Information Security 28th Edition (Fall 2010)

This section introduces the types of security measures that should be considered in supporting enterprise operations. Implementation needs vary with the type of operations and the associated threat environment.

Enterprise security can be a challenge for IT architects and security specialists. Until the last few years, entire IT systems were frequently designed around a single mission objective and a single "community of interest," normally supported with physically isolated systems, each with its own data stores and applications. New emerging standards are supported with more mature communication environments, more intelligent operating systems, and a variety of standard integration protocols, enabling IT architects to design and maintain comprehensive organization-wide interactive enterprise solutions.

Recent industry advancements, especially in the areas of Web service standards and service-oriented architectures, are enabling architects to more effectively satisfy enterprise security objectives. ESRI's attention to these standards, coupled with an overall philosophy of providing highly interoperable software, gives security architects the flexibility to place ESRI components within the organization's existing trust boundaries and controls rather than around them.

A full discussion of enterprise security is beyond the scope of this document. The ArcGIS Security Resource Center provides unified access to security-related information for enterprise solutions using ESRI products.

Security and Control
Information security controls, safeguards, threats, vulnerabilities and security processes can all be measured in terms of their impact on Confidentiality, Integrity, and Availability (CIA). Figure 7-1 provides an overview of the three CIA tenets. The primary focus of information security is to avoid unauthorized information disclosure, prevent unauthorized data modification, and ensure reliable and timely access to data.

Enterprise protection is provided through multiple levels of security controls. No security solution is infallible, and protection can only be achieved through a layered defense. Levels of defense include physical controls, administrative controls, and technical controls that work together to provide a secure environment. Figure 7-2 presents an overview of the types of security controls.

Information security includes multiple layers of technical controls, implemented through several layers of authentication and validation defense measures. The configuration layers can be grouped as application controls, host/device controls, network controls, and data controls. Figure 7-3 provides examples of the types of controls available for each technical layer.

Application security encompasses the measures taken to prevent violations of the security policy of an application or the underlying system (vulnerabilities) introduced through flaws in the design, development, or deployment of the application. The security and control procedures for custom applications are built on COTS functionality provided by the Windows OS, ArcGIS, the RDBMS, and the HTTP protocol:

Windows Access Control Lists (ACLs) provide discretionary, system-wide access control: permissions are granted to security groups that act as roles, and users are made members of those groups. (Windows ACLs are discretionary, not mandatory, access control: the owner of an object can change its permissions.)

Through ACLs on file system objects, Access Control Entries (ACEs) can be defined granting group rights to specific system objects, such as applications, processes or files. These permissions determine specific access rights, such as whether a user can read from, write to, execute or delete an object.

ArcGIS controls for client or Web applications are mechanisms implemented through ArcGIS out-of-the-box configuration, custom application enhancement (using ArcObjects), or ArcGIS Web clients. The following application controls are available in the ArcGIS enterprise environment. Custom control extensions can be used to implement technologies such as identity management (IM) and access control; ArcGIS custom control extensions are developed using the ArcObjects development interface. Through them, ArcGIS can restrict client operations (edit, copy, save, print) or control a user's access to various data assets based on the user's role.

GML is an XML schema used for modeling, transporting, and storing geographic information. ArcObjects, utilizing GML and RDBMS storage functionality, offers a framework and method for auditing controls in ArcGIS multi-user geodatabase environments. A detailed history of GIS workflow activities can be recorded in a GML structure and stored in the RDBMS. In addition to recording who performed the edit, activities can be supplemented with comments and notes to provide a traceable, documented activity log containing before-edit, after-edit, and edit justification history.

Integrated operating system authentication and single sign-on (SSO) are two security infrastructures that ArcObjects applications can leverage to authenticate against and connect to ArcGIS products using user names and passwords managed in a centralized location. That location can be an encrypted file, an RDBMS table, a Lightweight Directory Access Protocol (LDAP) server, or a combination of RDBMS tables and an LDAP server. The primary intent is to spare users from having to authenticate repeatedly. The technique relies on the user's authentication to the desktop workstation (integrated operating system authentication) or to the organization's SSO infrastructure.

Native authentication by ArcSDE and the RDBMS: strong authentication controls can be established between ArcGIS and system components through native authentication, allowing the user to be authorized by downstream systems. ArcSDE in the direct connect architecture supports native Windows authentication from the ArcGIS client to the RDBMS. The direct connect configuration lets ArcGIS clients use the RDBMS client's connectivity functionality. Deployed in a two-tier ArcSDE architecture with the RDBMS configured for an SSL transport layer, native authentication provides an encrypted communication channel between the trusted operating system and the RDBMS.

SSL (and its successor TLS) uses public key cryptography to authenticate the server and negotiate a session key, and then symmetric encryption under that key to protect the data; it establishes a secure communication channel between the client and server. The encryption functionality of the RDBMS converts clear text into cipher text that is transmitted across the network. Each new session between the RDBMS and the client negotiates a fresh session key (the server's public key in its certificate stays the same), so compromise of one session's key does not expose other sessions. Using ArcSDE in a direct connect configuration eliminates the ArcSDE application tier by moving the ArcSDE functionality from the server to the ArcGIS client. With that functionality in the client (a dynamic link library), the client application communicates directly with the RDBMS through the RDBMS client software; ArcSDE interpretation is performed on the client before communication to the RDBMS. This lets the client application use the network encryption controls supplied by the RDBMS client.

IPsec is a set of protocols that secures the exchange of packets between the ArcGIS client and the RDBMS server at the IP level. IPsec uses two protocols to provide IP communication security controls: Authentication Header (AH) and Encapsulating Security Payload (ESP). AH offers integrity and data origin authentication. ESP offers confidentiality and can also provide integrity and origin authentication; because AH also covers the IP header it does not pass through NAT, so ESP is the usual choice in practice.

Intrusion detection is available to ArcGIS users: network-based intrusion detection analyzes the packets flowing through the network, while host-based intrusion monitoring observes operation on a specific host.

Feature-level security implemented in parallel with ArcSDE allows the data owner to assign privileges at the feature level, restricting data access within the geodatabase object. RDBMS feature-level security is based on adding a column to a table that assigns a sensitivity level to each row. Based on the value in that column, the RDBMS determines, through an established policy, whether the requesting user has access to that row. If the user's clearance meets the sensitivity level, the RDBMS returns the row; otherwise the row is withheld. Because the check is made by the RDBMS, it holds for every client that connects, not only for the ArcGIS application.
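The following is an added example, not ESRI code, showing the mechanism the paragraph describes: the sensitivity label lives in a column, the policy lives in the database, and the application cannot omit it. SQLite stands in for the RDBMS; a registered function `session_clearance()` plays the part of the session context a label-security product would consult, and the SQLite authorizer plays the part of revoking SELECT on the base table while granting it on the filtered view. Table, column, label and user names are invented for the illustration.

```python
"""Row-level (feature-level) security enforced by the database, not the client."""
import sqlite3

# Ordered sensitivity labels: a user may read rows labelled at or below
# the user's clearance (simple dominance, no compartments).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Constructed sample rows: objectid, name, sensitivity label.
PARCELS = [
    (1, "City park", "public"),
    (2, "Water intake", "confidential"),
    (3, "Police station", "restricted"),
    (4, "Residential lot", "internal"),
]

# Constructed clearance assignments for the session users.
CLEARANCES = {"viewer": "public", "planner": "internal", "security": "restricted"}


class Geodatabase:
    """In-memory stand-in for the RDBMS. The policy is in the view and the
    authorizer, i.e. on the database side, where the client cannot bypass it."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.current_user = None
        # session_clearance() models the session context; the view calls it on
        # every query, so the sensitivity filter is applied transparently.
        self.conn.create_function("session_clearance", 0, self._session_clearance)
        cur = self.conn.cursor()
        cur.execute("CREATE TABLE parcel (objectid INTEGER PRIMARY KEY, "
                    "name TEXT, sensitivity TEXT NOT NULL)")
        cur.execute("CREATE TABLE label_rank (label TEXT PRIMARY KEY, rank INTEGER NOT NULL)")
        cur.executemany("INSERT INTO label_rank VALUES (?, ?)", LEVELS.items())
        cur.executemany("INSERT INTO parcel VALUES (?, ?, ?)", PARCELS)
        cur.execute(
            "CREATE VIEW parcel_secure AS "
            "SELECT p.objectid, p.name, p.sensitivity "
            "FROM parcel p JOIN label_rank r ON r.label = p.sensitivity "
            "WHERE r.rank <= session_clearance()")
        self.conn.commit()
        # Stand-in for REVOKE SELECT ON parcel / GRANT SELECT ON parcel_secure:
        # direct reads of the base table are refused, reads made on behalf of
        # the view are allowed.
        self.conn.set_authorizer(self._authorize)

    def _session_clearance(self):
        label = CLEARANCES.get(self.current_user)
        return LEVELS.get(label, -1)  # unknown session ranks below 'public': sees nothing

    @staticmethod
    def _authorize(action, table, column, db_name, source):
        # source is the view responsible for the read, or None for top-level SQL.
        if action == sqlite3.SQLITE_READ and table == "parcel" and source is None:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    def connect_as(self, user):
        self.current_user = user

    def visible_parcels(self, name_like="%"):
        """Application query: the caller picks a name filter but cannot drop
        the sensitivity filter, which is part of the view definition."""
        return self.conn.execute(
            "SELECT objectid, name FROM parcel_secure WHERE name LIKE ? ORDER BY objectid",
            (name_like,)).fetchall()

    def read_base_table(self):
        """Attempt to bypass the view; returns None when the database refuses."""
        try:
            return self.conn.execute("SELECT objectid FROM parcel").fetchall()
        except sqlite3.DatabaseError:
            return None


def visible_ids(user):
    gdb = Geodatabase()
    gdb.connect_as(user)
    return [oid for oid, _ in gdb.visible_parcels()]


def bypass_refused():
    gdb = Geodatabase()
    gdb.connect_as("security")  # even the highest clearance may not read the raw table
    return gdb.read_base_table() is None


if __name__ == "__main__":
    for user in ("viewer", "planner", "security", "nobody"):
        print(user, visible_ids(user))
    print("direct read of base table refused:", bypass_refused())
```

The point to carry into a real deployment: grant the application account SELECT on the policy-filtered object only, never on the base table, and keep the clearance lookup (here `session_clearance()`) tied to the authenticated database session rather than to a value the client supplies.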

Data file encryption can be used with the ArcSDE direct connect architecture through a data encryption "add-in" in the RDBMS. It works with ArcGIS products accessing an RDBMS as a data store, with custom ArcObjects applications, and with custom non-ESRI applications using the ArcSDE C and Java APIs to access non-versioned data.

RDBMS privileges: the RDBMS grants SELECT, UPDATE, INSERT, and DELETE privileges to either a user or a role. The ArcSDE command line and ArcCatalog leverage the RDBMS privilege assignment functionality and provide an interface that lets the administrator assign privileges.

HTTP authentication is the mechanism by which an HTTP authentication method verifies that a client is who it claims to be. The standard methods integrated with ArcGIS Web applications are basic, digest, form, and client certificate. Basic authentication protects an HTTP resource by requiring the client to supply a user name and password, which travel Base64-encoded (not encrypted) in the request header. Digest authentication also asks the client for user name and password; however, the client sends an MD5 hash of the credentials combined with a server-issued nonce rather than the password itself, so the password is not exposed on the wire (a captured exchange can still be attacked offline by guessing). Form-based authentication is functionally similar to basic except that the application programmer provides the login interface as a standard HTML form and the credentials are posted in the request body. Basic, digest and form-based authentication should all be used only over HTTPS. Client certificate authentication is the strongest of the four: it uses the organization's PKI to issue and validate digital certificates for both client and server, so each side authenticates the other during the SSL/TLS handshake.
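The added example below (not ArcGIS or ESRI code) builds the Basic and Digest Authorization headers the paragraph describes, shows what each reveals to an observer on the path, and performs the server-side Digest verification from a stored HA1 value. Digest follows RFC 2617 with qop=auth. User name, password, realm, request URI and nonce values are constructed for the illustration.

```python
"""Basic vs Digest HTTP authentication as seen on the wire (RFC 2617, qop=auth)."""
import base64
import hashlib
import hmac
import secrets

USER, PASSWORD, REALM = "gisuser", "s3cret-pass", "ArcGIS"  # constructed values


def basic_header(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def credentials_from_basic(header):
    """What any observer of a non-HTTPS request recovers: Base64 is encoding, not encryption."""
    return base64.b64decode(header.split(" ", 1)[1]).decode()


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    ha1 = _md5(f"{user}:{realm}:{password}")   # the server may store this instead of the password
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_header(user, password, realm, method, uri, nonce):
    """Client side: answer the server's challenge nonce; the password never leaves the client."""
    cnonce, nc = secrets.token_hex(8), "00000001"
    resp = digest_response(user, password, realm, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def parse_digest(header):
    params = {}
    for part in header.split(" ", 1)[1].split(","):
        key, value = part.strip().split("=", 1)
        params[key] = value.strip('"')
    return params


def server_verify(header, method, issued_nonce, stored_ha1):
    """Server side: recompute from the stored HA1 and the nonce this server
    issued for this challenge. A response built for another nonce (a replay) fails."""
    p = parse_digest(header)
    if p.get("nonce") != issued_nonce:
        return False
    ha2 = _md5(f"{method}:{p['uri']}")
    expected = _md5(f"{stored_ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")
    return hmac.compare_digest(expected, p["response"])


def demo():
    nonce = secrets.token_hex(16)                    # server-issued per challenge
    method, uri = "GET", "/arcgis/rest/services"     # constructed request
    stored_ha1 = _md5(f"{USER}:{REALM}:{PASSWORD}")  # what the server keeps
    good = digest_header(USER, PASSWORD, REALM, method, uri, nonce)
    bad = digest_header(USER, "wrong-password", REALM, method, uri, nonce)
    return {
        "basic_reveals": credentials_from_basic(basic_header(USER, PASSWORD)),
        "digest_reveals_password": PASSWORD in good,
        "digest_ok": server_verify(good, method, nonce, stored_ha1),
        "digest_wrong_password": server_verify(bad, method, nonce, stored_ha1),
        "digest_replayed": server_verify(good, method, secrets.token_hex(16), stored_ha1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two practical consequences follow from the code: the Basic header yields the password to anyone who can read the request, so it is acceptable only inside HTTPS; and Digest protects the password on the wire but its MD5 construction lets an eavesdropper guess the password offline against a captured response, so it too belongs inside HTTPS in current deployments.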

Enterprise Security Strategies

Business operations today are exposed to a variety of information security threats. These threats can be generated by friendly and unfriendly sources and may involve both internal and external users. Threats can be intentional or inadvertent, but in either case they can result in loss of resources, compromise of critical information, or denial of service. Figure 7-4 provides an overview of the security options available for client/server, Web application, and Web services architectures.

Client/Server Architecture
Desktop and network operating systems should require user identification and a password based on defined system access privileges. Networks can include firewalls that restrict and monitor the content of communications, establishing different levels of access criteria for message traffic. Communication packets can be encrypted (Secure Sockets Layer [SSL]) to deny unauthorized information access even if the data is captured or lost during transmission. Specific content exchange criteria can be established between servers (IPsec) to restrict communication flow and to validate traffic sources. Traffic activity can be monitored (intrusion detection) to identify attempts to overcome security protection. Data can be protected on disk to avoid corruption or prevent access as appropriate (encryption). Database environments provide access control (privileges) and row-level security. A combination of these security techniques throughout the information flow provides the highest level of protection.

Web Application Architecture
Standard firewall, SSL, IPsec, intrusion detection, data file encryption, and RDBMS security solutions continue to apply to Web operations. Additional security can be implemented to protect and control HTTP communications: basic and digest authentication, and digital certificate authentication (PKI) procedures, support restricted user access to published Web applications. Secure HTTP (HTTPS) encrypts data transfers and is what makes these authentication exchanges safe to carry. Web applications can assume user rights for data access (impersonation), and options for passing user authentication through to the database (single sign-on [SSO]) enhance security and control access to the data source.

Web Services Architecture
The largest set of security controls is available when deploying an enterprise service-oriented architecture (SOA). The protection provided by the Web application architecture carries over to an SOA, and additional options are available to enhance access controls. Client applications can include additional security features to ensure proper use and control. Web services security (WS-Security) solutions can be implemented to authenticate users and restrict access to Web services; implementations such as Microsoft's Web Services Enhancements (WSE) provide WS-Security support on the Web server platform. Secure HTTP communications encrypt data transmissions and improve communication security.

Selecting the Right Security Solution
Security solutions are unique to each client situation. The right security solution depends on your enterprise risks and your selection of enterprise controls. The challenge is to implement reasonable and appropriate security controls. It is important to maintain a current security risk assessment, establish security guidelines and controls, and perform ongoing security audits to ensure objectives are being met.

Figure 7-5 lists standard risk management frameworks that can be used to develop and support a security risk management program. These are provided by trusted industry experts and include Gartner's Simple Enterprise Risk Management Framework, the Microsoft Risk Assessment Guide for Microsoft-centric customers, and the National Institute of Standards and Technology (NIST) guidance that provides a baseline for security certification and accreditation of federal government sites. The most common security risks are identified in Figure 7-6. Over 30 percent of the 2006 risk was virus contamination, followed by over 20 percent from unauthorized access to information. Unauthorized access increased dramatically in 2005 and continued to increase in 2006. Laptop theft also increased, becoming the third most common risk in 2006.

The most common security controls are highlighted in Figure 7-7. Firewall technology holds a slight lead over anti-virus software. Anti-spyware technology has increased dramatically over the past year. A diverse range of controls is available to address security concerns.

Security comes with a price. Understanding the specific security risk and applying the appropriate security controls can reduce overall cost and provide the best  operational solution. 

Web Firewall Configuration Alternatives
Firewall configurations are provided to support communication between various levels of security. A number of firewall configuration options are identified here, based on the location of the ArcIMS or ArcGIS Server software components. The ArcGIS Server firewall security ports are identified on the ESRI Enterprise Resource Center.

Figure 7-8 provides an overview of the default TCP ports used with ArcIMS and ArcGIS Server firewall configurations. ArcIMS firewall configuration ports are provided between each of the software configuration layers. ArcGIS Server communications between the Web application server and the server object container use the Distributed Component Object Model (DCOM) protocols. DCOM dynamically acquires TCP/IP ports for communication between components (the RPC endpoint mapper on TCP 135 followed by dynamically assigned high ports), so no fixed rule can be written for it, and separating these components across a firewall is not recommended.

The remaining discussion addresses the available Web services firewall configuration strategies, with the advantages and disadvantages of each. Understanding the available configuration options and their implications can help the security architect select the best solution for supporting enterprise security needs.



Web Services with Proxy Server
Figure 7-9 shows an intranet Web application configuration fronted by a reverse proxy server. This solution keeps the complete Web services configuration on the private network and exposes it only through the reverse proxy in the DMZ; the site can be fully managed from the private network. This is the preferred configuration for ArcGIS Server deployment.



Web Application in the DMZ, Remainder of the Web Services Components on the Secure Network
Figure 7-10 shows the Web application server located in the DMZ, with the map server/container machine and data server located on the secure network. The service manager and spatial services must be located on the internal network for this configuration to be acceptable. The output file location on the Web server must be shared with the map server; this disk mount supports one-way access from the map server through the firewall to the Web server. Because the Web application and the container machine would have to communicate over DCOM across the firewall, this configuration is not recommended for ArcGIS Server.



All Web Services Components in DMZ
The most secure solution provides physical separation of the secure network from all ArcIMS software components. Figure 7-11 shows the Web application, service manager, spatial services, and data source all located outside the secure network firewall, within the demilitarized zone (DMZ). This configuration requires maintenance of duplicate copies of the GIS data: data must be replicated from the internal GIS data server to the external data server supporting the ArcIMS services.



All Web Services Components in DMZ except Data Server
Figure 7-12 shows the Web application, service manager, and spatial services located in the DMZ, accessing the internal ArcSDE data server on the secure network. Opening port 5151 through the secure firewall allows limited access to the ArcSDE DBMS data server. A high volume of traffic must be supported between the spatial services and the data source, and any network disconnect from the data server generates delays while all published service connections are reestablished.



All Web Services Components on the Secure Network
Figure 7-13 shows the Web application, map server/container machine, and data server all inside the firewall on the secure network. Port 80 must be opened to allow HTTP traffic from the Internet directly into the secure network. Many organizations are not comfortable with this level of exposure; this is not a recommended solution, because it provides no secure access control between the public and the internal network.
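The five configurations above differ only in which components sit in which zone, so the firewall openings each one needs can be derived mechanically. The added example below (not ESRI code) models that derivation for the configurations of Figures 7-9, 7-10, 7-12 and 7-13 and flags the two patterns the text warns about: a DCOM link that would need dynamic ports across a firewall, and Internet traffic admitted straight into the secure network. Ports 80, 443 and 135 are protocol defaults and 5151 is the ArcSDE port named above; the exact flow list per figure, the dynamic RPC range behind DCOM, and the use of a file share (tcp/445) for the output directory are simplifying assumptions of this model.

```python
"""Derive cross-zone firewall openings from a component placement and flag risky ones."""
from dataclasses import dataclass

ZONES = ("internet", "dmz", "internal")  # ordered least to most trusted

# service -> (port description, negotiated at run time?)
SERVICES = {
    "http":   ("tcp/80", False),
    "https":  ("tcp/443", False),
    "arcsde": ("tcp/5151", False),
    "smb":    ("tcp/445", False),                     # output-directory share (assumption)
    "dcom":   ("tcp/135 + dynamic RPC ports", True),  # no fixed port can be opened
}


@dataclass
class Topology:
    name: str
    zone_of: dict  # component -> zone
    flows: list    # (source component, destination component, service)


def evaluate(t):
    """Return (rules, findings). Rules are the cross-zone openings an administrator
    must add; findings are the patterns the text says to avoid."""
    rules, findings = [], []
    for src, dst, svc in t.flows:
        sz, dz = t.zone_of[src], t.zone_of[dst]
        if sz == dz:
            continue  # same zone: no firewall between them
        ports, dynamic = SERVICES[svc]
        rules.append(f"{sz}->{dz}: {src} -> {dst} {ports}")
        if dynamic:
            findings.append(f"{svc} {src}->{dst} needs a dynamic port range across the firewall")
        if ZONES.index(dz) - ZONES.index(sz) > 1:
            findings.append(f"{src} in {sz} reaches {dst} in {dz} directly, bypassing the DMZ")
    return rules, findings


BROWSER = {"browser": "internet"}

TOPOLOGIES = [
    Topology("proxy (Figure 7-9)",
             {**BROWSER, "proxy": "dmz", "web": "internal", "soc": "internal", "sde": "internal"},
             [("browser", "proxy", "https"), ("proxy", "web", "https"),
              ("web", "soc", "dcom"), ("soc", "sde", "arcsde")]),
    Topology("web in DMZ (Figure 7-10)",
             {**BROWSER, "web": "dmz", "soc": "internal", "sde": "internal"},
             [("browser", "web", "http"), ("web", "soc", "dcom"),
              ("soc", "web", "smb"), ("soc", "sde", "arcsde")]),
    Topology("all in DMZ except data (Figure 7-12)",
             {**BROWSER, "web": "dmz", "soc": "dmz", "sde": "internal"},
             [("browser", "web", "http"), ("web", "soc", "dcom"), ("soc", "sde", "arcsde")]),
    Topology("all internal (Figure 7-13)",
             {**BROWSER, "web": "internal", "soc": "internal", "sde": "internal"},
             [("browser", "web", "http"), ("web", "soc", "dcom"), ("soc", "sde", "arcsde")]),
]


def report():
    """Name -> (rules, findings) for every modelled topology."""
    return {t.name: evaluate(t) for t in TOPOLOGIES}


if __name__ == "__main__":
    for name, (rules, findings) in report().items():
        print(name)
        for rule in rules:
            print("  open:", rule)
        for finding in findings:
            print("  WARN:", finding)
```

Running it reproduces the text's recommendations: the proxy configuration needs only fixed HTTPS openings and raises no warning, the Figure 7-10 layout is flagged for DCOM across the firewall, and the Figure 7-13 layout is flagged for admitting Internet traffic past the DMZ.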



Security is everybody's job, without exception. The world is not a secure environment, and we need to keep our eyes and minds open to the threats around us. There is no single solution for security; there are costs and trade-offs that must be made to reach an optimum solution. Too many security controls can reduce productivity and increase cost. Too little attention and control can result in loss of property and of the ability to perform. Finding the right balance is important, and the right solution can be a moving target. Figure 7-14 emphasizes the importance of providing security in depth at several points throughout the solution architecture.



Previous Editions
Spring 2010 Information Security 27th Edition

System Design Strategies 26th edition - An Esri® Technical Reference Document • 2009 (final PDF release)