
17:51Remember I talked about separating out the tiers. You not only do that for the hardware components…
17:56…but also the networking infrastructure. And how you starting grouping out systems into what's called virtual LANs or VLANs.
18:06Multifactor authentication might come into play. Smart cards or public key infrastructure.
18:11Sometimes for public sites, one mechanism that's being used for some organizations is a phone that you need…
18:20…to get a unique number. Your phone calls you, and you get a unique number; you need to enter that into your system.
18:30For more advanced security needs, this is where you have separate datasets for public employees, employee subsets…
18:38…you might be doing label security, as it's called, explicit labels…
18:43…you need to cluster your database infrastructure. You might be encrypting your actual databases…transparent data encryption.
18:50We'll talk a little bit about that.
18:52This is also where you might utilize IPsec between your back-end server environment.
18:59So for server-to-server communication, you want to ensure that somebody can't come in and sniff that traffic between those systems.
19:08By default, all our traffic is clear text between our system-to-system communication. So if you want to encrypt that…
19:14…IPsec might be a way to facilitate.
19:19So what are some of the security trends out there right now?
19:23And how do they affect you related to our solutions?
19:27Well, let's just look at 2011. This is only a couple of them. So we'll start with Citigroup - 360,000, and it wasn't just…
19:36…credit card accounts…that was actually 360,000 Citigroup accounts, which had both bank and credit card accounts.
19:45They have Sony. Over a hundred million accounts compromised.
19:51Couple months back, they had already spent $200 million on trying to recover, and I know they've spent a lot more than that since.
19:59RSA, one of the leading security companies out there, that creates what's called two-factor tokens…
20:06…so there are these little devices that give you a new number every once in a while.
20:11More secured environments use them, like, for example, the one right beneath it, Lockheed. What happened in that case?
20:19RSA got compromised. The hackers took that information and then, within a month or two, ended up hacking an organization…
20:27…like Lockheed to get to the real information they wanted.
20:32Then you have Department of Energy labs, via simple mechanisms, what's called spearfishing…
20:38…so going after important individuals in your organization who have a lot of access to sensitive datasets.
20:46They…it's not the Viagra type of e-mails they get…they get an e-mail that looks like it's about their Salesforce account…
20:56…or something very direct to that individual.
21:00They do a lot of reconnaissance and figure out what's appropriate…and we'll talk a little bit…
21:04…how some of these organizations are doing reconnaissance via geospatial means, too.
21:11So you have FBI, CIA, PBS; I still am interested why they attacked the Public Broadcasting System.
21:21Seems like [they] should give them a break.
21:23Then there's Electronic Arts, and others.
21:27So, interesting thing from security expert standpoint.
21:32So last week, SANS is a group that has…provides a lot of the training and guidance for security people out there.
21:41And they're saying the cost of a successful attack against targets of choice has fallen dangerously low. So what does this mean?
21:48This means, really, if a hacker wants to go after your organization, it's typically pretty easy to get in right now.
21:58So that's what they mean by targets of choice.
22:03So what's going on? Why is this happening? These hackers are not necessarily after just a little bit of fame.
22:10They're after more. They're after harming an organization. They're after gaining money; Citigroup.
22:18They're after retribution for something; the Sony case. Very interesting case, where you have somebody…
22:25…who hacked a PlayStation 3 station, tried to make it open.
22:31Sony decided to sue that individual, take him to court.
22:34Soon as it was wrapped up in court, Sony got magically hacked, and it happened for months after that.
22:45So in 2010, CSI does a survey every year (Computer Security Institute), and they've worked with the FBI…
22:53…and other organizations in tracking these trends.
22:57There's a continuing increase in what's called the phishing attacks with e-mail and in malware infections.
23:04Now, what are some of the responses and some of the options organizations are implementing to help offset this?
23:10Log management and dashboards. We'll talk a little bit about that. Why is that?
23:16Information security guys for the most part are in information overload. They have millions of log files…
23:23…there's no cross-correlation going on, and they're missing, and not discovering, that they're being hacked.
23:33So the security technologies utilized. [Of] course, top ones are antivirus, firewall, antispyware stuff…
23:41…and down at the bottom here is one that, unlike the others, is actually increasing in 2010 still.
23:47So, and it's been increasing a good chunk every year.
23:51And that's application firewalls. And we'll talk about the importance of those in your organization relative to our web software.
24:01So, how is cybersecurity evolving?
24:04There's a viewpoint of compliance. So a lot of organizations…I mentioned FISMA…
24:10…they create a lot of documents. Every once a year, once every three years, to prove that hey…
24:18…they provide a big huge stack of paperwork to say, you know, our environment's secure.
24:23But there's no real ongoing validation, and that's one of the changes, that they're saying…
24:28…Hey, let's get out of this mode of creating a large stack of paperwork.
24:31Let's move and evolve toward something where we take something where we know the most critical areas…
24:37…like the 20 Critical Security Controls, remember I mentioned CAG, Consensus Audit Guidelines, same thing…
24:45…that provide you the ability to have automated management of and monitoring of the top concerns in an organization.
24:56So location and privacy concerns. So more applications are utilizing current user location to deliver content…
25:05…geospatial information. So, in response to this, there's been bills proposed, and also the European Union…
25:13…has actually already passed some, concerning data privacy.
25:17So our users and people implementing new solutions need to be aware that they're going to need to start informing users more…
25:26…about what type of information's being collected, obtaining permission from consumers before sharing geolocation information.
25:34So I see a lot of cool applications right now that people post information about their site, that they're located for…
25:43…something occurred at this location. But now, it's going to be an interesting context.
25:48How do you get that permission for when that's shared out in a social site with other people?
25:57Geolocation aggregation; it's a very interesting one. Saw a great tool called Creepy. Came out this year.
26:05And what Creepy does is, it goes out and pinpoints the locations of targeted individuals.
26:12So if I was to take somebody's user name tag here, type their name in, it would go out to all the social networking sites…
26:20…look at any pictures you've ever posted, see if there's any geotagged location information in there…
26:26…and it would actually make you a nice little map that shows where that person's been over time.
26:33So you can understand where that person goes to lunch, where they work, where they live, where they go to vacation. It's creepy.
26:44Yeah. So the guy who wrote it said the reason he wrote it was not to stalk people…
26:51…he said it was to let…provide people an awareness that this could be done.
26:58Yes. So…you're aware.
27:03So, what is your response to all these different trends out there and what's happening?
27:07So, can cybersecurity accomplish what it needs to do purely on a technical basis?
27:13I need to turn on the token service, and I'm good to go for my solution.
27:17I don't need to know where the datasets are; I don't care about that; I just need to stick a firewall or something in front of my solution.
27:25Those are technical aspects, and they're not going to protect you when you get more into the cloud…
27:30…and have interdependent components in your organization.
27:34So cybersecurity is moving to a business process, where IT and security teams must now know where the data resides.
27:41[It's] sometimes difficult in the cloud right now.
27:44Where it moves to, and how to protect it during all that time.
27:49So this requires comprehensive data security practices for an organization, where security teams will become business process experts…
27:57…to keep the bad guys disarmed while keeping the good guys productive.
28:04So enough about trends and creepy things. Let's move on to some things you can do in your organization…
28:10…where you can apply some technologies across your enterprise.
28:18So authentication. Do I have Bob or Jane accessing my system?
28:24Authorization. Okay, Bob got in; he's allowed; he's been authorized; he's only allowed to have access to one map service.
28:34Bob wants to do something bad. Do you have something in your organization to stop those bad requests?
28:43If Bob wants to access datasets he really shouldn't have access to…they should be encrypted, potentially…
28:50…and then last, but not least, how do you know what Bob did to your systems over time, even if he got authorized…
28:56…and what if he decided to do something bad, if you don't have appropriate logging and auditing…
29:02…you won't know what was potentially compromised, and you won't be able to prove what he did.
29:10So, for authentication. We'll start at that. And the mechanisms developed with ArcGIS Server and our suite of products.
29:17For web services, we have HTTP, you know, for web services and web applications, up top.
29:25And then, in our internal environment, we have local connections, which primarily have a lot of DCOM currently in our product.
29:33We'll talk a little bit about how that changes with 10.1, also.
29:37So, a nice matrix, to make you go cross-eyed.
29:43The main aspect here…I don't expect you to write this down, frankly, right now…this presentation will be available online…
29:49…is that you have a lot of authentication options; by default, up top, none.
29:54These options also vary depending upon are you building just a web application, are you exposing web services…
30:01…or is it just local connections? So each option has different choices.
30:09So for authentication, you have…our product is a role-based solution.
30:15So you need to have storage of user accounts, users, and what types of roles they have in your organization.
30:22On the Java side of our product currently, it's stored in Apache Derby by default.
30:27You could point it to a SQL database or Oracle database.
30:32You could also utilize an LDAP, a directory service in your organization, or Microsoft Active Directory.
30:40On the .NET side, the default is called Windows Users and Groups.
30:45What does that mean? Actually that name creates a little bit of confusion in itself.
30:48It's really…you have a choice of utilizing domain account users and groups or a local server's user and groups. It's up to you.
31:02You also can point your solution to a SQL Server instance for the storage of users and roles.
31:09And last but not least, we have a custom provider option for other permutations.
31:17So, authorization. Now that we've done authentication, moving to authorization. Talked about its role-based access control…
31:25…you assign this within ArcGIS Manager, and you can provide service-level authorization…
31:30…across the web service interfaces, and the services are grouped in folders, utilizing inheritance.
31:38So how do I get more granular than just service-level security?
31:43What's service-level security? It's really equivalent to exposing a MXD or an MSD file.
31:52If I want to get more granular, I can…one option is to utilize relational database infrastructure…
31:58…going all the way down to what's called role-level security, or feature class level.
32:04Be aware that if you're implementing versioning with that, with role-level security, your performance will be horrendous.
32:12So we highly recommend not doing that.
32:15An alternative may be utilizing SDE views.
32:19We also have users that want to limit what the user sees in the graphical user interface, a GUI.
32:25So you have rich clients can utilize ArcObjects in web applications.
32:30We have a variety of sample code links in the Enterprise Resource Center (ERC).
32:35And there's also this AzMan tool, for authorization management.
32:42So for filtering mechanisms. Primarily third party. Esri's not doing the security filtering aspect in our solutions.
32:52So firewalls, reverse proxies, you've heard that, I'm sure, plenty. There's Microsoft's IIS.
32:58Starting in 7 they have a free reverse proxy.
33:02Web application firewall. Recommend having something like that in there. One open-source free solution is ModSecurity.
33:10You also want to have antivirus, of course; intrusion detection and prevention, ideally; and you can also limit applications' access…
33:17…to the geodatabase.
33:20So of this list of six items, would you say your organization…would anybody here say their organization implements all six?
33:31Okay, well, that's impressive. So that's good, that's even better than yesterday's session, 'cause nobody raised their hand…
33:38…although I think some people might not be clear on even the bottom bullet and what that entails, but I won't pick hairs…
33:46…but that's good to hear. How about at least three of these items?
33:51Raise your hand if you have at least three of these items in your organization.
33:56I would say that's a good call, to have at least three of those in your organization.
34:02So for filtering. What's a firewall-friendly scenario? That's been historically a concern with our products because of DCOM.
34:12Now in this case, we have a web application firewall in the DMZ.
34:16We also have a file geodatabase in the DMZ; it's not a SQL Server uncensored database server instance.
34:23We're utilizing one-way replication from the internal operations…
34:28…through the firewall via the geodata service replication over HTTP or HTTPS to a file geodatabase.
34:38Why do we do this? Multiple reasons. So one is, I'm not using SQL Server communication across a firewall.
34:46Two is, I can actually get better performance by not having end users on the web hitting my internal database infrastructure, and…
34:56…I can spin up a separate file geodatabase on every web server I add to the DMZ.
35:03And there's no additional licensing cost. And last but not least, from a security standpoint…
35:10…a very important aspect is that I'm not replicating my full database instance from this internal database to the file geodatabase.
35:18I'm only replicating information sets that I want publicly exposed.
35:24So my sensitive stuff remains on my internal database system, and only public-facing information gets pushed out into the DMZ.
35:36So why was there no reverse proxy in the DMZ in this picture?
35:41Well, so one thing we've noticed is that a reverse proxy many times for our customers becomes a one-off component…
35:48…with no management and minimal filtering of security issues going on.
35:54So what are some customers looking at more instead? Multifunction web service gateways…
36:01…which can store your SSL certificates. They can perform what's called SSL acceleration.
36:07So not having your web server perform SSL; you have this device perform it.
36:14And so you've lightened the load on your web server.
36:17The URL rewrite function. Reverse proxy types of functions can be done by it…
36:23…and it can also perform web application firewall functions.
36:28For encryption, you have a variety of third-party options. For your network, you have IPsec, commonly used…
36:35…for your VPN tunnels and connections; you can also use it, as I mentioned, from server-to-server communication.
36:42And SSL. It's very commonly used for protecting, you know, HTTPS for your login information for geospatial information, so…
36:52…you're not necessarily…you don't necessarily need to use HTTPS for your whole application…
36:56…your datasets are not that sensitive…but you at least want to encrypt that login session information.
37:02Or, if you have a token, you ideally want to protect that too.
37:06And then, when I mentioned internal systems communication, that's that scenario that I have, let's say…
37:14…ArcMap accessing my database system, and it's using what's called direct connect.
37:19That's where I go through the database client using SSL from my client to the database.
37:27For file-based encryption options, you have operating system, you have BitLocker, and there's also some customers…
37:33…enabling geospatially enabled PDFs combined with certificates.
37:37So they're basically creating a PDF, encrypting it, and then the only people who can access it must have a certificate.
37:46And the most…the fastest one is hardware-based encryption.
37:50This is where the hard drive itself can encrypt the information, and has less than a 5 percent performance hit.
38:00Last but not least, you can encrypt at the relational database level.
38:03I mentioned TDE, transparent data encryption. And one lower-cost solution…
38:08…for if you have multiple mobile users across remote, is where they have sensitive datasets out there…
38:17…you can use SQL Server Express with transparent data encryption; they have nice secure dataset…
38:24…and then they replicate that up to the public and their primary infrastructure.
38:31So for logging and auditing, what's available to you? You have geodatabase history…
38:38…you have the ArcGIS Workflow Manager extension, which…
38:40…you can track feature-based activities and export even GML, Geographic Markup Language, if you'd like.
38:49And last but not least is, built into ArcGIS Server 10, when you enable security, there's a new user tag that was not in 9.3.1…
38:57…that allows tracking of user requests, as shown in the little picture there.
39:04You also have a variety of third-party logs, so you have your web server logs, relational database, operating system, firewall…
39:11…not to mention all the network infrastructure components, too.
39:15So, remember what I mentioned about IT guys are into information overload with logs right now?
39:21So Verizon's…they do a data breach summary report every year.
39:26So 86 percent of the victims had evidence of their breach in their logs.
39:31Yet the majority, by far, their internal operations didn't find it.
39:36Some third-party external group notified them they had been hacked.
39:41So they have all of this information in their organization, right in front of them…
39:46…but it's so buried in so many things they don't know about it.
39:49So this is where a security information event manager solution might come into play, a SIEM.
39:57By the way, we're selling one now. No, just kidding. Yeah, that would be funny, huh?
40:03So product security options…what you can do with particular products and solutions from Esri.
40:09So I'll talk briefly about rich client security. In yesterday's session, you know, I did a brief query before we started up…
40:16…of you know, how many people were interested in which of these different product realms…
40:21…and only one person raised her hand for rich client security, so keep it brief.
40:26This is a client, typically, with the most access to sensitive data, however.
40:31And there's a variety of system connections. Direct connect to the relational database over SQL.
40:36You have application connect, which utilizes a proprietary protocol from Esri to SDE.
40:43You also have web service communication, which can be protected with integration with the token service or…
40:51…Windows native authentication.
40:54And lastly, there's ArcObjects development options, where you can record user-initiated GIS transactions…
41:01…and have fine-grained access control, so limiting what functions users can make use of in the end user interface.
41:09So that becomes more of a custom type of thing.
41:12So another thing to be aware of, even when you're using relatively simple rich clients, is, let's take…
41:18…ArcGIS Explorer and how it might be communicating to various systems in your organization.
41:24You might be mapping a drive, you might be making a universal naming convention connection.
41:29And more commonly, for your external users, you have web traffic occurring.
41:35So you need to account for each one of these different types of communication models in your organization.
41:41So let's move on to mobile phone security, a very interesting realm right now, because there's more platforms…
41:49…ArcPad, mobile, iPhone, Android, Windows Phone 7…and you have expanding functionality and storage options…
41:57…and a large, much larger user base. So what's this resulted in? It's led to increased hacker attention.
42:06So when was the last iPhone critical vulnerability? Oh, it was last Friday. You open up a PDF, you're hacked.
42:14So, anyhow, I can't cure that. It's just an awareness of where we're at with issues.
42:23You can't say, Oh, yeah, I have an iPad, and I'm just fine.
42:27When I say iPhone, that's just as applicable to the iPad, by the way.
42:32So what can you do in what you think about for your mobile solutions?
42:37Well, you have your SDE permissions. That's a whole…that's your database, SDE and so forth.
42:42You have server authentication options. Those are the ones we talked about earlier, with a large number of permutations.
42:49And service authorizations; so, which services somebody's allowed to access…
42:53…the types of communication going on between the mobile device and the server…
42:58…might be over VPN or something otherwise, and we'll talk a little bit more about that.
43:03The actual device itself…which devices are allowed to access it? You can limit that.
43:08And there's something to identify each one of those.
43:11You also have different storage options, and you can provide either project or data access permissions on that phone.
43:19So what are some of the more technical aspects of that?
43:23So that communication between the server and the mobile client, what's commonly done?
43:30Utilize HTTPS or a VPN tunnel. VPN tunnels are sort of interesting right now because not all mobile phones have VPN clients.
43:42So you can use a cell VPN, potentially, for some; just be aware it can't necessarily be used with all applications.
43:51So right now the mobile field and security is relatively immature, especially on particular phone devices.
44:01Some phone devices, like the Windows Phone 7, is actually labeled by Microsoft a consumer device.
44:09It's not currently considered an enterprise device.
44:13So you also have web service authentication and authorization options.
44:19You can do Windows authentication or a token service…
44:23…or you could filter by the operating system, the IP address utilized, or a unique device identifier.
44:29Unique device identifier seems like, Hey, that would be the one I could really lock down.
44:34Unfortunately, of course, that was the first thing that was hacked on an iPad.
44:38But…So make sure you just don't limit yourself to checking for one thing.
44:43So you can also potentially encrypt your data at rest. So the older Windows Phone devices, pre-7…
44:50…allowed for utilizing Windows Mobile CryptoAPI.
44:54You could utilize a Secure Digital card, or you could utilize third-party tools for encrypting the entire storage system.
45:03Windows Phone 7, [I] started to rag on Microsoft on this particular device, just want you guys to have an awareness, is that…
45:10…you can't encrypt information on that device yet. It's a consumer device. You will be able to in the future.
45:17So what do you do for the deficiencies in the devices currently out there?
45:23You ideally implement a mobile device management solution, if you're going for a full enterprise rollout.
45:31One such solution is called Good Technology. I remember the first time I heard them, I was like…
45:38…somebody asked, So, do you guys support Good Technology? And I'm like, I think it's spectacular technology, but, you know…
45:46…but yes, so Good Technology is an interesting company. There's also one other one that we've…
45:52…is currently actively working with our federal customers in solutions that work with the cloud.
45:58I don't know their name offhand, but if you ask me I will follow up on that for you.
46:04So for ArcGIS Server security. One question I like to ask early on…
46:10…Is communication across the wire secure by default for ArcGIS Server?
46:15Who thinks it is? Dang, I can't catch anyone first thing in the morning…come on.
46:20Okay, no, it's not. That's good that you know that. That's good that that message is getting out there right now.
46:26If that option is not acceptable to your organization, and you want to see more of a secure by default model from Esri…
46:35…we need to hear a lot more communication on that.
46:38Right now, and this goes back to what's the most common best practice and basic pattern for our customers…
46:46…and that is relatively public information, and about information dissemination…
46:50…and not about a secure by default model.
46:55So if that's to change, it's going to have to come from the customers to let us know that.
47:01So communication to ArcGIS Server…to all clients is clear text by default.
47:06You can secure the web communication SSL certificates…
47:10…or that internal communication to your organization with IPsec.
47:15So another question that sometimes gets tangled up here is…
47:20…Is a reverse proxy required to create a public-facing, secure web solution with ArcGIS Server?
47:28Who thinks a reverse proxy is required to do that?
47:32Man, nobody's going to raise their hand! Come on!
47:37So that's good. So some customers implement…
47:41…let's first step with…and understand why a reverse proxy's being recommended for these environments.
47:48Was it first and foremost to improve security in an organization? No.
47:52It was first and foremost recommended to eliminate DCOM traffic across firewalls.
47:59So, basically, you come into the DMZ, it's a reverse proxy…
48:02…it's able to get through the firewall to your internal systems without DCOM.
48:09So, however, if you want to significantly and potentially improve your security posture more…
48:15…you'll want to start thinking about something like a web application firewall.
48:20So is there security hardening guidance from Esri available?
48:24Who thinks there is? OK, well, I guess I got most people on that one.
48:30So there is actually some guidance available. We have it in the Enterprise Resource Center…
48:36….there's an area called the Implementation Gallery in the Enterprise Resource Center.
48:42And so this information is currently for 9.3.1, Windows 2003.
48:50I am definitely overdue on getting it up-to-date for, you know, Windows 2008 and ArcGIS 10…
48:59…and we'll have that done, I'm hoping, in the next couple months here.
49:04So if you want to see that, let me know, and that will just raise the priority of when I get that to you guys.
49:10So this is a setup question of ArcGIS Server, how I configure it once I've enabled security.
49:17So should I assign the Everyone group, in the root, to ArcGIS Manager?
49:22I see one person, two people shaking their head no, two people say yes, I should, so…
49:29This is interesting, because it goes back to the security posture and usability of our customers and what they expect…
49:36…and what they need. So if you do this, everyone will have access to your services by default.
49:43It's actually terrible from a security perspective, but spectacular from a usability perspective.
49:51So it's okay for basic security environments.
49:55So if you're at that level, you could potentially do that, if you have those types of needs.
50:00I definitely don't recommend it for any higher-level security native standard or advanced…
50:05…where you should start thinking more about deny by default, for use in higher-risk environments.
50:13So can I provide security more granular than the service level with ArcGIS Server? Yes or no? Or are your arms just tired at this point?
50:26There are some people who raised their hands.
50:28Yes, you can. There's a variety of mechanisms. One is SDE views, which I mentioned a little bit before.
50:34You can also supplement with third-party software. So con terra makes a solution called securityManager.
50:42It's a filtering mechanism for web services. And you can get feature-based security and some other aspects and options.
50:51Did you have a question back there?
50:53[Inaudible audience question]
50:57We'll get into the details of that one later. 'Cause it's actually not the easiest thing to do, right?
51:02So I think that's a good offline question. I'm going to be pressured to make sure everybody has enough time…
51:09…so I get questions in at the end here. But I'll follow up with you on that.
51:13There's also an integrated security model, which might be an easier way, depending on how granular you want to get.
51:21So, integrated security model - What is it?
51:24This is the idea of flowing your user context from the web application to the application server down to the database.
51:34So when John logs in into the web application, that same user is hitting the database in the end.
51:40Why is this good? Couple aspects. One is logging, accountability of user actions. John's actions are now logged…
51:48…all the way through down to the database tier. Another aspect is, you can provide granularity to the…
51:54…and provide row-level security. This is a database-driven security model.
52:00So what's the status of this? And going on with our customers right now, we collected customer scenarios, and we started with…
52:09…doing some performance validation tests with what I would call simple, layer-level security, as opposed to service level.
52:16And…but basically you set the security in the database, and it's real easy, at the table level.
52:22And that gives me equivalent, for some of our customer scenarios, layer-level security.
52:27You get a performance consequence for this; 10 to 20 percent hit for that.
52:32Now we are going to also do some validation of more complex scenarios, too.
52:38We have some basic documentation of this, online, for the Java ArcGIS Server solution, if you just query in there, integrated security.
52:49So what did this initial configuration look like?
52:52We had an IIS web server, we had an application server with Java ArcGIS 10, an LDAP Derby engine instance…
52:59…which is the default with ArcGIS Server for our users and groups, and an Oracle database instance.
53:05Right now, it makes use of what's called Oracle user proxy sessions.
53:11And so these are proxy users, and we made use of table-level access, which I said…
53:18…in many scenarios is equivalent to layer security.
53:23So one interesting aspect about this, is that this not only affects potentially your web browser clients…
53:33…but also consumption, let's say, in ArcCatalog.
53:35So in this case, I've logged in as an administrator, and I have access to both the red and green features.
53:42I simply log in as a different user to that same service. Now I only have access to the green features.
53:50Of course, in a roads network, it's sort of interesting, and that's a paradox comment…
53:55…is that I can fill in with my mind, missing road segments.
53:59One of the interesting aspects of geospatial information is our mind can visually sometimes pick up cues…
54:06…on missing components. So you could actually be giving away more information by hiding information in this case.
54:14That…somebody who gets access to this would go…
54:17…Well, geez, something significant must be occurring where this little blank is between that road segment and that road segment.
54:28We don't have an answer for that right offhand.
54:31That comes down to thinking about and organizing how you disseminate information. That's not a technology issue.
54:38So security model. So for web services and other components. On ArcGIS Server we expose REST APIs, SOAP APIs…
54:46…and it can be protected with a token service, which goes against users and roles, that can be stored wherever you want…
54:55…connected to a server object manager, what's called server object containers, in the background.
55:01You also have your internal connections and your external web connections.
55:06So for Windows devices, these can be managed by the operating system of the server object manager.
55:13On the Solaris and Linux platforms, users are managed, ArcGIS Manager, and really it's a relatively simplistic amount of access…
55:22…that you have available; it's either none, read, or full. So AGS users have read, AGS admin have full, others have no access.
55:34So what about the datasets, and what type of access and permissions need to be provided?
55:39So the SOC account needs read or write permission to a particular folder where a dataset's stored, and for a database, geodatabase…
55:49…I'd need read or write permissions for the SOC account to those (server object container).
55:56So we also expose a variety of what I classify as management user interfaces.
56:01And whenever I think about a management user interface, and that's why I've grouped these together…
56:08…it's something I think about as, should be useful for internal operations…
56:12…but not necessarily something you want to expose for external operations.
56:17So the services directory, it's available part of ArcGIS Server installation, turned on by default…
56:22…you don't want to typically expose this, for standard security needs, to the public.
56:28Why don't you? You're increasing your attack surface significantly by exposing that particular service.
56:36So the REST API admin. This also manages access to the ArcGIS directory services right above…
56:44…and you can simply disable it in there if you choose to.
56:48Maintains a REST cache, requires membership in the AGS admin group…
56:53…and once again, we recommend to configure this for no public access.
56:58Great for your internal operations; don't expose it. I don't see a need to ever expose that out to the public…
57:05…unless you want to give a hacker attempt to just go to your user login account…
57:10…and keep on trying over and over again different accounts until they finally get in.
57:15Same for ArcGIS Manager. You should not be exposing this to the public, only internal users.
57:23So enough about, you know, the management interface. What are the different types of security aspects and levels can I secure to?
57:31I talked about local security with AGS admin, AGS users.
57:38Services capabilities. So I compose a web service or a mapping service operation, as a variety of what are called capabilities inside those.
57:46Different capabilities expose different types of, well, a larger attack surface, more functionality.
57:54So it's up to you to expose which ones you choose.
57:59And then you have web security. So something that controls access of your HTTP or HTTPS traffic to ArcGIS Server…
58:07…for both Internet and intranet access. And that gets us into this token security model that you may have heard about before.
58:19So to implement web access control, ideally, implement a SSL…you want to have HTTPS utilized for this information.
58:28You need to choose a user role store; I've talked about Active Directory, LDAP, and others.
58:33Or, you can store in a database. Need to assign the users to roles as necessary. If you already have an infrastructure…
58:39…all the roles are assigned, hey, that part of your job's done.
58:43Then you need to, in ArcGIS Manager, assign the roles to the various services or sets of services, and folders that they have access to.
58:52And last, but not least, enable the security function in ArcGIS Server. So that's pretty high level.
58:58So, what is a token? Nice little set of gobbledygook. Why do you need it? Why would I need to send something like that around?
59:09Services don't have a user interface for somebody to go in and type in, I'm John, with this password.
59:16We're sending…the services are being sent back, gobbledygook, to have access instead.
59:23So how's it work? ArcGIS Server has this token service, and where can you get a token?
59:28From that same token service. There's an interface for that.
59:33So how are tokens most commonly utilized with our products right now? You can embed that token into the client application.
59:45Who thinks that's a recommended security model?
59:47I see a thumbs-down. That's good.
59:52It's very easy to implement, a very common implementation.
59:57You know, it…if your security posture doesn't…is extremely low risk, then, and you're not really looking at improving…
1:00:07…having a strong security posture, you might want to do it, but other than that, I would try to avoid it.
1:00:13So you can also bind the token in a proxy page, and this proxy page actually stores the token on the ArcGIS Server instance.
1:00:20The token never gets to the client.
1:00:24So…that's a key aspect, by the way. Any information sent to the client, even if you try to obfuscate it and hide it some way…
1:00:34…in the end, they're going to be able to view that information.
1:00:38So last, but not least, is the ability to write full login access to the service token…the token service…
1:00:46…and that's being done with our particular desktop products and others.
1:00:50So in version 10, what are some of the changes and enhancements that have occurred?
1:00:55In the ArcGIS Server Manager application, you have searchable users and roles…
1:00:59…and you also have application-level user logging, activity logging.
1:01:05So I showed you a little bit of that with Fred, who was tagged on an instance.
1:01:09On the database side, we now have the integrated security model, passing the user context all the way down to the database.
1:01:16We also have made some significant web service interface security improvements.
1:01:21So the more recent the service pack, even with 10, the better. Ideally you should be running 10 SP2 at this point.
1:01:29So what lies ahead with 10.1. So, goodbye to DCOM. Wow.
1:01:35That's actually been something a lot of our customers have been waiting for, for a while. There we go, yeah. Yay!
1:01:41Anyways, so, now you can actually focus on security some, when you get that component out of the way.
1:01:48So we've also added a publisher role.
1:01:52So one of the things you had in ArcGIS Server is you had a user, who couldn't make a service available, and…
1:01:57…you had an administrator, who was a person who could expose a service.
1:02:01Really you have a large number of users in your organizations you want to allow to publish a service, but…
1:02:06…you definitely don't want to have as an administrator. So that's a new role that's available to your organization.
1:02:12We're also providing administrative API access. So you can now get into automating and scripting…
1:02:20…requesting information out of ArcGIS Server on its status and statistics, and actually…
1:02:27…automate building of information in ArcGIS Server.
1:02:31So that'll be an interesting new option too.
1:02:36So moving on into geospatial cloud computing and security for it.
1:02:42So is cloud computing safe? Can I get a raise of hands? Nobody? Come on, somebody's got to say it's OK. Or, who knows, right?
1:02:53The answer is almost who knows, but we'll try to put a little bit more context around it, I think, than who knows.
1:02:58I would say it's close to, It depends on many aspects.
1:03:03So, security benefits of the cloud. There are some.
1:03:06Virtualization. I can stamp out images of a whole bunch of systems that are identical.
1:03:12Now, if they're not hardened in the first place and the security of that initial image is terrible…
1:03:17…well, guess what, all your systems are terrible, but if you get that right, on those initial systems, you can actually create…
1:03:23…identical systems that are quite secure.
1:03:27You need…you also have broad network access available, potential economies of scale, and self-servicing technologies available…
1:03:35…all potentially helping out and providing security benefits.
1:03:39There's a variety of risks associated. I guess ideally I would make each list the same length, you know, to be fair, but…
1:03:45So, what are some of the risks involved?
1:03:48Right now, there's vendor practice dependence. You don't necessarily know everything going on in these environments.
1:03:55There's no agreed-upon cloud security standard for these organizations right now…
1:04:00…and how they're ensuring the security of the environments.
1:04:04There's also a fair amount of vendor lock-in. Each cloud provider and their solution, infrastructure, Platform as a Service or…
1:04:11…Software as a Service…they're all, primarily right now, creating proprietary APIs and interfaces for exposing that information.
1:04:22Now, there are efforts to start standardizing those more, and you'll see some of those; you'll want to look for those.
1:04:30Also, sharing resources, multitenancy issues.
1:04:33So, you're storing information on the same systems and writing to the same drive, and potentially in the same drive location…
1:04:39…as somebody wrote something just two days ago. How is it ensured that that location, written to that particular drive…
1:04:47…actually got cleaned up? It's what's called a data remanence issue. So you want to ask a cloud provider an interesting question…
1:04:54…say, How are you resolving all of your data remanence issues?
1:04:59So deployment model threat and exposure levels.
1:05:02So the amount of threat exposure to your organization varies, depending on what's called a deployment.
1:05:07So you could have private, which has the least amount of exposure of information…
1:05:12…community and more, and highest, public. And we'll talk a little bit about each one of those.
1:05:19So cloud platforms utilized by Esri. So we have the systems administrator types of access to systems…
1:05:28…it's the Infrastructure as a Service solution; we have ArcGIS Server on Amazon EC2; we utilize Terremark cloud…
1:05:35…for some of our customers, now Verizon, bought out by Verizon; and a variety of private cloud implementations.
1:05:43One that is a fairly decent realization of a private cloud solution, to help facilitate that, VCE.
1:05:52I don't know if some of you heard about them at this conference, but it's a virtual cloud environment solution…
1:05:58…comes with hardware, software, allows you to get a rack of, basically, setting up a private cloud in your organization.
1:06:05Made by some very large vendors. Yes?
1:06:07[Inaudible audience question] Azure? Yes, I'm…there you go, developer access.
1:06:13So Azure is not an infrastructure as a service, it's a more of a Platform as a Service solution.
1:06:20So…and we also have some customers out there with Azure, right now, and we're going to be utilizing it, and do…
1:06:27…for our ArcGIS Online operations.
1:06:31And there's Software as a Service solutions - ArcGIS Online as a whole, Business Analyst Online, and ArcGIS Explorer.
1:06:41So how do I choose a cloud deployment model? Public, private, what's right?
1:06:47Primary driver behind this public-private thing is security, and the recognition is, organizations from the bin market up…
1:06:56…will really have a mix of these. It's not just going to be one way or another.
1:07:04So assessing your security needs for the cloud. Once again, some of these should be familiar…
1:07:09…because it's the same types of things you worried about, about your internal operations…
1:07:13…data sensitivity, do I have public domain information, sensitive information, classified.
1:07:19I have different types of users, public, internal. I need to categorize my security needs.
1:07:26Do I have basic, standard, or advanced needs?
1:07:29So, most public cloud implementations right now are considered a basic type of implementation…
1:07:35…where security is similar to social networking sites such as Facebook and others.
1:07:41Most GIS users have only basic security needs. There are some moderate implementations…
1:07:47…and I have not seen advanced implementations in public clouds yet.
1:07:54So some topics of concern, potentially, in going to the cloud? Data location.
1:08:00Our international customers are quite interested in how this is going to be addressed.
1:08:04So the idea is, if I choose to utilize a cloud provider, save my data.
1:08:09I don't know where it's really getting saved to. Is it getting saved…
1:08:12…if I'm in Europe, is it really getting saved somewhere in the United States?
1:08:15If it did get saved in the United States, all of a sudden it actually becomes available underneath the Patriot Act…
1:08:22…for our Department of Homeland Security or someone else to actually read that data.
1:08:27Microsoft just admitted to the European Union that that was even true for their Microsoft Azure environment…
1:08:35…creating some upset people. So some cloud providers right now don't provide assurance of location.
1:08:45So identity management. Not a simple item to take care of when you talk about large numbers of users.
1:08:52And we'll talk a little bit more about that in a bit.
1:08:55There's also a shared responsibility model. It's not…you don't have one throat to choke in this scenario…
1:09:01…because one of those throats is going to be your own, of what you expose into that cloud, and how you handle that information.
1:09:08So you can't completely delegate it to the cloud provider.
1:09:14So what are some best practices at a high level?
1:09:17So this is from CSO, and they put out guidance every once in a while…this is from the beginning of this year.
1:09:23This is a checklist of items. Software as a Service.
1:09:26First thing is the observation of one thing goes across all of those environments, at a high level, even…
1:09:33…and that's a protection of API keys. And what is that? It's equivalent to somewhat of a password for accessing the APIs…
1:09:42…of the providers. So you need to start thinking about how you're going to encrypt those…
1:09:47…potentially storing them in a hardware security management device.
1:09:51So right now, the practices behind those are fairly loose, and you'll see something about where that's become an issue.
1:09:59So you don't want to replicate your organization in the cloud. What do I mean by this?
1:10:03This comes back to the tens of thousands of users or thousands of users that you may have…
1:10:10…ideally you don't have to replicate all those users up in the cloud for people to access those systems.
1:10:16You might want to start thinking about a single sign-on, federated implementation…
1:10:21…so you start going into models that prevent you from having to establish domains and multiple clouds just to keep running.
1:10:31Platform as a Service solutions. You need to protect private information before sending it out into the cloud. So how do you do this?
1:10:39Well, this might be stripping out or obfuscating Social Security or credit card information before you store it out there.
1:10:47Who's responsible for a privacy leak? Is it the cloud provider or your organization?
1:10:54You won't be able to blame the cloud provider.
1:10:58So you do want to also maintain an audit trail of what users are doing in applications and which applications they're utilizing.
1:11:06This becomes difficult as organizations…
1:11:09And you also want accountability for the cloud provider saying, Hey, you used this much of our software.
1:11:16How do you know, and how do you really trust, that's how much of their solution you really utilized?
1:11:22This is where a cloud service broker, and that's one of the ideas they talk about in this article, comes in.
1:11:29So a cloud service broker can provide accountability for validating and audit records across multiple clouds…
1:11:38…and also validating how much usage is actually occurring.
1:11:42Last, but not least, on the infrastructure as a service side, you need to protect against rogue cloud usage.
1:11:48Users can spin up a bunch of AMIs, A-M-Is, in an organization and have a lot more additional cost to your organization.
1:11:58How do you start getting your head around that, especially as you get into not only just spinning up one cloud provider, but others?
1:12:04Once again, they point to a cloud broker to help facilitate with that.
1:12:11So Infrastructure as a Service. So how do I…What are some best practices at a high level for what I should roll out?
1:12:19I should really think about breaking up the tiers, at the same time I would for other security needs and other environments…
1:12:26…just like my internal operations. Also need to think more about protecting information in transit across the wire, as a cell…
1:12:33…protecting information at rest on the systems; encrypting information in the databases out there.
1:12:39Credential management. That's that API key concern I mentioned…
1:12:44…utilizing built-in operating system firewalls that are out there and the ArcGIS Server application security model.
1:12:52By default, we combine all the tiers, and you can scale it out with elastic load balancing.
1:12:58But what about the supporting infrastructure, and how do you protect it? You have all this remote desktop protocol access to systems.
1:13:05Do you want to expose all your systems via RDP? The answer's no. Ideally, you start thinking about a management instance…
1:13:12…a single system that people can hit with RDP, and then that can branch out into others.
1:13:19So Amazon provides secured facilities, logically secured EC2 instances, configurable firewall to control ingress…
1:13:26…that's a firewall that only controls one way…and standard ArcGIS Server security can be utilized…
1:13:33…multifactor authentication…but what about the users of EC2?
1:13:38So this is dated last month. The Amazon Web Services users are leaving security holes. How are they doing it?
1:13:46The same thing (that's funny enough), that API keys that was a best practices warning like, four months earlier…
1:13:55…they're not doing. People are storing their keys in the Amazon Machine Images, posting those into the cloud, and basically…
1:14:02…anyone who downloads that AMI can get access to web services exposed from those.
1:14:09So Amazon's started trying to help validate and make sure that those are not there, but really this comes down to…
1:14:16…there's guidelines available, it's just that it's a new technology, and people are not used to needing to check for this type of thing.
1:14:24So what does Esri provide? Our AMI's currently not hardened beyond the Windows 2008 Server defaults.
1:14:30We are in the process of creating a security-hardened AMI, it's called, Amazon Machine Image, part of the federal GeoCloud initiative.
1:14:40If you want to hear more about that, or have a strong need for that, let me know.
1:14:46We provide basic online guidance, and Amazon does too, and for online hosting operations, we recently passed a…
1:14:54…what's called SAS 70 Type II.
1:14:58So in summary, 'cause we're getting close to time here, in designing an enterprise geosecurity strategy…
1:15:04…it's about identifying your particular security needs; we talked about assessing your environment, patterns…
1:15:10…understanding current security trends, how that affects you, things like Creepy and others; and understanding security options…
1:15:18…Enterprise Resource Center's available, with a variety of security mechanisms deploying across the operations…
1:15:23…also more application-specific solutions.
1:15:27There's also implementing security as a business enabler…
1:15:29…and I expressed how key that is as opposed to something that is hampering operations.
1:15:36Security's not just about a technology.
1:15:39It's about understanding your organization's GIS risk level and utilizing defense in depth.
1:15:45We have secure best practice guidance available in the Enterprise Resource Center; you can drill into mechanisms or applications.
1:15:52We have Professional Services GIS security assessment available to your organizations.
1:15:58So cloud computing for GIS has arrived, and security is definitely evolving quickly.
1:16:04So security in the cloud is a shared responsibility; remember, one of those throats to choke is your own.
1:16:10So in summary, ArcGIS Server…well, that's for Thursday, so that is gone, but you can look at that if you have an interest in…
1:16:20…how the token security model works, and a demonstration of that, go ahead and check out online that information.
1:16:27As I mentioned, we have an enterprise GIS security review out of our Professional Services Group, and I have a variety of resources.