Information Security 38th Edition

Spring 2016 Information Security 38th Edition

This chapter provides an introduction to the purpose and scope of information security. Basic concepts are introduced for developing security solutions that meet your business needs. Esri's information patterns share how to establish security measures appropriate for your organization.

Enterprise security can be a challenge for IT architects and security specialists. Until the last few years, entire IT systems were frequently designed around a single mission objective and a single "community of interest," normally supported with physically isolated systems, each with its own data stores and applications. New emerging standards are supported with more mature communication environments, more intelligent operating systems, and a variety of standard integration protocols enabling IT architects to design and maintain comprehensive organization-wide interactive enterprise solutions.

Recent industry advancements, especially in the areas of web service standards and service-oriented architectures, are enabling architects to more effectively satisfy enterprise security objectives. Esri's careful attention to these standards, coupled with an overall philosophy of providing highly interoperable software, provides security architects with a high level of flexibility, thus establishing trust for all Esri components contained in an enterprise solution.

A full discussion on enterprise security is beyond the scope of this chapter. The [Trust ArcGIS] site provides unified access to security related information for enterprise solutions using Esri products. The Trust ArcGIS web site includes a section on [ArcGIS Security] for Cloud, Server, Desktop and Mobile deployment patterns. 

What is information security?
Information security is the process of protecting the availability, privacy, and integrity of data. Risk management is an overall goal of every organization. Information security is one of the disciplines within the organization that addresses risk management. Risk is also managed through additional business continuance and information technology initiatives.

Information security has some common characteristics with business continuance and information technology as shown in Figure 9.1. 
 * Information security is a subset of overall risk management.
 * Information security is important in maintaining business continuance.
 * Information security is managed in part by information technology.

Four types of security threats
Information security is focused on addressing the four types of security threats identified in Figure 9.2. These security threats include natural disasters, malicious attacks, internal attacks, and system malfunctions or human error.

National Institute of Standards and Technology (NIST) definition of a security threat: Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability.

"Best Practice: Security controls are developed and deployed to protect against identified security threats. " 

CIA security triad
Figure 9.3 shows the CIA triad. The core principals of information security management are represented by the CIA triad.

The CIA triad includes confidentiality, integrity, and availability.
 * Confidentiality is protection of "privileged" communications, restricting user access to core business information based on a "need to know" principle.
 * Integrity refers to the trustworthiness of business data resources and the associated information products generated over its entire life cycle.
 * Availability refers to ensuring the information system is functional when needed to support operational business requirements.

Information security industry standards will be identified and applied as mechanisms of protection and prevention in the following three main areas:
 * Hardware
 * Software
 * Communications

Protection and prevention will be implemented at three levels, or layers:
 * People (personal security)
 * Procedures (organizational security)
 * Products (physical security)

"Best practice: The CIA triad is used to provide proper scope and focus for information security management." 

Levels of Security
Figure 9.4 shows the defense in depth concept. Defense in depth is an information assurance concept in which multiple layers of security controls (defenses) are placed throughout an IT system.

Multiple levels of security:
 * Physical controls (fences, guards, locks, etc.)
 * Policy controls (administrative policies and procedures)
 * Technical controls (system configuration)

Types of technical controls:
 * Authentication (user identity strategy, user name and password, keycards, keywords, etc.)
 * Authorization (role-based access policies, access control rules, etc.)
 * Filters (routing based on group policy, active directory containers, user identity, etc.)
 * Encryption (scrabbling information for unreadable transmission or storage)
 * Logging (record of security-related transactions)

Technical controls are implemented throughout the physical system providing multiple layers of defense:
 * Application controls (LDAP, SSO, HTML content filters, validation checks, secure stored procedures)
 * Host/device controls (native authentication, LDAP, repository, hardening guides, HIDS)
 * Network controls (firewalls, NIDS, single socket layer - SSL, IPSEC)
 * Data controls (authentication, role-based authorization, row-level access, data file encryption)

Examples of defense in depth:
 * Application functional limitations (view only)
 * Reverse proxy server (restrict port access)
 * Web application firewall (monitor traffic, restrict access, route traffic)
 * Web server (provide extra physical transmission layer)
 * ArcGIS for Server (restrict access to published services, user authentication, restricted data access)
 * Geodatabase server (restrict access to published services, user authentication, restricted table and row access, monitor traffic)

Idea behind defense in depth:
 * Defend a system using multiple varying protection methods.
 * Provide a comprehensive approach to information security.

Defense in depth seeks to delay advance of an attack:
 * Yield space in order to buy time without preventing proper access.
 * Prevent penetration and direct attacks by providing multiple layers of defense.
 * Prevent security breaches and buy time to detect and respond to an attack.

"Best practice: Multiple layers of defense improve information security."

"Warning: Do not expect a high level of protection from a single layer of defense. "

Review current security trends
Information security is a growing science
 * Dollar amount losses by threat
 * Security technologies utilized

Review security options
 * Trust ArcGIS site
 * Enterprise-wide security mechanisms
 * Application-specific options

Implement security as a business enabler 
 * Improve appropriate availability of information.

Standards approach to security risk management.
Figure 9.5 shows a standards approach to security risk management. Standard approaches to security risk management are well established and should be followed to ensure compliance.

Identify your security needs
 * Review industry security threats.
 * Assess your environment.
 * Evaluate risk to datasets and operational systems.
 * Determine sensitivity, categorization, and patterns of risk.

Key steps to effective information security:
 * 1) Legislation. Review regulations related to your industry.  Security regulations may dictate compliance standards and a security implementation framework; there may be negative business consequences for non-compliance.
 * 2) Benefits. Identify any potential benefits that can be derived from security compliance and operational savings that can be attributed to the proposed security program. This can be helpful in justifying security program expenses.
 * 3) Objectives. Establish SMART information security program objectives.  Objectives should be specific, measurable, attainable, relevant, and time-bound.
 * 4) Framework. Identify an information security management approach and methodology that will deliver results.  Several frameworks have been developed and shared for general use in establishing an information security program.  Information Security Frameworks can be industry specific and share focused best practices that address your business needs.
 * 5) Approved planning. Establish a plan for the security risk assessment effort.  You will need management authorization for required resources, support, and funding.
 * 6) Risk assessment and mitigation. Complete a risk assessment security needs analysis identifying potential threats and associated mitigation strategies.
 * 7) Safeguards. Identify security procedures (rules) and technology (tools) that must be implemented to address identified security needs.
 * 8) Training and awareness. Design and build the approved security solutions.  Implement training and awareness programs to implement and enforce identified security practices.
 * 9) Implementation. Operate and support the security solutions.  Monitor levels of protection and measure compliance.

Steps 1-5 are required efforts to establish a successful security program. Security program should be presented and endorsed by Executive management, and an Executive sponsor should be actively committed to enforcing the objectives of the security program.

Information security management is an active ongoing effort assessing risks, defining security requirements, and measuring security solutions.

IT group must be on board to design, build, and operate the approved security solutions. Periodic audit reviews and formal compliance demonstrations are essential to assess risk management effectiveness. Executive sponsor should actively review progress in meeting the established security program SMART objectives.

"Best practice: Security management is a continuous process of reviewing and updating security rules and supporting technology to maintain a proper level of defense against evolving security threats.."

Security framework and compliance
Figure 9.6 shows what tools the Federal Chief Information Security Officers (CIFOs) are using to manage their secure operations.

Recommended best practices:
 * Choose a security standard.
 * Perform an assessment relative to standard metrics.

There are two basic categories (solution and product level) for security certification/compliance.

"Best practice: Best way to get it right is to follow a methodology developed by those who have established a pathway for success. " 

Esri security strategy evolution
Figure 9.7 shows security moving from an isolated product solution focus to addressing security on an integrated solutions level. Enterprise IT solutions are changing including more transparency, sharing, collaboration, and web access. Security policies are adapting to these changes.


 * Product

User workflow environment:
 * Isolated systems
 * Primarily desktop or internal network solutions
 * Limited web access
 * Data entry provided by well-defined workflows

Security solutions focused on isolated systems:
 * Protecting discrete products and services
 * Protecting focused user workflow environments
 * Include third-party security additions


 * Enterprise

User workflow environment:
 * Multiple clients and user locations
 * Multiple servers and data center locations
 * User collaboration across multiple integrated systems
 * Discretionary user grouping and sharing
 * Common interface with cloud-hosted services

Enterprise security solutions:
 * Integrated enterprise platforms and services
 * Multi-layered embedded security protection
 * Adaptive user-driven security controls
 * Include third-party security additions


 * Solution

Managed security solutions: 
 * Solution templates established based on industry standards.
 * Best practices developed and shared by community leaders.
 * Solution strategies involve integration of multiple enterprise environments.
 * Security solutions are expanded to include cloud deployments.

ArcGIS for Server: Authorization deployment scenarios
ArcGIS for Server provides three primary options for managing user identify and access control.


 * Product-level security management

ArcGIS for Server includes a built-in identity store for local management of user identity and service access control. User access to secured services can be managed by the ArcGIS for Server site administrator.


 * Enterprise-level security management

ArcGIS for Server supports both Server tier and Web tier integration with Active Directory or LDAP directory store for enterprise-level management of user identity and service access control. User access to secured services can be managed by the Enterprise security administrator.

"Best practice: Business requirements will determine the optimum security management solution for your organization. " 

ArcGIS for Server tier authentication
ArcGIS Server (AGS) site manages user authentication and service authorization.
 * Authentication credentials are stored in the AGS site identity store (secure users).
 * Authorization credentials are stored in the AGS site identity store (roles).
 * Privileges are assigned by administrative user roles.
 * Service access is authorized based on identified roles (AGS folders).
 * ArcGIS Server administrator manages user membership, user privileges and service access permissions (roles), and assigns users to roles.
 * Service publishers share published services with available roles.


 * Service authorization is provided by ArcGIS Server token based authentication.

ArcGIS for Server tier security authorization data flow
 * User security credentials are provided to the AGS site Web adaptor or third party reverse proxy.
 * AGS site Web adaptor (or third party reverse proxy) sends credentials to the ArcGIS for Server site.
 * AGS site identity store is used to complete authentication and authorization
 * Service authorization is provided by ArcGIS Server token based authentication.

Help: Configuring ArcGIS Server security 

Enterprise ArcGIS for Server tier authentication
ArcGIS Server (AGS) site manages service authorization based on validated enterprise user authentication.
 * Authentication credentials are stored in the enterprise Active Directory/LDAP data store (secured users) and replicated to the ArcGIS for Server identity store (user name and password).

Two authentication options are available.
 * Privileges managed by ArcGIS Server site identity store (roles).
 * Enterprise Active Directory/LDAP administrator manages user membership.
 * ArcGIS Server administrator manages user privileges and access permissions (roles), and assigns Active Directory/LDAP identified users to roles.
 * Service publishers share published services with available roles assigned by the ArcGIS Server site administrator.


 * Privileges managed by Active Directory/LDAP data store (roles).
 * Enterprise Active Directory/LDAP administrator manages user membership, user privileges and access permissions (roles), and assigns users to roles.
 * Service publishers share published services with available roles assigned by the Active Directory/LDAP administrator.


 * Service authorization is provided by ArcGIS Server token based authentication.

Enterprise ArcGIS Server tier security authorization data flow
 * ArcGIS Server site identity store read only trust relationship is configured with the Enterprise security directory data store.
 * User security credentials are provided to the AGS site Web adaptor or third party reverse proxy.
 * AGS site Web adaptor (or third party reverse proxy) sends credentials to the ArcGIS for Server site.
 * AGS site identity store is used to complete authentication and authorization
 * Service authorization is provided by ArcGIS Server token based authentication.

Help: Advanced considerations when using domain accounts

"Best practice: Use secure socket layer (SSL) communications when transmitting user identification information over unsecure network. " 

Enterprise level Web tier authentication
ArcGIS Server (AGS) site manages service authorization based on validated enterprise user authentication.
 * Authentication credentials are stored in the enterprise Active Directory/LDAP data store (secured users).

Web-tier authentication supports user single sign-on experience.

Two authentication options are available.
 * Privileges managed by ArcGIS Server site identity store (roles).
 * Enterprise Active Directory/LDAP administrator manages user membership.
 * ArcGIS Server administrator manages user privileges and access permissions (roles), and assigns Active Directory/LDAP identified users to roles.
 * Service publishers share published services with available roles assigned by the ArcGIS Server site administrator.


 * Privileges managed by Active Directory/LDAP data store (roles).
 * Enterprise Active Directory/LDAP administrator manages user membership, user privileges and access permissions (roles), and assigns users to roles.
 * Service publishers share published services with available roles assigned by the Active Directory/LDAP administrator.


 * Service authorization is provided by ArcGIS Server token based authentication.

Enterprise level Web tier security authorization data flow
 * ArcGIS Server site identity store read only trust relationship is configured with the Enterprise security directory data store.
 * User security credentials are provided to the Web server.
 * Web server sends user credentials to the Active Directory/LDAP server.
 * Active Directory/LDAP data store is used to complete authentication.
 * Validated authentication credentials are returned to the Web server.
 * AGS Web Adaptor sends validated authentication credentials to the ArcGIS Server site.
 * GIS Server identity store provides authorization for service access to client.
 * Service authorization is provided by ArcGIS Server token based authentication.

Help: Securing web services with Integrated Windows Authentication

"Best practice: Use secure socket layer (SSL) communications when transmitting user identification information over unsecure network. " 

Portal: Authentication deployment scenarios
Portal security management is provided for ArcGIS Online and Portal for ArcGIS. Both portal deployment patterns support product-level and enterprise-level user identity management.


 * Product-level security management
 * ArcGIS Online includes a built-in global security store.
 * Portal for ArcGIS includes a built-in identity store.

Portal content is created and shared by named users using the portal information model. Security is managed by the ArcGIS Online or Portal for ArcGIS administrator.


 * Enterprise-level security management
 * ArcGIS Online and Portal for ArcGIS both support SAML integration with Active Directory or LDAP directory store.
 * Portal for ArcGIS supports both Portal tier and Web tier integration with Active Directory or LDAP directory store.

Portal content is created and shared by named users using the portal information model. Security is managed by the ArcGIS Online or Portal for ArcGIS administrator. User access to secured services can be managed by the Enterprise security administrator.

"Best practice: Business requirements will determine the optimum security management solution for your organization. " 

ArcGIS portal information model
The GIS portal gives a self-service content management platform for managing geospatial content as shown in Figure 9.10.

The portal information model includes Users, Groups, Items, and Tags. 
 * Users own items and can own or join groups.
 * Groups are used to organize and secure user items.
 * Items identify user content added to the Portal.
 * Tags identify item content for search purposes.

Web GIS access and privileges
Portal privileges are based on named user roles managed by the Portal administrator as shown in Figure 9.11. Published maps and apps can be shared to anonymous (public) users outside the organization. Administrator has the capability to restrict shared services to named users within the organization (exclude anonymous access).

Portal security is managed by named user membership with the following privileges: 
 * Administrators have full permissions and manage portal named user membership.
 * All named users can use maps and apps, create content, share maps and apps, join and create groups, and edit features.
 * Named users with a publisher role are able to publish hosted web layers and have full access to ArcGIS Online analysis services. Online services include access to Business and Community demographics, spatial analysis, network routing, world geocoding, and landscape feature services.  Use of these services consume Organization online credits.
 * Administrators are able to create custom roles for more focused named user privileges. ArcGIS Online custom roles allow administrators to assign granular access (specific online analysis services) to named users based on their operational needs.

ArcGIS Online security authentication and authorization
ArcGIS Online provides secure access to shared maps, apps, and data packages hosted in your private ArcGIS Online Organization in the Cloud. Organization membership is limited to named users, with member authentication and resource access managed in a Cloud based security store. Security assertion markup language (SAML) authentication can be used to integrate the ArcGIS Online Organization security store with on-premise security solutions for Enterprise level member authentication.

Groups are created and managed by Organization named users.
 * Administrators have full permissions and manage organization membership (named users) and user roles.
 * Organization named users can create and manage their own group membership and permissions. Groups can be private, organization, or public access. An Online Organization membership is required to participate in managed group membership. Group users have contributor or viewer permissions.
 * When you add layers to an ArcGIS Online Web map from a Web service, these layers are published from their source site and delivered direct to the client. The source site manages any additional client authentication and validation requirements for the selected service (no data gets transferred through the ArcGIS Online site.)  Web map layers are assembled in the mashup at the client browser display.

ArcGIS Online authentication
ArcGIS Online global security store manages authentication and authorization.
 * Authentication credentials are stored in the ArcGIS Online global security store (named users).
 * Privileges and group membership are stored in the ArcGIS Online global security store (roles).
 * ArcGIS Online Organization administrator identifies and manages named users, creates custom privileges, and assigns named user privileges (roles).
 * ArcGIS Online named users create and manage ArcGIS Online Organization groups.
 * Service publishers share published services with ArcGIS Online Organization groups.
 * Service access authorization is based on group membership.

ArcGIS Online security authorization data flow 
 * User security credentials are provided to the ArcGIS Online global security store.
 * ArcGIS Online global security store is used to complete authentication and authorization
 * Service authorization is provided by ArcGIS Online token based authentication.

ArcGIS Online SAML authentication
Active directory or LDAP can be used for Online Organization membership authentication. SAML communication protocols are used for remote enterprise-level member authentication and validation.

ArcGIS Online service authorization based on SAML authentication.
 * Authentication credentials are stored in the enterprise Active Directory/LDAP data store (named users).
 * Enterprise Active Directory/LDAP administrator identifies and manages ArcGIS Online Organization named user membership.
 * ArcGIS Online server administrator defines custom privileges, assigns privileges to identified SAML validated users, and manages ArcGIS Online groups.
 * ArcGIS Online named users create and manage ArcGIS Online Organization groups.
 * ArcGIS Online named users share published services with identified ArcGIS Online Organization groups.
 * Service access authorization is based on group membership.

ArcGIS Online for Organizations SAML security authorization data flow
 * ArcGIS Online global security store SAML identify provider trust relationship is configured with the Enterprise security directory data store.
 * User security credentials are provided to ArcGIS Online.
 * ArcGIS Online sends user credentials to the SAML identify provider.
 * SAML identify provider sends user credentials to the Enterprise Active Directory/LDAP server.
 * Active Directory/LDAP data store is used to complete authentication.
 * Validated authentication credentials are returned to the ArcGIS Online global security store.
 * Global security store credentials are used to authorize named user privileges and services access.
 * AGOL global security store provides authorization for service access to client.
 * Service authorization is provided by ArcGIS Online token based authentication.

"Best practice: Use secure socket layer (SSL) communications when transmitting user identification information over unsecure network. " 

Portal for ArcGIS security authentication and authorization
Portal for ArcGIS security solutions provide Portal tier authentication by the Portal for ArcGIS identity store or Web tier Enterprise level integration using Active Directory/LDAP authentication.

Portal for ArcGIS server authentication
Portal for ArcGIS identity store manages authentication and authorization.
 * Authentication credentials are stored in the Portal identity store (named users).
 * Privileges and group membership are stored in the Portal identity store (roles).
 * Portal server administrator identifies and manages named users, creates custom privileges, and assigns named user privileges (roles).
 * Portal named users create and manage Portal groups.
 * Service publishers share published services with groups.


 * Service access authorization is based on group membership.

Portal for ArcGIS server tier security authorization data flow
 * User security credentials are provided to the Portal Web adaptor.
 * Portal Web adaptor sends user credentials to the Portal server.
 * Portal identity store is used to complete authentication and authorization
 * Service authorization is provided by Portal for ArcGIS token based authentication.

Help: About configuring portal authentication <br style="clear: both" />

Enterprise Portal for ArcGIS tier authentication
Portal for ArcGIS manages service authorization based on validated enterprise user authentication.
 * Authentication credentials are stored in the enterprise Active Directory/LDAP data store (named users) and replicated to the Portal for ArcGIS identity store.

Three unique security management configurations options. Organization must select the security management option that best supports their business needs.
 * Portal named users are identified and managed by the Enterprise Active Directory/LDAP administrator.
 * Enterprise Active Directory/LDAP administrator identifies and manages Portal named user membership.
 * Portal server administrator defines custom privileges, assigns privileges to identified Active Directory/LDAP users, and manages Portal groups.
 * Portal named users create and manage Portal groups.
 * Portal named users share published services with identified Portal groups.


 * Portal named users and privileges (roles) are identified and managed by the Enterprise Active Directory/LDAP administrator.
 * Enterprise Active Directory/LDAP administrator identifies and manages Portal named user membership, defines custom privileges, and assigns privileges to identified Portal named users.
 * Portal server administrator manages Portal groups.
 * Portal named users create and manage Portal groups.
 * Named users share published services with identified Portal groups.


 * Portal named users, privileges (roles), and Portal groups are identified and managed by the Enterprise Active Directory/LDAP administrator.
 * Enterprise Active Directory/LDAP administrator identifies and manages Portal named user membership, defines custom privileges, assigns privileges to identified Portal named users, and manages Portal groups.
 * Portal named users share published services with identified Portal groups.


 * Service access authorization is based on group membership.

Portal for ArcGIS Web tier security authorization data flow
 * Portal for ArcGIS identity store read only trust relationship is configured with the Enterprise security directory data store.
 * User security credentials are provided to the Portal Web adaptor.
 * Portal Web adaptor sends user credentials to the Portal server.
 * Portal identity store is used to complete authentication and authorization
 * Service authorization is provided by Portal for ArcGIS token based authentication.

Help: Configure Portal to use Enterprise Identity Store <br style="clear: both" />

Portal for ArcGIS Enterprise level Web tier authentication
Portal for ArcGIS manages service authorization based on validated enterprise user authentication.
 * Authentication credentials are stored in the enterprise Active Directory/LDAP data store (named users).

Three unique security management configurations options. Organization must select the security management option that best supports their business needs.
 * Portal named users are identified and managed by the Enterprise Active Directory/LDAP administrator.
 * Enterprise Active Directory/LDAP administrator identifies and manages Portal named user membership.
 * Portal server administrator defines custom privileges, assigns privileges to identified Active Directory/LDAP users, and manages Portal groups.
 * Portal named users create and manage Portal groups.
 * Portal named users share published services with identified Portal groups.


 * Portal named users and privileges (roles) are identified and managed by the Enterprise Active Directory/LDAP administrator.
 * Enterprise Active Directory/LDAP administrator identifies and manages Portal named user membership, defines custom privileges, and assigns privileges to identified Portal named users.
 * Portal server administrator manages Portal groups.
 * Portal named users create and manage Portal groups.
 * Named users share published services with identified Portal groups.


 * Portal named users, privileges (roles), and Portal groups are identified and managed by the Enterprise Active Directory/LDAP administrator.
 * Enterprise Active Directory/LDAP administrator identifies and manages Portal named user membership, defines custom privileges, assigns privileges to identified Portal named users, and manages Portal groups.
 * Portal named users share published services with identified Portal groups.


 * Service access authorization is based on group membership.

Portal for ArcGIS Web tier security authorization data flow
 * Portal for ArcGIS identity store read only trust relationship is configured with the Enterprise security directory data store.
 * User security credentials are provided to the Web server.
 * Web server sends user credentials to the Active Directory/LDAP server.
 * Active Directory/LDAP data store is used to complete authentication.
 * Validated authentication credentials are returned to the Web server.
 * Portal Web adaptor send validated authentication credentials to the Portal server.
 * Portal identity store provides authorization for service access to client.
 * Service authorization is provided by Portal for ArcGIS token based authentication.

Help: Using Integrated Windows Authentication with your portal <br style="clear: both" />

GIS portal architecture in ArcGIS Online
ArcGIS Online Organization provides SaaS cloud solution for portal content management and sharing as shown in Figure 9.16.

ArcGIS Online (AGOL) portal architecture includes Users, Groups, and items.

Users provide content access
 * Requires ArcGIS Online services subscription
 * Funded by AGOL organization credits
 * Authorization provided by Esri global or organization's Enterprise security store.
 * Items are created and owned by licensed named users.
 * Users have access to portal subscription apps
 * Publishers can publish online feature services

Items provide user managed content
 * Files
 * Service links (Online Basemaps and Web Services)
 * Web Maps and user apps

Groups link items and users. <br style="clear: both" />

Portal for ArcGIS relationship to Server
Portal for ArcGIS provides on-premise solution for portal content management and sharing as shown in Figure 9.17.

Portal for ArcGIS architecture includes Users, Groups, and items.

Users provide content access
 * Requires hosted ArcGIS Server.
 * Funded by on-premise ArcGIS for Server licensing.
 * Authorization provided by Portal security store or organization's Enterprise security store.
 * Items are created and owned by licensed named users.
 * Users have access to portal subscription apps.
 * Publishers can create and publish portal services.

Items provide user managed content
 * Files
 * Service links (Online Basemaps/ArcGIS Data Appliance and Web Services).
 * Web Maps and user apps.

Groups link items and users.

Security in the cloud
Figure 9.18 shows the standard Cloud hosting patterns and user security practices. Security challenges in the cloud are familiar to any IT manager: loss of data, threats to the infrastructure, and compliance risk. What is new is the way these threats play out in a cloud environment.


 * ArcGIS in the cloud

Software as a Service (SaaS): Direct user interface for building services
 * ArcGIS Online (ArcGIS.com)
 * Business Analyst Online
 * ArcGIS Explorer Online

Platform as a Service (PaaS); Developer interface for building services
 * Esri web mapping APIs (JavaScript, Flex, Silverlight)
 * Microsoft Azure ArcGIS applications

Infrastructure as a Service (IaaS): IT administrator interface for building services
 * ArcGIS for Server on Amazon EC2
 * Terremark Cloud (now Verizon)
 * Private cloud

Cloud security is:
 * The response to a familiar set of security challenges that manifest differently in the cloud.
 * A set of policies, technologies, and controls designed to protect data and infrastructure from attack and enable regulatory compliance.
 * Layered technologies that create a durable security net or grid.
 * The joint responsibility of your organization and its cloud provider(s).

Cloud security is not:
 * A one-size-fits-all solution that can protect all your IT assets. In addition to different cloud delivery models, the cloud services you deploy will most likely require more than one approach to security.
 * A closed-perimeter approach or a "fill-the-gap" measure. Organizations can no longer rely on firewalls as a single point of control, and cobbling together security solutions to protect a single vulnerability may leave you open in places you do not suspect.
 * Something you can assume is provided at the level you require by your cloud service providers. Make sure you spell out and can verify what you require.

"Warning: Cloud computing security is a broad topic with hundreds of considerations: from protecting hardware and platform technologies in the data center to enabling regulatory compliance and defending cloud access through different end-point devices. " <br style="clear: both" />

Cloud implementation options
Cloud security is evolving to satisfy customer needs. Figure 9.19 shows the risk tradeoff of several standard Cloud implementation options. Security management options vary based on the available service models, deployment models, and management models utilized in your deployment scenario.

Deployment strategies can include a mix of self-managed and vendor-managed security options.

Self-managed deployment options:
 * Non-cloud on-premise ArcGIS for Server deployment
 * Portal for ArcGIS on-premise content management
 * IaaS-based community private cloud deployment
 * Hybrid deployment including IaaS and on-premise services

Vendor-managed deployment options:
 * Vendor-managed IaaS-based community private cloud deployment
 * Vendor-managed hybrid deployment including IaaS public and private cloud services
 * Vendor-managed IaaS-based public cloud deployment
 * Vendor-managed ArcGIS Online content management
 * Public SaaS-based services deployment

"Best practice: An optimum security program involves an appropriate tradeoff between self- and vendor-managed risk. " <br style="clear: both" />

Deployment model responsibilities
Figure 9.19.1 shows responsibility by layers across the major cloud deployment models versus an on-premise implementation.

These deployments are not exclusive, and an enterprise deployment of the ArcGIS platform could use multiple models such as an on-premise implementation supplemented with ArcGIS in the cloud in a hybrid approach.

"Best practice: Security implementation involves a proper trade-off between self- and vendor-managed risk. "

<br style="clear: both" />

ArcGIS cloud hybrid capabilities
Figure 9.20 shows a ArcGIS for Server hybrid cloud deployment. A hybrid cloud may provide your best deployment solution, taking advantage of available technology in the most optimum way without compromising security. Deployment strategies can include a mix of self-managed and vendor-managed security options.

Hybrid solutions leverage the best technology options:
 * Internal-hosted service layers can provide your full internal level of security.
 * Private IaaS clouds provide scalable on-demand internal services while retaining required security.
 * Geodatabase replication services provide filtered content to physically separate internal secure data from external remote access.
 * Sensitive data layers can be published from within the data center for mash-up with authenticated field-worker displays.
 * ArcGIS Online organizations provide collaboration and data sharing with protected groups of agency locations.
 * ArcGIS Online subscription services (and public IaaS hosting) provide scalable public access for on-demand services.

"Best practice: Provide optimum enterprise security through hybrid cloud deployments. "

Esri’s security strategy
Deliver secure GIS products
 * [Incorporate security industry best practices.]
 * Trusted geospatial services across the globe.
 * Meet needs of individual users and entire organizations.

Provide secure GIS solution guidance <br style="clear: both" />
 * [Enterprise Resource Center]
 * [Shares Esri security patterns]

Esri informal pattern selection
Your security needs are unique. Figure 9.21 shows a full range of security levels available for ArcGIS users. Esri provides an approach to classifying the level of security required to manage your security risk.


 * Basic security:
 * Minimum level of security investment.
 * Enables simple and lowest system cost.
 * Enables full access to internet data sources and Online services.
 * Provides optimum business environment for external collaboration.
 * Extends enterprise operations to include connected mobile applications.
 * Protects system from internet virus attacks.


 * Standard security:
 * Moderate level of security investment.
 * Moderate increase in complexity and system cost.
 * Enables full access to Internet data sources and online services.
 * Provides optimum business environment for external collaboration.
 * Extends enterprise operations to include connected mobile applications.
 * Protects system from a variety of security risks.


 * Advanced security:
 * Heavy level of security investment.
 * High increase in complexity and system cost.
 * Restricts access to Internet data sources and online services.
 * Eliminates external online collaboration.
 * Prevents most connected mobile applications.
 * Provides optimum protection to manage security risks.

"Best practice: Apply appropriate mitigation strategies to address your unique confidentiality, integrity, and availability business requirements. " <br style="clear: both" />

Basic security needs
Figure 9.22 shows a Basic security architecture. Basic security provides the minimum level of protection required for secure enterprise operations.

Common attributes: <br style="clear: both" />
 * Utilize data and API downloads from public clouds.
 * Secure services with ArcGIS token service.
 * Separate internal systems from Internet access with DMZ.
 * Implement web application firewall and reverse proxy and enforce HTTP communications across firewalls.

Standard security needs
Figure 9.23 shows a Standard security architecture. Standard security provides moderate level of protection for secure enterprise operations.

Common attributes include: <br style="clear: both" />
 * Web application firewall on reverse proxy
 * Provide separate web service access for internal users
 * Dynamic ArcGIS tokens
 * LDAP or active directory services
 * Separate tiers with VLANs (web, database, and management)
 * Multi-factor authentication for external users
 * Separate management traffic connections
 * Redundant components
 * Local copies of all high-availability data
 * Install APIs on local ArcGIS for Server for internal users
 * Intrusion prevention/detection systems
 * Lock down ports, protocols, services (Hardening whitepaper)
 * Standardize system images (SMS whitepaper)
 * Host-based firewalls on systems
 * Browser plug-in restrictions

Advanced security needs
Figure 9.24 shows an Advanced security architecture. Advanced security provides the highest level of protection for secure enterprise operations.

Common attributes include:
 * Minimal reliance on external data/systems
 * On-premise ArcGIS Online services (ArcGIS Online behind your firewall)
 * Data and services within data center or private cloud hosting


 * Separate web and database server for internal web services
 * Separate datasets (e.g., public, employees, employee subset)
 * Consider explicit labels
 * Clustered database with transparent data encryption (TDE)
 * Public key infrastructure (PKI) certificates
 * Local user access via multi-factor authentication.
 * Something the user knows (password, PIN)
 * Something the user has (ATM card, smart card)
 * Something the user is (biometric characteristic, such as a fingerprint)

<br style="clear: both" />
 * Remote user access via hardware token multi-factor
 * Network connections redundant with IPSec between servers
 * Secure socket layer (SSL) or transmission layer security (TLS) between clients and servers (web and rich clients)
 * Network access control (NAC)

Web firewall best practices
Figure 9.25 shows best practices for firewall protection. Firewall configurations are provided to support communication between various levels of security. The effectiveness of your firewall configuration will depend on proper technology implementation.

Esri provides guidance and recommendations for different security patterns based on your security needs.
 * [Enterprise GIS Security Patterns]
 * [Configuring ArcGIS 10.2 for Server security]
 * [Ports used by ArcGIS 10.2 for Server.]
 * [Ports used by Portal for ArcGIS 10.2.]

"Best practice: Security in depth provides multiple layers of defense between public access and protected data resources."

Public services should be deployed on separate servers from sensitive private internal services.
 * Separate web services tier increases security layer protection.
 * Deploy public services and internal private services on separate GIS server sites.
 * Separate publication dataset from production dataset for optimum protection.

High-availability services avoid a single point of failure.
 * Multiple servers ensure operational system with one server down.
 * Multiple online copies of operational data ensure continued operations with loss of one copy.
 * Point-in-time backups are critical—most data corruptions are caused by procedural error.
 * Additional backup copy of critical data should be stored off-site.<br style="clear: both" />

Web services with proxy server
Figure 9.26 shows ArcGIS web services with proxy server. Reverse proxy servers hide the existence and characteristics of the internal application server.

"Best practice: Basic security: Internal web server components can be installed on a single server tier to reduce cost."

ArcGIS for Server reverse proxy architecture (ArcGIS 10.1+):
 * Web client sends request to web server in the DMZ.
 * DMZ web server sends request to reverse proxy for routing to private GIS servers.

"Best practice: ArcGIS for Server web adaptor will provide reverse proxy and load balancing to the private GIS server site."


 * GIS server distributes (load balances) in-bound requests to available service instance located within the GIS server site.
 * Service instance executables access required data sources and service the request.
 * Service instance output is delivered back to the web client.

Additional functionality <br style="clear: both" />
 * Application firewall features can protect against common web-based attacks. Without a reverse proxy, removing malware or initiating takedowns, for example, can become difficult.
 * In the case of secure websites, the SSL encryption is sometimes not performed by the web server itself, but is instead off-loaded to a reverse proxy that may be equipped with SSL acceleration hardware.
 * A reverse proxy can distribute the load from incoming requests to several servers, with each server serving its own application area. In the case of reverse proxying in the neighborhood of web servers, the reverse proxy may have to rewrite the URL in each incoming request, in order to match the relevant internal location of the requested resource.
 * A reverse proxy can reduce load on its origin servers by caching static content, as well as dynamic content. Proxy caches of this sort can often satisfy a considerable amount of website requests, greatly reducing the load on the origin server(s). Another term for this is web accelerator.
 * A reverse proxy can optimize content by compressing it in order to speed up loading times.
 * Reverse proxies can be used whenever multiple web servers must be accessible via a single public IP address. The web servers listen on different ports in the same machine, with the same local IP address or, possibly, on different machines and different local IP addresses altogether. The reverse proxy analyzes each incoming call and delivers it to the right server within the local area network.

Web and ArcGIS for Server components in DMZ
Figure 9.27 shows ArcGIS web and GIS Server components in the DMZ. Web and GIS server components can be deployed in the DMZ along with replicated data sources or with access through the firewall to an internal DBMS.

"Best practice: Basic security: Web server DMZ components can be installed on a single server tier to reduce cost."

ArcGIS for Server reverse proxy architecture (ArcGIS 10.1+):
 * Reverse proxy secures administrative access to GIS server.
 * Web adaptor provides reverse proxy and network load balancing.
 * Web application firewall can enhance web service security.

GIS server access to required data sources must be secured.
 * File sources must be replicated to the DMZ to protect internal resources.
 * DBMS data sources should be replicated to DMZ for optimum security.

"Warning: Some security officers find this solution not acceptable because it provides direct access to the DBMS from the DMZ. "


 * SSL secured port connections can be used to access internal DBMS data source.

"Best practice: ArcGIS for Server web adaptor will provide reverse proxy and network load balancing protecting administrative access to the GIS server site."


 * GIS server distributes (load balance) in-bound requests to available service instance located within the GIS server site.
 * Service instance executables access required data sources and service the request.
 * Service instance output is delivered back to the web client.

"Best practice: Web application server installed with the web server can enhance web service security." <br style="clear: both" />

Business continuance
Business continuance addresses infrastructure design considerations that ensure computer systems are functional when needed to support operational business requirements. Requirements for business continuance are a primary risk management consideration, and a core principal of information security management. Availability is the third tenant of the Security Triad, and system component redundancy is the concept developed and deployed to protect against identified business continuance threats.

Business continuance deployment options address high-availability and disaster recovery deployment scenarios. Requirements are established based on business security requirements. Software functionality can introduce constraints on acceptable deployment options. ArcGIS for Server and Portal for ArcGIS business continuance deployment strategies will be addressed in this section.

Design and deployment of the required deployment architecture patterns are addressed in the earlier chapter on GIS Product Architecture.

Requirements for high-availability deployments
High-availability configurations ensure business operations continue when infrastructure components fail.

General high-availability compliance requirements include the following:
 * Highly available load balancer
 * Multiple application server tier machines
 * Highly available shared storage
 * Highly available network

"Best practice: System designed to support continued operations following any single hardware component failure." <br style="clear: both" />

Disaster recovery: Typical workflow
Disaster recovery configurations ensure business operations continue following a catastrophic data center failure.

Secondary data center must be designed and maintained to support failover operations.

Custom business processes must be established to maintain and distribute traffic between the data center locations.
 * Multiple site install and configuration
 * Multiple site service deployments
 * Multiple site data source updates
 * Concurrent application updates between sites

"Best practice: System designed and resources maintained to support continued operations following loss of primary data center." <br style="clear: both" />

Business continuance: Server GIS components
ArcGIS for Server components that must be configured for high availability include the ArcGIS for Server components and supporting data sources.

This section will identify provisions for supporting highly available ArcGIS for Server tier components. Third-party vendor solutions are available for building highly available data sources hosted by DBMS and File share solutions.

<br style="clear: both" />

Server GIS: Multi-machine architecture
ArcGIS for Server site architecture is designed to support a multi-machine (two or more GIS Servers) with shared configuration store and server directories for highly available operations.

"Warning: Third-party load balancers, Web, and storage tier must be configured for highly available operations. "

"Best practice: Review architecture solution to ensure no single hardware/network failure can cause failed operations." <br style="clear: both" />

Server GIS: Primary deployment patterns for high availability
ArcGIS for Server production deployments may include two- or three-tier configurations.


 * Two-tier Server configuration
 * Highly available load balancer solution.
 * Multi-machine ArcGIS for Server site.
 * Highly available file share for Configuration Store and Server Directories.
 * Highly available data source (DBMS or File share).
 * Three-tier Server configuration
 * Highly available load balancer solution.
 * Multi-machine load balanced Web tier.
 * Multi-machine ArcGIS for Server site.
 * Highly available file share for Configuration Store and Server Directories.
 * Highly available data source (DBMS or File share).

"Warning: Virtual server deployments must distribute platform tier components on redundant host platforms. "

"Best practice: Review architecture solution to ensure no single hardware/network failure can cause failed operations." <br style="clear: both" />

Server GIS: The Silo deployment pattern
ArcGIS for Server single-machine site configurations must support high availability with third-party solutions.


 * Two-tier Server configuration
 * Highly available load balancer solution.
 * Multi-site identical load-balanced GIS Server tier configuration.
 * Identical Configuration Store and Server Directories for each site.
 * Highly available data source (DBMS or File share).

"Warning: Virtual server deployments must distribute platform tier components on redundant host platforms. "

"Best practice: Review architecture solution to ensure no single hardware/network failure can cause failed operations." <br style="clear: both" />

Server GIS: Pattern for disaster recovery
Primary high-availability solutions must be established and maintained at each data center.

"Warning: Virtual server deployments must distribute platform tier components on redundant host platforms. "

"Best practice: Review architecture solution to ensure no single hardware/network failure can cause failed operations."

Custom business processes must be established to maintain and distribute traffic between the data center locations.
 * Multiple site install and configuration
 * Multiple site service deployments
 * Multiple site data source updates
 * Concurrent application updates between sites

"Best practice: System designed and resources maintained to support continued operations following loss of primary data center."

<br style="clear: both" />

Business continuance: Portal for ArcGIS components
Web GIS components that must be configured for high availability include the Portal for ArcGIS, ArcGIS Server, and ArcGIS Data Store tier. The Portal for ArcGIS and ArcGIS Data Store tier will be discussed first, followed by a system-level discussion on the Web GIS high availability and disaster recovery solution.

Portal for ArcGIS components that must be configured for high availability include the Portal for ArcGIS components and supporting content store

This section will identify provisions for supporting highly available Portal for ArcGIS tier components. Third-party vendor solutions are available for building highly available File share solutions. <br style="clear: both" />

Portal for ArcGIS: Multi-machine architecture
Portal for ArcGIS architecture is designed to support a multi-machine (two Portal servers) with shared content store for highly available operations.

"Warning: Third-party load balancers, Web, and storage tier must be configured for high-availability operations. "

"Best practice: Review architecture solution to ensure no single hardware/network failure can cause failed operations."

<br style="clear: both" />

Portal for ArcGIS: Deployment patterns for high availability
Portal for ArcGIS production deployments may include one- or two-tier configurations.

Single-tier Portal configuration
 * Highly available load balancer solution.
 * Two-machine Portal tier.
 * Highly available File share for Content Store.

Two-tier Portal configuration
 * Highly available load balancer solution.
 * Two-machine load balanced Web tier (include Web Adaptors).
 * Two-machine Portal tier.
 * Highly available File share for Content Store.

"Warning: Virtual server deployments must distribute platform tier components on redundant host platforms. "

"Best practice: Review architecture solution to ensure no single hardware/network failure can cause failed operations."

<br style="clear: both" />

Business continuance: ArcGIS Data Store components
ArcGIS Data Store components must be configured for high Availability.

This section will identify provisions for supporting highly available ArcGIS for Data Store tier components.

<br style="clear: both" />

Data Stores: User-managed vs. ArcGIS-managed
Portal deployments are supported by both user-managed and ArcGIS-managed data stores.
 * User-managed data stores include data sources (Geodatabases and files).

User-managed data store
 * Geodatabases and file data sources for ArcGIS for Server published services.
 * Database schema and content are managed by the geodatabase administrator.
 * Geodatabase can be identified as a managed data store for Portal hosted sites.

ArcGIS managed data store
 * Installed on Portal-hosted GIS Server site.
 * Stores feature data published to Portal for ArcGIS.

"Best practice: ArcGIS Data Store provides a scalable architecture for Portal for ArcGIS feature publishing."

<br style="clear: both" />

ArcGIS Data Store: Is actually many ArcGIS- managed Data Stores
Portal is supported by several different ArcGIS-managed Data Stores.

Supported feature datasets include the following:
 * Features (points, polygons, lines)
 * 3D scene layers (tile cache)
 * Real-time geoevent observations (high-capacity "Big" Data Store)

<br style="clear: both" />

ArcGIS Data Store: Multi-machine architecture
Configure ArcGIS Data Store with a standby machine so your feature data is available even if the primary machine fails.

Include a secondary failover machine with the Data Store install.
 * ArcGIS for Server provides failover to secondary machine.
 * Common storage used by Primary and Secondary machines.
 * ArcGIS Data Store automatically generates backup recovery files.

<br style="clear: both" />

Business continuance: Web GIS components
Web GIS components that must be configured for high availability include the Portal for ArcGIS, ArcGIS Server, and ArcGIS Data Store tier.

All Web GIS components must stay in sync to support high availability and disaster recovery solutions.

<br style="clear: both" />

Web GIS: High-availability deployment pattern
Web GIS components include Portal for ArcGIS, ArcGIS Server, and the ArcGIS Data Store.

Diagram shows the complete Web GIS high-availability configuration.
 * High-availability Portal for ArcGIS tier (two Portal servers with shared Content Store).
 * High-availability ArcGIS Server tier (minimum of two GIS Servers with shared Configuration Store and Server Directories).
 * High-availability ArcGIS Data Store (Primary Data Store with failover secondary Data Store, sharing data on a common file share) Data Store automatically creates backups for disaster recovery.

<br style="clear: both" />

Web GIS: Disaster recovery deployment pattern
Secondary data center must be designed and maintained to support failover operations.

Primary high-availability solutions must be established and maintained at each data center.
 * Backup and restore model provides replicated configuration (available with 10.4 release).

"Warning: Virtual server deployments must distribute platform tier components on redundant host platforms. "

"Best practice: Review architecture solution to ensure no single hardware/network failure can cause failed operations."

Custom business processes must be established to maintain and distribute traffic between the data center locations.
 * Multiple site install and configuration
 * Web GIS backup and restore model provides replicated configuration (available with 10.4 release).

"Best practice: System designed and resources maintained to support continued operations following loss of primary data center."

<br style="clear: both" />

Business continuance operations
Business continuance operations are complex with multiple components that must work together to support reliable high availability and disaster recovery solution.

Technology solutions alone do not guarantee success.
 * Qualified people must be trained to support recovery operations.
 * Processes must be implemented and testing to ensure operational readiness.
 * Technology must work together to support integrated operations

<br style="clear: both" />

People and process considerations
Providing the right people with the right skills in the right place at the right time is critical for supporting sustained operations.

People qualifications
 * IT managed
 * Strong technical team
 * Knowledge of GIS and IT

Process validation
 * Business alignment
 * Established SLAs
 * Knowledge management
 * Training

<br style="clear: both" />

Security strategy overview
Figure 9.28 shows a summary of security facts and recommended actions. Security is everybody's job, there is no exception. The world is not a secure environment, and you need to keep your eyes and minds open to the threats around you.

There is no single solution for security.
 * There are costs and trade-offs that must be made to support an optimum solution.
 * Too much security controls can reduce productivity and increase cost.
 * Too little attention and control can result in loss of property and the ability to perform.

"Best practice: Finding the right balance is important, and the right solution can be a moving target. "

<br style="clear: both" />

Security resources
<br style="clear: both" />
 * Esri [Trust ArcGIS] security site
 * [CSI Computer Crime and Security Survey 2010-2011]
 * [[https://www.nsslabs.com/ Web Browser Security Test Reports
 * [Windows on Amazon EC2 Security Guide]
 * [Selected Documents on Confidentiality and Geospatial Data]
 * [SaaS, PaaS, and IaaS: A Security Checklist]

Previous Editions
Information Security 37th Edition Information Security 36th Edition Information Security 35th Edition Information Security 34th Edition Information Security 33rd Edition Information Security 32nd Edition Information Security 31st Edition Information Security 30th Edition Information Security 29th Edition Information Security 28th Edition Information Security 27th Edition

Page Footer Specific license terms for this content System Design Strategies 26th edition - An Esri ® Technical Reference  Document • 2009 (final PDF release)