Information Security 37th Edition

Fall 2015 Information Security 37th Edition

This chapter provides an introduction to the purpose and scope of information security. Basic concepts are introduced for developing security solutions that meet your business needs. Esri's information patterns share how to establish security measures appropriate for your organization.

Enterprise security can be a challenge for IT architects and security specialists. Until the last few years, entire IT systems were frequently designed around a single mission objective and a single "community of interest," normally supported with physically isolated systems, each with its own data stores and applications. New emerging standards are supported with more mature communication environments, more intelligent operating systems, and a variety of standard integration protocols enabling IT architects to design and maintain comprehensive organization-wide interactive enterprise solutions.

Recent industry advancements, especially in the areas of web service standards and service-oriented architectures, are enabling architects to more effectively satisfy enterprise security objectives. Esri's careful attention to these standards, coupled with an overall philosophy of providing highly interoperable software, provides security architects with a high level of flexibility, thus establishing trust for all Esri components contained in an enterprise solution.

A full discussion on enterprise security is beyond the scope of this chapter. The [Trust ArcGIS] site provides unified access to security related information for enterprise solutions using Esri products. The Trust ArcGIS web site includes a section on [ArcGIS Security] for Cloud, Server, Desktop and Mobile deployment patterns. 

What is information security?
Information security is the process of protecting the availability, privacy, and integrity of data. Risk management is an overall goal of every organization. Information security is one of the disciplines within the organization that addresses risk management. Risk is also managed through additional business continuity and information technology initiatives.

Information security has some common characteristics with business continuity and information technology as shown in Figure 9.1. 
 * Information security is a subset of overall risk management.
 * Information security is important in maintaining business continuance.
 * Information security is managed in part by information technology.

Four types of security threats
Information security is focused on addressing the four types of security threats identified in Figure 9.2. These security threats include natural disasters, malicious attacks, internal attacks, and system malfunctions or human error.

National Institute of Standards and Technology (NIST) definition of a security threat: Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability.

"Best Practice: Security controls are developed and deployed to protect against identified security threats. " 

CIA security triad
Figure 9.3 shows the CIA triad. The core principals of information security management are represented by the CIA triad.

The CIA triad includes confidentiality, integrity, and availability.
 * Confidentiality is protection of "privileged" communications, restricting user access to core business information based on a "need to know" principle.
 * Integrity refers to the trustworthiness of business data resources and the associated information products generated over its entire life cycle.
 * Availability refers to ensuring the information system is functional when needed to support operational business requirements.

Information security industry standards will be identified and applied as mechanisms of protection and prevention in the following three main areas:
 * Hardware
 * Software
 * Communications

Protection and prevention will be implemented at three levels, or layers:
 * People (personal security)
 * Procedures (organizational security)
 * Products (physical security)

"Best practice: The CIA triad is used to provide proper scope and focus for information security management." 

Levels of Security
Figure 9.4 shows the defense in depth concept. Defense in depth is an information assurance concept in which multiple layers of security controls (defenses) are placed throughout an IT system.

Multiple levels of security:
 * Physical controls (fences, guards, locks, etc.)
 * Policy controls (administrative policies and procedures)
 * Technical controls (system configuration)

Types of technical controls:
 * Authentication (user identity strategy, user name and password, keycards, keywords, etc.)
 * Authorization (role-based access policies, access control rules, etc.)
 * Filters (routing based on group policy, active directory containers, user identity, etc.)
 * Encryption (scrabbling information for unreadable transmission or storage)
 * Logging (record of security-related transactions)

Technical controls are implemented throughout the physical system providing multiple layers of defense:
 * Application controls (LDAP, SSO, HTML content filters, validation checks, secure stored procedures)
 * Host/device controls (native authentication, LDAP, repository, hardening guides, HIDS)
 * Network controls (firewalls, NIDS, single socket layer - SSL, IPSEC)
 * Data controls (authentication, role-based authorization, row-level access, data file encryption)

Examples of defense in depth:
 * Application functional limitations (view only)
 * Reverse proxy server (restrict port access)
 * Web application firewall (monitor traffic, restrict access, route traffic)
 * Web server (provide extra physical transmission layer)
 * ArcGIS for Server (restrict access to published services, user authentication, restricted data access)
 * Geodatabase server (restrict access to published services, user authentication, restricted table and row access, monitor traffic)

Idea behind defense in depth:
 * Defend a system using multiple varying protection methods.
 * Provide a comprehensive approach to information security.

Defense in depth seeks to delay advance of an attack:
 * Yield space in order to buy time without preventing proper access.
 * Prevent penetration and direct attacks by providing multiple layers of defense.
 * Prevent security breaches and buy time to detect and respond to an attack.

"Best practice: Multiple layers of defense improve information security."

"Warning: Do not expect a high level of protection from a single layer of defense. "

Review current security trends
Information security is a growing science
 * Dollar amount losses by threat
 * Security technologies utilized

Review security options
 * Trust ArcGIS site
 * Enterprise-wide security mechanisms
 * Application-specific options

Implement security as a business enabler 
 * Improve appropriate availability of information.

Standards approach to security risk management.
Figure 9.5 shows a standards approach to security risk management. Standard approaches to security risk management are well established and should be followed to ensure compliance.

Identify your security needs
 * Review industry security threats.
 * Assess your environment.
 * Evaluate risk to datasets and operational systems.
 * Determine sensitivity, categorization, and patterns of risk.

Key steps to effective information security:
 * 1) Legislation. Review regulations related to your industry.  Security regulations may dictate compliance standards and a security implementation framework; there may be negative business consequences for non-compliance.
 * 2) Benefits. Identify any potential benefits that can be derived from security compliance and operational savings that can be attributed to the proposed security program. This can be helpful in justifying security program expenses.
 * 3) Objectives. Establish SMART information security program objectives.  Objectives should be specific, measurable, attainable, relevant, and time-bound.
 * 4) Framework. Identify an information security management approach and methodology that will deliver results.  Several frameworks have been developed and shared for general use in establishing an information security program.  Information Security Frameworks can be industry specific and share focused best practices that address your business needs.
 * 5) Approved planning. Establish a plan for the security risk assessment effort.  You will need management authorization for required resources, support, and funding.
 * 6) Risk assessment and mitigation. Complete a risk assessment security needs analysis identifying potential threats and associated mitigation strategies.
 * 7) Safeguards. Identify security procedures (rules) and technology (tools) that must be implemented to address identified security needs.
 * 8) Training and awareness. Design and build the approved security solutions.  Implement training and awareness programs to implement and enforce identified security practices.
 * 9) Implementation. Operate and support the security solutions.  Monitor levels of protection and measure compliance.

Steps 1-5 are required efforts to establish a successful security program. Security program should be presented and endorsed by Executive management, and an Executive sponsor should be actively committed to enforcing the objectives of the security program.

Information security management is an active ongoing effort assessing risks, defining security requirements, and measuring security solutions.

IT group must be on board to design, build, and operate the approved security solutions. Periodic audit reviews and formal compliance demonstrations are essential to assess risk management effectiveness. Executive sponsor should actively review progress in meeting the established security program SMART objectives.

"Best practice: Security management is a continuous process of reviewing and updating security rules and supporting technology to maintain a proper level of defense against evolving security threats.."

Security framework and compliance
Figure 9.6 shows what tools the Federal Chief Information Security Officers (CIFOs) are using to manage their secure operations.

Recommended best practices:
 * Choose a security standard.
 * Perform an assessment relative to standard metrics.

"Best practice: Best way to get it right is to follow a methodology developed by those who have established a pathway for success. " 

Esri security strategy evolution
Figure 9.7 shows security moving from an isolated product solution focus to addressing security on an integrated solutions level. Enterprise IT solutions are changing including more transparency, sharing, collaboration, and web access. Security policies are adapting to these changes.


 * Product

User workflow environment:
 * Isolated systems
 * Primarily desktop or internal network solutions
 * Limited web access
 * Data entry provided by well-defined workflows

Security solutions focused on isolated systems:
 * Protecting discrete products and services
 * Protecting focused user workflow environments
 * Include third-party security additions


 * Enterprise

User workflow environment:
 * Multiple clients and user locations
 * Multiple servers and data center locations
 * User collaboration across multiple integrated systems
 * Discretionary user grouping and sharing
 * Common interface with cloud-hosted services

Enterprise security solutions:
 * Integrated enterprise platforms and services
 * Multi-layered embedded security protection
 * Adaptive user-driven security controls
 * Include third-party security additions


 * Solution

Managed security solutions: 
 * Solution templates established based on industry standards.
 * Best practices developed and shared by community leaders.
 * Solution strategies involve integration of multiple enterprise environments.
 * Security solutions are expanded to include cloud deployments.

ArcGIS for Server security authentication and authorization
ArcGIS for Server security solutions include ArcGIS for Server tier authentication or enterprise level integration using Web tier authentication with Microsoft Active Directory or Lightweight Directory Access Protocol (LDAP).

ArcGIS for Server tier authentication
ArcGIS Server (AGS) site manages user authentication and service authorization.
 * Authentication credentials are stored in the AGS site identity store (secure users).
 * Authorization credentials are stored in the AGS site identity store (roles).
 * Privileges are assigned by administrative user roles.
 * Service access is authorized based on identified roles (AGS folders).
 * ArcGIS Server administrator manages user membership, user privileges and service access permissions (roles), and assigns users to roles.
 * Service publishers share published services with available roles.


 * Service authorization is provided by ArcGIS Server token based authentication.

ArcGIS for Server tier security authorization data flow
 * User security credentials are provided to the AGS site Web adaptor or third party reverse proxy.
 * AGS site Web adaptor (or third party reverse proxy) sends credentials to the ArcGIS for Server site.
 * AGS site identity store is used to complete authentication and authorization
 * Service authorization is provided by ArcGIS Server token based authentication.

Help: Configuring ArcGIS Server security 

Enterprise ArcGIS for Server tier authentication
ArcGIS Server (AGS) site manages service authorization based on validated enterprise user authentication.
 * Authentication credentials are stored in the enterprise Active Directory/LDAP data store (secured users) and replicated to the ArcGIS for Server identity store (user name and password).

Two authentication options are available.
 * Privileges managed by ArcGIS Server site identity store (roles).
 * Enterprise Active Directory/LDAP administrator manages user membership.
 * ArcGIS Server administrator manages user privileges and access permissions (roles), and assigns Active Directory/LDAP identified users to roles.
 * Service publishers share published services with available roles assigned by the ArcGIS Server site administrator.


 * Privileges managed by Active Directory/LDAP data store (roles).
 * Enterprise Active Directory/LDAP administrator manages user membership, user privileges and access permissions (roles), and assigns users to roles.
 * Service publishers share published services with available roles assigned by the Active Directory/LDAP administrator.


 * Service authorization is provided by ArcGIS Server token based authentication.

Enterprise ArcGIS Server tier security authorization data flow
 * ArcGIS Server site identity store read only trust relationship is configured with the Enterprise security directory data store.
 * User security credentials are provided to the AGS site Web adaptor or third party reverse proxy.
 * AGS site Web adaptor (or third party reverse proxy) sends credentials to the ArcGIS for Server site.
 * AGS site identity store is used to complete authentication and authorization
 * Service authorization is provided by ArcGIS Server token based authentication.

Help: Advanced considerations when using domain accounts

"Best practice: Use secure socket layer (SSL) communications when transmitting user identification information over unsecure network. " 

Enterprise level Web tier authentication
ArcGIS Server (AGS) site manages service authorization based on validated enterprise user authentication.
 * Authentication credentials are stored in the enterprise Active Directory/LDAP data store (secured users).

Two authentication options are available.
 * Privileges managed by ArcGIS Server site identity store (roles).
 * Enterprise Active Directory/LDAP administrator manages user membership.
 * ArcGIS Server administrator manages user privileges and access permissions (roles), and assigns Active Directory/LDAP identified users to roles.
 * Service publishers share published services with available roles assigned by the ArcGIS Server site administrator.


 * Privileges managed by Active Directory/LDAP data store (roles).
 * Enterprise Active Directory/LDAP administrator manages user membership, user privileges and access permissions (roles), and assigns users to roles.
 * Service publishers share published services with available roles assigned by the Active Directory/LDAP administrator.


 * Service authorization is provided by ArcGIS Server token based authentication.

Enterprise level Web tier security authorization data flow
 * ArcGIS Server site identity store read only trust relationship is configured with the Enterprise security directory data store.
 * User security credentials are provided to the Web server.
 * Web server sends user credentials to the Active Directory/LDAP server.
 * Active Directory/LDAP data store is used to complete authentication.
 * Validated authentication credentials are returned to the Web server.
 * AGS Web Adaptor sends validated authentication credentials to the ArcGIS Server site.
 * GIS Server identity store provides authorization for service access to client.
 * Service authorization is provided by ArcGIS Server token based authentication.

Help: Securing web services with Integrated Windows Authentication

"Best practice: Use secure socket layer (SSL) communications when transmitting user identification information over unsecure network. " 

ArcGIS portal information model
The GIS portal gives a self-service content management platform for managing geospatial content as shown in Figure 9.10.

The portal information model includes Users, Groups, Items, and Tags. 
 * Users own items and can own or join groups.
 * Groups are used to organize and secure user items.
 * Items identify user content added to the Portal.
 * Tags identify item content for search purposes.

Web GIS access and privileges
Portal privileges are based on named user roles managed by the Portal administrator as shown in Figure 9.11. Published maps and apps can be shared to anonymous (public) users outside the organization. Administrator has the capability to restrict shared services to named users within the organization (exclude anonymous access).

Portal security is managed by named user membership with the following privileges: 
 * Administrators have full permissions and manage portal named user membership.
 * All named users can use maps and apps, create content, share maps and apps, join and create groups, and edit features.
 * Named users with a publisher role are able to publish hosted web layers and have full access to ArcGIS Online analysis services. Online services include access to Business and Community demographics, spatial analysis, network routing, world geocoding, and landscape feature services.  Use of these services consume Organization online credits.
 * Administrators are able to create custom roles for more focused named user privileges. ArcGIS Online custom roles allow administrators to assign granular access (specific online analysis services) to named users based on their operational needs.

ArcGIS Online security authentication and authorization
ArcGIS Online provides secure access to shared maps, apps, and data packages hosted in your private ArcGIS Online Organization in the Cloud. Organization membership is limited to named users, with member authentication and resource access managed in a Cloud based security store. Security assertion markup language (SAML) authentication can be used to integrate the ArcGIS Online Organization security store with on-premise security solutions for Enterprise level member authentication.

Groups are created and managed by Organization named users.
 * Administrators have full permissions and manage organization membership (named users) and user roles.
 * Organization named users can create and manage their own group membership and permissions. Groups can be private, organization, or public access. An Online Organization membership is required to participate in managed group membership. Group users have contributor or viewer permissions.
 * When you add layers to an ArcGIS Online Web map from a Web service, these layers are published from their source site and delivered direct to the client. The source site manages any additional client authentication and validation requirements for the selected service (no data gets transferred through the ArcGIS Online site.)  Web map layers are assembled in the mashup at the client browser display.

ArcGIS Online authentication
ArcGIS Online global security store manages authentication and authorization.
 * Authentication credentials are stored in the ArcGIS Online global security store (named users).
 * Privileges and group membership are stored in the ArcGIS Online global security store (roles).
 * ArcGIS Online Organization administrator identifies and manages named users, creates custom privileges, and assigns named user privileges (roles).
 * ArcGIS Online named users create and manage ArcGIS Online Organization groups.
 * Service publishers share published services with ArcGIS Online Organization groups.
 * Service access authorization is based on group membership.

ArcGIS Online security authorization data flow 
 * User security credentials are provided to the ArcGIS Online global security store.
 * ArcGIS Online global security store is used to complete authentication and authorization
 * Service authorization is provided by ArcGIS Online token based authentication.

ArcGIS Online SAML authentication
Active directory or LDAP can be used for Online Organization membership authentication. SAML communication protocols are used for remote enterprise-level member authentication and validation.

ArcGIS Online service authorization based on SAML authentication.
 * Authentication credentials are stored in the enterprise Active Directory/LDAP data store (named users).
 * Enterprise Active Directory/LDAP administrator identifies and manages ArcGIS Online Organization named user membership.
 * ArcGIS Online server administrator defines custom privileges, assigns privileges to identified SAML validated users, and manages ArcGIS Online groups.
 * ArcGIS Online named users create and manage ArcGIS Online Organization groups.
 * ArcGIS Online named users share published services with identified ArcGIS Online Organization groups.
 * Service access authorization is based on group membership.

ArcGIS Online for Organizations SAML security authorization data flow
 * ArcGIS Online global security store SAML identify provider trust relationship is configured with the Enterprise security directory data store.
 * User security credentials are provided to ArcGIS Online.
 * ArcGIS Online sends user credentials to the SAML identify provider.
 * SAML identify provider sends user credentials to the Enterprise Active Directory/LDAP server.
 * Active Directory/LDAP data store is used to complete authentication.
 * Validated authentication credentials are returned to the ArcGIS Online global security store.
 * Global security store credentials are used to authorize named user privileges and services access.
 * AGOL global security store provides authorization for service access to client.
 * Service authorization is provided by ArcGIS Online token based authentication.

"Best practice: Use secure socket layer (SSL) communications when transmitting user identification information over unsecure network. " 

Portal for ArcGIS security authentication and authorization
Portal for ArcGIS security solutions provide Portal tier authentication by the Portal for ArcGIS identity store or Web tier Enterprise level integration using Active Directory/LDAP authentication.

Portal for ArcGIS server authentication
Portal for ArcGIS identity store manages authentication and authorization.
 * Authentication credentials are stored in the Portal identity store (named users).
 * Privileges and group membership are stored in the Portal identity store (roles).
 * Portal server administrator identifies and manages named users, creates custom privileges, and assigns named user privileges (roles).
 * Portal named users create and manage Portal groups.
 * Service publishers share published services with groups.


 * Service access authorization is based on group membership.

Portal for ArcGIS server tier security authorization data flow
 * User security credentials are provided to the Portal Web adaptor.
 * Portal Web adaptor sends user credentials to the Portal server.
 * Portal identity store is used to complete authentication and authorization
 * Service authorization is provided by Portal for ArcGIS token based authentication.

Help: About configuring portal authentication 

Enterprise Portal for ArcGIS tier authentication
Portal for ArcGIS manages service authorization based on validated enterprise user authentication.
 * Authentication credentials are stored in the enterprise Active Directory/LDAP data store (named users) and replicated to the Portal for ArcGIS identity store.

Three unique security management configurations options. Organization must select the security management option that best supports their business needs.
 * Portal named users are identified and managed by the Enterprise Active Directory/LDAP administrator.
 * Enterprise Active Directory/LDAP administrator identifies and manages Portal named user membership.
 * Portal server administrator defines custom privileges, assigns privileges to identified Active Directory/LDAP users, and manages Portal groups.
 * Portal named users create and manage Portal groups.
 * Portal named users share published services with identified Portal groups.


 * Portal named users and privileges (roles) are identified and managed by the Enterprise Active Directory/LDAP administrator.
 * Enterprise Active Directory/LDAP administrator identifies and manages Portal named user membership, defines custom privileges, and assigns privileges to identified Portal named users.
 * Portal server administrator manages Portal groups.
 * Portal named users create and manage Portal groups.
 * Named users share published services with identified Portal groups.


 * Portal named users, privileges (roles), and Portal groups are identified and managed by the Enterprise Active Directory/LDAP administrator.
 * Enterprise Active Directory/LDAP administrator identifies and manages Portal named user membership, defines custom privileges, assigns privileges to identified Portal named users, and manages Portal groups.
 * Portal named users share published services with identified Portal groups.


 * Service access authorization is based on group membership.

Portal for ArcGIS Web tier security authorization data flow
 * Portal for ArcGIS identity store read only trust relationship is configured with the Enterprise security directory data store.
 * User security credentials are provided to the Portal Web adaptor.
 * Portal Web adaptor sends user credentials to the Portal server.
 * Portal identity store is used to complete authentication and authorization
 * Service authorization is provided by Portal for ArcGIS token based authentication.

Help: Configure Portal to use Enterprise Identity Store 

Portal for ArcGIS Enterprise level Web tier authentication
Portal for ArcGIS manages service authorization based on validated enterprise user authentication.
 * Authentication credentials are stored in the enterprise Active Directory/LDAP data store (named users).

Three unique security management configurations options. Organization must select the security management option that best supports their business needs.
 * Portal named users are identified and managed by the Enterprise Active Directory/LDAP administrator.
 * Enterprise Active Directory/LDAP administrator identifies and manages Portal named user membership.
 * Portal server administrator defines custom privileges, assigns privileges to identified Active Directory/LDAP users, and manages Portal groups.
 * Portal named users create and manage Portal groups.
 * Portal named users share published services with identified Portal groups.


 * Portal named users and privileges (roles) are identified and managed by the Enterprise Active Directory/LDAP administrator.
 * Enterprise Active Directory/LDAP administrator identifies and manages Portal named user membership, defines custom privileges, and assigns privileges to identified Portal named users.
 * Portal server administrator manages Portal groups.
 * Portal named users create and manage Portal groups.
 * Named users share published services with identified Portal groups.


 * Portal named users, privileges (roles), and Portal groups are identified and managed by the Enterprise Active Directory/LDAP administrator.
 * Enterprise Active Directory/LDAP administrator identifies and manages Portal named user membership, defines custom privileges, assigns privileges to identified Portal named users, and manages Portal groups.
 * Portal named users share published services with identified Portal groups.


 * Service access authorization is based on group membership.

Portal for ArcGIS Web tier security authorization data flow
 * Portal for ArcGIS identity store read only trust relationship is configured with the Enterprise security directory data store.
 * User security credentials are provided to the Web server.
 * Web server sends user credentials to the Active Directory/LDAP server.
 * Active Directory/LDAP data store is used to complete authentication.
 * Validated authentication credentials are returned to the Web server.
 * Portal Web adaptor send validated authentication credentials to the Portal server.
 * Portal identity store provides authorization for service access to client.
 * Service authorization is provided by Portal for ArcGIS token based authentication.

Help: Using Integrated Windows Authentication with your portal <br style="clear: both" />

GIS portal architecture in ArcGIS Online
ArcGIS Online Organization provides SaaS cloud solution for portal content management and sharing as shown in Figure 9.16.

ArcGIS Online (AGOL) portal architecture includes Users, Groups, and items.

Users provide content access
 * Requires ArcGIS Online services subscription
 * Funded by AGOL organization credits
 * Authorization provided by Esri global or organization's Enterprise security store.
 * Items are created and owned by licensed named users.
 * Users have access to portal subscription apps
 * Publishers can publish online feature services

Items provide user managed content
 * Files
 * Service links (Online Basemaps and Web Services)
 * Web Maps and user apps

Groups link items and users. <br style="clear: both" />

Portal for ArcGIS relationship to Server
Portal for ArcGIS provides on-premise solution for portal content management and sharing as shown in Figure 9.17.

Portal for ArcGIS architecture includes Users, Groups, and items.

Users provide content access
 * Requires hosted ArcGIS Server.
 * Funded by on-premise ArcGIS for Server licensing.
 * Authorization provided by Portal security store or organization's Enterprise security store.
 * Items are created and owned by licensed named users.
 * Users have access to portal subscription apps.
 * Publishers can create and publish portal services.

Items provide user managed content
 * Files
 * Service links (Online Basemaps/ArcGIS Data Appliance and Web Services).
 * Web Maps and user apps.

Groups link items and users.

Security in the cloud
Figure 9.18 shows the standard Cloud hosting patterns and user security practices. Security challenges in the cloud are familiar to any IT manager: loss of data, threats to the infrastructure, and compliance risk. What is new is the way these threats play out in a cloud environment.


 * ArcGIS in the cloud

Software as a Service (SaaS): Direct user interface for building services
 * ArcGIS Online (ArcGIS.com)
 * Business Analyst Online
 * ArcGIS Explorer Online

Platform as a Service (PaaS); Developer interface for building services
 * Esri web mapping APIs (JavaScript, Flex, Silverlight)
 * Microsoft Azure ArcGIS applications

Infrastructure as a Service (IaaS): IT administrator interface for building services
 * ArcGIS for Server on Amazon EC2
 * Terremark Cloud (now Verizon)
 * Private cloud

Cloud security is:
 * The response to a familiar set of security challenges that manifest differently in the cloud.
 * A set of policies, technologies, and controls designed to protect data and infrastructure from attack and enable regulatory compliance.
 * Layered technologies that create a durable security net or grid.
 * The joint responsibility of your organization and its cloud provider(s).

Cloud security is not:
 * A one-size-fits-all solution that can protect all your IT assets. In addition to different cloud delivery models, the cloud services you deploy will most likely require more than one approach to security.
 * A closed-perimeter approach or a "fill-the-gap" measure. Organizations can no longer rely on firewalls as a single point of control, and cobbling together security solutions to protect a single vulnerability may leave you open in places you do not suspect.
 * Something you can assume is provided at the level you require by your cloud service providers. Make sure you spell out and can verify what you require.

"Warning: Cloud computing security is a broad topic with hundreds of considerations: from protecting hardware and platform technologies in the data center to enabling regulatory compliance and defending cloud access through different end-point devices. " <br style="clear: both" />

Cloud implementation options
Cloud security is evolving to satisfy customer needs. Figure 9.19 shows the risk tradeoff of several standard Cloud implementation options. Security management options vary based on the available service models, deployment models, and management models utilized in your deployment scenario.

Deployment strategies can include a mix of self-managed and vendor-managed security options.

Self-managed deployment options:
 * Non-cloud on-premise ArcGIS for Server deployment
 * Portal for ArcGIS on-premise content management
 * IaaS-based community private cloud deployment
 * Hybrid deployment including IaaS and on-premise services

Vendor-managed deployment options:
 * Vendor-managed IaaS-based community private cloud deployment
 * Vendor-managed hybrid deployment including IaaS public and private cloud services
 * Vendor-managed IaaS-based public cloud deployment
 * Vendor-managed ArcGIS Online content management
 * Public SaaS-based services deployment

"Best practice: An optimum security program involves an appropriate tradeoff between self- and vendor-managed risk. " <br style="clear: both" />

ArcGIS cloud hybrid capabilities
Figure 9.20 shows a ArcGIS for Server hybrid cloud deployment. A hybrid cloud may provide your best deployment solution, taking advantage of available technology in the most optimum way without compromising security. Deployment strategies can include a mix of self-managed and vendor-managed security options.

Hybrid solutions leverage the best technology options:
 * Internal-hosted service layers can provide your full internal level of security.
 * Private IaaS clouds provide scalable on-demand internal services while retaining required security.
 * Geodatabase replication services provide filtered content to physically separate internal secure data from external remote access.
 * Sensitive data layers can be published from within the data center for mash-up with authenticated field-worker displays.
 * ArcGIS Online organizations provide collaboration and data sharing with protected groups of agency locations.
 * ArcGIS Online subscription services (and public IaaS hosting) provide scalable public access for on-demand services.

"Best practice: Provide optimum enterprise security through hybrid cloud deployments. "

Esri’s security strategy
Deliver secure GIS products <br style="clear: both" />
 * [Incorporate security industry best practices.]
 * Trusted geospatial services across the globe.
 * Meet needs of individual users and entire organizations.

Esri informal pattern selection
Your security needs are unique. Figure 9.21 shows a full range of security levels available for ArcGIS users. Esri provides an approach to classifying the level of security required to manage your security risk.


 * Basic security:
 * Minimum level of security investment.
 * Enables simple and lowest system cost.
 * Enables full access to internet data sources and Online services.
 * Provides optimum business environment for external collaboration.
 * Extends enterprise operations to include connected mobile applications.
 * Protects system from internet virus attacks.


 * Standard security:
 * Moderate level of security investment.
 * Moderate increase in complexity and system cost.
 * Enables full access to Internet data sources and online services.
 * Provides optimum business environment for external collaboration.
 * Extends enterprise operations to include connected mobile applications.
 * Protects system from a variety of security risks.


 * Advanced security:
 * Heavy level of security investment.
 * High increase in complexity and system cost.
 * Restricts access to Internet data sources and online services.
 * Eliminates external online collaboration.
 * Prevents most connected mobile applications.
 * Provides optimum protection to manage security risks.

"Best practice: Apply appropriate mitigation strategies to address your unique confidentiality, integrity, and availability business requirements. " <br style="clear: both" />

Basic security needs
Figure 9.22 shows a Basic security architecture. Basic security provides the minimum level of protection required for secure enterprise operations.

Common attributes: <br style="clear: both" />
 * Utilize data and API downloads from public clouds.
 * Secure services with ArcGIS token service.
 * Separate internal systems from Internet access with DMZ.
 * Implement web application firewall and reverse proxy and enforce HTTP communications across firewalls.

Standard security needs
Figure 9.23 shows a Standard security architecture. Standard security provides moderate level of protection for secure enterprise operations.

Common attributes include: <br style="clear: both" />
 * Web application firewall on reverse proxy
 * Provide separate web service access for internal users
 * Dynamic ArcGIS tokens
 * LDAP or active directory services
 * Separate tiers with VLANs (web, database, and management)
 * Multi-factor authentication for external users
 * Separate management traffic connections
 * Redundant components
 * Local copies of all high-availability data
 * Install APIs on local ArcGIS for Server for internal users
 * Intrusion prevention/detection systems
 * Lock down ports, protocols, services (Hardening whitepaper)
 * Standardize system images (SMS whitepaper)
 * Host-based firewalls on systems
 * Browser plug-in restrictions

Advanced security needs
Figure 9.24 shows an Advanced security architecture. Advanced security provides the highest level of protection for secure enterprise operations.

Common attributes include:
 * Minimal reliance on external data/systems
 * On-premise ArcGIS Online services (ArcGIS Online behind your firewall)
 * Data and services within data center or private cloud hosting


 * Separate web and database server for internal web services
 * Separate datasets (e.g., public, employees, employee subset)
 * Consider explicit labels
 * Clustered database with transparent data encryption (TDE)
 * Public key infrastructure (PKI) certificates
 * Local user access via multi-factor authentication.
 * Something the user knows (password, PIN)
 * Something the user has (ATM card, smart card)
 * Something the user is (biometric characteristic, such as a fingerprint)

<br style="clear: both" />
 * Remote user access via hardware token multi-factor
 * Network connections redundant with IPSec between servers
 * Secure socket layer (SSL) or transmission layer security (TLS) between clients and servers (web and rich clients)
 * Network access control (NAC)

Web firewall best practices
Figure 9.25 shows best practices for firewall protection. Firewall configurations are provided to support communication between various levels of security. The effectiveness of your firewall configuration will depend on proper technology implementation.

Esri provides guidance and recommendations for different security patterns based on your security needs.
 * [Configuring ArcGIS 10.2 for Server security]
 * [Ports used by ArcGIS 10.2 for Server.]
 * [Ports used by Portal for ArcGIS 10.2.]

"Best practice: Security in depth provides multiple layers of defense between public access and protected data resources."

Public services should be deployed on separate servers from sensitive private internal services.
 * Separate web services tier increases security layer protection.
 * Deploy public services and internal private services on separate GIS server sites.
 * Separate publication dataset from production dataset for optimum protection.

High-availability services avoid a single point of failure.
 * Multiple servers ensure operational system with one server down.
 * Multiple online copies of operational data ensure continued operations with loss of one copy.
 * Point-in-time backups are critical—most data corruptions are caused by procedural error.
 * Additional backup copy of critical data should be stored off-site.<br style="clear: both" />

Web services with proxy server
Figure 9.26 shows ArcGIS web services with proxy server. Reverse proxy servers hide the existence and characteristics of the internal application server.

"Best practice: Basic security: Internal web server components can be installed on a single server tier to reduce cost."

ArcGIS for Server reverse proxy architecture (ArcGIS 10.1+):
 * Web client sends request to web server in the DMZ.
 * DMZ web server sends request to reverse proxy for routing to private GIS servers.

"Best practice: ArcGIS for Server web adaptor will provide reverse proxy and load balancing to the private GIS server site."


 * GIS server distributes (load balances) in-bound requests to available service instance located within the GIS server site.
 * Service instance executables access required data sources and service the request.
 * Service instance output is delivered back to the web client.

Additional functionality <br style="clear: both" />
 * Application firewall features can protect against common web-based attacks. Without a reverse proxy, removing malware or initiating takedowns, for example, can become difficult.
 * In the case of secure websites, the SSL encryption is sometimes not performed by the web server itself, but is instead off-loaded to a reverse proxy that may be equipped with SSL acceleration hardware.
 * A reverse proxy can distribute the load from incoming requests to several servers, with each server serving its own application area. In the case of reverse proxying in the neighborhood of web servers, the reverse proxy may have to rewrite the URL in each incoming request, in order to match the relevant internal location of the requested resource.
 * A reverse proxy can reduce load on its origin servers by caching static content, as well as dynamic content. Proxy caches of this sort can often satisfy a considerable amount of website requests, greatly reducing the load on the origin server(s). Another term for this is web accelerator.
 * A reverse proxy can optimize content by compressing it in order to speed up loading times.
 * Reverse proxies can be used whenever multiple web servers must be accessible via a single public IP address. The web servers listen on different ports in the same machine, with the same local IP address or, possibly, on different machines and different local IP addresses altogether. The reverse proxy analyzes each incoming call and delivers it to the right server within the local area network.

Web and ArcGIS for Server components in DMZ
Figure 9.27 shows ArcGIS web and GIS Server components in the DMZ. Web and GIS server components can be deployed in the DMZ along with replicated data sources or with access through the firewall to an internal DBMS.

"Best practice: Basic security: Web server DMZ components can be installed on a single server tier to reduce cost."

ArcGIS for Server reverse proxy architecture (ArcGIS 10.1+):
 * Reverse proxy secures administrative access to GIS server.
 * Web adaptor provides reverse proxy and network load balancing.
 * Web application firewall can enhance web service security.

GIS server access to required data sources must be secured.
 * File sources must be replicated to the DMZ to protect internal resources.
 * DBMS data sources should be replicated to DMZ for optimum security.

"Warning: Some security officers find this solution not acceptable because it provides direct access to the DBMS from the DMZ. "


 * SSL secured port connections can be used to access internal DBMS data source.

"Best practice: ArcGIS for Server web adaptor will provide reverse proxy and network load balancing protecting administrative access to the GIS server site."


 * GIS server distributes (load balance) in-bound requests to available service instance located within the GIS server site.
 * Service instance executables access required data sources and service the request.
 * Service instance output is delivered back to the web client.

"Best practice: Web application server installed with the web server can enhance web service security." <br style="clear: both" />

Security strategy overview
Figure 9.28 shows a summary of security facts and recommended actions. Security is everybody's job, there is no exception. The world is not a secure environment, and you need to keep your eyes and minds open to the threats around you.

There is no single solution for security.
 * There are costs and trade-offs that must be made to support an optimum solution.
 * Too much security controls can reduce productivity and increase cost.
 * Too little attention and control can result in loss of property and the ability to perform.

"Best practice: Finding the right balance is important, and the right solution can be a moving target. "

Security resources
<br style="clear: both" />
 * Esri [Trust ArcGIS] security site
 * [CSI Computer Crime and Security Survey 2010-2011]
 * [[https://www.nsslabs.com/ Web Browser Security Test Reports
 * [Windows on Amazon EC2 Security Guide]
 * [Selected Documents on Confidentiality and Geospatial Data]
 * [SaaS, PaaS, and IaaS: A Security Checklist]

Previous Editions
Information Security 36th Edition Information Security 35th Edition Information Security 34th Edition Information Security 33rd Edition Information Security 32nd Edition Information Security 31st Edition Information Security 30th Edition Information Security 29th Edition Information Security 28th Edition Information Security 27th Edition

Page Footer Specific license terms for this content System Design Strategies 26th edition - An Esri ® Technical Reference  Document • 2009 (final PDF release)