Information Security 33rd Edition

Fall 2013 Information Security 33rd Edition

This chapter provides an introduction to the purpose and scope of information security. Basic concepts are introduced for developing security solutions that meet your business needs. Esri's information patterns share how to establish security measures appropriate for your organization.

Enterprise security can be a challenge for IT architects and security specialists. Until the last few years, entire IT systems were frequently designed around a single mission objective and a single "community of interest," normally supported with physically isolated systems, each with its own data stores and applications. New emerging standards are supported with more mature communication environments, more intelligent operating systems, and a variety of standard integration protocols enabling IT architects to design and maintain comprehensive organization-wide interactive enterprise solutions.

Recent industry advancements, especially in the areas of web service standards and service-oriented architectures, are enabling architects to more effectively satisfy enterprise security objectives. Esri's careful attention to these standards, coupled with an overall philosophy of providing highly interoperable software, provides security architects with a high level of flexibility, thus establishing trust for all Esri components contained in an enterprise solution.

A full discussion on enterprise security is beyond the scope of this chapter. The [Enterprise GIS Security Resource Center] provides unified access to security related information for enterprise solutions using Esri products. The ArcGIS in Your Enterprise web page includes a section on [Control ArcGIS Security using your Enterprise Authentication]. 

What is information security?
Information security is the process of protecting the availability, privacy, and integrity of data. Risk management is an overall goal of every organization. Information security is one of the disciplines within the organization that addresses risk management. Risk is also managed through additional business continuity and information technology initiatives.

Information security has some common characteristics with business continuity and information technology as shown in Figure 9.1. 
 * Information security is a subset of overall risk management.
 * Information security is important in maintaining business continuance.
 * Information security is managed in part by information technology.

Four types of security threats
Information security is focused on addressing the four types of security threats identified in Figure 9.2. These security threats include natural disasters, malicious attacks, internal attacks, and system malfunctions or human error.

National Institute of Standards and Technology (NIST) definition of a security threat: Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability.

"Best Practice: Security controls are developed and deployed to protect against identified security threats. " 

CIA security triad
Figure 9.3 shows the CIA triad. The core principals of information security management are represented by the CIA triad.

The CIA triad includes confidentiality, integrity, and availability.
 * Confidentiality is protection of "privileged" communications, restricting user access to core business information based on a "need to know" principle.
 * Integrity refers to the trustworthiness of business data resources and the associated information products generated over its entire life cycle.
 * Availability refers to ensuring the information system is functional when needed to support operational business requirements.

Information security industry standards will be identified and applied as mechanisms of protection and prevention in the following three main areas:
 * Hardware
 * Software
 * Communications

Protection and prevention will be implemented at three levels, or layers:
 * People (personal security)
 * Procedures (organizational security)
 * Products (physical security)

"Best practice: The CIA triad is used to provide proper scope and focus for information security management." 

Levels of Security
Figure 9.4 shows the defense in depth concept. Defense in depth is an information assurance concept in which multiple layers of security controls (defenses) are placed throughout an IT system.

Multiple levels of security:
 * Physical controls (fences, guards, locks, etc.)
 * Policy controls (administrative policies and procedures)
 * Technical controls (system configuration)

Types of technical controls:
 * Authentication (user identity strategy, user name and password, keycards, keywords, etc.)
 * Authorization (role-based access policies, access control rules, etc.)
 * Filters (routing based on group policy, active directory containers, user identity, etc.)
 * Encryption (scrabbling information for unreadable transmission or storage)
 * Logging (record of security-related transactions)

Technical controls are implemented throughout the physical system providing multiple layers of defense: 
 * Application controls (LDAP, SSO, HTML content filters, validation checks, secure stored procedures)
 * Host/device controls (native authentication, LDAP, repository, hardening guides, HIDS)
 * Network controls (firewalls, NIDS, single socket layer - SSL, IPSEC)
 * Data controls (authentication, role-based access, row-level access, data file encryption)

Examples of defense in depth:
 * Application functional limitations (view only)
 * Reverse proxy server (restrict port access)
 * Web application firewall (monitor traffic, restrict access, route traffic)
 * Web server (provide extra physical transmission layer)
 * ArcGIS for Server (restrict access to published services, user authentication, restricted data access)
 * Geodatabase server (restrict access to published services, user authentication, restricted table and row access, monitor traffic)

Idea behind defense in depth:
 * Defend a system using multiple varying protection methods.
 * Provide a comprehensive approach to information security.

Defense in depth seeks to delay advance of an attack:
 * Yield space in order to buy time without preventing proper access.
 * Prevent penetration and direct attacks by providing multiple layers of defense.
 * Prevent security breaches and buy time to detect and respond to an attack.

"Best practice: Multiple layers of defense improve information security."

"Warning: Do not expect a high level of protection from a single layer of defense. "

Review current security trends
Information security is a growing science
 * Dollar amount losses by threat
 * Security technologies utilized

Review security options
 * Enterprise GIS Resource Center
 * Enterprise-wide security mechanisms
 * Application-specific options

Implement security as a business enabler 
 * Improve appropriate availability of information.

Standards approach to security risk management.
Figure 9.5 shows a standards approach to security risk management. Standard approaches to security risk management are well established and should be followed to ensure compliance.

Identify your security needs
 * Review industry security threats.
 * Assess your environment.
 * Evaluate risk to datasets and operational systems.
 * Determine sensitivity, categorization, and patterns of risk.

Key steps to effective information security:
 * 1) Legislation. Review regulations related to your industry.  Security regulations may dictate compliance standards and a security implementation framework; there may be negative business consequences for non-compliance.
 * 2) Benefits. Identify any potential benefits that can be derived from security compliance and operational savings that can be attributed to the proposed security program. This can be helpful in justifying security program expenses.
 * 3) Objectives. Establish SMART information security program objectives.  Objectives should be specific, measurable, attainable, relevant, and time-bound.
 * 4) Framework. Identify an information security management approach and methodology that will deliver results.  Several frameworks have been developed and shared for general use in establishing an information security program.  Information Security Frameworks can be industry specific and share focused best practices that address your business needs.
 * 5) Approved planning. Establish a plan for the security risk assessment effort.  You will need management authorization for required resources, support, and funding.
 * 6) Risk assessment and mitigation. Complete a risk assessment security needs analysis identifying potential threats and associated mitigation strategies.
 * 7) Safeguards. Identify security procedures (rules) and technology (tools) that must be implemented to address identified security needs.
 * 8) Training and awareness. Design and build the approved security solutions.  Implement training and awareness programs to implement and enforce identified security practices.
 * 9) Implementation. Operate and support the security solutions.  Monitor levels of protection and measure compliance.

Steps 1-5 are required efforts to establish a successful security program. Security program should be presented and endorsed by Executive management, and an Executive sponsor should be actively committed to enforcing the objectives of the security program.

Information security management is an active ongoing effort assessing risks, defining security requirements, and measuring security solutions.

IT group must be on board to design, build, and operate the approved security solutions. Periodic audit reviews and formal compliance demonstrations are essential to assess risk management effectiveness. Executive sponsor should actively review progress in meeting the established security program SMART objectives.

"Best practice: Security management is a continuous process of reviewing and updating security rules and supporting technology to maintain a proper level of defense against evolving security threats.."

Security framework and compliance
Figure 9.6 shows what tools the Federal Chief Information Security Officers (CIFOs) are using to manage their secure operations.

Recommended best practices:
 * Choose a security standard.
 * Perform an assessment relative to standard metrics.

There are two basic categories (solution and product level) for security certification/compliance.

"Best practice: Best way to get it right is to follow a methodology developed by those who have established a pathway for success. " 

Esri security strategy evolution
Figure 9.7 shows security moving from an isolated product solution focus to addressing security on an integrated solutions level. Enterprise IT solutions are changing including more transparency, sharing, collaboration, and web access. Security policies are adapting to these changes.

Product
User workflow environment:
 * Isolated systems
 * Primarily desktop or internal network solutions
 * Limited web access
 * Data entry provided by well-defined workflows

Security solutions focused on isolated systems:
 * Protecting discrete products and services
 * Protecting focused user workflow environments
 * Include third-party security additions

Enterprise
User workflow environment:
 * Multiple clients and user locations
 * Multiple servers and data center locations
 * User collaboration across multiple integrated systems
 * Discretionary user grouping and sharing
 * Common interface with cloud-hosted services

Enterprise security solutions:
 * Integrated enterprise platforms and services
 * Multi-layered embedded security protection
 * Adaptive user-driven security controls
 * Include third-party security additions

Solution
Managed security solutions: 
 * Solution templates established based on industry standards.
 * Best practices developed and shared by community leaders.
 * Solution strategies involve integration of multiple enterprise environments.
 * Security solutions are expanded to include cloud deployments.

ArcGIS for Server security authentication and authorization
ArcGIS for Server security solutions include authentication by the ArcGIS for Server site identity store or enterprise level integration using Web server authentication.

GIS Server authentication
GIS Server identify store manages authentication and authorization.
 * Authentication credentials are stored in the site identify store.
 * Roles are defined for each identified user.
 * Permissions are authorized by GIS Server token services.

Enterprise level authentication
GIS server identity store manages service authorization based on validated enterprise identity authentication.
 * User authentication provided by enterprise validation services (Web or GIS Server tier).
 * Roles can be identified by IT or GIS administrator.
 * GIS server identity store matches service authorization to enterprise-level user authentication. Roles can be managed at Server or Enterprise level.
 * Web adapter uses coded token services (such as PKI) to provide validated user access to authorized GIS server services when using Web Server Enterprise validation services.

"Best practice: Use secure socket layer (SSL) communications when transmitting user identification information over unsecure network. "

ArcGIS Online security authentication and authorization
ArcGIS Online provides secure access to shared maps, apps, and data packages hosted in the Cloud. Security assertion markup language (SAML) authentication enables federated use of Enterprise security solutions for member authentication.

ArcGIS Online authentication and group level security
Groups are created and managed by members with administrator or publisher permissions.
 * Administrators have full permissions and manage organization membership.
 * Publishers can create and manage their own group membership and permissions. Groups can be private, organization, or public access. An Online Organization membership is required to participate in managed group membership. Group users have contributor or viewer permissions.
 * Publishers can create new maps and apps and share data packages to public, organization, or groups.
 * When you add layers to an ArcGIS Online Web map from a Web service, these layers are published from their source site and delivered direct to the client. The source site manages any additional client authentication and validation requirements for the selected service (no data gets transferred through the ArcGIS Online site.)  Web map layers are assembled in the mashup at the client browser display.

Federated SAML authentication
Active directory or LDAP can be used for Online Organization membership authentication. SAML communication protocols are used for remote enterprise-level member authentication and validation.

"Best practice: Use secure socket layer (SSL) communications when transmitting user identification information over unsecure network. "

Esri’s security strategy
Deliver secure GIS products
 * [Incorporate security industry best practices.]
 * Trusted geospatial services across the globe.
 * Meet needs of individual users and entire organizations.

Provide secure GIS solution guidance 
 * [Enterprise Resource Center]
 * [Shares Esri security patterns]

Esri informal pattern selection
Your security needs are unique. Figure 9.10 shows a full range of security levels available for ArcGIS users. Esri provides an approach to classifying the level of security required to manage your security risk.


 * Basic security:
 * Minimum level of security investment.
 * Enables simple and lowest system cost.
 * Enables full access to internet data sources and Online services.
 * Provides optimum business environment for external collaboration.
 * Extends enterprise operations to include connected mobile applications.
 * Protects system from internet virus attacks.


 * Standard security:
 * Moderate level of security investment.
 * Moderate increase in complexity and system cost.
 * Enables full access to Internet data sources and online services.
 * Provides optimum business environment for external collaboration.
 * Extends enterprise operations to include connected mobile applications.
 * Protects system from a variety of security risks.


 * Advanced security:
 * Heavy level of security investment.
 * High increase in complexity and system cost.
 * Restricts access to Internet data sources and online services.
 * Eliminates external online collaboration.
 * Prevents most connected mobile applications.
 * Provides optimum protection to manage security risks.

"Best practice: Apply appropriate mitigation strategies to address your unique confidentiality, integrity, and availability business requirements. " 

Basic security needs
Figure 9.11 shows a Basic security architecture. Basic security provides the minimum level of protection required for secure enterprise operations.

Common attributes: 
 * Utilize data and API downloads from public clouds.
 * Secure services with ArcGIS token service.
 * Separate internal systems from Internet access with DMZ.
 * Implement web application firewall and reverse proxy and enforce HTTP communications across firewalls.

Standard security needs
Figure 9.12 shows a Standard security architecture. Standard security provides moderate level of protection for secure enterprise operations.

Common attributes include: 
 * Web application firewall on reverse proxy
 * Provide separate web service access for internal users
 * Dynamic ArcGIS tokens
 * LDAP or active directory services
 * Separate tiers with VLANs (web, database, and management)
 * Multi-factor authentication for external users
 * Separate management traffic connections
 * Redundant components
 * Local copies of all high-availability data
 * Install APIs on local ArcGIS for Server for internal users
 * Intrusion prevention/detection systems
 * Lock down ports, protocols, services (Hardening whitepaper)
 * Standardize system images (SMS whitepaper)
 * Host-based firewalls on systems
 * Browser plug-in restrictions

Advanced security needs
Figure 9.13 shows an Advanced security architecture. Advanced security provides the highest level of protection for secure enterprise operations.

Common attributes include:
 * Minimal reliance on external data/systems
 * On-premise ArcGIS Online services (ArcGIS Online behind your firewall)
 * Data and services within data center or private cloud hosting


 * Separate web and database server for internal web services
 * Separate datasets (e.g., public, employees, employee subset)
 * Consider explicit labels
 * Clustered database with transparent data encryption (TDE)
 * Public key infrastructure (PKI) certificates
 * Local user access via multi-factor authentication.
 * Something the user knows (password, PIN)
 * Something the user has (ATM card, smart card)
 * Something the user is (biometric characteristic, such as a fingerprint)


 * Remote user access via hardware token multi-factor
 * Network connections redundant with IPSec between servers
 * Secure socket layer (SSL) or transmission layer security (TLS) between clients and servers (web and rich clients)
 * Network access control (NAC)

Security in the cloud
Figure 9.14 shows the standard Cloud hosting patterns and user security practices. Security challenges in the cloud are familiar to any IT manager: loss of data, threats to the infrastructure, and compliance risk. What is new is the way these threats play out in a cloud environment.


 * ArcGIS in the cloud

Software as a Service (SaaS): Direct user interface for building services
 * ArcGIS Online (ArcGIS.com)
 * Business Analyst Online
 * ArcGIS Explorer Online

Platform as a Service (PaaS); Developer interface for building services
 * Esri web mapping APIs (JavaScript, Flex, Silverlight)
 * Microsoft Azure ArcGIS applications

Infrastructure as a Service (IaaS): IT administrator interface for building services
 * ArcGIS for Server on Amazon EC2
 * Terremark Cloud (now Verizon)
 * Private cloud

Cloud security is:
 * The response to a familiar set of security challenges that manifest differently in the cloud.
 * A set of policies, technologies, and controls designed to protect data and infrastructure from attack and enable regulatory compliance.
 * Layered technologies that create a durable security net or grid.
 * The joint responsibility of your organization and its cloud provider(s).

Cloud security is not:
 * A one-size-fits-all solution that can protect all your IT assets. In addition to different cloud delivery models, the cloud services you deploy will most likely require more than one approach to security.
 * A closed-perimeter approach or a "fill-the-gap" measure. Organizations can no longer rely on firewalls as a single point of control, and cobbling together security solutions to protect a single vulnerability may leave you open in places you do not suspect.
 * Something you can assume is provided at the level you require by your cloud service providers. Make sure you spell out and can verify what you require.

"Warning: Cloud computing security is a broad topic with hundreds of considerations: from protecting hardware and platform technologies in the data center to enabling regulatory compliance and defending cloud access through different end-point devices. " 

Cloud implementation options
Cloud security is evolving to satisfy customer needs. Figure 9.15 shows the risk tradeoff of several standard Cloud implementation options. Security management options vary based on the available service models, deployment models, and management models utilized in your deployment scenario.

Deployment strategies can include a mix of self-managed and vendor-managed security options.

Self-managed deployment options:
 * Non-cloud on-premise ArcGIS for Server deployment
 * IaaS-based community private cloud deployment
 * Hybrid deployment including IaaS and on-premise services

Vendor-managed deployment options:
 * Vendor-managed IaaS-based community private cloud deployment
 * Vendor-managed hybrid deployment including IaaS public and private cloud services
 * Vendor-managed IaaS-based public cloud deployment
 * Public SaaS-based deployment

"Best practice: An optimum security program involves an appropriate tradeoff between self- and vendor-managed risk. "

ArcGIS cloud hybrid capabilities
Figure 9.16 shows a ArcGIS for Server hybrid cloud deployment. A hybrid cloud may provide your best deployment solution, taking advantage of available technology in the most optimum way without compromising security. Deployment strategies can include a mix of self-managed and vendor-managed security options.

Hybrid solutions leverage the best technology options:
 * Internal-hosted service layers can provide your full internal level of security.
 * Private IaaS clouds provide scalable on-demand internal services while retaining required security.
 * Geodatabase replication services provide filtered content to physically separate internal secure data from external remote access.
 * Sensitive data layers can be published from within the data center for mash-up with authenticated field-worker displays.
 * ArcGIS Online organizations provide collaboration and data sharing with protected groups of agency locations.
 * ArcGIS Online subscription services (and public IaaS hosting) provide scalable public access for on-demand services.

"Best practice: Provide optimum enterprise security through hybrid cloud deployments. "

Web firewall best practices
Figure 9.17 shows best practices for firewall protection. Firewall configurations are provided to support communication between various levels of security. The effectiveness of your firewall configuration will depend on proper technology implementation.

Esri provides guidance and recommendations for different security patterns based on your security needs.
 * [Enterprise GIS Security Patterns]
 * [Configuring ArcGIS for Server security]
 * [Ports used by ArcGIS for Server.]

"Best practice: Security in depth provides multiple layers of defense between public access and protected data resources."

Public services should be deployed on separate servers from sensitive private internal services.
 * Separate web services tier increases security layer protection.
 * Deploy public services and internal private services on separate GIS server sites.
 * Separate publication dataset from production dataset for optimum protection.

High-availability services avoid a single point of failure.
 * Multiple servers ensure operational system with one server down.
 * Multiple online copies of operational data ensure continued operations with loss of one copy.
 * Point-in-time backups are critical—most data corruptions are caused by procedural error.
 * Additional backup copy of critical data should be stored off-site.

Web services with proxy server
Figure 9.18 shows ArcGIS web services with proxy server. Reverse proxy servers hide the existence and characteristics of the internal application server.

"Best practice: Basic security: Internal web server components can be installed on a single server tier to reduce cost."

ArcGIS for Server reverse proxy architecture (ArcGIS 10.1+):
 * Web client sends request to web server in the DMZ.
 * DMZ web server sends request to reverse proxy for routing to private GIS servers.

"Best practice: ArcGIS for Server web adaptor will provide reverse proxy and load balancing to the private GIS server site."


 * GIS server distributes (load balances) in-bound requests to available service instance located within the GIS server site.
 * Service instance executables access required data sources and service the request.
 * Service instance output is delivered back to the web client.

Additional functionality 
 * Application firewall features can protect against common web-based attacks. Without a reverse proxy, removing malware or initiating takedowns, for example, can become difficult.
 * In the case of secure websites, the SSL encryption is sometimes not performed by the web server itself, but is instead off-loaded to a reverse proxy that may be equipped with SSL acceleration hardware.
 * A reverse proxy can distribute the load from incoming requests to several servers, with each server serving its own application area. In the case of reverse proxying in the neighborhood of web servers, the reverse proxy may have to rewrite the URL in each incoming request, in order to match the relevant internal location of the requested resource.
 * A reverse proxy can reduce load on its origin servers by caching static content, as well as dynamic content. Proxy caches of this sort can often satisfy a considerable amount of website requests, greatly reducing the load on the origin server(s). Another term for this is web accelerator.
 * A reverse proxy can optimize content by compressing it in order to speed up loading times.
 * Reverse proxies can be used whenever multiple web servers must be accessible via a single public IP address. The web servers listen on different ports in the same machine, with the same local IP address or, possibly, on different machines and different local IP addresses altogether. The reverse proxy analyzes each incoming call and delivers it to the right server within the local area network.

Web and ArcGIS for Server components in DMZ
Figure 9.19 shows ArcGIS web and GIS Server components in the DMZ. Web and GIS server components can be deployed in the DMZ along with replicated data sources or with access through the firewall to an internal DBMS.

"Best practice: Basic security: Web server DMZ components can be installed on a single server tier to reduce cost."

ArcGIS for Server reverse proxy architecture (ArcGIS 10.1+):
 * Reverse proxy secures administrative access to GIS server.
 * Web adaptor provides reverse proxy and network load balancing.
 * Web application firewall can enhance web service security.

GIS server access to required data sources must be secured.
 * File sources must be replicated to the DMZ to protect internal resources.
 * DBMS data sources should be replicated to DMZ for optimum security.

"Warning: Some security officers find this solution not acceptable because it provides direct access to the DBMS from the DMZ. "


 * SSL secured port connections can be used to access internal DBMS data source.

"Best practice: ArcGIS for Server web adaptor will provide reverse proxy and network load balancing protecting administrative access to the GIS server site."


 * GIS server distributes (load balance) in-bound requests to available service instance located within the GIS server site.
 * Service instance executables access required data sources and service the request.
 * Service instance output is delivered back to the web client.

"Best practice: Web application server installed with the web server can enhance web service security." <br style="clear: both" />

Security strategy overview
Figure 9.20 shows a summary of security facts and recommended actions. Security is everybody's job, there is no exception. The world is not a secure environment, and you need to keep your eyes and minds open to the threats around you.

There is no single solution for security.
 * There are costs and trade-offs that must be made to support an optimum solution.
 * Too much security controls can reduce productivity and increase cost.
 * Too little attention and control can result in loss of property and the ability to perform.

"Best practice: Finding the right balance is important, and the right solution can be a moving target. "

Security resources

 * Esri [Enterprise GIS Security Resource Center]


 * [CSI Computer Crime and Security Survey 2010-2011]


 * [[https://www.nsslabs.com/ Web Browser Security Test Reports


 * [Windows on Amazon EC2 Security Guide]


 * [Selected Documents on Confidentiality and Geospatial Data]


 * [SaaS, PaaS, and IaaS: A Security Checklist]

<br style="clear: both" />

Previous Editions
Information Security 32nd Edition (Spring 2013) Information Security 31st Edition (Fall 2012) Information Security 30th Edition (Fall 2011) Information Security 29th Edition (Spring 2011) Information Security 28th Edition (Fall 2010) Information Security 27th Edition (Spring 2010)

Page Footer Specific license terms for this content System Design Strategies 26th edition - An Esri ® Technical Reference  Document • 2009 (final PDF release)