Designing an Enterprise GIS Security Strategy
Michael E. Young
Source: downloads2.esri.com/resources/enterprisegis/FedUC2012Security.pdf
Agenda
• Introduction
• Strategy
• Trends
• Mechanisms
• ArcGIS Server
• Mobile
• Cloud
• Compliance
Introduction
- Michael E Young
- Esri Senior Enterprise Security Architect
- FISMA C&A Application Security Officer
- Certified Information Systems Security Professional (CISSP)
Introduction
What is a secure GIS?
Introduction
Sign at Narita Airport, Japan - May 2011
Context is key for identifying the appropriate secure GIS solution for your organization
Introduction
What is “The” Answer?
[Chart: Risk vs. Impact]
Introduction
Where Are the Vulnerabilities?
* SANS Relative Vulnerabilities
Strategy
• Identify your Security Needs
- Assess your environment
- Datasets, Systems
- Sensitivity, Categorization
• Understand Security Options
- Enterprise GIS Resource Center
- Enterprise-wide Security Mechanisms
- Application Specific Options
- Utilize patterns
• Implement Security as a Business Enabler
- Improve appropriate availability of information
Strategy
Enterprise GIS Security Strategy
Security Risk Management Process Diagram - Microsoft
Strategy
Esri’s Security Strategy Evolution
[Timeline: Product (Isolated Systems, 3rd Party Security) → Enterprise Solution (Integrated Systems, Embedded Security) → Cloud (Managed Security)]
Strategy
Esri Products and Solutions
• Secure Products
- Trusted geospatial services
- Individual to organizations
- Extending validation
• Secure Enterprise Guidance
- Enterprise Resource Center
- Patterns
• Secure Solution Management
- SaaS Functions & Controls
Strategy
Security Implementation Patterns
• Risk based
• 3 categories / NIST alignment
• Selection process
- Formal – NIST 800-60
- Informal
To prioritize information security and privacy initiatives, organizations must assess their business needs and risks
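The formal selection process the slide refers to (NIST 800-60) categorizes a system from the datasets it holds using the FIPS 199 high-water-mark rule. This added example (not from the slides or Esri) carries that categorization through and maps the result to a tier; the tier names and the dataset inventory are assumptions constructed for illustration.

```python
"""Security categorization of a GIS system from the datasets it holds, using the
FIPS 199 / NIST SP 800-60 high-water-mark rule, then mapping the result to one of
three pattern tiers. Added example; the tier names and the dataset inventory are
constructed, not Esri's own categorization."""
from dataclasses import dataclass

LEVELS = {"low": 1, "moderate": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}


@dataclass(frozen=True)
class Dataset:
    name: str
    confidentiality: str   # "low" | "moderate" | "high"
    integrity: str
    availability: str


def high_water_mark(datasets):
    """System impact per objective = highest impact of any dataset it stores or
    processes (FIPS 199, section 3). Returns (C, I, A) level names."""
    if not datasets:
        raise ValueError("a system must process at least one information type")
    c = max(LEVELS[d.confidentiality] for d in datasets)
    i = max(LEVELS[d.integrity] for d in datasets)
    a = max(LEVELS[d.availability] for d in datasets)
    return NAMES[c], NAMES[i], NAMES[a]


def overall_impact(datasets):
    """Overall impact level of the system: the highest of its three objectives."""
    return max(high_water_mark(datasets), key=LEVELS.__getitem__)


def security_category(system_name, datasets):
    """Render the categorization in FIPS 199 notation."""
    c, i, a = high_water_mark(datasets)
    return (f"SC {system_name} = {{(confidentiality, {c.upper()}), "
            f"(integrity, {i.upper()}), (availability, {a.upper()})}}")


# Assumed tiering: overall impact -> implementation pattern tier.
PATTERN_FOR_IMPACT = {"low": "basic", "moderate": "standard", "high": "advanced"}


def select_pattern(datasets):
    return PATTERN_FOR_IMPACT[overall_impact(datasets)]


# Constructed sample inventories.
PUBLIC_PORTAL = [
    Dataset("public basemap tiles", "low", "low", "moderate"),
    Dataset("open parcel boundaries", "low", "moderate", "low"),
]
INTRANET_GIS = PUBLIC_PORTAL + [
    Dataset("critical infrastructure locations", "high", "moderate", "moderate"),
]

if __name__ == "__main__":
    for name, inv in (("public portal", PUBLIC_PORTAL), ("intranet GIS", INTRANET_GIS)):
        print(security_category(name, inv), "->", select_pattern(inv))
```

Adding one high-confidentiality dataset to an otherwise low-impact system raises the whole system's category, which is exactly why the inventory step comes first.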
Strategy
Security Principles
• CIA Security Triad
• Defense in Depth
Strategy
Defense in Depth
[Diagram: Defense in Depth - layers of Physical Controls, Policy Controls and Technical Controls surround Data and Assets; technical controls shown are Authentication, Authorization, Encryption, Filters and Logging]
Trends
Vulnerabilities / Compromises 2011
• Large-scale breaches dropped dramatically
• Small attacks increased
• Hacking and malware are the most popular attack methods
• Stolen passwords and credentials are out of control
Verizon 2011 Data Breach Report
Trends
Reverse Proxies Need to Be Maintained
• Oct 2011 – Apache Reverse Proxy Exploit (CVE-2011-3368)
• Allows unauthenticated access to information that should be confidential
• Commonly overlooked component for updates
Update Your Reverse Proxy!
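As an added defender's check (not from the slides, not Esri code): the httpd advisory for CVE-2011-3368 told administrators to anchor RewriteRule [P] and ProxyPassMatch patterns on a leading slash, and this linter flags rules that do not; the httpd.conf fragment is constructed, and the permanent fix remains the update the slide calls for.

```python
"""Flag Apache reverse-proxy rules whose pattern does not anchor on a leading
slash, the configuration shape the httpd advisory for CVE-2011-3368 told
administrators to correct. Added example; the sample config is constructed."""
import re

# RewriteRule <pattern> <substitution> [flags]   and   ProxyPassMatch <regex> <url>
REWRITE_RULE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+(\[[^\]]*\]))?', re.I)
PROXY_MATCH = re.compile(r'^\s*ProxyPassMatch\s+(\S+)\s+(\S+)', re.I)


def is_proxy_flagged(flags: str) -> bool:
    """True when the RewriteRule flag list contains P or proxy."""
    names = (f.split("=", 1)[0].strip().lower() for f in flags.strip("[]").split(","))
    return any(n in ("p", "proxy") for n in names)


def anchored_on_slash(pattern: str) -> bool:
    """True when the regex can only match a request-URI beginning with '/'.
    A capture group may open before the slash, as in ^(/rest/.*)$."""
    p = pattern.strip('"')
    if not p.startswith("^"):
        return False
    return p[1:].lstrip("(").startswith("/")


def lint_proxy_rules(config_text: str):
    """Return (line number, directive, pattern) for every proxying rule whose
    pattern is not anchored on a leading slash."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = REWRITE_RULE.match(line)
        if m:
            pattern, flags = m.group(1), m.group(3) or ""
            if is_proxy_flagged(flags) and not anchored_on_slash(pattern):
                findings.append((lineno, "RewriteRule", pattern))
            continue
        m = PROXY_MATCH.match(line)
        if m and not anchored_on_slash(m.group(1)):
            findings.append((lineno, "ProxyPassMatch", m.group(1)))
    return findings


# Constructed sample: lines 3 and 7 are the unanchored proxying rules.
SAMPLE_CONF = """\
# constructed httpd.conf fragment for a GIS reverse proxy
RewriteEngine On
RewriteRule ^(.*)$ http://gis.internal.example/$1 [P,L]
RewriteRule ^/arcgis/(.*)$ http://gis.internal.example/arcgis/$1 [P]
ProxyPassMatch ^(/rest/.*)$ http://gis.internal.example$1
RewriteRule ^(.*)\\.html$ /static/$1.html [L]
ProxyPassMatch ^rest/(.*)$ http://gis.internal.example/rest/$1
"""

if __name__ == "__main__":
    for lineno, directive, pattern in lint_proxy_rules(SAMPLE_CONF):
        print(f"line {lineno}: {directive} pattern {pattern!r} is not anchored on '/'")
```

Line 6 is a local rewrite without the [P] flag, so it is deliberately not reported.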
Trends
End of Browser Plug-ins?
• Migration away from Flash and Silverlight Plug-ins has begun
• Security experts ready to unload plug-ins
• HTML5 limitations and inconsistencies across browsers will slow migration
Trends
Mobile Security
• iPhone Twitter PII compromised
• Mobile device data not secure by default
Enterprise Mobile Security Solutions can help
Trends
Cloud
• Data breaches of 2011
- #1 Sony – PlayStation Cloud: 100+ million
- #2 Epsilon – Email Cloud: 60+ million
- #6 Nasdaq – Dashboard Cloud: 10k+ Sr. Execs
*http://informationweek.com/news/security/attacks/232301079
An Enterprise Security Strategy can help through cloud data mitigation controls and cloud security policies
Mechanisms
Authentication
• Three ArcGIS Authentication Schemes
- Web Traffic via HTTP
1. Web Services
2. Web Applications
- Intranet Traffic via DCOM
3. Local Connections
Mechanisms
Authentication
| Access Restricted | Authentication Method | Description | Encryption |
|---|---|---|---|
| Web Service or Web Application | None | Default Internet Connections | N/A |
| Web Service or Web Application | Basic / Digest / Windows Integrated | Browser built-in pop-up logon | Basic: None, unless using SSL |
| Web Service or Web Application | Java EE Container | Web container challenge | Container Managed |
| Web Service or Web Application | PKI / Smartcards | Public key certificate* | PKI Managed |
| Web Application Only | .NET Form-based | Custom login and error pages | None, unless using SSL |
| Web Application Only | Java ArcGIS Managed | ArcGIS Server provides login | None, unless using SSL |
| Web Service Only | Esri Token | Cross Platform, Cross API | AES-128bit |
| Local DCOM | Windows Integrated | OS Groups AGSUser, AGSAdmin | OS Managed |

*PKI / Smartcard Validation Environment Recently Stood up
Mechanisms
Authorization – Role Based Access Control
• Esri COTS
- Assign access with ArcGIS Manager
- Service Level Authorization across web interfaces
- Services grouped in folders utilizing inheritance
• 3rd Party
- RDBMS – Row Level or Feature Class Level
- Versioning with Row Level degrades RDBMS performance
- Alternative - SDE Views
• Custom - Limit GUI
- Rich Clients via ArcObjects
- Web Applications
- Sample code Links in ERC
- Microsoft’s AzMan tool
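The service-level authorization with folder inheritance described above, as an added example (not ArcGIS Manager's implementation, not Esri code): a simplified model in which a service-level assignment overrides the nearest folder assignment up the path, with an assumed convention that unassigned paths are open to everyone; role, folder and service names are constructed.

```python
"""Service-level authorization with folder inheritance, modelled after the
slide's description (access assigned per service or per folder of services).
Added example; a simplified model with constructed names, not ArcGIS Manager's
implementation. Convention assumed here: no role assignment means open to all."""

EVERYONE = "everyone"  # assumed sentinel: no role restriction


class ServiceAuthorization:
    def __init__(self):
        self._folder_roles = {}   # "/Folder" -> set of role names or EVERYONE
        self._service_roles = {}  # "/Folder/Service" -> set of role names or EVERYONE

    def set_folder_roles(self, folder, roles):
        self._folder_roles[folder] = roles if roles == EVERYONE else set(roles)

    def set_service_roles(self, service, roles):
        self._service_roles[service] = roles if roles == EVERYONE else set(roles)

    @staticmethod
    def _parent(path):
        return path.rsplit("/", 1)[0] or "/"

    def effective_roles(self, service):
        """A service-level assignment overrides; otherwise the nearest folder up
        the path that has an assignment applies; the root defaults to open."""
        if service in self._service_roles:
            return self._service_roles[service]
        folder = self._parent(service)
        while True:
            if folder in self._folder_roles:
                return self._folder_roles[folder]
            if folder == "/":
                return EVERYONE
            folder = self._parent(folder)

    def is_allowed(self, service, user_roles):
        allowed = self.effective_roles(service)
        if allowed == EVERYONE:
            return True
        return not allowed.isdisjoint(user_roles)

    def open_services(self, services):
        """Defender's audit: services reachable without holding any role."""
        return [s for s in services if self.effective_roles(s) == EVERYONE]


def build_sample():
    """Constructed configuration: a restricted folder with two overrides."""
    authz = ServiceAuthorization()
    authz.set_folder_roles("/Internal", {"gis_editors", "gis_admins"})
    authz.set_service_roles("/Internal/Basemap", EVERYONE)          # opened explicitly
    authz.set_service_roles("/Internal/Pipelines", {"gis_admins"})  # tighter than folder
    return authz


SAMPLE_SERVICES = ["/Public/Parcels", "/Internal/Basemap",
                   "/Internal/Pipelines", "/Internal/Hydrants"]

if __name__ == "__main__":
    authz = build_sample()
    for svc in SAMPLE_SERVICES:
        print(svc, "->", authz.effective_roles(svc))
    print("open to everyone:", authz.open_services(SAMPLE_SERVICES))
```

The audit method is the useful part: an explicit "everyone" override inside a restricted folder is easy to miss when only the folder assignment is reviewed.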
Mechanisms
Filters – 3rd Party Options
• Firewalls
• Reverse Proxy
• Web Application Firewall
- Open Source option ModSecurity
• Anti-Virus Software
• Intrusion Detection / Prevention Systems
• Limit applications able to access geodatabase
Mechanisms
Filters – Firewall Friendly Scenario
• Web Application Firewall in DMZ
• File Geodatabase (FGDB) in DMZ
• One-way replication via HTTP(S)
• Deployed to each web server for performance
• Internet users access to subset of Geodatabase
• Same replication model could be used to push data to cloud
[Diagram: the Intranet zone holds the Database and a Web GIS used to Author & Publish (DCOM, SQL); one-way HTTP replication pushes the FGDB to a Web GIS in the DMZ behind the WAF; Internet users reach it over HTTP]
Mechanisms
Filters
• Why no Reverse Proxy in DMZ?
- One-off component / no management, minimal filtering
• Multi-Function Web Service Gateways
- Store SSL Certificates / SSL Acceleration
- URL Rewrite
- Web Application Firewall
[Diagram: External, DMZ and Internal zones]
Mechanisms
Encryption – 3rd Party Options
• Network
- IPSec (VPN, Internal Systems)
- SSL (Internal and External System)
- Cloud Encryption Gateways
- Only encrypted datasets sent to cloud
• File Based
- Operating System – BitLocker
- Geospatially enabled PDFs combined with Certificates
- Hardware (Disk)
• RDBMS
- Transparent Data Encryption
- Low Cost Portable Solution - SQL Express 2008 w/TDE
Mechanisms
Logging/Auditing
• Esri COTS
- Geodatabase history
- May be utilized for tracking changes
- ArcGIS Workflow Manager
- Track Feature based activities
- ArcGIS Server 10 Logging
- “User” tag tracks user requests
• 3rd Party
- Web Server, RDBMS, OS, Firewall
- Consolidate with a SIEM
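As an added example (not Esri code) of the consolidation step above: SIEM-style checks over ArcGIS Server request logs keyed on the per-message user attribute the slide mentions. The `<Msg>` attribute names, message codes and log lines are constructed assumptions, so the parser must be mapped to the real log schema before use.

```python
"""SIEM-style checks over ArcGIS Server request logs, keyed on the per-message
user attribute the slide mentions. Added example, not Esri code: the <Msg>
attribute names, codes and the log lines are constructed/assumed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

# Constructed log excerpt (one <Msg> element per line, as assumed here).
SAMPLE_LOG = """\
<Msg time="2012-02-22T10:00:01" type="INFO" code="100004" target="Public/Parcels.MapServer" user="">Request handled</Msg>
<Msg time="2012-02-22T10:00:05" type="INFO" code="100004" target="Public/Parcels.MapServer" user="">Request handled</Msg>
<Msg time="2012-02-22T10:01:10" type="INFO" code="100004" target="Internal/Hydrants.MapServer" user="jsmith">Request handled</Msg>
<Msg time="2012-02-22T10:01:12" type="INFO" code="100004" target="Internal/Pipelines.MapServer" user="jsmith">Request handled</Msg>
<Msg time="2012-02-22T10:01:15" type="INFO" code="100004" target="Internal/Roads.MapServer" user="jsmith">Request handled</Msg>
<Msg time="2012-02-22T10:01:20" type="INFO" code="100004" target="Internal/Basemap.MapServer" user="jsmith">Request handled</Msg>
<Msg time="2012-02-22T10:02:40" type="INFO" code="100004" target="Internal/Hydrants.MapServer" user="mjones">Request handled</Msg>
<Msg time="2012-02-22T10:30:00" type="WARNING" code="100011" target="Internal/Pipelines.MapServer" user="mjones">Access denied</Msg>
"""


def parse_log(text):
    """Parse <Msg> lines into dicts; a blank user is recorded as 'anonymous'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("<Msg"):
            continue
        el = ET.fromstring(line)
        events.append({
            "time": datetime.fromisoformat(el.get("time")),
            "type": el.get("type"),
            "target": el.get("target"),
            "user": el.get("user") or "anonymous",
            "text": el.text or "",
        })
    return events


def requests_per_user(events):
    return Counter(e["user"] for e in events)


def denied_by_user(events):
    """Count access-denied messages per user (assumed marker: WARNING + 'denied')."""
    return Counter(e["user"] for e in events
                   if e["type"] == "WARNING" and "denied" in e["text"].lower())


def service_sweeps(events, window=timedelta(minutes=5), max_distinct=3):
    """Flag users that touch more than max_distinct services inside `window`,
    an enumeration/scraping indicator worth forwarding to the SIEM."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            targets = {x["target"] for x in evs[i:] if x["time"] - start["time"] <= window}
            if len(targets) > max_distinct:
                flagged[user] = len(targets)
                break
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("requests per user:", dict(requests_per_user(events)))
    print("denied per user:", dict(denied_by_user(events)))
    print("service sweeps:", service_sweeps(events))
```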
Mechanisms
Questions?
• What mechanisms are you struggling with?
• Where can we provide further guidance?
ArcGIS Server
Public Facing Architecture
[Diagram: Public Facing Architecture, ArcGIS Server 10 vs 10.1. Public zone; DMZ with WAF and Web tier (Reverse Proxy at 10, Web Adaptor at 10.1); Private zone with GIS Server (SOM/SOC at 10), Server Directories (SvrDir), DB client and DBMS]
ArcGIS Server
ArcGIS 10.1
[Diagram: ArcGIS Server Site with IIS or Apache hosting the Web Adaptor in front of the GIS Server (http://host/arcgis/rest); the site runs under an OS Service Account with a Primary Site Admin Account and uses a Config Store and Server Directories]
• Goodbye DCOM issues!
• Token Security enabled by default
• Added Publisher Role
• AGSAdmin / AGSUser OS Roles dropped
• All tier capabilities installed by default
- Web, application, data
- Ready to run developer platform
• Deploy Web Adaptor to web server for production
• Editor feature service tracking
- Owner based control
• Integrated Security Model still available
• Administrator API
Mobile
Just Secure the Web Service Endpoints, Right?
Mobile
OWASP Top 10 Mobile Issues
| Issue | Solution Question |
|---|---|
| Physical Loss | Device Security Options? |
| Malicious App | What app stores allowed? |
| Rooted Device | Encryption/Strength? |
| Patches | How enforced? |
| Insecurely Written App | How is code tested? |
| Compromised Password | How secured/encrypted? |
| Unprotected Transport | TLS/SSL Utilized? |
| Weak Session Management | Tokens always passed? |
| Unprotected Services | Hardening Guidance? |
| Internal Resource Access | VPN Options? |
Mobile Phone Security
ArcGIS Mobile Security Touch Points
[Diagram: touch points shown are Communication, Service authorization, Device access, Project access, Data access, Server authentication, SDE permissions and Storage]
Mobile
• Enterprise Mobile Security Validation Efforts
- Enterprise device solutions
- Benefits: Secure email, browser, remote wipe, app distribution
- Application specific solutions
- Benefits: Secure connections and offline device data
- Esri iOS SDK + Security SDK
Mobile
Questions?
• Are there particular mobile security concerns you would like Esri to address more?
The Cloud
Who is Responsible for Security Controls?
• IaaS
- ArcGIS Server for Amazon
- CSP -> Infrastructure
- Agency -> CSP Config, OS, Apps
• SaaS
- ArcGIS Online
- CSP -> Infrastructure
- Esri -> CSP Config, OS, Apps
- Agency -> App Config
The Cloud
Choice of deployment models
The Cloud
Amazon Options
The Cloud
Going Beyond 1 Tier
The Cloud
IaaS - ArcGIS Server in Amazon – Deployment Options
• Ease Deployment
- New Cloud Builder 10.1 Tool
- Default not hardened
• Offload Management (Cloud Broker Role)
- Esri Managed Services
• Simplify FISMA
- GeoCloud – GSA / FGDC Initiative
- Security hardened AMI
- Shared security certification focus this year
The Cloud
SaaS - ArcGIS Online for Organizations
• Organization Administrator options
- Require SSL encryption
- Allow anonymous access to org site
• Consume Token Secured ArcGIS Server services
- 10 SP1 and later
- User name and password prompts upon adding the service to a map, and viewing
• Upcoming
- Operation Transparency pages (Trust.Salesforce.com)
- Federated Identities (SAML/ADFS)
- FISMA Certification and Accreditation
Compliance and Standards
Compliance
• FDCC
- Desktop products 9.3-10
• USGCB
- Planned Desktop products 10.1
• SSAE 16 Type 1 – Previously SAS 70
- Esri Data Center Operations
Cloud / SaaS Compliance Efforts
• FISMA
- ArcGIS Online for Organizations coming soon
• FedRAMP
- Actively aligning with requirements
• Cloud Security Forum Participation
- Lack of segmentation guidance
[Timeline: FY12 – Initial Ops; FY13 – Fully Op; FY14 – Sustained Ops]
Compliance Workarounds
• Password Management
- Prevent saving in MXD files
- Registry entry
- http://support.esri.com/en/knowledgebase/techarticles/detail/36695
• FIPS Compliance
- Additional steps necessary for .NET server 9.3-10
- http://support.esri.com/en/bugs/nimbus/role/beta10_1/TklNMDQ1MjA5
Compliance
Questions?
• Any compliance questions or suggestions?
Summary & Next Steps
Summary
• Security is NOT about just a technology
- Understand your organization's GIS risk level
- Utilize Defense-In-Depth
• Secure Best Practice Guidance is Available
- Check out the Enterprise GIS Resource Center!
- Drill into details by mechanism or application type
What is still needed?
Your Input is Crucial
• Your Feedback and Insight Today is Essential
- Current Security Issues
- Upcoming Security Requirements
- Areas of concern Not addressed Today
Contact Us At:
Enterprise Security [email protected]
Upcoming Events (www.esri.com/events)
March 8 - MeetUp at Esri (Vienna, VA)
April 12 - MeetUp in DC area (location TBD)
Mar 24-27 – Esri Partner Conference (Palm Springs, CA)
Mar 26-29 – Esri Developer Summit (Palm Springs, CA)
July 21-24 – Esri Homeland Security Summit (San Diego, CA)
July 23-27 – Esri International User Conference (San Diego, CA)
Friday Closing Session and Hosted Lunch
• Join conference attendees for lunch and closing session
• 11:30 am – 1:30 pm
• Ballrooms A-C, Third Level
• Closing Speaker – Chris Smith, United States Department of Agriculture
• Wrap-up and request for feedback with Jack Dangermond at the end of the closing session
Thank You
Please complete session evaluation form