Information Security 39th Edition

Fall 2016 Information Security 39th Edition

This chapter provides an introduction to the purpose and scope of information security. Basic concepts are introduced for developing security solutions that meet your business needs. Esri's information patterns share how to establish security measures appropriate for your organization.

Enterprise security can be a challenge for IT architects and security specialists. Until the last few years, entire IT systems were frequently designed around a single mission objective and a single "community of interest," normally supported with physically isolated systems, each with its own data stores and applications. New emerging standards are supported with more mature communication environments, more intelligent operating systems, and a variety of standard integration protocols enabling IT architects to design and maintain comprehensive organization-wide interactive enterprise solutions.

Recent industry advancements, especially in the areas of web service standards and service-oriented architectures, are enabling architects to more effectively satisfy enterprise security objectives. Esri's careful attention to these standards, coupled with an overall philosophy of providing highly interoperable software, provides security architects with a high level of flexibility, thus establishing trust for all Esri components contained in an enterprise solution.

A full discussion on enterprise security is beyond the scope of this chapter. The [Trust ArcGIS] site provides unified access to security related information for enterprise solutions using Esri products. The Trust ArcGIS web site includes a section on [ArcGIS Security] for Cloud, Server, Desktop and Mobile deployment patterns. 

What is information security?
Information security is the process of protecting the availability, privacy, and integrity of data. Risk management is an overall goal of every organization. Information security is one of the disciplines within the organization that addresses risk management. Risk is also managed through additional business continuance and information technology initiatives.

Information security has some common characteristics with business continuance and information technology as shown in Figure 9.1. 
 * Information security is a subset of overall risk management.
 * Information security is important in maintaining business continuance.
 * Information security is managed in part by information technology.

Four types of security threats
Information security is focused on addressing the four types of security threats identified in Figure 9.2. These security threats include natural disasters, malicious attacks, internal attacks, and system malfunctions or human error.

National Institute of Standards and Technology (NIST) definition of a security threat: Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability.

"Best Practice: Security controls are developed and deployed to protect against identified security threats. " 

CIA security triad
Figure 9.3 shows the CIA triad. The core principals of information security management are represented by the CIA triad.

The CIA triad includes confidentiality, integrity, and availability.
 * Confidentiality is protection of "privileged" communications, restricting user access to core business information based on a "need to know" principle.
 * Integrity refers to the trustworthiness of business data resources and the associated information products generated over its entire life cycle.
 * Availability refers to ensuring the information system is functional when needed to support operational business requirements.

Information security industry standards will be identified and applied as mechanisms of protection and prevention in the following three main areas:
 * Hardware
 * Software
 * Communications

Protection and prevention will be implemented at three levels, or layers:
 * People (personal security)
 * Procedures (organizational security)
 * Products (physical security)

"Best practice: The CIA triad is used to provide proper scope and focus for information security management." 

Levels of Security
Figure 9.4 shows the defense in depth concept. Defense in depth is an information assurance concept in which multiple layers of security controls (defenses) are placed throughout an IT system.

Multiple levels of security:
 * Physical controls (fences, guards, locks, etc.)
 * Policy controls (administrative policies and procedures)
 * Technical controls (system configuration)

Types of technical controls:
 * Authentication (user identity strategy, user name and password, keycards, keywords, etc.)
 * Authorization (role-based access policies, access control rules, etc.)
 * Filters (routing based on group policy, active directory containers, user identity, etc.)
 * Encryption (scrabbling information for unreadable transmission or storage)
 * Logging (record of security-related transactions)

Technical controls are implemented throughout the physical system providing multiple layers of defense:
 * Application controls (LDAP, SSO, HTML content filters, validation checks, secure stored procedures)
 * Host/device controls (native authentication, LDAP, repository, hardening guides, HIDS)
 * Network controls (firewalls, NIDS, single socket layer - SSL, IPSEC)
 * Data controls (authentication, role-based authorization, row-level access, data file encryption)

Examples of defense in depth:
 * Application functional limitations (view only)
 * Reverse proxy server (restrict port access)
 * Web application firewall (monitor traffic, restrict access, route traffic)
 * Web server (provide extra physical transmission layer)
 * ArcGIS for Server (restrict access to published services, user authentication, restricted data access)
 * Geodatabase server (restrict access to published services, user authentication, restricted table and row access, monitor traffic)

Idea behind defense in depth:
 * Defend a system using multiple varying protection methods.
 * Provide a comprehensive approach to information security.

Defense in depth seeks to delay advance of an attack:
 * Yield space in order to buy time without preventing proper access.
 * Prevent penetration and direct attacks by providing multiple layers of defense.
 * Prevent security breaches and buy time to detect and respond to an attack.

"Best practice: Multiple layers of defense improve information security."

"Warning: Do not expect a high level of protection from a single layer of defense. "

Review current security trends
Information security is a growing science
 * Dollar amount losses by threat
 * Security technologies utilized

Review security options
 * Trust ArcGIS site
 * Enterprise-wide security mechanisms
 * Application-specific options

Implement security as a business enabler 
 * Improve appropriate availability of information.

Standards approach to security risk management.
Figure 9.5 shows a standards approach to security risk management. Standard approaches to security risk management are well established and should be followed to ensure compliance.

Identify your security needs
 * Review industry security threats.
 * Assess your environment.
 * Evaluate risk to datasets and operational systems.
 * Determine sensitivity, categorization, and patterns of risk.

Key steps to effective information security:
 * 1) Legislation. Review regulations related to your industry.  Security regulations may dictate compliance standards and a security implementation framework; there may be negative business consequences for non-compliance.
 * 2) Benefits. Identify any potential benefits that can be derived from security compliance and operational savings that can be attributed to the proposed security program. This can be helpful in justifying security program expenses.
 * 3) Objectives. Establish SMART information security program objectives.  Objectives should be specific, measurable, attainable, relevant, and time-bound.
 * 4) Framework. Identify an information security management approach and methodology that will deliver results.  Several frameworks have been developed and shared for general use in establishing an information security program.  Information Security Frameworks can be industry specific and share focused best practices that address your business needs.
 * 5) Approved planning. Establish a plan for the security risk assessment effort.  You will need management authorization for required resources, support, and funding.
 * 6) Risk assessment and mitigation. Complete a risk assessment security needs analysis identifying potential threats and associated mitigation strategies.
 * 7) Safeguards. Identify security procedures (rules) and technology (tools) that must be implemented to address identified security needs.
 * 8) Training and awareness. Design and build the approved security solutions.  Implement training and awareness programs to implement and enforce identified security practices.
 * 9) Implementation. Operate and support the security solutions.  Monitor levels of protection and measure compliance.

Steps 1-5 are required efforts to establish a successful security program. Security program should be presented and endorsed by Executive management, and an Executive sponsor should be actively committed to enforcing the objectives of the security program.

Information security management is an active ongoing effort assessing risks, defining security requirements, and measuring security solutions.

IT group must be on board to design, build, and operate the approved security solutions. Periodic audit reviews and formal compliance demonstrations are essential to assess risk management effectiveness. Executive sponsor should actively review progress in meeting the established security program SMART objectives.

"Best practice: Security management is a continuous process of reviewing and updating security rules and supporting technology to maintain a proper level of defense against evolving security threats.."

Esri informal pattern selection
Your security needs are unique. Figure 9.6 shows a full range of security levels available for ArcGIS users. Esri provides an approach to classifying the level of security required to manage your security risk.


 * Basic security:
 * Minimum level of security investment.
 * Enables simple and lowest system cost.
 * Enables full access to internet data sources and Online services.
 * Provides optimum business environment for external collaboration.
 * Extends enterprise operations to include connected mobile applications.
 * Protects system from internet virus attacks.


 * Standard security:
 * Moderate level of security investment.
 * Moderate increase in complexity and system cost.
 * Enables full access to Internet data sources and online services.
 * Provides optimum business environment for external collaboration.
 * Extends enterprise operations to include connected mobile applications.
 * Protects system from a variety of security risks.


 * Advanced security:
 * Heavy level of security investment.
 * High increase in complexity and system cost.
 * Restricts access to Internet data sources and online services.
 * Eliminates external online collaboration.
 * Prevents most connected mobile applications.
 * Provides optimum protection to manage security risks.

"Best practice: Apply appropriate mitigation strategies to address your unique confidentiality, integrity, and availability business requirements. " 

Esri security strategy evolution
Figure 9.7 shows security moving from an isolated product solution focus to addressing security on an integrated solutions level. Enterprise IT solutions are changing including more transparency, sharing, collaboration, and web access. Security policies are adapting to these changes.


 * Product

User workflow environment:
 * Isolated systems
 * Primarily desktop or internal network solutions
 * Limited web access
 * Data entry provided by well-defined workflows

Security solutions focused on isolated systems:
 * Protecting discrete products and services
 * Protecting focused user workflow environments
 * Include third-party security additions


 * Enterprise

User workflow environment:
 * Multiple clients and user locations
 * Multiple servers and data center locations
 * User collaboration across multiple integrated systems
 * Discretionary user grouping and sharing
 * Common interface with cloud-hosted services

Enterprise security solutions:
 * Integrated enterprise platforms and services
 * Multi-layered embedded security protection
 * Adaptive user-driven security controls
 * Include third-party security additions


 * Solution

Managed security solutions: 
 * Solution templates established based on industry standards.
 * Best practices developed and shared by community leaders.
 * Solution strategies involve integration of multiple enterprise environments.
 * Security solutions are expanded to include cloud deployments.

ArcGIS for Server: Authorization deployment scenarios
Figure 9.8 shows the security options available with ArcGIS for Server. ArcGIS for Server provides three primary options for managing user identify and access control.


 * Product-level security management

ArcGIS for Server includes a built-in identity store for local management of user identity and service access control. User access to secured services can be managed by the ArcGIS for Server site administrator.


 * Enterprise-level security management

ArcGIS for Server supports both Server tier and Web tier integration with Active Directory or LDAP directory store for enterprise-level management of user identity and service access control. User access to secured services can be managed by the Enterprise security administrator.

"Best practice: Business requirements will determine the optimum security management solution for your organization. " 

ArcGIS for Server tier authentication
Figure 9.9 shows the ArcGIS for Server built in security option.

ArcGIS Server (AGS) site manages user authentication and service authorization.
 * Authentication credentials are stored in the AGS site identity store (secure users).
 * Authorization credentials are stored in the AGS site identity store (roles).
 * Privileges are assigned by administrative user roles.
 * Service access is authorized based on identified roles (AGS folders).
 * ArcGIS Server administrator manages user membership, user privileges and service access permissions (roles), and assigns users to roles.
 * Service publishers share published services with available roles.


 * Service authorization is provided by ArcGIS Server token based authentication.

ArcGIS for Server tier security authorization data flow
 * User security credentials are provided to the AGS site Web adaptor or third party reverse proxy.
 * AGS site Web adaptor (or third party reverse proxy) sends credentials to the ArcGIS for Server site.
 * AGS site identity store is used to complete authentication and authorization
 * Service authorization is provided by ArcGIS Server token based authentication.

Help: Configuring ArcGIS Server security 

Enterprise ArcGIS for Server tier authentication
Figure 9.10 shows the enterprise level ArcGIS for Server tier security option.

ArcGIS Server (AGS) site manages service authorization based on validated enterprise user authentication.
 * Authentication credentials are stored in the enterprise Active Directory/LDAP data store (secured users) and replicated to the ArcGIS for Server identity store (user name and password).

Two authentication options are available.
 * Privileges managed by ArcGIS Server site identity store (roles).
 * Enterprise Active Directory/LDAP administrator manages user membership.
 * ArcGIS Server administrator manages user privileges and access permissions (roles), and assigns Active Directory/LDAP identified users to roles.
 * Service publishers share published services with available roles assigned by the ArcGIS Server site administrator.


 * Privileges managed by Active Directory/LDAP data store (roles).
 * Enterprise Active Directory/LDAP administrator manages user membership, user privileges and access permissions (roles), and assigns users to roles.
 * Service publishers share published services with available roles assigned by the Active Directory/LDAP administrator.


 * Service authorization is provided by ArcGIS Server token based authentication.

Enterprise ArcGIS Server tier security authorization data flow
 * ArcGIS Server site identity store read only trust relationship is configured with the Enterprise security directory data store.
 * User security credentials are provided to the AGS site Web adaptor or third party reverse proxy.
 * AGS site Web adaptor (or third party reverse proxy) sends credentials to the ArcGIS for Server site.
 * AGS site identity store is used to complete authentication and authorization
 * Service authorization is provided by ArcGIS Server token based authentication.

Help: Advanced considerations when using domain accounts

"Best practice: Use secure socket layer (SSL) communications when transmitting user identification information over unsecure network. " 

Enterprise level Web tier authentication
Figure 9.11 shows the ArcGIS for Server Web tier security option. ArcGIS Server (AGS) site manages service authorization based on validated enterprise user authentication.
 * Authentication credentials are stored in the enterprise Active Directory/LDAP data store (secured users).

Web-tier authentication supports user single sign-on experience.

Two authentication options are available.
 * Privileges managed by ArcGIS Server site identity store (roles).
 * Enterprise Active Directory/LDAP administrator manages user membership.
 * ArcGIS Server administrator manages user privileges and access permissions (roles), and assigns Active Directory/LDAP identified users to roles.
 * Service publishers share published services with available roles assigned by the ArcGIS Server site administrator.


 * Privileges managed by Active Directory/LDAP data store (roles).
 * Enterprise Active Directory/LDAP administrator manages user membership, user privileges and access permissions (roles), and assigns users to roles.
 * Service publishers share published services with available roles assigned by the Active Directory/LDAP administrator.


 * Service authorization is provided by ArcGIS Server token based authentication.

Enterprise level Web tier security authorization data flow
 * ArcGIS Server site identity store read only trust relationship is configured with the Enterprise security directory data store.
 * User security credentials are provided to the Web server.
 * Web server sends user credentials to the Active Directory/LDAP server.
 * Active Directory/LDAP data store is used to complete authentication.
 * Validated authentication credentials are returned to the Web server.
 * AGS Web Adaptor sends validated authentication credentials to the ArcGIS Server site.
 * GIS Server identity store provides authorization for service access to client.
 * Service authorization is provided by ArcGIS Server token based authentication.

Help: Securing web services with Integrated Windows Authentication

"Best practice: Use secure socket layer (SSL) communications when transmitting user identification information over unsecure network. " 

Portal: Authentication deployment scenarios
Figure 9.12 shows the security options available for ArcGIS Online and Portal for ArcGIS deployments. Both portal deployment patterns support product-level and enterprise-level user identity management.


 * Product-level security management
 * ArcGIS Online includes a built-in global security store.
 * Portal for ArcGIS includes a built-in identity store.

Portal content is created and shared by named users using the portal information model. Security is managed by the ArcGIS Online or Portal for ArcGIS administrator.


 * Enterprise-level security management
 * ArcGIS Online and Portal for ArcGIS both support SAML integration with Active Directory or LDAP directory store.
 * Portal for ArcGIS supports both Portal tier and Web tier integration with Active Directory or LDAP directory store.

Portal content is created and shared by named users using the portal information model. Security is managed by the ArcGIS Online or Portal for ArcGIS administrator. User access to secured services can be managed by the Enterprise security administrator.

"Best practice: Business requirements will determine the optimum security management solution for your organization. " 

ArcGIS portal information model
The GIS portal gives a self-service content management platform for managing geospatial content as shown in Figure 9.13.

The portal information model includes Users, Groups, Items, and Tags. 
 * Users own items and can own or join groups.
 * Groups are used to organize and secure user items.
 * Items identify user content added to the Portal.
 * Tags identify item content for search purposes.

Web GIS access and privileges
Portal privileges are based on named user roles managed by the Portal administrator as shown in Figure 9.14. Published maps and apps can be shared to anonymous (public) users outside the organization. Administrator has the capability to restrict shared services to named users within the organization (exclude anonymous access).

Portal security is managed by named user membership with the following privileges: 
 * Administrators have full permissions and manage portal named user membership.
 * All named users can use maps and apps, create content, share maps and apps, join and create groups, and edit features.
 * Named users with a publisher role are able to publish hosted web layers and have full access to ArcGIS Online analysis services. Online services include access to Business and Community demographics, spatial analysis, network routing, world geocoding, and landscape feature services.  Use of these services consume Organization online credits.
 * Administrators are able to create custom roles for more focused named user privileges. ArcGIS Online custom roles allow administrators to assign granular access (specific online analysis services) to named users based on their operational needs.

ArcGIS Online security authentication and authorization
ArcGIS Online provides secure access to shared maps, apps, and data packages hosted in your private ArcGIS Online Organization in the Cloud. Organization membership is limited to named users, with member authentication and resource access managed in a Cloud based security store. Security assertion markup language (SAML) authentication can be used to integrate the ArcGIS Online Organization security store with on-premise security solutions for Enterprise level member authentication.

Groups are created and managed by Organization named users.
 * Administrators have full permissions and manage organization membership (named users) and user roles.
 * Organization named users can create and manage their own group membership and permissions. Groups can be private, organization, or public access. An Online Organization membership is required to participate in managed group membership. Group users have contributor or viewer permissions.
 * When you add layers to an ArcGIS Online Web map from a Web service, these layers are published from their source site and delivered direct to the client. The source site manages any additional client authentication and validation requirements for the selected service (no data gets transferred through the ArcGIS Online site.)  Web map layers are assembled in the mashup at the client browser display.

ArcGIS Online authentication
Figure 9.15 shows ArcGIS Online Global Security Store authentication.

ArcGIS Online global security store manages authentication and authorization.
 * Authentication credentials are stored in the ArcGIS Online global security store (named users).
 * Privileges and group membership are stored in the ArcGIS Online global security store (roles).
 * ArcGIS Online Organization administrator identifies and manages named users, creates custom privileges, and assigns named user privileges (roles).
 * ArcGIS Online named users create and manage ArcGIS Online Organization groups.
 * Service publishers share published services with ArcGIS Online Organization groups.
 * Service access authorization is based on group membership.

ArcGIS Online security authorization data flow. 
 * User security credentials are provided to the ArcGIS Online global security store.
 * ArcGIS Online global security store is used to complete authentication and authorization
 * Service authorization is provided by ArcGIS Online token based authentication.

ArcGIS Online SAML authentication
Figure 9.16 shows ArcGIS Online Federated SAML authentication. Active directory or LDAP can be used for Online Organization membership authentication. SAML communication protocols are used for remote enterprise-level member authentication and validation.

ArcGIS Online service authorization based on SAML authentication.
 * Authentication credentials are stored in the enterprise Active Directory/LDAP data store (named users).
 * Enterprise Active Directory/LDAP administrator identifies and manages ArcGIS Online Organization named user membership.
 * ArcGIS Online server administrator defines custom privileges, assigns privileges to identified SAML validated users, and manages ArcGIS Online groups.
 * ArcGIS Online named users create and manage ArcGIS Online Organization groups.
 * ArcGIS Online named users share published services with identified ArcGIS Online Organization groups.
 * Service access authorization is based on group membership.

ArcGIS Online for Organizations SAML security authorization data flow
 * ArcGIS Online global security store SAML identify provider trust relationship is configured with the Enterprise security directory data store.
 * User security credentials are provided to ArcGIS Online.
 * ArcGIS Online sends user credentials to the SAML identify provider.
 * SAML identify provider sends user credentials to the Enterprise Active Directory/LDAP server.
 * Active Directory/LDAP data store is used to complete authentication.
 * Validated authentication credentials are returned to the ArcGIS Online global security store.
 * Global security store credentials are used to authorize named user privileges and services access.
 * AGOL global security store provides authorization for service access to client.
 * Service authorization is provided by ArcGIS Online token based authentication.

"Best practice: Use secure socket layer (SSL) communications when transmitting user identification information over unsecure network. " 

Portal for ArcGIS security authentication and authorization
Portal for ArcGIS security solutions provide Portal tier authentication by the Portal for ArcGIS identity store or Web tier Enterprise level integration using Active Directory/LDAP authentication.

Portal for ArcGIS server authentication
Figure 9.17 shows Portal for ArcGIS server authentication.

Portal for ArcGIS identity store manages authentication and authorization.
 * Authentication credentials are stored in the Portal identity store (named users).
 * Privileges and group membership are stored in the Portal identity store (roles).
 * Portal server administrator identifies and manages named users, creates custom privileges, and assigns named user privileges (roles).
 * Portal named users create and manage Portal groups.
 * Service publishers share published services with groups.


 * Service access authorization is based on group membership.

Portal for ArcGIS server tier security authorization data flow
 * User security credentials are provided to the Portal Web adaptor.
 * Portal Web adaptor sends user credentials to the Portal server.
 * Portal identity store is used to complete authentication and authorization
 * Service authorization is provided by Portal for ArcGIS token based authentication.

Help: About configuring portal authentication <br style="clear: both" />

Enterprise Portal for ArcGIS tier authentication
Figure 9.18 shows Enterprise Portal for ArcGIS tier authentication.

Portal for ArcGIS manages service authorization based on validated enterprise user authentication.
 * Authentication credentials are stored in the enterprise Active Directory/LDAP data store (named users) and replicated to the Portal for ArcGIS identity store.

Three unique security management configurations options. Organization must select the security management option that best supports their business needs.
 * Portal named users are identified and managed by the Enterprise Active Directory/LDAP administrator.
 * Enterprise Active Directory/LDAP administrator identifies and manages Portal named user membership.
 * Portal server administrator defines custom privileges, assigns privileges to identified Active Directory/LDAP users, and manages Portal groups.
 * Portal named users create and manage Portal groups.
 * Portal named users share published services with identified Portal groups.


 * Portal named users and privileges (roles) are identified and managed by the Enterprise Active Directory/LDAP administrator.
 * Enterprise Active Directory/LDAP administrator identifies and manages Portal named user membership, defines custom privileges, and assigns privileges to identified Portal named users.
 * Portal server administrator manages Portal groups.
 * Portal named users create and manage Portal groups.
 * Named users share published services with identified Portal groups.


 * Portal named users, privileges (roles), and Portal groups are identified and managed by the Enterprise Active Directory/LDAP administrator.
 * Enterprise Active Directory/LDAP administrator identifies and manages Portal named user membership, defines custom privileges, assigns privileges to identified Portal named users, and manages Portal groups.
 * Portal named users share published services with identified Portal groups.


 * Service access authorization is based on group membership.

Portal for ArcGIS Web tier security authorization data flow
 * Portal for ArcGIS identity store read only trust relationship is configured with the Enterprise security directory data store.
 * User security credentials are provided to the Portal Web adaptor.
 * Portal Web adaptor sends user credentials to the Portal server.
 * Portal identity store is used to complete authentication and authorization
 * Service authorization is provided by Portal for ArcGIS token based authentication.

Help: Configure Portal to use Enterprise Identity Store <br style="clear: both" />

Portal for ArcGIS Enterprise level Web tier authentication
Figure 9.19 shows Portal for ArcGIS Web tier authentication.

Portal for ArcGIS manages service authorization based on validated enterprise user authentication.
 * Authentication credentials are stored in the enterprise Active Directory/LDAP data store (named users).

Three unique security management configurations options. Organization must select the security management option that best supports their business needs.
 * Portal named users are identified and managed by the Enterprise Active Directory/LDAP administrator.
 * Enterprise Active Directory/LDAP administrator identifies and manages Portal named user membership.
 * Portal server administrator defines custom privileges, assigns privileges to identified Active Directory/LDAP users, and manages Portal groups.
 * Portal named users create and manage Portal groups.
 * Portal named users share published services with identified Portal groups.


 * Portal named users and privileges (roles) are identified and managed by the Enterprise Active Directory/LDAP administrator.
 * Enterprise Active Directory/LDAP administrator identifies and manages Portal named user membership, defines custom privileges, and assigns privileges to identified Portal named users.
 * Portal server administrator manages Portal groups.
 * Portal named users create and manage Portal groups.
 * Named users share published services with identified Portal groups.


 * Portal named users, privileges (roles), and Portal groups are identified and managed by the Enterprise Active Directory/LDAP administrator.
 * Enterprise Active Directory/LDAP administrator identifies and manages Portal named user membership, defines custom privileges, assigns privileges to identified Portal named users, and manages Portal groups.
 * Portal named users share published services with identified Portal groups.


 * Service access authorization is based on group membership.

Portal for ArcGIS Web tier security authorization data flow
 * Portal for ArcGIS identity store read only trust relationship is configured with the Enterprise security directory data store.
 * User security credentials are provided to the Web server.
 * Web server sends user credentials to the Active Directory/LDAP server.
 * Active Directory/LDAP data store is used to complete authentication.
 * Validated authentication credentials are returned to the Web server.
 * Portal Web adaptor send validated authentication credentials to the Portal server.
 * Portal identity store provides authorization for service access to client.
 * Service authorization is provided by Portal for ArcGIS token based authentication.

Help: Using Integrated Windows Authentication with your portal <br style="clear: both" />

Security in the cloud
Figure 9.20 shows the standard Cloud hosting patterns and user security practices. Security challenges in the cloud are familiar to any IT manager: loss of data, threats to the infrastructure, and compliance risk. What is new is the way these threats play out in a cloud environment.


 * ArcGIS in the cloud

Software as a Service (SaaS): Direct user interface for building services
 * ArcGIS Online (ArcGIS.com)
 * Business Analyst Online
 * ArcGIS Explorer Online

Platform as a Service (PaaS); Developer interface for building services
 * Esri web mapping APIs (JavaScript, Flex, Silverlight)
 * Microsoft Azure ArcGIS applications

Infrastructure as a Service (IaaS): IT administrator interface for building services
 * ArcGIS for Server on Amazon EC2
 * Terremark Cloud (now Verizon)
 * Private cloud

Cloud security is:
 * The response to a familiar set of security challenges that manifest differently in the cloud.
 * A set of policies, technologies, and controls designed to protect data and infrastructure from attack and enable regulatory compliance.
 * Layered technologies that create a durable security net or grid.
 * The joint responsibility of your organization and its cloud provider(s).

Cloud security is not:
 * A one-size-fits-all solution that can protect all your IT assets. In addition to different cloud delivery models, the cloud services you deploy will most likely require more than one approach to security.
 * A closed-perimeter approach or a "fill-the-gap" measure. Organizations can no longer rely on firewalls as a single point of control, and cobbling together security solutions to protect a single vulnerability may leave you open in places you do not suspect.
 * Something you can assume is provided at the level you require by your cloud service providers. Make sure you spell out and can verify what you require.

"Warning: Cloud computing security is a broad topic with hundreds of considerations: from protecting hardware and platform technologies in the data center to enabling regulatory compliance and defending cloud access through different end-point devices. " <br style="clear: both" />

Web GIS deployment options
Cloud security is evolving to satisfy customer deployment needs. Figure 9.21 shows the options available for Web GIS deployment. Security may be a primary factor in determining the optimum deployment strategy. Security management options vary based on the available service models, deployment models, and management models utilized in your deployment scenario.

Deployment strategies can include a mix of customer-managed and vendor-managed security options.

Vendor-managed deployment options:
 * Vendor-managed SaaS-based services deployment (ArcGIS Online Organization)
 * Vendor-managed IaaS-based community private cloud deployment
 * Vendor-managed hybrid deployment including IaaS public and private cloud services
 * Vendor-managed IaaS-based public cloud deployment
 * Vendor-managed ArcGIS Online content management

Customer-managed deployment options:
 * Non-cloud on-premise ArcGIS for Server deployment
 * Portal for ArcGIS on-premise content management
 * IaaS-based community private cloud deployment
 * Hybrid deployment including IaaS and on-premise services

Optimum Web GIS deployment includes a proper mix of customer-managed and vendor-managed security policies.

"Best practice: An optimum security program involves an appropriate tradeoff between customer- and vendor-managed risk. " <br style="clear: both" />

Deployment model responsibilities
Figure 9.22 shows responsibility by layers across the major cloud deployment models versus an on-premise implementation.

These deployments are not exclusive, and an enterprise deployment of the ArcGIS platform could use multiple models such as an on-premise implementation supplemented with ArcGIS in the cloud in a hybrid approach.

"Best practice: Security implementation involves a proper trade-off between self- and vendor-managed risk. " <br style="clear: both" />

ArcGIS cloud hybrid capabilities
Figure 9.23 shows a ArcGIS for Server hybrid cloud deployment. A hybrid cloud may provide your best deployment solution, taking advantage of available technology in the most optimum way without compromising security. Deployment strategies can include a mix of self-managed and vendor-managed security options.

Hybrid solutions leverage the best technology options:
 * Internal-hosted service layers can provide your full internal level of security.
 * Private IaaS clouds provide scalable on-demand internal services while retaining required security.
 * Geodatabase replication services provide filtered content to physically separate internal secure data from external remote access.
 * Sensitive data layers can be published from within the data center for mash-up with authenticated field-worker displays.
 * ArcGIS Online organizations provide collaboration and data sharing with protected groups of agency locations.
 * ArcGIS Online subscription services (and public IaaS hosting) provide scalable public access for on-demand services.

"Best practice: Provide optimum enterprise security through hybrid cloud deployments. "

Esri’s security strategy
Deliver secure GIS products
 * [Incorporate security industry best practices.]
 * Trusted geospatial services across the globe.
 * Meet needs of individual users and entire organizations.

Provide secure GIS solution guidance <br style="clear: both" />
 * [Enterprise Resource Center]
 * [Shares Esri security patterns]

Web firewall best practices
Figure 9.24 shows best practices for firewall protection. Firewall configurations are provided to support communication between various levels of security. The effectiveness of your firewall configuration will depend on proper technology implementation.

Esri provides guidance and recommendations for different security patterns based on your security needs.
 * [Enterprise GIS Security Patterns]
 * [Configuring ArcGIS 10.2 for Server security]
 * [Ports used by ArcGIS 10.2 for Server.]
 * [Ports used by Portal for ArcGIS 10.2.]

"Best practice: Security in depth provides multiple layers of defense between public access and protected data resources."

Public services should be deployed on separate servers from sensitive private internal services.
 * Separate web services tier increases security layer protection.
 * Deploy public services and internal private services on separate GIS server sites.
 * Separate publication dataset from production dataset for optimum protection.

High-availability services avoid a single point of failure.
 * Multiple servers ensure operational system with one server down.
 * Multiple online copies of operational data ensure continued operations with loss of one copy.
 * Point-in-time backups are critical—most data corruptions are caused by procedural error.
 * Additional backup copy of critical data should be stored off-site.<br style="clear: both" />

Web services with proxy server
Figure 9.25 shows ArcGIS web services with proxy server. Reverse proxy servers hide the existence and characteristics of the internal application server.

"Best practice: Basic security: Internal web server components can be installed on a single server tier to reduce cost."

ArcGIS for Server reverse proxy architecture (ArcGIS 10.1+):
 * Web client sends request to web server in the DMZ.
 * DMZ web server sends request to reverse proxy for routing to private GIS servers.

"Best practice: ArcGIS for Server web adaptor will provide reverse proxy and load balancing to the private GIS server site."


 * GIS server distributes (load balances) in-bound requests to available service instance located within the GIS server site.
 * Service instance executables access required data sources and service the request.
 * Service instance output is delivered back to the web client.

Additional functionality <br style="clear: both" />
 * Application firewall features can protect against common web-based attacks. Without a reverse proxy, removing malware or initiating takedowns, for example, can become difficult.
 * In the case of secure websites, the SSL encryption is sometimes not performed by the web server itself, but is instead off-loaded to a reverse proxy that may be equipped with SSL acceleration hardware.
 * A reverse proxy can distribute the load from incoming requests to several servers, with each server serving its own application area. In the case of reverse proxying in the neighborhood of web servers, the reverse proxy may have to rewrite the URL in each incoming request, in order to match the relevant internal location of the requested resource.
 * A reverse proxy can reduce load on its origin servers by caching static content, as well as dynamic content. Proxy caches of this sort can often satisfy a considerable amount of website requests, greatly reducing the load on the origin server(s). Another term for this is web accelerator.
 * A reverse proxy can optimize content by compressing it in order to speed up loading times.
 * Reverse proxies can be used whenever multiple web servers must be accessible via a single public IP address. The web servers listen on different ports in the same machine, with the same local IP address or, possibly, on different machines and different local IP addresses altogether. The reverse proxy analyzes each incoming call and delivers it to the right server within the local area network.

Web and ArcGIS for Server components in DMZ
Figure 9.26 shows ArcGIS web and GIS Server components in the DMZ. Web and GIS server components can be deployed in the DMZ along with replicated data sources or with access through the firewall to an internal DBMS.

"Best practice: Basic security: Web server DMZ components can be installed on a single server tier to reduce cost."

ArcGIS for Server reverse proxy architecture (ArcGIS 10.1+):
 * Reverse proxy secures administrative access to GIS server.
 * Web adaptor provides reverse proxy and network load balancing.
 * Web application firewall can enhance web service security.

GIS server access to required data sources must be secured.
 * File sources must be replicated to the DMZ to protect internal resources.
 * DBMS data sources should be replicated to DMZ for optimum security.

"Warning: Some security officers find this solution not acceptable because it provides direct access to the DBMS from the DMZ. "


 * SSL secured port connections can be used to access internal DBMS data source.

"Best practice: ArcGIS for Server web adaptor will provide reverse proxy and network load balancing protecting administrative access to the GIS server site."


 * GIS server distributes (load balance) in-bound requests to available service instance located within the GIS server site.
 * Service instance executables access required data sources and service the request.
 * Service instance output is delivered back to the web client.

"Best practice: Web application server installed with the web server can enhance web service security." <br style="clear: both" />

Business continuance
Business continuance addresses infrastructure design considerations that ensure computer systems are functional when needed to support operational business requirements. Requirements for business continuance are a primary risk management consideration, and a core principal of information security management. Availability is the third tenant of the Security Triad, and system component redundancy is the principal concept developed and deployed to protect against identified business continuance threats.

The level of protection required by any particular business operation is a balance between cost of the supporting systems and the risk of downtime. Basic levels of protection can be satisfied by incremental data backups and off-site storage. Standard levels of protection would include high availability solutions avoiding downtime caused by a single system component failure. Advanced levels would include disaster recovery to a secondary data center with the lost of the primary site. Recovery time from a protected failure event will depend on the capabilities of the high available and/or disaster recovery solution. There is no absolute answer that establishes the level of protection required to manage the risk of system downtime.

ArcGIS for Server and Web GIS (component and system level) business continuance deployment strategies will be addressed in this section. Business continuance deployment options will address product level high-availability and disaster recovery deployment scenarios. Requirements are established based on business security risk management objectives. Software functionality can introduce constraints on acceptable deployment options.

Design and deployment of the required deployment architecture patterns are addressed in the earlier chapter on GIS Product Architecture.

Requirements for high-availability deployments
Figure 9.27 shows required high-availability configuration support for continued business operations. High-availability configurations ensure business operations continue when infrastructure components fail.

General high-availability compliance requirements include the following:
 * Highly available load balancer
 * Multiple application server tier machines
 * Highly available shared storage
 * Highly available network

For virtual server environments, high availability platform solutions (clustered or failover virtual machines) must be deployed on separate host platforms to avoid single point of failure.

"Best practice: System designed to support continued operations following any single hardware component failure." <br style="clear: both" />

Disaster recovery: Typical workflow
Figure 9.28 shows disaster recovery solution architecture with two data centers. Disaster recovery configurations ensure business operations continue following a catastrophic data center failure.

Secondary data center must be designed and maintained to support failover operations.

Custom IT administration processes must be established to maintain and distribute traffic between the data center locations.
 * Multiple site install and configuration
 * Multiple site service deployments
 * Multiple site data source updates
 * Concurrent application updates between sites

Deploying effective disaster recovery solutions can be very complicated and require enterprise level IT management and governance. The most effective solutions are supported by virtualization software technology, with VMware as one of the leading software vendors in the virtualization marketplace. Virtualization software can support a variety of business systems through a common set of architecture solutions, managed by enterprise level IT operations with proper training and staff to ensure compliance with business requirements. The VMware vCenter Server Availability Guide shares requirements for defining high availability for VMware virtualization software, with recommendations and best practices for providing acceptable levels of protection. The VMware virtualization software can be used to manage replication and synchronization of business software across multiple data center locations.
 * Virtual server replication to secondary data center
 * Virtualization tools to orchestrate fail over to a secondary data center

"Best practice: Use of virtualization software technology to manage distributed high availability systems supporting continued operations following loss of the primary data center." <br style="clear: both" />

Business continuance: Server GIS components
Figure 9.29 shows ArcGIS for Server high availability configuration. Server machines that must be configured for high availability include the ArcGIS for Server components and supporting data sources.

This section will identify provisions for supporting highly available ArcGIS for Server tier components. Third-party vendor solutions are available for building highly available data sources hosted by DBMS and File share solutions.

<br style="clear: both" />

Server GIS: Multi-machine architecture
Figure 9.30 shows ArcGIS for Server multiple machine architecture. ArcGIS for Server site architecture is designed to support a multi-machine (two or more GIS Servers) with shared configuration store and server directories for highly available operations.

"Warning: Third-party load balancers, Web, and storage tier must be configured for highly available operations. "

'Best practice: Review architecture solution to ensure no single hardware/ network failure can cause failed operations.' <br style="clear: both" />

Server GIS: Primary deployment patterns for high availability
Figure 9.31 shows options with and without ArcGIS Web Adaptor. ArcGIS for Server production deployments may include two- or three-tier configurations.


 * Two-tier Server configuration
 * Highly available load balancer solution.
 * Multi-machine ArcGIS for Server site.
 * Highly available file share for Configuration Store and Server Directories.
 * Highly available data source (DBMS or File share).
 * Three-tier Server configuration
 * Highly available load balancer solution.
 * Multi-machine load balanced Web tier.
 * Multi-machine ArcGIS for Server site.
 * Highly available file share for Configuration Store and Server Directories.
 * Highly available data source (DBMS or File share).

"Warning: Virtual server deployments must distribute platform tier components on redundant host platforms. "

'Best practice: Review architecture solution to ensure no single hardware/ network failure can cause failed operations.' <br style="clear: both" />

Server GIS: The Silo deployment pattern
Figure 9.32 shows ArcGIS for Server high availability single machine site configurations. ArcGIS for Server single-machine site configurations must support high availability with third-party solutions.


 * Two-tier Server configuration
 * Highly available load balancer solution.
 * Multi-site identical load-balanced GIS Server tier configuration.
 * Identical Configuration Store and Server Directories for each site.
 * Highly available data source (DBMS or File share).

"Warning: Virtual server deployments must distribute platform tier components on redundant host platforms. "

'Best practice: Review architecture solution to ensure no single hardware/ network failure can cause failed operations.' <br style="clear: both" />

Server GIS: Pattern for disaster recovery
Figure 9.33 shows ArcGIS for Server architecture pattern for disaster recovery. Primary high-availability solutions must be established and maintained at each data center.

"Warning: Virtual server deployments must distribute platform tier components on redundant host platforms. "

"Best practice: Review architecture solution to ensure no single hardware/network failure can cause failed operations."

Custom business processes must be established to maintain and distribute traffic between the data center locations.
 * Multiple site install and configuration
 * Multiple site service deployments
 * Multiple site data source updates
 * Concurrent application updates between sites

"Best practice: System designed and resources maintained to support continued operations following loss of primary data center."

<br style="clear: both" />

Business continuance: Portal for ArcGIS components
Figure 9.34 shows the Web GIS architecture components. Web GIS components that must be configured for high availability include the Portal for ArcGIS, ArcGIS Server, and ArcGIS Data Store tier. The Portal for ArcGIS and ArcGIS Data Store tier will be discussed first, followed by a system-level discussion on the Web GIS high availability and disaster recovery solution.

Portal for ArcGIS components that must be configured for high availability include the Portal for ArcGIS components and supporting content store. This section will identify provisions for supporting highly available Portal for ArcGIS tier components. Third-party vendor solutions are available for building highly available File share solutions. <br style="clear: both" />

Portal for ArcGIS: Multi-machine architecture
Figure 9.35 shows a two machine Portal for ArcGIS configuration. Portal for ArcGIS architecture is designed to support a multi-machine (two Portal servers) with shared content store for highly available operations.

"Warning: Third-party load balancers, Web, and storage tier must be configured for high-availability operations. "

'Best practice: Review architecture solution to ensure no single hardware/ network failure can cause failed operations.' <br style="clear: both" />

Portal for ArcGIS: Deployment patterns for high availability
Figure 9.36 shows high available portal architecture with or without using the ArcGIS Web Adaptor. Portal for ArcGIS production deployments may include one- or two-tier configurations.

Single-tier Portal configuration (third party HA load balancer)
 * Highly available load balancer solution.
 * Two-machine Portal tier.
 * Highly available File share for Content Store.

Two-tier Portal configuration (ArcGIS Web Adaptor with third party load balancer)
 * Highly available load balancer solution.
 * Two-machine load balanced Web tier (include Web Adaptors).
 * Two-machine Portal tier.
 * Highly available File share for Content Store.

"Warning: Virtual server deployments must distribute platform tier components on redundant host platforms. "

'Best practice: Review architecture solution to ensure no single hardware/ network failure can cause failed operations.' <br style="clear: both" />

Business continuance: ArcGIS Data Store components
Figure 9.37 shows the Portal for ArcGIS data store components. ArcGIS Data Store components must be configured for high Availability to support business continuance.

This section will identify provisions for supporting highly available ArcGIS for Data Store tier components. <br style="clear: both" />

Data Stores: User-managed vs. ArcGIS-managed
Figure 9.38 shows the available Portal Data Store options.

Portal deployments are supported by both user-managed and ArcGIS-managed data stores.
 * User-managed data stores include data sources (Geodatabases and files).

User-managed data store
 * Geodatabases and file data sources for ArcGIS for Server published services.
 * Database schema and content are managed by the geodatabase administrator.
 * Geodatabase can be identified as a managed data store for Portal hosted sites.

ArcGIS managed data store
 * Installed on Portal-hosted GIS Server site.
 * Stores feature data published to Portal for ArcGIS.

"Best practice: ArcGIS Data Store provides a scalable architecture for Portal for ArcGIS feature publishing."

<br style="clear: both" />

ArcGIS Data Store: Is actually many ArcGIS- managed Data Stores
Figure 9.39 shows the various ArcGIS-managed Data Store options. Portal is supported by several different ArcGIS-managed Data Stores.

Supported feature datasets include the following:
 * Features (points, polygons, lines)
 * 3D scene layers (tile cache)
 * Real-time geoevent observations (high-capacity "Big" Data Store)

<br style="clear: both" />

ArcGIS Data Store: Multi-machine architecture
Figure 9.40 shows the ArcGIS-managed Data Store high availability configuration option. Configure ArcGIS Data Store with a standby machine so your feature data is available even if the primary machine fails.

Include a secondary failover machine with the Data Store install. <br style="clear: both" />
 * ArcGIS for Server provides failover to secondary machine.
 * Common storage used by Primary and Secondary machines.
 * ArcGIS Data Store automatically generates backup recovery files.

Business continuance: Web GIS components
Figure 9.41 shows an overview of components supporting the Web GIS configuration. Web GIS components that must be configured for high availability include the Portal for ArcGIS, ArcGIS Server, and ArcGIS Data Store tier.

All Web GIS components must stay in sync to support high availability and disaster recovery solutions. <br style="clear: both" />

Web GIS: High-availability deployment pattern
Web GIS components include Portal for ArcGIS, ArcGIS Server, and the ArcGIS Data Store.

Figure 9.42 shows the complete Web GIS high-availability configuration.
 * High-availability Portal for ArcGIS tier (two Portal servers with shared Content Store).
 * High-availability ArcGIS Server tier (minimum of two GIS Servers with shared Configuration Store and Server Directories).
 * High-availability ArcGIS Data Store (Primary Data Store with failover secondary Data Store, sharing data on a common file share) Data Store automatically creates backups for disaster recovery.

<br style="clear: both" />

Web GIS: Disaster recovery deployment pattern
Figure 9.43 shows the Web GIS disaster recovery deployment pattern. Secondary data center must be designed and maintained to support failover operations.

Primary high-availability solutions must be established and maintained at each data center.
 * Backup and restore model provides replicated configuration (available with 10.4 release).

"Warning: Virtual server deployments must distribute platform tier components on redundant host platforms. "

"Best practice: Review architecture solution to ensure no single hardware/network failure can cause failed operations."

Custom IT processes must be established to maintain and distribute traffic between the data center locations.
 * Multiple site install and configuration
 * Web GIS backup and restore model provides replicated configuration (available with 10.4 release).

Virtualization software technology can be used to manage replication and synchronization of business software across multiple data center locations.
 * Virtual server replication to secondary data center
 * Virtualization tools to orchestrate fail over to a secondary data center

"Best practice: Use of virtualization software technology to manage distributed high availability systems supporting continued operations following loss of the primary data center." <br style="clear: both" />

Business continuance operations: Requires more than technology
Figure 9.44 shows that business continuance involves more than technology to ensure successful operations. Business continuance operations are complex with multiple components that must work together to support reliable high availability and disaster recovery solution.

Technology solutions alone do not guarantee success. <br style="clear: both" />
 * Qualified people must be trained to support recovery operations.
 * Processes must be implemented and testing to ensure operational readiness.
 * Technology must work together to support integrated operations

Business continuance operations: People and process considerations
Figure 9.45 shows best practices for ensuring business continuance. Providing the right people with the right skills in the right place at the right time is critical for supporting sustained operations.

People qualifications
 * IT managed
 * Strong technical team
 * Knowledge of GIS and IT

Process validation <br style="clear: both" />
 * Business alignment
 * Established SLAs
 * Knowledge management
 * Training

Security strategy overview
Figure 9.46 provides a summary of security facts and recommended actions. Security is everybody's job, there is no exception. The world is not a secure environment, and you need to keep your eyes and minds open to the threats around you.

There is no single solution for security.
 * There are costs and trade-offs that must be made to support an optimum solution.
 * Too much security controls can reduce productivity and increase cost.
 * Too little attention and control can result in loss of property and the ability to perform.

"Best practice: Finding the right balance is important, and the right solution can be a moving target. " <br style="clear: both" />

Security resources
<br style="clear: both" />
 * Esri [Trust ArcGIS] security site
 * [CSI Computer Crime and Security Survey 2010-2011]
 * [[https://www.nsslabs.com/ Web Browser Security Test Reports
 * [Windows on Amazon EC2 Security Guide]
 * [Selected Documents on Confidentiality and Geospatial Data]
 * [SaaS, PaaS, and IaaS: A Security Checklist]

Previous Editions
Information Security 38th Edition Information Security 37th Edition Information Security 36th Edition Information Security 35th Edition Information Security 34th Edition Information Security 33rd Edition Information Security 32nd Edition Information Security 31st Edition Information Security 30th Edition Information Security 29th Edition Information Security 28th Edition Information Security 27th Edition

Page Footer Specific license terms for this content System Design Strategies 26th edition - An Esri ® Technical Reference  Document • 2009 (final PDF release)