ArcGIS Security Authorization Advancements

Full text

(1)Federal GIS Conference February 9–10, 2015 | Washington, DC. ArcGIS Security Authorization Advancements Michael Young & Erin Ross.

(2) Overview. •. Authorization Past & Present. •. Products. •. -. ArcGIS Server. -. ArcGIS Desktop. Solutions -. ArcGIS Online. -. Esri Managed Cloud Services -. •. New FedRAMP Moderate Option. Summary.

(3) Authorization Historical Issues. •. Every implementation undergoes separate security authorization processes. •. Federal and Defense utilized different frameworks -. Authorization (based on risk) vs. certification. •. Standard geospatial system security configurations not agreed upon by government. •. Above items drive deployment delays, stability, and issue reproduction problems -. E.g. Mitigating measures, waivers, policy refresh outages, and unable to reproduce issues.

(4) Authorization FISMA •. Federal Information Security Management Act (FISMA) 2002 -. All production US Federal government systems must be compliant/authorized. -. Enforced by the inspector general’s office of each agency. -. References NIST 800-53 Security Controls spanning 17 families including: -. Access Control, Training, Auditing, Maintenance, Integrity, Acquisition, Personnel Step 1 – Categorize Information. •. •. Three categorization levels -. Low – Non-sensitive information (100+). -. Moderate – Sensitive information (300+). -. High – Most sensitive information (350+). Collect System Information Perform Privacy Analysis Categorize System. Solutions are authorized, not individual products -. Datasets and workflows are part of the accreditation. Step 2 – Select Security Controls Identify Common Controls Select Remaining Controls Tailor and Document in SSP. Step 3 – Implement Security Controls Implement Security Controls Update the SSP. Develop CP, CMP and IRP. Step 3 Concurrency Review. Step 4 –Assess Security Controls Develop Test Plan Assess Security Controls Develop Reports and POA&Ms. Step 4 Concurrency Review. Step 5 – Authorize Security Controls Develop ATO Package AO Reviews POA&M and Risk AO Signs ATO / Denial of Operation. Step 6 – Monitor Security Controls Monitor for Major Changes Remediate POA&M Items Continuous Monitoring of Controls. ArcGIS Online’s Low Accreditation Aligns Well with Hybrid Deployments.

(5) Authorization FedRAMP. •. Relatively new authorization process aligning with FISMA law. •. Provides a stronger foundation of reciprocity for cloud based offerings. •. Same NIST 800-53 security controls with additional ones added for cloud. •. Security control baselines in place now for Low and Moderate, draft of High released Jan 2015 Cloud.CIO.gov – Excellent Resource for FedRAMP Details.

(6) Authorization Federal and Defense Security Strategy is Evolving. •. •. Federal -. FISMA -> FedRAMP. -. Drives improved efficiency of Federal security authorization process for cloud offerings. Defense -. DIACAP -> Risk Management Framework. -. Drives improved efficiency of defense and federal departments operating off a common framework and set of baseline security controls.

(7) Authorization Esri’s Security Strategy is Evolving. Solution Enterprise Product. ArcGIS. Isolated Systems. Integrated Systems. Cloud. 3rd Party Security. Embedded Security. Managed Security.

(8) Authorization Levels of authorization across software and systems. •. •. Product Based Initiatives -. ArcGIS Server. -. ArcGIS Desktop. Solution/Service Based Initiatives -. ArcGIS Online. -. Esri Managed Cloud Services.

(9) Product Based Security Initiatives ArcGIS Server & Desktop.

(10) Product Based Security Initiatives ArcGIS Server – DISA STIG •. Sponsored by government to work with DISA -. Create a Security Technical Implementation Guides (STIGs). -. Non-FOUO therefore information will be publically accessible. -. First STIG will be Windows based ArcGIS Server 10.3 -. Other STIGs will be performed based on demand. •. Expected completion by Esri International User Conference – July 2015. •. Post STIG completion -. STIG will be an input for an ArcGIS Server Security Hardening guide for general distribution. -. Enterprise component integration testing and best practice recommendations incorporated.

(11) Product Based Security Initiatives DISA STIG Creation Process. Draft STIG Settings Provided to DISA – Undergoing SME Review.

(12) Product Based Security Initiatives ArcGIS Server – Planned STIG Configuration. Legend Microsoft Component. Web Application Firewall. TCP 443. Privileged User. User. TCP 443. TCP 443. Windows Integrated Authentication Accept Client Certificates (PKI). Windows Integrated Authentication Accept Client Certificates (PKI). IIS SIEM Log Agent AD. SIEM Log Agent. IIS Web Adaptor (User). Web Adaptor (Admin). TCP 6443. SIEM Log Agent AD. AD. TCP 6443. ArcGIS Server Site. SMB CIFS. SMB CIFS. RDBMS Ports. SIEM Log Agent. Config-Store. SIEM Log Agent. File Store. SIEM Log Agent. RDBMS. SIEM Log Agent. ArcGIS Component Non-Specific Vendor Component.

(13) Product Based Security Initiatives ArcGIS Server – Awareness of Relative Risk. •. Security hardening best practices provide insights into relative risk of different services, and optional mitigation measures to reduce risk Relative Service Risk. Service. Capability. Map Map Feature Feature Feature Geocoding Geodata Geodata Geodata Geoprocessing Image Image Image. Mapping Query Read Edit Sync Geocode Query Data Extraction Replica Geoprocessing Imaging Edit Upload. Red = Higher risk Yellow = Average risk Green = Low risk. Default when Enabled. Security Hardened. Security Hardened Settings. Providing new insights.

(14) Product Based Security Initiatives Desktop. •. •. •. •. Esri performs self-certification of desktop products -. Ensures smooth deployments within security constraints of systems. -. ArcGIS Desktop with all extensions is primary focus. -. Typically completed within 6 months of product release. FDCC -. Federal Desktop Certified Configuration. -. Versions 9.3-10. -. Deprecated due to Windows XP focus. USGCB -. United States Government Configuration Baseline. -. Versions 10.1+. ArcGIS Pro (Expected Q1 2015) Eases your desktop deployment headaches.

(15) Solutions Based Security Initiatives.

(16) Solutions Based Security Initiatives Federal Geospatial Cloud Security Compliance Roadmap 2002. FISMA Law Established. Required security baselines for Federal systems. 2002…. 2005…. Aug 2005. Esri GOS2 FISMA Authorization. DOI Issues ATO to Esri. Feb 2010. Kundra Announces FedRAMP. First Agency Authorization. HHS Issues ATO to Amazon. Security Working Group concept announced. 2010. June 2014. May 2013. 2011. May 2010. Esri Participates in First Cloud Computing Forum Esri begins active involvement in cloud standards & security programs. 2012. OMB FedRAMP Mandate. FedRAMP now required for all cloud solutions covered by policy memo. 2013. 2014. Planned. ArcGIS Online FedRAMP Authorization 2015. Dec 2011. June 2014. Jan 2015. Esri works with Agencies & FedRAMP to plan SaaS Compliance. USDA Issues ATO to Esri. Signoff by FedRAMP Director. Esri Federal Cloud Computing Security Workshop. ArcGIS Online FISMA EMCS FedRAMP Compliant Authorization. 2016. Planned for 2015. ArcGIS Online Hosted Feature Services Authorization DOI working with Esri towards Authorization. Esri has actively participated in hosting and advancing secure compliant solutions for over a decade.

(17) Solutions Based Security Initiatives Esri Corporate Operations Compliance. •. ISO 27001 -. •. •. Esri’s Corporate Security Charter. Privacy Assurance -. US EU/Swiss SafeHarbor self-certified. -. TRUSTed cloud certified. SSAE 16 Type 1 – Previously SAS 70 -. Esri Data Center Operations. -. Expanded to Managed Services in 2012.

(18) Solutions Based Security Initiatives ArcGIS Online Cloud Infrastructure Provider Compliance. •. ArcGIS Online Utilizes World-Class Cloud Infrastructure Providers -. Microsoft Azure. -. Amazon Web Services. Cloud Infrastructure Security Compliance. SSAE16 SOC1 Type2. Moderate.

(19) Solutions Based Security Initiatives Mind the Authorization Gap. •. Common misconception -. •. •. A cloud providers authorization should be “good enough” to meet Agency security requirements. Useful facts -. The majority of vulnerabilities are at the application level. -. Cloud providers IaaS authorizations don’t cover the applications, or even operating system. Result -. There is a significant security authorization gap.

(20) Solutions Based Security Initiatives Options for Addressing the CSP Authorization Gap •. •. •. Generalized Expert Provider -. Equivalent to service provider middleware. -. Lack of depth with advanced API services such as ArcGIS increases both security/availability risks. Application Expert Provider -. Obtain solutions that incorporate security infrastructure having their own FISMA or FedRAMP compliance that layers on top of the CSP FedRAMP Authorization. -. Examples - ArcGIS Online and Esri Managed Cloud Services. Tunnel -. •. Do-It-Yourself -. •. Establish tunnel between on-Premises security infrastructure and cloud deployment Establish your own security infrastructure in the cloud to use with applications. Ostrich -. Stick head in sand and pretend not a big deal (not recommended).

(21) Solutions Based Security Initiatives Responsibility Across ArcGIS Deployment Options. On-premises. Esri Images & Cloud Builder. Esri Managed Cloud Services. ArcGIS Online. FedRAMP Moderate Compliant. FISMA Low ATO. ArcGIS Server. ArcGIS Server. ArcGIS Server. ArcGIS Online. OS/DB/Network. OS/DB/Network. OS/DB/Network. Security Infrastructure. No Security Infrastructure by default. Security Infrastructure. Security Infrastructure. Virtual / Physical Servers. Cloud Infrastructure (IaaS). Cloud Infrastructure (IaaS). Cloud Infrastructure (IaaS). Customer Responsibility. Esri Responsibility. OS/DB/Network Esri Compliance & ATO Scope IaaS ATO Scope. CSP Responsibility.

(22) Solutions Based Security Initiatives ArcGIS Online Assurance Layers Customer. Web App Consumption ArcGIS Management. Esri AGOL SaaS FISMA Low (USDA) SafeHarbor (TRUSTe). Web Server & DB software Operating system Instance Security Management. Cloud Provider ISO 27001 SSAE16 FedRAMP Mod. Cloud Providers. Hypervisor. Physical.

(23) Solutions Based Security Initiatives ArcGIS Online Federal Use Cases in FISMA Authorization Tiles. •. Use Case 1 – Public Dissemination. Agency Authoritative Source. -. Publish tiles for fast, scalable visualizations. -. Share information with the public. -. Can be used for mashing up services with external non-SSL sites Public Consumers. •. Use Case 2 – USG Operations -. Hybrid deployment of ArcGIS Server and ArcGIS Online. -. Share operational data within or between agencies. -. Sensitive data maintained on Agency premises or other authorized environment. -. ArcGIS Online operates as a discovery portal. -. Utilize Enterprise Logins. Agency Consumer. Metadata Agency Publisher. Server. ArcGIS Online.

(24) Solutions Based Security Initiatives ArcGIS Online – Meeting security needs with Hybrid deployments Users Anonymous Access. Apps. ArcGIS Online. On-Premises • • •. Ready in months/years Behind your firewall You manage & certify. •. Esri Managed Cloud Services •. Ready in days. •. All ArcGIS capabilities at your disposal in the cloud. •. Dedicated services. •. FedRAMP Moderate. • • •. Ready in minutes Centralized geo discovery Segment anonymous access from your systems FISMA Low. . . . All models can be combined or separate.

(25) Solutions Based Security Initiatives ArcGIS Online – Value Proposition of FISMA Low offering. •. •. Outreach and collaboration -. Provision of USG non-sensitive content to public, more sensitive content to authorized groups. -. Easy content discovery (via single metadata catalogue) and integration. Flexibility and agility -. •. Rapid stand-up of new content/services, accommodate surge. Efficiency -. Avoid development/implementation of one-off systems. -. Off-load systems operations onto more cost effective platform(s).

(26) Solutions Based Security Initiatives ArcGIS Online – Authorization efforts going forwards. •. •. •. Other agencies are pursuing ArcGIS Online Authorization -. DoI is looking into supplementing their Authorization with Hosted Feature Services. -. EPA & NOAA are also actively pursuing authorization. FedRAMP Agency-based Authorization -. Low or Moderate based on feedback being gathered from customers now. -. Is supplementing ArcGIS Online’s Low authorization, with a hybrid implementation combining EMCS moderate compliance, adequate for the majority of use-cases?. Further discussion in Panel session on Tuesday -. Panel being lead by DOI, with EPA and the FedRAMP Director from GSA. -. Tuesday 2:45pm – Room 102B Join us for shaping our future authorization plans.

(27) Solutions Based Security Initiatives ArcGIS Online – How can agencies obtain necessary assurance to authorize?. •. ArcGIS Platform Authorization Briefing flyer available during Tuesday panel session. •. ArcGIS Online. •. -. Esri can share current FISMA authorization materials with agencies under NDA. -. Contact [email protected]. Esri Managed Cloud Services (EMCS) -. •. Materials available through FedRAMP Repository. Public Info - Trust.ArcGIS.com -. Privacy, SLA, Terms of Service, Availability trends, and best practices available. -. Answers to the most common cloud security questions about ArcGIS Online are addressed in the Cloud Security Alliance matrix.

(28) Esri Managed Cloud Services Erin Ross.

(29) What is Esri Managed Cloud Services? Esri cloud GIS experts supporting customer apps & data in the cloud.

(30) ArcGIS Online and Esri Managed Cloud Services. Users. ArcGIS Online.  Desktop  Web  Mobile.  Online Basemaps  Geocoding, Routing  Hosted Feature & Tile Map Services  App Templates. Esri Managed Cloud Services     . Custom Web Apps GP, Reporting Services Imagery, Large Datasets Dynamic Map Services RDBMS (Oracle, SQL Server). ArcGIS Online front-end, Managed Cloud Services back-end.

(31) What is included?. •. Provide Cloud-based GIS infrastructure support, including: -. Enterprise system design. -. Infrastructure management. -. Software (Esri & 3rd Party) Installation, updates and patching. -. Application deployment. -. Database management. -. 24/7 support and monitoring.

(32) Benefits of Esri Managed Cloud Services. – Increase efficiency and business focus – – High availability, quality and performance – – Reduce internal costs – – Preserves data integrity, privacy and availability– – Increase usage and productivity –. Cloud GIS experts managing your critical apps and content.

(33) How is it delivered?. Available on GSA.

(34) Basic Packages “Sandbox”. •. Ready to use cloud instance of ArcGIS for Server. •. Remote access provided to user. Ideal for development, prototyping....

(35) Standard, Advanced, Advanced Plus Packages •. Esri loads, publishes and deploys on behalf of customer. •. 24/7 system monitoring and support. •. Ideal for production systems (internal or public facing). Production Staging Test Dev.

(36) Esri Managed Cloud Services Use Cases.

(37) USGS Historical Topographic Maps •. More than 175,000 topographic maps published by the USGS since 1884. •. 22 TB data x 2 for redundancy. •. 1.6 million hits during Esri User Conference. •. Consumed by several apps; premium service available in ArcGIS Online.

(38) Power Outage Viewers •. Highly available, scalable systems ready to perform during major events. •. Frequent, automated data updates. Bringing critical outage information to the general public.

(39) Constellation Brands •. Improve sales by leveraging tools to drive volume and revenue. •. 4th of July deadline. •. 2.7M records updated 2x / week via scripted tools. Equipping staff with valuable information to increase sales.

(40) Who else uses Esri Managed Cloud Services? •. Manage over 500 servers, many TB of data. •. 80+ customers. •. Leveraged across many sectors.

(41) EMCS FedRAMP Moderate Option Michael Young.

(42) EMCS FedRAMP Moderate Option •. Why did Esri pursue FedRAMP Compliance? -. Demand -. -. Risk -. -. Customers demanded FedRAMP compliance before rolling out future production operations. Customer risk increasing rapidly without security infrastructure. Mandate -. OMB mandate all low and moderate impact cloud services leveraged by more than one office or agency must comply with FedRAMP requirements. Accelerates Review and Acceptance of Cloud Based Services.

(43) EMCS FedRAMP Moderate Option FedRAMP Government Entities & Process. Cross Government Support & Standardized RMF Process.

(44) EMCS FedRAMP Moderate Option Documentation. •. FIPS 199. •. Security Assessment Plan (SAP). •. Control Implementation Summary (CIS). •. Test Case Workbook. •. System Security Plan (SSP). •. Security Assessment Report (SAR). •. Information System Security Policies. •. Plan of Action and Milestone (POA&M). •. User Guide. •. Policies and procedures. •. E-Authentication Template. •. Business Impact Analysis. •. Privacy Threshold Analysis (PTA). •. Configuration Management Plan. •. Rules of Behavior (ROB). •. Incident Response Plan. •. IT Contingency Plan. •. Interconnection Security Agreement (ISA / MOU). •. Penetration Test Plan. 1000’s of pages ensuring rigorous security.

(45) EMCS FedRAMP Moderate Option Assessment. •. •. Cloud Security Assessor Veris Group -. Third Party Assessment Organization (3PAO) accredited by FedRAMP. -. 1st to successfully inspect FedRAMP CSP Supplied, JAB, and Agency Approved Solutions. -. 5 month engagement. -. Three months of active Technical and Documentation assessments -. System level scans. -. Web Interface scans. -. Database scans. -. Penetration testing. FedRAMP Advisor – Relevant Technologies -. Laura Taylor - Wrote the initial Guide to Understanding FedRAMP Great advisors and skilled assessors keep the effort focused.

(46) EMCS FedRAMP Moderate Option Authorization •. 3 Baseline Security Control Levels -. •. 3 Status Levels -. •. •. Low, Moderate*, High in draft. Ready, In Process, Compliant*. 3 FedRAMP Authorization Levels -. Cloud Service Provider (CSP) Supplied*. -. Agency Authorization To Operate (ATO). -. Joint Agency Board (JAB) Provisional Authority To Operate. EMCS is -. FedRAMP Moderate. -. FedRAMP Compliant. -. CSP Supplied offering. EMCS CSP Supplied Package can be consumed by your Agency.

(47) EMCS FedRAMP Moderate Option Continuous Monitoring. Monitoring Workflow FedRAMP Reporting Workflow Ensures maintenance of acceptable risk posture.

(48) EMCS FedRAMP Moderate Option Security Infrastructure •. Most government systems -. •. •. Require moderate security baseline controls. Most geospatial information sets -. Only require low baseline controls. -. ArcGIS Online Low FISMA is adequate for many customer use cases. EMCS FedRAMP Infrastructure Design Goals -. Consumable by the widest range of customers -. -. Drive down customer expenses for secure, compliant geospatial services -. -. Amazon East-West Regions – Not limited to GovCloud Customer’s can choose level of multi-tenancy vs dedicated services they are comfortable with. Meet and exceed current rigorous FedRAMP requirements for cloud services -. First geospatial platform to be compliant with FedRAMP Rev 4 requirements A balance of robust security and business requirements drove infrastructure choices.

(49) EMCS Security Infrastructure AWS. Customer Infrastructure. Active/Active Redundant across two Cloud Data Centers Web Application Firewall. End Users. DMZ. WAF. Public-Facing Gateway. ArcGIS for Portal Dedicated Customer Application Infrastructure. ArcGIS Server. Security Ops Center (SOC). Security Service Gateway. File Servers. Relational Database Intrusion Detection IDS / SIEM. Centralized Management. Backup, CM, AV, Patch, Monitor. Cloud Infrastructure. Hypervisor, TCP/IP, Network ACLs, Routing, Storage, Hardware Authentication/Authorization Bastion Gateway MFA. Esri Administrators. Legend. Esri Admin Gateway. Agency. LDAP, DNS, PKI. Cloud Infrastructure. Hypervisor, TCP/IP, Network ACLs, Routing, Storage, Hardware. Application. Common Security Infrastructure. Cloud Provider. Common Cloud Infrastructure. Security.

(50) EMCS FedRAMP Moderate Option How do I get started?. •. Express an interest in service offering and let your security team know EMCS is FedRAMP compliant. •. Agency Authorized FedRAMP Approver can facilitate download and review of FedRAMP package for EMCS @. •. -. http://cloud.cio.gov/fedramp/agency. -. If you are unsure of your FedRAMP approver email the FedRAMP PMO: [email protected]. What else is available outside FedRAMP repository? -. •. Cloud Security Alliance (CSA) answers for EMCS coming. Complete Agency Authority To Operate (ATO) -. Utilize pre-existing EMCS and AWS FedRAMP moderate docs. Simplifies obtaining an ATO for your organization.

(51) Summary.

(52) Summary Resources Available for Agency Review. •. •. •. Cloud infrastructure provider -. SSAE16 and ISO27001. -. Report available from cloud providers under NDA. FedRAMP Repository -. EMCS FedRAMP Moderate Compliance Package. -. Cloud Service Provider FedRAMP Moderate Packages. Esri -. SSAE16 for Esri Datacenter Operations. -. System Security Plan (SSP) – Agency references removed. -. Reports available from Esri under NDA. -. Cloud Security Alliance (CSA) Answers Publically Available.

(53) Summary Solution/Services Accreditation Roadmap •. ArcGIS Online FISMA Low Accreditation -. •. •. Agency Authorization June 6, 2014. Esri Managed Cloud Services (EMCS) FedRAMP Moderate Compliance -. CSP Supplied Compliant Package Authorized January 29, 2015. -. Establishes validated secure clouds deployment patterns. -. Documentation and assessment materials enable FISMA or FedRAMP authorization. -. Initially AWS based, other cloud providers based on demand. Upcoming ArcGIS Online FedRAMP Agency Authorization -. Cross-cloud provider authorization Azure/AWS. -. Includes hosted feature services.

(54) Summary. •. Esri is working with security leaders to create standardized security hardened deployment guidance for our customers. •. Esri self-certifies desktop based products to ensure alignment with Federal security configurations. •. ArcGIS Online is FIMSA Low authorized and we can work with you to support your Agency’s authorization. •. Join the Tuesday Panel session to solidify your authorization roadmap. •. Esri will be pursuing FedRAMP authorization for ArcGIS Online. •. New Esri Managed Cloud Services FedRAMP moderate compliant option ready for your agency to review and authorize. •. Information readily available on Trust.ArcGIS.com We welcome your feedback concerning any authorization needs or gaps not addressed in this presentation.

(55) Summary Where do I go for more information? •. Trust.ArcGIS.com is no longer limited to primarily ArcGIS Online information. •. NEW site expansion rolled out this past weekend -. Server, Desktop, Mobile, ArcGIS Online and even the new EMCS FedRAMP compliant offering.

(56) Federal GIS Conference February 9–10, 2015 | Washington, DC. Don’t forget to complete a session evaluation form!.

(57)

(58)

No results found