Information Security - 27th Edition (Spring 2010)
This section provides an introduction to the types of security measures that should be considered in supporting enterprise operations. Implementation needs vary based on the type of operations and the associated threat environment.
Enterprise security can be a challenge for IT architects and security specialists. Until the last few years, entire IT systems were frequently designed around a single mission objective and a single "community of interest" normally supported with physically isolated systems, each with its own data stores and applications. New emerging standards are supported with more mature communication environments, more intelligent operating systems, and a variety of standard integration protocols enabling IT architects to design and maintain comprehensive organization-wide interactive enterprise solutions.
Recent industry advancements, especially in the areas of Web service standards and service-oriented architectures, are enabling architects to more effectively satisfy enterprise security objectives. ESRI's careful attention to these standards, coupled with an overall philosophy of providing highly interoperable software, provides security architects with a high level of flexibility, thus establishing trust for all ESRI components contained in an enterprise solution.
A full discussion on enterprise security is beyond the scope of this document. The ArcGIS Security Resource Center provides unified access to Security related information for enterprise solutions using ESRI products.
- 1 Security and Control
- 2 Selecting the Right Security Solution
- 3 Web Firewall Configuration Alternatives
Security and Control
Application Security encompasses measures taken to prevent exceptions in the security policy of applications or the underlying system (vulnerabilities) through flaws in the design, development, or deployment of the application. The development of security and control procedures for the custom applications are based on COTS functionality provided by Windows OS, ArcGIS, RDBMS, and HTTP protocols:
Windows Access Control List (ACL), which provides for mandatory system wide access control through role based access control where permissions are assigned to roles and roles are assigned to users.
Through ACLs for file systems, Access Control Entries (ACEs) can be defined for group rights to specific system objects, such as applications, processes, or files. These privileges or permissions determine specific access rights, such as whether a user can read from, write to, execute, or delete an object.
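The role-based ACL evaluation described above, as an added example that is not ESRI's or Windows' code: each ACE grants or denies a set of rights to a role, roles are assigned to users, and an explicit deny entry overrides any allow entry (the ordering rule Windows applies to discretionary ACLs). The object name, role names and user names are constructed sample data.

```python
# Added example (not ESRI's code): a minimal model of a Windows-style ACL.
# An ACE grants or denies a set of rights to a role; roles are assigned to
# users; any matching DENY entry wins over ALLOW entries.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ACE:
    role: str
    rights: frozenset      # subset of {"read", "write", "execute", "delete"}
    allow: bool = True     # False makes this a deny entry


@dataclass
class SecuredObject:
    name: str
    acl: list = field(default_factory=list)   # ordered list of ACE


# Constructed sample role membership (role -> users).
ROLE_MEMBERS = {
    "gis_editors": {"alice", "bob"},
    "gis_viewers": {"alice", "bob", "carol"},
    "contractors": {"bob"},
}


def roles_of(user):
    """All roles the user belongs to (empty set for an unknown user)."""
    return {role for role, members in ROLE_MEMBERS.items() if user in members}


def check_access(obj, user, right):
    """Return True if `user` holds `right` on `obj`.

    Any deny ACE for one of the user's roles that names the right refuses
    access outright; otherwise at least one allow ACE must grant it.
    A user with no matching ACE at all is denied by default.
    """
    user_roles = roles_of(user)
    relevant = [ace for ace in obj.acl
                if ace.role in user_roles and right in ace.rights]
    if any(not ace.allow for ace in relevant):
        return False
    return any(ace.allow for ace in relevant)


# Constructed sample ACL on a hypothetical geodatabase file.
parcels = SecuredObject("parcels.gdb", acl=[
    ACE("gis_viewers", frozenset({"read"})),
    ACE("gis_editors", frozenset({"read", "write"})),
    ACE("contractors", frozenset({"write", "delete"}), allow=False),
])

if __name__ == "__main__":
    for user, right in [("alice", "write"), ("bob", "write"),
                        ("carol", "read"), ("carol", "write")]:
        print(f"{user:6} {right:6} -> {check_access(parcels, user, right)}")
```

Bob is both an editor (allowed to write) and a contractor (denied write); the deny entry decides, which is the behaviour an administrator relies on when carving exceptions out of a broad grant.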
ArcGIS controls for client or Web applications are mechanisms implemented through ArcGIS out-of-the-box configuration, custom application enhancement (using ArcObjects), or the ArcGIS Web client. The following application controls are available in the ArcGIS enterprise environment. Custom control extensions can be used to implement technologies such as identity management (IM) and access control; these extensions are developed using the ArcObjects development interface. ArcGIS gives the user the ability to restrict ArcGIS client operations (edit, copy, save, print) or to control user access to various data assets based on their role.
GML is an XML schema used for modeling, transporting, and storing geographic information. ArcObjects, utilizing GML and RDBMS storage functionality, offers a framework and method for auditing controls in ArcGIS multi-user geodatabase environments. A detailed history of GIS workflow activities can be recorded in a GML structure and stored in the RDBMS. In addition to recording who performed the edit, activities can be supplemented with comments and notes to provide a traceable, documented, activity log containing before-edit, after-edit, and edit justification history.
Integrated operating system authentication and single sign-on (SSO) are two security infrastructures that can be leveraged by ArcObjects applications to authenticate against and connect to ArcGIS products using user names and passwords managed in a centralized location. This location can be an encrypted file, an RDBMS table, a Lightweight Directory Access Protocol (LDAP) server, or a combination of RDBMS tables and an LDAP server. The primary intent is to insulate users from having to continually authenticate themselves. This technique relies on users' authentication into their desktop workstation (integrated operating system authentication) or the organization's SSO infrastructure.
Native authentication by ArcSDE and the RDBMS. Strong authentication controls can be established between ArcGIS and system components through the use of native authentication, allowing the user to be authorized by downstream systems. ArcSDE using the direct connect architecture supports native Windows authentication from the ArcGIS client connecting to the RDBMS. The direct connect configuration allows ArcGIS clients to leverage RDBMS connectivity functionality. Deployed using the two-tier ArcSDE architecture configured with an RDBMS SSL transport layer, native authentication provides an encrypted communication channel between the trusted operating system and the RDBMS.
SSL is a protocol that communicates over the network through the use of public key encryption. SSL establishes a secure communication channel between the client and server. Encryption functionality of the RDBMS converts clear text into cipher text that is transmitted across the network. Each new session initiated between the RDBMS and the client creates a new public key, affording increased protection. Utilizing ArcSDE in a direct connect configuration eliminates the use of the ArcSDE application tier by moving the ArcSDE functionality from the server to the ArcGIS client. By moving the ArcSDE functionality from the server to the client (dynamic link library), the client application is enabled to communicate directly to the RDBMS through the RDBMS client software. ArcSDE interpretations are performed on the client before communication to the RDBMS. This provides the client application the ability to leverage network encryption controls supplied by the RDBMS client.
IPSec is a set of protocols that secures the exchange of packets between the ArcGIS client and the RDBMS server at the IP level. IPSec uses two protocols to provide IP communication security controls: authentication header (AH) and encapsulation security payload (ESP). The AH offers integrity and data origin authentication. The ESP protocol offers confidentiality.
Intrusion detection is available for ArcGIS users: network-based intrusion detection analyzing network packets flowing through the network, or host-based intrusion monitoring operating on a specific host.
Feature level security implemented in parallel with ArcSDE allows the Lands Department to assign privileges at the feature level, restricting data access within the geodatabase object. RDBMS Feature-level security is based on the concept of adding a column to a table that assigns a sensitivity level for that particular row. Based on the value in that column, the RDBMS determines, through an established policy, whether the requesting user has access to that information. If the sensitivity level is met, the RDBMS allows access to the data; otherwise, access is denied.
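The sensitivity-column policy described above, as an added example that is not ESRI's code and not a particular RDBMS's row-level security feature: the store is modelled with Python's sqlite3 module, each feature row carries a sensitivity value, each user has a clearance level, and the policy layer joins the requester's clearance into the query predicate so that rows above the clearance are never returned. Table names, users and parcel records are constructed sample data.

```python
# Added example (not ESRI's code): feature-level (row-level) security modelled
# in sqlite3. Rows carry a sensitivity column; the policy compares it with the
# requesting user's clearance. An unknown user gets no rows (deny by default).
import sqlite3

SENSITIVITY = {"public": 0, "internal": 1, "restricted": 2}


def build_db():
    """Create an in-memory geodatabase stand-in with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE parcels (
            objectid    INTEGER PRIMARY KEY,
            owner       TEXT    NOT NULL,
            sensitivity INTEGER NOT NULL   -- 0 public, 1 internal, 2 restricted
        );
        CREATE TABLE clearance (
            username TEXT    PRIMARY KEY,
            level    INTEGER NOT NULL
        );
    """)
    conn.executemany("INSERT INTO parcels VALUES (?, ?, ?)", [
        (1, "City park",          SENSITIVITY["public"]),
        (2, "Water utility yard", SENSITIVITY["internal"]),
        (3, "Police depot",       SENSITIVITY["restricted"]),
        (4, "Library",            SENSITIVITY["public"]),
    ])
    conn.executemany("INSERT INTO clearance VALUES (?, ?)", [
        ("public_viewer",    SENSITIVITY["public"]),
        ("planner",          SENSITIVITY["internal"]),
        ("security_officer", SENSITIVITY["restricted"]),
    ])
    conn.commit()
    return conn


def visible_parcels(conn, username):
    """Policy-enforcing query.

    The requester's clearance is joined into the statement itself rather than
    filtered in application code, so a caller cannot simply omit the filter;
    a username with no clearance row joins to nothing and sees nothing.
    """
    return conn.execute("""
        SELECT p.objectid, p.owner
        FROM parcels AS p
        JOIN clearance AS c ON c.username = ?
        WHERE p.sensitivity <= c.level
        ORDER BY p.objectid
    """, (username,)).fetchall()


def visible_ids(conn, username):
    """Just the object IDs the user may see, for easy comparison."""
    return [objectid for objectid, _ in visible_parcels(conn, username)]


if __name__ == "__main__":
    db = build_db()
    for user in ("public_viewer", "planner", "security_officer", "nobody"):
        print(f"{user:17} -> {visible_ids(db, user)}")
```

In a production RDBMS the same predicate would live in a policy or view that the database attaches to every query against the table, which is what makes the control independent of the ArcGIS client or custom application issuing the request.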
Data file encryption can be used by the ArcSDE direct connect architecture by using a data encryption "add-in" in the RDBMS which works with ArcGIS products accessing an RDBMS as a data store, custom ArcObjects applications, and custom non-ESRI technology-based applications using the ArcSDE C and Java APIs to access non-versioned data.
RDBMS privileges. The RDBMS assigns SELECT, UPDATE, INSERT, and DELETE privileges to either a user or a role. The ArcSDE command line and ArcCatalog leverage the RDBMS privilege assignment functionality and provide an interface that allows the administrator to assign privileges.
HTTP authentication is a mechanism by which an HTTP authentication method is used to verify that someone is who they claim to be. The standard methods of HTTP authentication integrated with ArcGIS Web applications are the basic, digest, form, and client certificate methods. Basic authentication involves protecting an HTTP resource and requiring a client to provide a user name and password to view that resource. Digest authentication also involves protecting an HTTP resource by requesting that a client provide user name and password credentials; however, the digest mechanism encrypts the password provided by the client to the server. Form-based authentication is identical to basic except that the application programmer provides the authentication interface using a standard HTML form. Client certificate is the most secure authentication method in that it uses the organizational PKI environment to provide and authenticate digital certificates for both client and server.
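The difference between the basic and digest methods described above, as an added example that is not ESRI's code: the Basic header carries the password in a reversible encoding, while the Digest response is a hash computed over a server-issued nonce following RFC 2617 (qop="auth"), so the server can verify it from a stored HA1 value without ever seeing the clear password. The realm, account, nonce handling and request URI are constructed assumptions.

```python
# Added example (not ESRI's code): Basic vs. Digest HTTP authentication.
# Digest uses MD5 because that is the algorithm RFC 2617 specifies.
import base64
import hashlib
import secrets

REALM = "gis-portal"    # hypothetical realm


def ha1(username, password):
    """RFC 2617 HA1 = MD5(username:realm:password)."""
    return hashlib.md5(f"{username}:{REALM}:{password}".encode()).hexdigest()


# Constructed credential store: the server keeps only HA1, which is all it
# needs to verify Digest responses.
USERS_HA1 = {"alice": ha1("alice", "correct horse battery staple")}

_issued_nonces = set()   # nonces this server handed out in 401 challenges
_accepted = set()        # (nonce, nc) pairs already used, to reject replays


def issue_nonce():
    """Server side: mint a fresh nonce for a WWW-Authenticate challenge."""
    nonce = secrets.token_hex(16)
    _issued_nonces.add(nonce)
    return nonce


def basic_header(username, password):
    """Client side: what a Basic Authorization header contains."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic(header):
    """What anyone who sees an unencrypted Basic exchange can recover."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, pwd = base64.b64decode(token).decode().partition(":")
    return user, pwd


def _ha2(method, uri):
    return hashlib.md5(f"{method}:{uri}".encode()).hexdigest()


def digest_response(username, password, method, uri, nonce, nc, cnonce):
    """Client side: the Digest 'response' field for qop=auth."""
    data = f"{ha1(username, password)}:{nonce}:{nc}:{cnonce}:auth:{_ha2(method, uri)}"
    return hashlib.md5(data.encode()).hexdigest()


def verify_digest(username, method, uri, nonce, nc, cnonce, response):
    """Server side: verify using only the stored HA1.

    Rejects nonces the server never issued and (nonce, nc) pairs already
    accepted, so a captured Authorization header cannot be replayed.
    """
    if nonce not in _issued_nonces or (nonce, nc) in _accepted:
        return False
    stored = USERS_HA1.get(username)
    if stored is None:
        return False
    expected = hashlib.md5(
        f"{stored}:{nonce}:{nc}:{cnonce}:auth:{_ha2(method, uri)}".encode()
    ).hexdigest()
    if not secrets.compare_digest(expected, response):
        return False
    _accepted.add((nonce, nc))
    return True


if __name__ == "__main__":
    print(decode_basic(basic_header("alice", "correct horse battery staple")))
    n = issue_nonce()
    r = digest_response("alice", "correct horse battery staple",
                        "GET", "/arcgis/rest", n, "00000001", "0a1b2c")
    print(verify_digest("alice", "GET", "/arcgis/rest", n, "00000001", "0a1b2c", r))
```

Digest keeps the password off the wire, but the hash still reveals nothing more than that; over HTTPS, both methods are protected by the transport and the choice becomes one of credential storage and client support, which is why the page ranks client certificates above both.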
Enterprise Security Strategies
Desktop and network operating systems should require user identification and password based on defined system access privileges. Networks can include firewalls that restrict and monitor content of communications, establishing different levels of access criteria for message traffic. Communication packets can be encrypted (Secure Sockets Layer [SSL]) to deny unauthorized information access, even if the data is captured or lost during transmission. Specific content exchange criteria can be established between servers (IPSec) to restrict communication flow and to validate traffic sources. Traffic activity can be monitored (intrusion detection) to identify attempts to overcome security protection. Data can be protected on disk to avoid corruption or prevent access as appropriate (encryption). Database environments provide access control (privileges) and row-level security. A combination of these security techniques throughout the information flow can provide the highest level of protection.
Web Application Architecture
Standard firewall, SSL, IPSec, intrusion detection, data file encryption, and RDBMS security solutions continue to support Web operations. Additional security can be implemented to protect and control HTTP communications; basic and digest authentication and implementation of digital certificate authentication (PKI) procedures promote secure communications and support restricted user access to published Web applications. Secure HTTP protocols (HTTPS) encrypt data transfers supporting a higher level of communication protection. Web applications can assume user rights for data access (impersonation), and options for passing user authentication (single sign-on [SSO]) for database access enhance security and control access to the data source.
Web Services Architecture
The greatest number of security controls is available when deploying an enterprise service-oriented architecture (SOA). Protection provided by the Web application architecture supports an SOA, and additional options are available to enhance access controls. Client applications can include additional security features to ensure proper use and control. Additional Web services security (WS-Security) solutions can be implemented to support user authentication and restrict access to Web services. Web Services Enhancements (WSE) are specific Web services security implementations supported through Web server technology. Secure HTTP communications encrypt data transmissions and improve communication security.
Selecting the Right Security Solution
Security solutions are unique to each client situation. The right security solution depends on your enterprise risks and your selection of enterprise controls. The challenge is to implement reasonable and appropriate security controls. It is important to maintain and support a current security risk assessment, establish security guidelines and controls, and perform on-going security audits to ensure objectives are being maintained.
Security comes with a price. Understanding the specific security risk and applying the appropriate security controls can reduce overall cost and provide the best operational solution.
Web Firewall Configuration Alternatives
Firewall configurations are provided to support communication between various levels of security. A number of firewall configuration options are identified here, based on the location of the ArcIMS or ArcGIS Server software components. An ESRI white paper, Security and ArcIMS, addresses configuration options for secure ArcIMS environments. This paper is available from the ESRI Resource Center at http://resources.esri.com/enterprisegis/index.cfm?fa=security.main.
The remaining discussion addresses available Web services firewall configuration strategies. Advantages and disadvantages of each configuration are discussed. Understanding the available configuration options and associated implications can help the security architect select the best solution for supporting enterprise security needs.
Web Services with Proxy Server
Web Application in the DMZ, Remainder of the Web Services Components on the Secure Network
All Web Services Components in DMZ
All Web Services Components in DMZ except Data Server
All Web Services Components on the Secure Network