Information Security - 27th Edition (Spring 2010)

Information Security - 27th Edition (Spring 2010)

This section provides an introduction to the types of security measures that should be considered in supporting enterprise operations. Implementation needs vary based on the type of operations and the associated threat environment.

Enterprise security can be a challenge for IT architects and security specialists. Until the last few years, entire IT systems were frequently designed around a single mission objective and a single "community of interest" normally supported with physically isolated systems, each with its own data stores and applications. New emerging standards are supported with more mature communication environments, more intelligent operating systems, and a variety of standard integration protocols enabling IT architects to design and maintain comprehensive organization-wide interactive enterprise solutions.

Recent industry advancements, especially in the areas of Web service standards and service-oriented architectures, are enabling architects to more effectively satisfy enterprise security objectives. ESRI's careful attention to these standards, coupled with an overall philosophy of providing highly interoperable software, provides security architects with a high level of flexibility, thus establishing trust for all ESRI components contained in an enterprise solution.

A full discussion on enterprise security is beyond the scope of this document. The ArcGIS Security Resource Center provides unified access to Security related information for enterprise solutions using ESRI products.

Security and Control
Information security controls, safeguards, threats, vulnerabilities and security processes can all be measured in terms of their impact on Confidentiality, Integrity, and Availability (CIA). Figure 7-1 provides an overview of the three CIA tenets. The primary focus of information security is to avoid unauthorized information disclosure, prevent unauthorized data modifications, and ensure reliable and timely access to data.

 Enterprise protection is provided through multiple levels of security controls. No security solution is infallible, and protection can only be achieved through a layered defense. Levels of defense include physical controls, administrative controls, and technical controls that work together to provide a secure environment. Figure 7-2 presents an overview of the types of security controls.

Information security includes multiple layers of technical controls, implemented through several layers of authentication and validation defense measures. The configuration layers can be grouped as application controls, host/device controls, network controls, and data controls. Figure 7-3 provides examples of the types of controls available for each system technical layer.

Application Security encompasses measures taken to prevent exceptions in the security policy of applications or the underlying system (vulnerabilities) through flaws in the design, development, or deployment of the application. The development of security and control procedures for the custom applications are based on COTS functionality provided by Windows OS, ArcGIS, RDBMS, and HTTP protocols:

Windows Access Control List (ACL), which provides for mandatory system wide access control through role based access control where permissions are assigned to roles and roles are assigned to users.

Thorough ACL's for file systems Access Control Entries (ACE) can be defined for group rights to specific system objects, such as applications, processes or files. These privileges or permissions determine specific access rights, such as whether a user can read from, write to, execute or delete an object.

ArcGIS controls for client or web applications are mechanisms implemented either through ArcGIS out-of-the-box configuration, custom application enhancement (using ArcObjects) or ArcGIS Web client. The following application controls are available in the ArcGIS enterprise environment: Custom Control extensions can be utilized to implement technologies such as Identity Management (IM) and access control. ArcGIS custom control extensions are developed using the ArcObjects development interface. ArcGIS gives the user the ability to restrict ArcGIS client operations (edit, copy, save, print) or controls users access to various data assets based on their role.

GML is an XML schema used for modeling, transporting, and storing geographic information. ArcObjects, utilizing GML and RDBMS storage functionality, offers a framework and method for auditing controls in ArcGIS multi-user geodatabase environments. A detailed history of GIS workflow activities can be recorded in a GML structure and stored in the RDBMS. In addition to recording who performed the edit, activities can be supplemented with comments and notes to provide a traceable, documented, activity log containing before-edit, after-edit, and edit justification history.

Integrated operating system authentication and single sign-on (SSO) are two security infrastructures that can be leveraged by ArcObjects applications to authenticate against and connect to ArcGIS products using user names and passwords managed in a centralized location. This location can be an encrypted file, an RDBMS table, a Lightweight Directory Access Protocol (LDAP) server, or a combination of RDBMS tables and an LDAP server. The primary intent is to insulate users from having to continually authenticate themselves. This technique relies on users' authentication into their desktop workstation (integrated operating system authentication) or the organization's SSO infrastructure.

Native authentication by ArcSDE and RDBMS; Strong authentication controls can be established between ArcGIS and system components through the use of native authentication allowing the user to be authorized by downstream systems. ArcSDE utilizing the direct connect architecture supports native Windows authentication from the ArcGIS client connecting to the RDBMS. The direct connect configuration allows ArcGIS clients to leverage RDBMS connectivity functionality. Deployed utilizing two-tier ArcSDE architecture configured with a RDBMS SSL transport layer, native authentication provides an encrypted communication channel between the trusted operating system and the RDBMS.

SSL is a protocol that communicates over the network through the use of public key encryption. SSL establishes a secure communication channel between the client and server. Encryption functionality of the RDBMS converts clear text into cipher text that is transmitted across the network. Each new session initiated between the RDBMS and the client creates a new public key, affording increased protection. Utilizing ArcSDE in a direct connect configuration eliminates the use of the ArcSDE application tier by moving the ArcSDE functionality from the server to the ArcGIS client. By moving the ArcSDE functionality from the server to the client (dynamic link library), the client application is enabled to communicate directly to the RDBMS through the RDBMS client software. ArcSDE interpretations are performed on the client before communication to the RDBMS. This provides the client application the ability to leverage network encryption controls supplied by the RDBMS client.

IPSec is a set of protocols that secures the exchange of packets between the ArcGIS client and the RDBMS server at the IP level. IPSec uses two protocols to provide IP communication security controls: authentication header (AH) and encapsulation security payload (ESP). The AH offers integrity and data origin authentication. The ESP protocol offers confidentiality.

Intrusion detection is available for ArcGIS users: Network based intrusion detection analyzing network packages flowing through the network or host based intrusion monitoring operation on a specific host.

Feature level security implemented in parallel with ArcSDE allows the Lands Department to assign privileges at the feature level, restricting data access within the geodatabase object. RDBMS Feature-level security is based on the concept of adding a column to a table that assigns a sensitivity level for that particular row. Based on the value in that column, the RDBMS determines, through an established policy, whether the requesting user has access to that information. If the sensitivity level is met, the RDBMS allows access to the data; otherwise, access is denied.

Data file encryption can be used by the ArcSDE direct connect architecture by using a data encryption "add-in" in the RDBMS which works with ArcGIS products accessing an RDBMS as a data store, custom ArcObjects applications, and custom non-ESRI technology-based applications using the ArcSDE C and Java APIs to access non-versioned data.

RDBMS privileges; RDBMS assigns SELECT, UPDATE, INSERT, and DELETE privileges to either a user or role. The ArcSDE command line and ArcCatalog leverage the RDBMS privilege assignment functionality and provide an interface that allows the administrator to assign privileges.

HTTP authentication is a mechanism by which an HTTP authentication method is used to verify that someone is who they claim to be. The standard methods of HTTP authentication integrated with ArcGIS Web applications are the basic, digest, form, and client certificate methods. Basic authentication involves protecting an HTTP resource and requiring a client to provide a user name and password to view that resource. Digest authentication also involves protecting an HTTP resource by requesting that a client provide user name and password credentials; however, the digest mechanism encrypts the password provided by the client to the server. Form-based authentication is identical to basic except that the application programmer provides the authentication interface using a standard HTML form. Client certificate is the most secure authentication method in that it uses the organizational PKI environment to provide and authenticate digital certificates for both client and server.

5.2 Enterprise Security Strategies

Business operations today are exposed to a variety of information security threats. These threats can be generated by friendly and unfriendly sources and may include both internal and external users. Threats can be intentional or inadvertent, but in either case, they can result in loss of resources, compromise of critical information, or denial of service. Figure 7-4 provides an overview of security options available for client/server, Web application, and Web services architecture.

Client/Server Architecture
Desktop and network operating systems should require user identification and password based on defined system access privileges. Networks can include firewalls that restrict and monitor content of communications, establishing different levels of access criteria for message traffic. Communication packets can be encrypted (Secure Sockets Layer [SSL]) to deny unauthorized information access, even if the data is captured or lost during transmission. Specific content exchange criteria can be established between servers (IPSec) to restrict communication flow and to validate traffic sources. Traffic activity can be monitored (intrusion detection) to identify attempts to overcome security protection. Data can be protected on disk to avoid corruption or prevent access as appropriate (encryption). Database environments provide access control (privileges) and row-level security. A combination of these security techniques throughout the information flow can provide the highest level of protection.

Web Application Architecture
Standard firewall, SSL, IPSec, intrusion detection, data file encryption, and RDBMS security solutions continue to support Web operations. Additional security can be implemented to protect and control HTTP communications; basic and digest authentication and implementation of digital certificate authentication (PKI) procedures promote secure communications and support restricted user access to published Web applications. Secure HTTP protocols (HTTPS) encrypt data transfers supporting a higher level of communication protection. Web applications can assume user rights for data access (impersonation), and options for passing user authentication (single sign-on [SSO]) for database access enhance security and control access to the data source.

Web Services Architecture
The most security controls are available when deploying an enterprise service-oriented architecture. Protection provided by the Web application architecture supports an SOA, and additional options are available to enhance access controls. Client applications can include additional security features to ensure proper use and control. Additional Web services security (WS-Security) solutions can be implemented to support user authentication and restrict access to Web services. Web services extensions (WSE) are specific Web services security implementations supported through Web server technology. Secure HTTP communications encrypt data transmissions and improve communication security.

Selecting the Right Security Solution
Security solutions are unique to each client situation. The right security solution depends on your enterprise risks and your selection of enterprise controls. The challenge is to implement reasonable and appropriate security controls. It is important to maintain and support a current security risk assessment, establish security guidelines and controls, and perform on-going security audits to ensure objectives are being maintained.

Figure 7-5 provides a list of standard risk management frameworks that can be used to develop and support a security risk management program. These are provided by trusted industry experts, and include Gartner's Simple Enterprise Risk Management Framework, Microsoft Risk Assessment Guide for Microsoft centric customers and the National Institute for Standards and Technology providing a baseline for security certification and accreditation of federal government sites.  The most common security risks are identified in Figure 7-6. Over 30 percent of the 2006 risk was virus contamination, followed with over 20 percent from unauthorized access to information. Unauthorized access increased dramatically in 2005 and continued to increase in 2006. Laptop theft has also increased making it rise to the number 3 risk in 2006.

 The most common security controls are highlighted in Figure 7-7. Firewall technology holds a slight lead over anti-virus software. Anti-spyware technology has increased dramatically over the past year. A diverse range of controls are available to address security concerns.

Security comes with a price. Understanding the specific security risk and applying the appropriate security controls can reduce overall cost and provide the best operational solution. 

Web Firewall Configuration Alternatives
Firewall configurations are provided to support communication between various levels of security. A number of firewall configuration options are identified here, based on the location of the ArcIMS or ArcGIS Server software components. An ESRI white paper, Security and ArcIMS, addresses configuration options for secure ArcIMS environments. This paper is available at http://resources.esri.com/enterprisegis/index.cfm?fa=security.main ESRI Resource Center.

Figure 7-8 provides an overview of default TCP ports used with ArcIMS and ArcGIS Server firewall configurations. ArcIMS firewall configuration ports are provided between each of the software configuration layers. ArcGIS Server communications between the Web application server and server object container use the Distributed Component Object Model (DCOM) protocols. The use of DCOM involves dynamically acquiring TCP/IP ports for communication between components, and separation of these components over a firewall configuration is not recommended.

The remaining discussion addresses available Web services firewall configuration strategies. Advantages and disadvantages of each configuration are discussed. Understanding the available configuration options and associated implications can help the security architect select the best solution for supporting enterprise security needs.



Web Services with Proxy Server
Figure 7-9 shows interface with intranet Web application configuration supported by a proxy server. This solution provides private network security through a reverse proxy server and supports the complete Web services configuration on the private network. This configuration enables full management of the Web site on the private network. This is the preferred configuration for ArcGIS Server deployment.



Web Application in the DMZ, Remainder of the Web Services Components on the Secure Network
Figure 7-10 shows the Web application server located in the DMZ, with the map server/container machine and data server located on the secure network. The service manager and spatial services must be located on the internal network for this configuration to be acceptable. The output file, located on the Web server, must be shared with the map server. This disk mount will support one-way access from the map server through the firewall to the Web server. This configuration is not recommended for ArcGIS Server.



All Web Services Components in DMZ
The most secure solution provides physical separation of the secure network from all ArcIMS software components. Figure 7-11 shows the Web application, service manager, spatial services, and data source are all located outside the secure network firewall and within the demilitarized zone (DMZ). This configuration requires maintenance of duplicate copies of the GIS data. Data must be replicated from the internal GIS data server to the external data server supporting the ArcIMS services.



All Web Services Components in DMZ except Data Server
Figure 7-12 shows the Web application, service manager, and spatial services located in the DMZ, accessing the internal ArcSDE data server located on the secure network. Port 5151 access through the secure firewall allows limited access to the ArcSDE DBMS data server. A high volume of traffic must be supported between the spatial services and the data source. Any network disconnects with the data server would generate delays while all publish service connections are reestablished.



All Web Services Components on the Secure Network
Figure 7-13 shows the Web application, map server/container machine, and data server components all inside the firewall on the secure network. Port 80 must be open to allow HTTP traffic to pass through the firewall. Many organizations are not comfortable with this level of security (this is not a recommended solution - does not provide secure access control)

Security is everybody's job, there is no exception. The world is not a secure environment, and we need to keep our eyes and minds open to the threats around us. There is no single solution for security. There are costs and trade-offs that must be made to support an optimum solution. Too much security controls can reduce productivity and increase cost. Too little attention and control can result in loss of property and the ability to perform. Finding the right balance is important, and the right solution can be a moving target. figure 7-14 provides emphasizes the importance of providing security in depth at several points throughout the solution architecture.

Page Footer Specific license terms for this content System Design Strategies 26th edition - An Esri ® Technical Reference   Document • 2009 (final PDF release)