Designing an Enterprise GIS Security Strategy

Michael Young discusses the principles, patterns, and mechanisms involved in creating an enterprise GIS security strategy.

Jul 15th, 2011

00:01Today's session on designing a secure enterprise GIS, we'll be talking about Esri's security strategy…

00:07…assessing your particular security needs…

00:10…various security trends out there that will affect potentially your design and applications and solutions.

00:17We'll talk about mechanisms that can be deployed across your enterprise, and then we'll also talk more about…

00:22…product-specific implementation options.

00:25And last, but not least, we'll get into a little bit about cloud computing security.

00:32So myself, I'm a senior enterprise security architect within Esri. I work for our Professional Services Division.

00:39I'm also a FISMA certification and accreditation application security officer.

00:45So, and to back that up a little bit, I'm a certified Information System Security Professional.

00:52So this is a question I commonly ask in a conference type of environment to see where people are at with their current feelings…

01:02…about their environments and their configurations. So, quick pop quiz question for you: Are you currently happy with your security…

01:10…in your organization? How many people here are good to go?

01:14Okay, we've got maybe one and a half. Okay.

01:17So in 2009, the Department of Energy National Lab came up with a security maxim list.

01:24So these are sayings that are true typically 80 to 90 percent of the time.

01:30They call it the So We're in Agreement maxim. What is that?

01:33If you're happy with your security, so are the bad guys. Now, another interesting aspect about that…

01:41I first brought this question up at last year's User Conference.

01:43…is of course there's been some recent events with even the Department of Energy in the last year.

01:50The most recent one was within the last month.

01:53So that just says a little bit about the context of where we're at with security right now.

02:01What does a secure GIS mean to you? Is it, I need to enable the token security service?

02:10That is one aspect; that's one option. Is that everything in a solution? Does that provide you the right context?

02:16If somebody just comes to me and says, Just tell me how to secure an ArcGIS Server implementation; just tell me the answer…

02:24…there's not one particular answer for all organizations.

02:26There's a lot of permutations on the number of configurations, of choices in your environment…

02:32…be it Java, your database infrastructure, your directory services available.

02:37Do you have particular standards and certifications that you need to align with, or regulations out there?

02:43It's a bunch of alphabet soup, basically.

02:47There's also different consequences for different user interfaces.

02:50So let's take Adobe Flex. So Adobe Flex and PDFs, last year and still a little bit into this year…

02:59…were one of the number one areas to attempt to compromise an infrastructure and a solution.

03:07So they had clickjacking and other various items.

03:11So that's why some organizations are somewhat more hesitant on particular browser plug-ins.

03:17So you want to account for those types of things in your solutions.

03:21There's also this idea of, how much security I want to utilize of, in this case, Esri products, built into our applications…

03:29…versus actually going out and purchasing separate third-party security software to do the same function…

03:35…except designed for a larger enterprise organization.

03:40Then there's a question of how much you put into processes, procedures, and governance.

03:46So the key thing here is, security is not just about implementing a single silver bullet. I don't have that individual answer for you.

03:54It's going to be unique to your organization.

04:00So if it's unique to your organization, well, I guess I can just say, I'm done, and that's good enough for today.

04:07No. So, identifying your particular security needs.

04:11So, I just opened up a Pandora's box, saying, Hey, so there's a whole bunch of permutations, and I don't have a specific answer.

04:16So how do I go about figuring out an answer?

04:19So you want to start with assessing your environment, incorporating and understanding the datasets that you have out there…

04:26…the systems involved. The sensitivity of these datasets and the systems that you've identified to store those.

04:33Categorization, we'll talk about that, and a little bit of best practice guidance through patterns.

04:41So you also need to understand the security options available to you out there.

04:45We've made some resources available in the Enterprise Resource Center…

04:48…we also provide guidance on these enterprise-wide security mechanisms and also more application-specific ones.

04:58It's also key to start understanding that security doesn't have to be…its primary function is to reduce access to information.

05:07It's not necessarily the case, especially in geospatial information.

05:11Most of our customers are about attempting to share relatively public information sets.

05:18So how does security fit into that, and why do I talk about security as a business enabler? I see many cases where…

05:26…there's organizations with geospatial datasets that have some that are sensitive, and they partition those off to the side.

05:35They're not connected to anything. So when somebody needs that information in a crisis, nobody can get to that information.

05:41It's not being made available to the right people, to the right resources at the right time.

05:50So to design an enterprise GIS security strategy, you need multiple people and roles in your organization involved.

05:58Ideally, you have an executive sponsor - somebody who's going to determine how much risk is acceptable to your organization.

06:05This is not your typical engineer who makes this decision.

06:10So what do I mean, determining risk? Well, security you could say, well, I just want everything.

06:16That's not even affordable by our government groups, to afford everything. So you have to make decisions…

06:22…what is acceptable or not.

06:25You have an information security group, ideally identified, that actually assesses the risks, and we'll talk a little bit about that…

06:33…defining some security requirements, that's fed into a design and build of security solutions by your IT team, and that…

06:41…goes into operations and maintenance.

06:46So Esri security strategy. There's two primary reinforcing trends.

06:50Our products, we have discrete products, we had discrete products and services, with third-party security, primarily.

06:58We didn't have security embedded into our products. Now we've moved more into a realm of an enterprise suite and solution…

07:06…where we do have some security embedded into our products. And you can utilize that.

07:11And it can be supplemented with third-party security products.

07:15On the IT side of things, we've moved from more isolated systems to more integrated systems.

07:22Be it the cloud, or between multiple organizations or multiple divisions in an organization, with discretionary access amongst them.

07:33So we create secure GIS products that incorporate security industry best practices, and we create…

07:40…trusted geospatial services across the globe for both individual users and entire organizations.

07:47Now we do provide some security guidance in the Enterprise Resource Center. I'll pull that up here.

07:54So this is the Enterprise Resource Center main home page.

07:58Now enterprise GIS is a function. I'm not the one who categorizes it as such, but that's where it is, and so in enterprise GIS…

08:07…you'll see there's three primary areas, architecture, security, and performance, and so security…

08:14Each one of these breaks out into a significant area, so it might not look initially like it has too much content…

08:20…but inside each one of these, so you can actually look at high-level strategy statements, mechanisms.

08:25You can drill in further into each one of these various areas, if you have compliance questions…

08:31…or questions about particular patterns we'll talk about today, there's some information in there.

08:35There's the mechanisms we're going to talk about that you can deploy across your enterprise…

08:40…and then also more product-specific options.

08:44It's also version managed, so as we have significant differences in security, let's say between 9.3, 10, and then 10.1…

08:53…you'll be able to select up top there a version specific to the version that you have in your organization.

09:06So we have some foundational security principles that we base our guidance and solutions on.

09:13So we have the CIA security triad, which is confidentiality, integrity, and availability.

09:20Many times, initially, a geospatial analyst will, if they've been told they need to secure their solution…

09:27…they're assuming that the primary reason was for confidentiality, that I need to hide information…

09:34…from other people in my organization, when I would say the majority of the time, for geospatial customers…

09:41…it's not as much about confidentiality, because the majority of our datasets are public.

09:47It's more about integrity. Why is integrity important?

09:51Let's take the case of, we have a lot of customers exposing datasets and services out to the public.

09:57Those can be compromised. Somebody could change those datasets, via…

10:03…let's take the use case of what's called an advanced, persistent threat nowadays.

10:08So an advanced, persistent threat means somebody's going in to access your solutions and collect information…

10:17…or do things in your environment without you knowing it, without your IT team knowing it…

10:22…and not giving indicators that they're making changes. So you can have information out there, your datasets…

10:28…that you're exposing to the public, and those can be wrong datasets all of a sudden.

10:32You could actually be misinforming public, users (so depending on who those are), with incorrect information.

10:40That may or may not be significant for your organization.

10:44Availability is also a key aspect too. So defense in depth, this is about adding layers of security into your enterprise.

10:54So layers of security. You have your data and assets at the core; you protect them with physical controls, let's say walls…

11:03…or your data center with biometric security to get access to your data center…

11:09…you have policy controls, so complexity of passwords and the length of those.

11:15I'm not going to stand here and tell you that you need to build a seven-foot wall or how complex your passwords should be.

11:21Those are very organization specific and not as much related directly to our product as the technical controls.

11:29So the technical controls is where we provide most of our guidance…

11:33…on authentication, authorization, filtering mechanisms, encryption, and logging.

11:39And we'll go into each one of those a little bit.

11:42So for our security patterns, they're based on…they're…they are best practice security guidance for our customers.

11:50And they leverage the National Institute of Standards and Technology guidelines…the 853 guidelines.

11:58And they're based on the amount of risk.

12:01Remember I talked about that executive sponsor determining the amount of risk for your organization…

12:06…that you determine that, and you can figure out roughly what types of things you need in your organization.

12:16So first you have to identify your particular security needs.

12:20And you've heard some of this before…assessing your environment, the datasets, systems, users, and the sensitivity of those.

12:27So how do I do this? How do I assess my solutions for security, or my environment?

12:34Ideally, you start by choosing a security standard.

12:37You don't just go out there and try to make your amalgamation of, you know, 20 of those standards on your own…

12:44…if you're just starting up. You might do that if you get more advanced.

12:48A starting point, usually choose some relatively common and most practiced guidelines.

12:55So the Consensus Audit Guidelines, now called the critical, the 20 Critical Security Controls…

13:02…are out of an organization called SANS, and they were put together by the State of New York, and other states became rolled in too…

13:11…also federal guidelines, and are used by some private industry, too.

13:16You also have ones…SCAP is an automation protocol for automating security validation…

13:24…NIST is a variety of hundreds of security control recommendations, FISMA is just the law…

13:32…and then you have a variety of others, be it ISO 27000, and others for international customers.

13:40So once you choose a particular standard to align to, you need to start figuring out, well…

13:47…what is considered a sensitive geospatial dataset in my organization?

13:52And it's somewhat of an open-ended question many times.

13:54But there's more and more documentation coming together.

13:59Actually, I ran into one of the people from the working group that put some of these guidelines together…

14:05…for best practices for sharing sensitive environmental geospatial data.

14:11These guidelines are fairly useful as a good start for many of our customers for when you do an assessment of your datasets…

14:18…hopefully you do…that you can start flagging ones that might be considered sensitive.

14:24So, legislation, you have a lot of Privacy Act concerns right now.

14:28You have…where the individual can be identified, either directly, by georeferenced information, or indirect, by amalgamation.

14:37And we'll talk about this security and amalgamation issue. It's quite difficult in the geospatial realm…

14:44…but it's actually becoming a lot more real this year; you'll see…I'll talk about some tools that are being used to facilitate that.

14:53Confidentiality, natural resource protection, cultural protection, safety, security are some other aspects.

15:02So we chose a standard, we've identified sensitive datasets, now we need to start thinking about how we're going to actually…

15:10…categorize our solution, as, you know, what type of amount of risk level we're willing to take.

15:17So there's a formal process provided by NIST…there's full documentation in their 800 series of documents…

15:23…this one, in particular, is called the 800-60.

15:28We also have a more informal process.

15:31First, the groups that are going to be doing the formal process are primarily our federal customers.

15:35They pretty much have to do it. Not everyone has to do that, and it's a lot of work, so we make this informal process available.

15:44So a basic pattern. What is it? So you have no sensitive data, and it's primarily public information that you're exposing out there.

15:54And all the architectural tiers can technically be rolled up into a single physical box; you don't have to split out the tiers necessarily…

16:02…of your environment for security needs.

16:06In the standard environment, there's more moderate consequences for data loss or integrity.

16:11And the architectural tiers, you want to start thinking about breaking these apart onto separate systems.

16:16And there's a potential need for federated services in the organization.

16:21And last, but not least, is advanced security needs. This is where you have significant sensitive datasets…

16:28…and all the components need to be redundant. Remember that availability aspect for security.

16:33You need to think a lot more about third-party enterprise security components for your organization.

16:41So what does a basic security solution, roughly, look like?

16:45And you might have seen representations somewhat like this before out of Esri.

16:52This is where you can utilize data and API downloads from public clouds.

16:57Public clouds, a lot of them, let's take ArcGIS Online, you don't have an SLA with them; if they go down…

17:03…well, yes, it's going to affect your infrastructure. Is it critical? At a basic level, you're saying…

17:10…no, it's not critical; it's down for a little bit. So you also want to secure your services with the ArcGIS token service, at this level.

17:19And you can…still want to separate your internal systems from Internet access with a DMZ.

17:26And a reverse proxy can be utilized to avoid DCOM across firewalls.

17:32Too much text here. So, standard security environment.

17:37The reality is, I'd love to make architectural representations of the standard and advanced…I just have not had a chance.

17:44Lot of components of each of these. You want to start thinking about things like a web application firewall…have dynamic tokens.

17:51Remember I talked about separating out the tiers. You not only do that for the hardware components…

17:56…but also the networking infrastructure. And how you start grouping out systems into what's called virtual LANs or VLANs.

18:06Multifactor authentication might come into play. Smart cards or public key infrastructure.

18:11Sometimes for public sites, one mechanism that's being used for some organizations is a phone that you need…

18:20…to get a unique number. Your phone calls you, and you get a unique number; you need to enter that into your system.

18:30For more advanced security needs, this is where you have separate datasets for public employees, employee subsets…

18:38…you might be doing label security, as it's called, explicit labels…

18:43…you need to cluster your database infrastructure. You might be encrypting your actual databases…transparent data encryption.

18:50We'll talk a little bit about that.

18:52This is also where you might utilize IPsec between your back-end server environment.

18:59So for server-to-server communication, you want to ensure that somebody can't come in and sniff that traffic between those systems.

19:08By default, all our traffic is clear text between our system-to-system communication. So if you want to encrypt that…

19:14…IPsec might be a way to facilitate.

19:19So what are some of the security trends out there right now?

19:23And how do they affect you related to our solutions?

19:27Well, let's just look at 2011. This is only a couple of them. So we'll start with Citigroup - 360,000, and it wasn't just…

19:36…credit card accounts…that was actually 360,000 Citigroup accounts, which had both bank and credit card accounts.

19:45They have Sony. Over a hundred million accounts compromised.

19:51Couple months back, they had already spent $200 million on trying to recover, and I know they've spent a lot more than that since.

19:59RSA, one of the leading security companies out there, that creates what's called two-factor tokens…

20:06…so there are these little devices that give you a new number every once in a while.

20:11More secured environments use them, like, for example, the one right beneath it, Lockheed. What happened in that case?

20:19RSA got compromised. The hackers took that information and then, within a month or two, ended up hacking an organization…

20:27…like Lockheed to get to the real information they wanted.

20:32Then you have Department of Energy labs, via simple mechanisms, what's called spear phishing…

20:38…so going after important individuals in your organization who have a lot of access to sensitive datasets.

20:46They…it's not the Viagra type of e-mails they get…they get an e-mail that looks like it's about their Salesforce account…

20:56…or something very direct to that individual.

21:00They do a lot of reconnaissance and figure out what's appropriate…and we'll talk a little bit…

21:04…how some of these organizations are doing reconnaissance via geospatial means, too.

21:11So you have FBI, CIA, PBS; I still am interested why they attacked the Public Broadcasting System.

21:21Seems like [they] should give them a break.

21:23Then there's Electronic Arts, and others.

21:27So, interesting thing from security expert standpoint.

21:32So last week, SANS is a group that has…provides a lot of the training and guidance for security people out there.

21:41And they're saying the cost of a successful attack against targets of choice has fallen dangerously low. So what does this mean?

21:48This means, really, if a hacker wants to go after your organization, it's typically pretty easy to get in right now.

21:58So that's what they mean by targets of choice.

22:03So what's going on? Why is this happening? These hackers are not necessarily after just a little bit of fame.

22:10They're after more. They're after harming an organization. They're after gaining money; Citigroup.

22:18They're after retribution for something; the Sony case. Very interesting case, where you have somebody…

22:25…who hacked a PlayStation 3 station, tried to make it open.

22:31Sony decided to sue that individual, take him to court.

22:34Soon as it was wrapped up in court, Sony got magically hacked, and it happened for months after that.

22:45So in 2010, CSI does a survey every year (Computer Security Institute), and they've worked with the FBI…

22:53…and other organizations in tracking these trends.

22:57There's a continuing increase in what's called the phishing attacks with e-mail and in malware infections.

23:04Now, what are some of the responses and some of the options organizations are implementing to help offset this?

23:10Log management and dashboards. We'll talk a little bit about that. Why is that?

23:16Information security guys for the most part are in information overload. They have millions of log files…

23:23…there's no cross-correlation going on, and they're missing, and not discovering, that they're being hacked.

23:33So the security technologies utilized. [Of] course, top ones are antivirus, firewall, antispyware stuff…

23:41…and down at the bottom here is one that, unlike the others, is actually increasing in 2010 still.

23:47So, and it's been increasing a good chunk every year.

23:51And that's application firewalls. And we'll talk about the importance of those in your organization relative to our web software.

24:01So, how is cybersecurity evolving?

24:04There's a viewpoint of compliance. So a lot of organizations…I mentioned FISMA…

24:10…they create a lot of documents. Every once a year, once every three years, to prove that hey…

24:18…they provide a big huge stack of paperwork to say, you know, our environment's secure.

24:23But there's no real ongoing validation, and that's one of the changes, that they're saying…

24:28…Hey, let's get out of this mode of creating a large stack of paperwork.

24:31Let's move and evolve toward something where we take something where we know the most critical areas…

24:37…like the 20 Critical Security Controls, remember I mentioned CAG, Consensus Audit Guidelines, same thing…

24:45…that provide you the ability to have automated management of and monitoring of the top concerns in an organization.

24:56So location and privacy concerns. So more applications are utilizing current user location to deliver content…

25:05…geospatial information. So, in response to this, there's been bills proposed, and also the European Union…

25:13…has actually already passed some, concerning data privacy.

25:17So our users and people implementing new solutions need to be aware that they're going to need to start informing users more…

25:26…about what type of information's being collected, obtaining permission from consumers before sharing geolocation information.

25:34So I see a lot of cool applications right now that people post information about their site, that they're located for…

25:43…something occurred at this location. But now, it's going to be an interesting context.

25:48How do you get that permission for when that's shared out in a social site with other people?

25:57Geolocation aggregation; it's a very interesting one. Saw a great tool called Creepy. Came out this year.

26:05And what Creepy does is, it goes out and pinpoints the locations of targeted individuals.

26:12So if I was to take somebody's user name tag here, type their name in, it would go out to all the social networking sites…

26:20…look at any pictures you've ever posted, see if there's any geotagged location information in there…

26:26…and it would actually make you a nice little map that shows where that person's been over time.

26:33So you can understand where that person goes to lunch, where they work, where they live, where they go to vacation. It's creepy.

26:44Yeah. So the guy who wrote it said the reason he wrote it was not to stalk people…

26:51…he said it was to let…provide people an awareness that this could be done.

26:58Yes. So…you're aware.

27:03So, what is your response to all these different trends out there and what's happening?

27:07So, can cybersecurity accomplish what it needs to do purely on a technical basis?

27:13I need to turn on the token service, and I'm good to go for my solution.

27:17I don't need to know where the datasets are; I don't care about that; I just need to stick a firewall or something in front of my solution.

27:25Those are technical aspects, and they're not going to protect you when you get more into the cloud…

27:30…and have interdependent components in your organization.

27:34So cybersecurity is moving to a business process, where IT and security teams must now know where the data resides.

27:41[It's] sometimes difficult in the cloud right now.

27:44Where it moves to, and how to protect it during all that time.

27:49So this requires comprehensive data security practices for an organization, where security teams will become business process experts…

27:57…to keep the bad guys disarmed while keeping the good guys productive.

28:04So enough about trends and creepy things. Let's move on to some things you can do in your organization…

28:10…where you can apply some technologies across your enterprise.

28:18So authentication. Do I have Bob or Jane accessing my system?

28:24Authorization. Okay, Bob got in; he's allowed; he's been authorized; he's only allowed to have access to one map service.

28:34Bob wants to do something bad. Do you have something in your organization to stop those bad requests?

28:43If Bob wants to access datasets he really shouldn't have access to…they should be encrypted, potentially…

28:50…and then last, but not least, how do you know what Bob did to your systems over time, even if he got authorized…

28:56…and what if he decided to do something bad, if you don't have appropriate logging and auditing…

29:02…you won't know what was potentially compromised, and you won't be able to prove what he did.

29:10So, for authentication. We'll start at that. And the mechanisms developed with ArcGIS Server and our suite of products.

29:17For web services, we have HTTP, you know, for web services and web applications, up top.

29:25And then, in our internal environment, we have local connections, which primarily have a lot of DCOM currently in our product.

29:33We'll talk a little bit about how that changes with 10.1, also.

29:37So, a nice matrix, to make you go cross-eyed.

29:43The main aspect here…I don't expect you to write this down, frankly, right now…this presentation will be available online…

29:49…is that you have a lot of authentication options; by default, up top, none.

29:54These options also vary depending upon are you building just a web application, are you exposing web services…

30:01…or is it just local connections? So each option has different choices.

30:09So for authentication, you have…our product is a role-based solution.

30:15So you need to have storage of user accounts, users, and what types of roles they have in your organization.

30:22On the Java side of our product currently, it's stored in Apache Derby by default.

30:27You could point it to a SQL database or Oracle database.

30:32You could also utilize an LDAP, a directory service in your organization, or Microsoft Active Directory.

30:40On the .NET side, the default is called Windows Users and Groups.

30:45What does that mean? Actually that name creates a little bit of confusion in itself.

30:48It's really…you have a choice of utilizing domain account users and groups or a local server's users and groups. It's up to you.

31:02You also can point your solution to a SQL Server instance for the storage of users and roles.

31:09And last but not least, we have a custom provider option for other permutations.

31:17So, authorization. Now that we've done authentication, moving to authorization. Talked about its role-based access control…

31:25…you assign this within ArcGIS Manager, and you can provide service-level authorization…

31:30…across the web service interfaces, and the services are grouped in folders, utilizing inheritance.

31:38So how do I get more granular than just service-level security?

31:43What's service-level security? It's really equivalent to exposing a MXD or an MSD file.

31:52If I want to get more granular, I can…one option is to utilize relational database infrastructure…

31:58…going all the way down to what's called row-level security, or feature class level.

32:04Be aware that if you're implementing versioning with that, with row-level security, your performance will be horrendous.

32:12So we highly recommend not doing that.

32:15An alternative may be utilizing SDE views.

32:19We also have users that want to limit what the user sees in the graphical user interface, a GUI.

32:25So you have rich clients that can utilize ArcObjects, and web applications.

32:30We have a variety of sample code links in the Enterprise Resource Center (ERC).

32:35And there's also this AzMan tool, for authorization management.

32:42So for filtering mechanisms. Primarily third party. Esri's not doing the security filtering aspect in our solutions.

32:52So firewalls, reverse proxies, you've heard that, I'm sure, plenty. There's Microsoft's IIS.

32:58Starting in 7 they have a free reverse proxy.

33:02Web application firewall. Recommend having something like that in there. One open-source free solution is ModSecurity.

33:10You also want to have antivirus, of course; intrusion detection and prevention, ideally; and you can also limit applications' access…

33:17…to the geodatabase.

33:20So of this list of six items, would you say your organization…would anybody here say their organization implements all six?

33:31Okay, well, that's impressive. So that's good, that's even better than yesterday's session, 'cause nobody raised their hand…

33:38…although I think some people might not be clear on even the bottom bullet and what that entails, but I won't pick hairs…

33:46…but that's good to hear. How about at least three of these items?

33:51Raise your hand if you have at least three of these items in your organization.

33:56I would say that's a good call, to have at least three of those in your organization.

34:02So for filtering. What's a firewall-friendly scenario? That's been historically a concern with our products because of DCOM.

34:12Now in this case, we have a web application firewall in the DMZ.

34:16We also have a file geodatabase in the DMZ; it's not a SQL Server uncensored database server instance.

34:23We're utilizing one-way replication from the internal operations…

34:28…through the firewall via the geodata service replication over HTTP or HTTPS to a file geodatabase.

34:38Why do we do this? Multiple reasons. So one is, I'm not using SQL Server communication across a firewall.

34:46Two is, I can actually get better performance by not having end users on the web hitting my internal database infrastructure, and…

34:56…I can spin up a separate file geodatabase on every web server I add to the DMZ.

35:03And there's no additional licensing cost. And last but not least, from a security standpoint…

35:10…a very important aspect is that I'm not replicating my full database instance from this internal database to the file geodatabase.

35:18I'm only replicating information sets that I want publicly exposed.

35:24So my sensitive stuff remains on my internal database system, and only public-facing information gets pushed out into the DMZ.

35:36So why was there no reverse proxy in the DMZ in this picture?

35:41Well, so one thing we've noticed is that a reverse proxy many times for our customers becomes a one-off component…

35:48…with no management and minimal filtering of security issues going on.

35:54So what are some customers looking at more instead? Multifunction web service gateways…

36:01…which can store your SSL certificates. They can perform what's called SSL acceleration.

36:07So not having your web server perform SSL; you have this device perform it.

36:14And so you've lightened the load on your web server.

36:17The URL rewrite function. Reverse proxy types of functions can be done by it…

36:23…and it can also perform web application firewall functions.

36:28For encryption, you have a variety of third-party options. For your network, you have IPsec, commonly used…

36:35…for your VPN tunnels and connections; you can also use it, as I mentioned, from server-to-server communication.

36:42And SSL. It's very commonly used for protecting, you know, HTTPS for your login information for geospatial information, so…

36:52…you're not necessarily…you don't necessarily need to use HTTPS for your whole application…

36:56…your datasets are not that sensitive…but you at least want to encrypt that login session information.

37:02Or, if you have a token, you ideally want to protect that too.

37:06And then, when I mentioned internal systems communication, that's that scenario that I have, let's say…

37:14…ArcMap accessing my database system, and it's using what's called direct connect.

37:19That's where I go through the database client using SSL from my client to the database.

37:27For file-based encryption options, you have operating system, you have BitLocker, and there's also some customers…

37:33…enabling geospatially enabled PDFs combined with certificates.

37:37So they're basically creating a PDF, encrypting it, and then the only people who can access it must have a certificate.

37:46And the most…the fastest one is hardware-based encryption.

37:50This is where the hard drive itself can encrypt the information, and has less than a 5 percent performance hit.

38:00Last but not least, you can encrypt at the relational database level.

38:03I mentioned TDE, transparent data encryption. And one lower-cost solution…

38:08…for if you have multiple mobile users across remote, is where they have sensitive datasets out there…

38:17…you can use SQL Server Express with transparent data encryption; they have nice secure dataset…

38:24…and then they replicate that up to the public and their primary infrastructure.

38:31So for logging and auditing, what's available to you? You have geodatabase history…

38:38…you have the ArcGIS Workflow Manager extension, which…

38:40…you can track feature-based activities and export even GML, Geographic Markup Language, if you'd like.

38:49And last but not least is, built into ArcGIS Server 10, when you enable security, there's a new user tag that was not in 9.3.1…

38:57…that allows tracking of user requests, as shown in the little picture there.

39:04You also have a variety of third-party logs, so you have your web server logs, relational database, operating system, firewall…

39:11…not to mention all the network infrastructure components, too.

39:15So, remember what I mentioned about IT guys are into information overload with logs right now?

39:21So Verizon's…they do a data breach summary report every year.

39:26So 86 percent of the victims had evidence of their breach in their logs.

39:31Yet the majority, by far, their internal operations didn't find it.

39:36Some third-party external group notified them they had been hacked.

39:41So they have all of this information in their organization, right in front of them…

39:46…but it's so buried in so many things they don't know about it.

39:49So this is where a security information event manager solution might come into play, a SIEM.

39:57By the way, we're selling one now. No, just kidding. Yeah, that would be funny, huh?

40:03So product security options…what you can do with particular products and solutions from Esri.

40:09So I'll talk briefly about rich client security. In yesterday's session, you know, I did a brief query before we started up…

40:16…of you know, how many people were interested in which of these different product realms…

40:21…and only one person raised her hand for rich client security, so I'll keep it brief.

40:26This is a client, typically, with the most access to sensitive data, however.

40:31And there's a variety of system connections. Direct connect to the relational database over SQL.

40:36You have application connect, which utilizes a proprietary protocol from Esri to SDE.

40:43You also have web service communication, which can be protected with integration with the token service or…

40:51…Windows native authentication.

40:54And lastly, there's ArcObjects development options, where you can record user-initiated GIS transactions…

41:01…and have fine-grained access control, so limiting what functions users can make use of in the end user interface.

41:09So that becomes more of a custom type of thing.

41:12So another thing to be aware of, even when you're using relatively simple rich clients, is, let's take…

41:18…ArcGIS Explorer and how it might be communicating to various systems in your organization.

41:24You might be mapping a drive, you might be making a universal naming convention connection.

41:29And more commonly, for your external users, you have web traffic occurring.

41:35So you need to account for each one of these different types of communication models in your organization.

41:41So let's move on to mobile phone security, a very interesting realm right now, because there's more platforms…

41:49…ArcPad, mobile, iPhone, Android, Windows Phone 7…and you have expanding functionality and storage options…

41:57…and a large, much larger user base. So what's this resulted in? It's led to increased hacker attention.

42:06So when was the last iPhone critical vulnerability? Oh, it was last Friday. You open up a PDF, you're hacked.

42:14So, anyhow, I can't cure that. It's just an awareness of where we're at with issues.

42:23You can't say, Oh, yeah, I have an iPad, and I'm just fine.

42:27When I say iPhone, that's just as applicable to the iPad, by the way.

42:32So what can you do in what you think about for your mobile solutions?

42:37Well, you have your SDE permissions. That's a whole…that's your database, SDE and so forth.

42:42You have server authentication options. Those are the ones we talked about earlier, with a large number of permutations.

42:49And service authorizations; so, which services somebody's allowed to access…

42:53…the types of communication going on between the mobile device and the server…

42:58…might be over VPN or something otherwise, and we'll talk a little bit more about that.

43:03The actual device itself…which devices are allowed to access it? You can limit that.

43:08And there's something to identify each one of those.

43:11You also have different storage options, and you can provide either project or data access permissions on that phone.

43:19So what are some of the more technical aspects of that?

43:23So that communication between the server and the mobile client, what's commonly done?

43:30Utilize HTTPS or a VPN tunnel. VPN tunnels are sort of interesting right now because not all mobile phones have VPN clients.

43:42So you can use a cell VPN, potentially, for some; just be aware it can't necessarily be used with all applications.

43:51So right now the mobile field and security is relatively immature, especially on particular phone devices.

44:01Some phone devices, like the Windows Phone 7, are actually labeled by Microsoft a consumer device.

44:09It's not currently considered an enterprise device.

44:13So you also have web service authentication and authorization options.

44:19You can do Windows authentication or a token service…

44:23…or you could filter by the operating system, the IP address utilized, or a unique device identifier.

44:29Unique device identifier seems like, Hey, that would be the one I could really lock down.

44:34Unfortunately, of course, that was the first thing that was hacked on an iPad.

44:38But…So make sure you just don't limit yourself to checking for one thing.

44:43So you can also potentially encrypt your data at rest. So the older Windows Phone devices, pre-7…

44:50…allowed for utilizing Windows Mobile CryptoAPI.

44:54You could utilize a Secure Digital card, or you could utilize third-party tools for encrypting the entire storage system.

45:03Windows Phone 7, [I] started to rag on Microsoft on this particular device, just want you guys to have an awareness, is that…

45:10…you can't encrypt information on that device yet. It's a consumer device. You will be able to in the future.

45:17So what do you do for the deficiencies in the devices currently out there?

45:23You ideally implement a mobile device management solution, if you're going for a full enterprise rollout.

45:31One such solution is called Good Technology. I remember the first time I heard them, I was like…

45:38…somebody asked, So, do you guys support Good Technology? And I'm like, I think it's spectacular technology, but, you know…

45:46…but yes, so Good Technology is an interesting company. There's also one other one that we've…

45:52…is currently actively working with our federal customers in solutions that work with the cloud.

45:58I don't know their name offhand, but if you ask me I will follow up on that for you.

46:04So for ArcGIS Server security. One question I like to ask early on…

46:10…Is communication across the wire secure by default for ArcGIS Server?

46:15Who thinks it is? Dang, I can't catch anyone first thing in the morning…come on.

46:20Okay, no, it's not. That's good that you know that. That's good that that message is getting out there right now.

46:26If that option is not acceptable to your organization, and you want to see more of a secure by default model from Esri…

46:35…we need to hear a lot more communication on that.

46:38Right now, and this goes back to what's the most common best practice and basic pattern for our customers…

46:46…and that is relatively public information, and about information dissemination…

46:50…and not about a secure by default model.

46:55So if that's to change, it's going to have to come from the customers to let us know that.

47:01So communication to ArcGIS Server…to all clients is clear text by default.

47:06You can secure the web communication SSL certificates…

47:10…or that internal communication to your organization with IPsec.

47:15So another question that sometimes gets tangled up here is…

47:20…Is a reverse proxy required to create a public-facing, secure web solution with ArcGIS Server?

47:28Who thinks a reverse proxy is required to do that?

47:32Man, nobody's going to raise their hand! Come on!

47:37So that's good. So some customers implement…

47:41…let's first step with…and understand why a reverse proxy's being recommended for these environments.

47:48Was it first and foremost to improve security in an organization? No.

47:52It was first and foremost recommended to eliminate DCOM traffic across firewalls.

47:59So, basically, you come into the DMZ, it's a reverse proxy…

48:02…it's able to get through the firewall to your internal systems without DCOM.

48:09So, however, if you want to significantly and potentially improve your security posture more…

48:15…you'll want to start thinking about something like a web application firewall.

48:20So is there security hardening guidance from Esri available?

48:24Who thinks there is? OK, well, I guess I got most people on that one.

48:30So there is actually some guidance available. We have it in the Enterprise Resource Center…

48:36…there's an area called the Implementation Gallery in the Enterprise Resource Center.

48:42And so this information is currently for 9.3.1, Windows 2003.

48:50I am definitely overdue on getting it up-to-date for, you know, Windows 2008 and ArcGIS 10…

48:59…and we'll have that done, I'm hoping, in the next couple months here.

49:04So if you want to see that, let me know, and that will just raise the priority of when I get that to you guys.

49:10So this is a setup question of ArcGIS Server, how I configure it once I've enabled security.

49:17So should I assign the Everyone group, in the root, to ArcGIS Manager?

49:22I see one person, two people shaking their head no, two people say yes, I should, so…

49:29This is interesting, because it goes back to the security posture and usability of our customers and what they expect…

49:36…and what they need. So if you do this, everyone will have access to your services by default.

49:43It's actually terrible from a security perspective, but spectacular from a usability perspective.

49:51So it's okay for basic security environments.

49:55So if you're at that level, you could potentially do that, if you have those types of needs.

50:00I definitely don't recommend it for any higher-level security native standard or advanced…

50:05…where you should start thinking more about deny by default, for use in higher-risk environments.

50:13So can I provide security more granular than the service level with ArcGIS Server? Yes or no? Or are your arms just tired at this point?

50:26There are some people who raised their hands.

50:28Yes, you can. There's a variety of mechanisms. One is SDE views, which I mentioned a little bit before.

50:34You can also supplement with third-party software. So con terra makes a solution called securityManager.

50:42It's a filtering mechanism for web services. And you can get feature-based security and some other aspects and options.

50:51Did you have a question back there?

50:53[Inaudible audience question]

50:57We'll get into the details of that one later. 'Cause it's actually not the easiest thing to do, right?

51:02So I think that's a good offline question. I'm going to be pressured to make sure everybody has enough time…

51:09…so I get questions in at the end here. But I'll follow up with you on that.

51:13There's also an integrated security model, which might be an easier way, depending on how granular you want to get.

51:21So, integrated security model - What is it?

51:24This is the idea of flowing your user context from the web application to the application server down to the database.

51:34So when John logs in into the web application, that same user is hitting the database in the end.

51:40Why is this good? Couple aspects. One is logging, accountability of user actions. John's actions are now logged…

51:48…all the way through down to the database tier. Another aspect is, you can provide granularity to the…

51:54…and provide row-level security. This is a database-driven security model.

52:00So what's the status of this? And going on with our customers right now, we collected customer scenarios, and we started with…

52:09…doing some performance validation tests with what I would call simple, layer-level security, as opposed to service level.

52:16And…but basically you set the security in the database, and it's real easy, at the table level.

52:22And that gives me equivalent, for some of our customer scenarios, layer-level security.

52:27You get a performance consequence for this; 10 to 20 percent hit for that.

52:32Now we are going to also do some validation of more complex scenarios, too.

52:38We have some basic documentation of this, online, for the Java ArcGIS Server solution, if you just query in there, integrated security.

52:49So what did this initial configuration look like?

52:52We had an IIS web server, we had an application server with Java ArcGIS 10, an LDAP Derby engine instance…

52:59…which is the default with ArcGIS Server for our users and groups, and an Oracle database instance.

53:05Right now, it makes use of what's called Oracle user proxy sessions.

53:11And so these are proxy users, and we made use of table-level access, which I said…

53:18…in many scenarios is equivalent to layer security.

53:23So one interesting aspect about this, is that this not only affects potentially your web browser clients…

53:33…but also consumption, let's say, in ArcCatalog.

53:35So in this case, I've logged in as an administrator, and I have access to both the red and green features.

53:42I simply log in as a different user to that same service. Now I only have access to the green features.

53:50Of course, in a roads network, it's sort of interesting, and that's a paradox comment…

53:55…is that I can fill in with my mind, missing road segments.

53:59One of the interesting aspects of geospatial information is our mind can visually sometimes pick up cues…

54:06…on missing components. So you could actually be giving away more information by hiding information in this case.

54:14That…somebody who gets access to this would go…

54:17…Well, geez, something significant must be occurring where this little blank is between that road segment and that road segment.

54:28We don't have an answer for that right offhand.

54:31That comes down to thinking about and organizing how you disseminate information. That's not a technology issue.

54:38So security model. So for web services and other components. On ArcGIS Server we expose REST APIs, SOAP APIs…

54:46…and it can be protected with a token service, which goes against users and roles, that can be stored wherever you want…

54:55…connected to a server object manager, what's called server object containers, in the background.

55:01You also have your internal connections and your external web connections.

55:06So for Windows devices, these can be managed by the operating system of the server object manager.

55:13On the Solaris and Linux platforms, users are managed in ArcGIS Manager, and really it's a relatively simplistic amount of access…

55:22…that you have available; it's either none, read, or full. So AGS users have read, AGS admin have full, others have no access.

55:34So what about the datasets, and what type of access and permissions need to be provided?

55:39So the SOC account needs read or write permission to a particular folder where a dataset's stored, and for a database, geodatabase…

55:49…I'd need read or write permissions for the SOC account to those (server object container).

55:56So we also expose a variety of what I classify as management user interfaces.

56:01And whenever I think about a management user interface, and that's why I've grouped these together…

56:08…it's something I think about as, should be useful for internal operations…

56:12…but not necessarily something you want to expose for external operations.

56:17So the services directory, it's available part of ArcGIS Server installation, turned on by default…

56:22…you don't want to typically expose this, for standard security needs, to the public.

56:28Why don't you? You're increasing your attack surface significantly by exposing that particular service.

56:36So the REST API admin. This also manages access to the ArcGIS directory services right above…

56:44…and you can simply disable it in there if you choose to.

56:48Maintains a REST cache, requires membership in the AGS admin group…

56:53…and once again, we recommend to configure this for no public access.

56:58Great for your internal operations; don't expose it. I don't see a need to ever expose that out to the public…

57:05…unless you want to give a hacker attempt to just go to your user login account…

57:10…and keep on trying over and over again different accounts until they finally get in.

57:15Same for ArcGIS Manager. You should not be exposing this to the public, only internal users.

57:23So enough about, you know, the management interface. What are the different types of security aspects and levels I can secure to?

57:31I talked about local security with AGS admin, AGS users.

57:38Services capabilities. So I compose a web service or a mapping service operation, as a variety of what are called capabilities inside those.

57:46Different capabilities expose different types of, well, a larger attack surface, more functionality.

57:54So it's up to you to expose which ones you choose.

57:59And then you have web security. So something that controls access of your HTTP or HTTPS traffic to ArcGIS Server…

58:07…for both Internet and intranet access. And that gets us into this token security model that you may have heard about before.

58:19So to implement web access control, ideally, implement an SSL…you want to have HTTPS utilized for this information.

58:28You need to choose a user role store; I've talked about Active Directory, LDAP, and others.

58:33Or, you can store in a database. Need to assign the users to roles as necessary. If you already have an infrastructure…

58:39…all the roles are assigned, hey, that part of your job's done.

58:43Then you need to, in ArcGIS Manager, assign the roles to the various services or sets of services, and folders that they have access to.

58:52And last, but not least, enable the security function in ArcGIS Server. So that's pretty high level.

58:58So, what is a token? Nice little set of gobbledygook. Why do you need it? Why would I need to send something like that around?

59:09Services don't have a user interface for somebody to go in and type in, I'm John, with this password.

59:16We're sending…the services are being sent back, gobbledygook, to have access instead.

59:23So how's it work? ArcGIS Server has this token service, and where can you get a token?

59:28From that same token service. There's an interface for that.

59:33So how are tokens most commonly utilized with our products right now? You can embed that token into the client application.

59:45Who thinks that's a recommended security model?

59:47I see a thumbs-down. That's good.

59:52It's very easy to implement, a very common implementation.

59:57You know, it…if your security posture doesn't…is extremely low risk, then, and you're not really looking at improving…

1:00:07…having a strong security posture, you might want to do it, but other than that, I would try to avoid it.

1:00:13So you can also bind the token in a proxy page, and this proxy page actually stores the token on the ArcGIS Server instance.

1:00:20The token never gets to the client.

1:00:24So…that's a key aspect, by the way. Any information sent to the client, even if you try to obfuscate it and hide it some way…

1:00:34…in the end, they're going to be able to view that information.

1:00:38So last, but not least, is the ability to write full login access to the service token…the token service…

1:00:46…and that's being done with our particular desktop products and others.

1:00:50So in version 10, what are some of the changes and enhancements that have occurred?

1:00:55In the ArcGIS Server Manager application, you have searchable users and roles…

1:00:59…and you also have application-level user logging, activity logging.

1:01:05So I showed you a little bit of that with Fred, who was tagged on an instance.

1:01:09On the database side, we now have the integrated security model, passing the user context all the way down to the database.

1:01:16We also have made some significant web service interface security improvements.

1:01:21So the more recent the service pack, even with 10, the better. Ideally you should be running 10 SP2 at this point.

1:01:29So what lies ahead with 10.1. So, goodbye to DCOM. Wow.

1:01:35That's actually been something a lot of our customers have been waiting for, for a while. There we go, yeah. Yay!

1:01:41Anyways, so, now you can actually focus on security some, when you get that component out of the way.

1:01:48So we've also added a publisher role.

1:01:52So one of the things you had in ArcGIS Server is you had a user, who couldn't make a service available, and…

1:01:57…you had an administrator, who was a person who could expose a service.

1:02:01Really you have a large number of users in your organizations you want to allow to publish a service, but…

1:02:06…you definitely don't want to have as an administrator. So that's a new role that's available to your organization.

1:02:12We're also providing administrative API access. So you can now get into automating and scripting…

1:02:20…requesting information out of ArcGIS Server on its status and statistics, and actually…

1:02:27…automate building of information in ArcGIS Server.

1:02:31So that'll be an interesting new option too.

1:02:36So moving on into geospatial cloud computing and security for it.

1:02:42So is cloud computing safe? Can I get a raise of hands? Nobody? Come on, somebody's got to say it's OK. Or, who knows, right?

1:02:53The answer is almost who knows, but we'll try to put a little bit more context around it, I think, than who knows.

1:02:58I would say it's close to, It depends on many aspects.

1:03:03So, security benefits of the cloud. There are some.

1:03:06Virtualization. I can stamp out images of a whole bunch of systems that are identical.

1:03:12Now, if they're not hardened in the first place and the security of that initial image is terrible…

1:03:17…well, guess what, all your systems are terrible, but if you get that right, on those initial systems, you can actually create…

1:03:23…identical systems that are quite secure.

1:03:27You need…you also have broad network access available, potential economies of scale, and self-servicing technologies available…

1:03:35…all potentially helping out and providing security benefits.

1:03:39There's a variety of risks associated. I guess ideally I would make each list the same length, you know, to be fair, but…

1:03:45So, what are some of the risks involved?

1:03:48Right now, there's vendor practice dependence. You don't necessarily know everything going on in these environments.

1:03:55There's no agreed-upon cloud security standard for these organizations right now…

1:04:00…and how they're ensuring the security of the environments.

1:04:04There's also a fair amount of vendor lock-in. Each cloud provider and their solution, infrastructure, Platform as a Service or…

1:04:11…Software as a Service…they're all, primarily right now, creating proprietary APIs and interfaces for exposing that information.

1:04:22Now, there are efforts to start standardizing those more, and you'll see some of those; you'll want to look for those.

1:04:30Also, sharing resources, multitenancy issues.

1:04:33So, you're storing information on the same systems and writing to the same drive, and potentially in the same drive location…

1:04:39…as somebody wrote something just two days ago. How is it ensured that that location, written to that particular drive…

1:04:47…actually got cleaned up? It's what's called a data remanence issue. So you want to ask a cloud provider an interesting question…

1:04:54…say, How are you resolving all of your data remanence issues?

1:04:59So deployment model threat and exposure levels.

1:05:02So the amount of threat exposure to your organization varies, depending on what's called a deployment.

1:05:07So you could have private, which has the least amount of exposure of information…

1:05:12…community and more, and highest, public. And we'll talk a little bit about each one of those.

1:05:19So cloud platforms utilized by Esri. So we have the systems administrator types of access to systems…

1:05:28…it's the Infrastructure as a Service solution; we have ArcGIS Server on Amazon EC2; we utilize Terremark cloud…

1:05:35…for some of our customers, now Verizon, bought out by Verizon; and a variety of private cloud implementations.

1:05:43One that is a fairly decent realization of a private cloud solution, to help facilitate that, VCE.

1:05:52I don't know if some of you heard about them at this conference, but it's a virtual cloud environment solution…

1:05:58…comes with hardware, software, allows you to get a rack of, basically, setting up a private cloud in your organization.

1:06:05Made by some very large vendors. Yes?

1:06:07[Inaudible audience question] Azure? Yes, I'm…there you go, developer access.

1:06:13So Azure is not an infrastructure as a service, it's a more of a Platform as a Service solution.

1:06:20So…and we also have some customers out there with Azure, right now, and we're going to be utilizing it, and do…

1:06:27…for our ArcGIS Online operations.

1:06:31And there's Software as a Service solutions - ArcGIS Online as a whole, Business Analyst Online, and ArcGIS Explorer.

1:06:41So how do I choose a cloud deployment model? Public, private, what's right?

1:06:47Primary driver behind this public-private thing is security, and the recognition is, organizations from the bin market up…

1:06:56…will really have a mix of these. It's not just going to be one way or another.

1:07:04So assessing your security needs for the cloud. Once again, some of these should be familiar…

1:07:09…because it's the same types of things you worried about, about your internal operations…

1:07:13…data sensitivity, do I have public domain information, sensitive information, classified.

1:07:19I have different types of users, public, internal. I need to categorize my security needs.

1:07:26Do I have basic, standard, or advanced needs?

1:07:29So, most public cloud implementations right now are considered a basic type of implementation…

1:07:35…where security is similar to social networking sites such as Facebook and others.

1:07:41Most GIS users have only basic security needs. There are some moderate implementations…

1:07:47…and I have not seen advanced implementations in public clouds yet.

1:07:54So some topics of concern, potentially, in going to the cloud? Data location.

1:08:00Our international customers are quite interested in how this is going to be addressed.

1:08:04So the idea is, if I choose to utilize a cloud provider, save my data.

1:08:09I don't know where it's really getting saved to. Is it getting saved…

1:08:12…if I'm in Europe, is it really getting saved somewhere in the United States?

1:08:15If it did get saved in the United States, all of a sudden it actually becomes available underneath the Patriot Act…

1:08:22…for our Department of Homeland Security or someone else to actually read that data.

1:08:27Microsoft just admitted to the European Union that that was even true for their Microsoft Azure environment…

1:08:35…creating some upset people. So some cloud providers right now don't provide assurance of location.

1:08:45So identity management. Not a simple item to take care of when you talk about large numbers of users.

1:08:52And we'll talk a little bit more about that in a bit.

1:08:55There's also a shared responsibility model. It's not…you don't have one throat to choke in this scenario…

1:09:01…because one of those throats is going to be your own, of what you expose into that cloud, and how you handle that information.

1:09:08So you can't completely delegate it to the cloud provider.

1:09:14So what are some best practices at a high level?

1:09:17So this is from CSO, and they put out guidance every once in a while…this is from the beginning of this year.

1:09:23This is a checklist of items. Software as a Service.

1:09:26First thing is the observation of one thing goes across all of those environments, at a high level, even…

1:09:33…and that's a protection of API keys. And what is that? It's equivalent to somewhat of a password for accessing the APIs…

1:09:42…of the providers. So you need to start thinking about how you're going to encrypt those…

1:09:47…potentially storing them in a hardware security management device.

1:09:51So right now, the practices behind those are fairly loose, and you'll see something about where that's become an issue.

1:09:59So you don't want to replicate your organization in the cloud. What do I mean by this?

1:10:03This comes back to the tens of thousands of users or thousands of users that you may have…

1:10:10…ideally you don't have to replicate all those users up in the cloud for people to access those systems.

1:10:16You might want to start thinking about a single sign-on, federated implementation…

1:10:21…so you start going into models that prevent you from having to establish domains and multiple clouds just to keep running.

1:10:31Platform as a Service solutions. You need to protect private information before sending it out into the cloud. So how do you do this?

1:10:39Well, this might be stripping out or obfuscating Social Security or credit card information before you store it out there.

1:10:47Who's responsible for a privacy leak? Is it the cloud provider or your organization?

1:10:54You won't be able to blame the cloud provider.

1:10:58So you do want to also maintain an audit trail of what users are doing in applications and which applications they're utilizing.

1:11:06This becomes difficult as organizations…

1:11:09And you also want accountability for the cloud provider saying, Hey, you used this much of our software.

1:11:16How do you know, and how do you really trust, that's how much of their solution you really utilized?

1:11:22This is where a cloud service broker, and that's one of the ideas they talk about in this article, comes in.

1:11:29So a cloud service broker can provide accountability for validating and audit records across multiple clouds…

1:11:38…and also validating how much usage is actually occurring.

1:11:42Last, but not least, on the infrastructure as a service side, you need to protect against rogue cloud usage.

1:11:48Users can spin up a bunch of AMIs, A-M-Is, in an organization and have a lot more additional cost to your organization.

1:11:58How do you start getting your head around that, especially as you get into not only just spinning up one cloud provider, but others?

1:12:04Once again, they point to a cloud broker to help facilitate with that.

1:12:11So Infrastructure as a Service. So how do I…What are some best practices at a high level for what I should roll out?

1:12:19I should really think about breaking up the tiers, at the same time I would for other security needs and other environments…

1:12:26…just like my internal operations. Also need to think more about protecting information in transit across the wire, as well…

1:12:33…protecting information at rest on the systems; encrypting information in the databases out there.

1:12:39Credential management. That's that API key concern I mentioned…

1:12:44…utilizing built-in operating system firewalls that are out there and the ArcGIS Server application security model.

1:12:52By default, we combine all the tiers, and you can scale it out with elastic load balancing.

1:12:58But what about the supporting infrastructure, and how do you protect it? You have all this remote desktop protocol access to systems.

1:13:05Do you want to expose all your systems via RDP? The answer's no. Ideally, you start thinking about a management instance…

1:13:12…a single system that people can hit with RDP, and then that can branch out into others.

1:13:19So Amazon provides secured facilities, logically secured EC2 instances, configurable firewall to control ingress…

1:13:26…that's a firewall that only controls one way…and standard ArcGIS Server security can be utilized…

1:13:33…multifactor authentication…but what about the users of EC2?

1:13:38So this is dated last month. The Amazon Web Services users are leaving security holes. How are they doing it?

1:13:46The same thing (funny enough): the API keys warning, which was a best practices warning, like, four months earlier…

1:13:55…they're not doing. People are storing their keys in the Amazon Machine Images, posting those into the cloud, and basically…

1:14:02…anyone who downloads that AMI can get access to web services exposed from those.

1:14:09So Amazon's started trying to help validate and make sure that those are not there, but really this comes down to…

1:14:16…there's guidelines available, it's just that it's a new technology, and people are not used to needing to check for this type of thing.

1:14:24So what does Esri provide? Our AMI is currently not hardened beyond the Windows 2008 Server defaults.

1:14:30We are in the process of creating a security-hardened AMI, Amazon Machine Image it's called, as part of the federal GeoCloud initiative.

1:14:40If you want to hear more about that, or have a strong need for that, let me know.

1:14:46We provide basic online guidance, and Amazon does too, and for online hosting operations, we recently passed a…

1:14:54…what's called SAS 70 Type II.

1:14:58So in summary, 'cause we're getting close to time here, in designing an enterprise geosecurity strategy…

1:15:04…it's about identifying your particular security needs; we talked about assessing your environment, patterns…

1:15:10…understanding current security trends, how that affects you, things like Creepy and others; and understanding security options…

1:15:18…Enterprise Resource Center's available, with a variety of security mechanisms deploying across the operations…

1:15:23…also more application-specific solutions.

1:15:27There's also implementing security as a business enabler…

1:15:29…and I expressed how key that is as opposed to something that is hampering operations.

1:15:36Security's not just about a technology.

1:15:39It's about understanding your organization's GIS risk level and utilizing defense in depth.

1:15:45We have secure best practice guidance available in the Enterprise Resource Center; you can drill into mechanisms or applications.

1:15:52We have Professional Services GIS security assessment available to your organizations.

1:15:58So cloud computing for GIS has arrived, and security is definitely evolving quickly.

1:16:04So security in the cloud is a shared responsibility; remember, one of those throats to choke is your own.

1:16:10So in summary, ArcGIS Server…well, that's for Thursday, so that is gone, but you can look at that if you have an interest in…

1:16:20…how the token security model works, and a demonstration of that, go ahead and check out online that information.

1:16:27As I mentioned, we have an enterprise GIS security review out of our Professional Services Group, and I have a variety of resources.

Copyright 2016 Esri