Information Security 31st Edition

From wiki.gis.com
Jump to: navigation, search
System Design Strategies
System Design Strategies 31st Edition (Fall 2012)
1. System Design Process 2. GIS Software Technology 3. Software Performance 4. Server Software Performance
5. GIS Data Administration 6. Network Communications 7. GIS Product Architecture 8. Platform Performance
9. Information Security 10. Performance Management 11. System Implementation 12. City of Rome
A1. Capacity Planning Tool A2. ESD Planning tools A3. Acronyms and Glossary


Fall 2012 Information Security 31st Edition

This chapter provides an introduction to the purpose and scope of information security. Basic concepts are introduced for developing security solutions that meet your business needs. Esri's approach to enterprise security is adjusted based on customer needs, and information patterns share how to establish security measures appropriate for your organization.

Enterprise security can be a challenge for IT architects and security specialists. Until the last few years, entire IT systems were frequently designed around a single mission objective and a single "community of interest," normally supported with physically isolated systems, each with its own data stores and applications. New emerging standards are supported with more mature communication environments, more intelligent operating systems, and a variety of standard integration protocols enabling IT architects to design and maintain comprehensive organization-wide interactive enterprise solutions.

Recent industry advancements, especially in the areas of web service standards and service-oriented architectures, are enabling architects to more effectively satisfy enterprise security objectives. Esri's careful attention to these standards, coupled with an overall philosophy of providing highly interoperable software, provides security architects with a high level of flexibility, thus establishing trust for all Esri components contained in an enterprise solution.

A full discussion on enterprise security is beyond the scope of this chapter. The [Enterprise GIS Security Resource Center] provides unified access to security related information for enterprise solutions using Esri products.

CIA security triad

Figure 9-1 The CIA security triad provides overall guidance for enterprise security management.

Figure 9-1 shows the CIA triad. The core principals of information security management are represented by the CIA triad.

The CIA triad includes confidentiality, integrity, and availability.

  • Confidentiality is protection of "privileged" communications, restricting user access to core business information based on a "need to know" principle.
  • Integrity refers to the trustworthiness of business data resources and the associated information products generated over its entire life cycle.
  • Availability refers to ensuring the information system is functional when needed to support operational business requirements.

Information security industry standards will be identified and applied as mechanisms of protection and prevention in the following three main areas:

  • Hardware
  • Software
  • Communications

Protection and prevention will be implemented at three levels, or layers:

  • People (personal security)
  • Procedures (organizational security)
  • Products (physical security)
Best practice: The CIA triad is used to provide proper scope and focus for information security management.


Defense in depth

Figure 9-2 Defense in depth provides multiple layers of protection to defend against potential security risks.

Figure 9-2 shows the defense in depth concept. Defense in depth is an information assurance concept in which multiple layers of security controls (defenses) are placed throughout an IT system.

Examples of defense in depth:

  • Application functional limitations (view only)
  • Reverse proxy server (restrict port access)
  • Web application firewall (monitor traffic, restrict access, route traffic)
  • Web server (provide extra physical transmission layer)
  • ArcGIS for Server (restrict access to published services, user authentication, restricted data access)
  • Geodatabase server (restrict access to published services, user authentication, restricted table and row access, monitor traffic)

Idea behind defense in depth:

  • Defend a system using multiple varying protection methods.
  • Provide a comprehensive approach to information security.

Defense in depth seeks to delay advance of an attack:

  • Yield space in order to buy time without preventing proper access.
  • Prevent penetration and direct attacks by providing multiple layers of defense.
  • Prevent security breaches and buy time to detect and respond to an attack.
Best practice: Multiple layers of defense improve information security.
Warning: Do not expect a high level of protection from a single layer of defense.


Esri security strategy parallels IT trends

Figure 9-3 GIS security solutions are driven by technology change, following the patterns common to most standard IT trends.

Figure 9-3 shows security moving from an isolated product solution focus to addressing security on an enterprise level. Enterprise IT solutions are changing including more transparency, sharing, collaboration, and web access. Security policies are adapting to these changes.

Traditional systems

User workflow environment:

  • Limited enterprise integration
  • Primarily desktop or internal network solutions
  • Limited web access
  • Data entry provided by well-defined workflows

Security solutions focused on isolated systems:

  • Protecting discrete products and services
  • Protecting focused user workflow environments
  • Include third-party security additions

Enterprise security

User workflow environment:

  • Multiple clients and user locations
  • Multiple servers and data center locations
  • User collaboration across multiple integrated systems
  • Discretionary user grouping and sharing
  • Common interface with cloud-hosted services

Enterprise security solutions:

  • Integrated enterprise platforms and services
  • Multi-layered embedded security protection
  • Adaptive user-driven security controls
  • Include third-party security additions


Levels of security

Figure 9-4 Several levels of security are required to ensure protected business operations.

Figure 9-4 shows the levels of security. Multiple levels of security provide defense in depth.

Multiple levels of security:

  • Physical controls (fences, guards, locks, etc.)
  • Policy controls (administrative policies and procedures)
  • Technical controls (system configuration)

Types of technical controls:

  • Authentication (user identity strategy, user name and password, keycards, keywords, etc.)
  • Authorization (role-based access policies, access control rules, etc.)
  • Filters (routing based on group policy, active directory containers, user identity, etc.)
  • Encryption (scrabbling information for unreadable transmission or storage)
  • Logging (record of security-related transactions)

Technical controls implemented throughout physical system:

  • Application controls (LDAP, SSO, HTML content filters, validation checks, secure stored procedures)
  • Host/device controls (native authentication, LDAP, repository, hardening guides, HIDS)
  • Network controls (firewalls, NIDS, single socket layer - SSL, IPSEC)
  • Data controls (authentication, role-based access, row-level access, data file encryption)


Enterprise security strategy

Standards approach to security risk management.

Figure 9-5 Security risk management process diagram.

Figure 9-5 shows a standards approach to security risk management. Standard approaches to security risk management are well established and should be followed to ensure compliance.

Identify your security needs

  • Review industry security threats.
  • Assess your environment.
  • Evaluate risk to datasets and operational systems.
  • Determine sensitivity, categorization, and patterns of risk.

Review current security trends

Information security is a growing science

Review security options

  • Enterprise GIS Resource Center
  • Enterprise-wide security mechanisms
  • Application-specific options

Implement security as a business enabler

  • Improve appropriate availability of information.


Esri's security strategy

Figure 9-6 Text

Figure 9-6 shows Esri's security strategy. Esri's security strategy encourages secure enterprise GIS operations.

Deliver secure GIS products

Provide secure GIS solution guidance


Esri informal pattern selection

Figure 9-7 Classify your security needs based on your own security risk.

Your security needs are unique. Figure 9-7 shows the levels of security. Esri provides an approach to classifying the level of security required to manage your security risk.

Basic security
  • Minimum level of security investment.
  • Enables simple and lowest system cost.
  • Enables full access to internet data sources and Online services.
  • Provides optimum business environment for external collaboration.
  • Extends enterprise operations to include connected mobile applications.
  • Protects system from internet virus attacks.
Standard security
  • Moderate level of security investment.
  • Moderate increase in complexity and system cost.
  • Enables full access to Internet data sources and online services.
  • Provides optimum business environment for external collaboration.
  • Extends enterprise operations to include connected mobile applications.
  • Protects system from a variety of security risks.
Advanced security
  • Heavy level of security investment.
  • High increase in complexity and system cost.
  • Restricts access to Internet data sources and online services.
  • Eliminates external online collaboration.
  • Prevents most connected mobile applications.
  • Provides optimum protection to manage security risks.


Basic security needs

Figure 9-8 Esri basic security patterns represent the minimum level of enterprise security management.

Figure 9-8 shows a Basic security architecture. Basic security provides the minimum level of protection required for secure enterprise operations.

Common attributes:

  • Utilize data and API downloads from public clouds.
  • Secure services with ArcGIS token service.
  • Separate internal systems from Internet access with DMZ.
  • Implement web application firewall and reverse proxy and enforce HTTP communications across firewalls.


Standard security needs

Figure 9-9 Esri standard security patterns represent a moderate level of enterprise security management.

Figure 9-9 shows a Standard security architecture. Standard security provides moderate level of protection for secure enterprise operations.

Common attributes include:

  • Web application firewall on reverse proxy
  • Provide separate web service access for internal users
  • Dynamic ArcGIS tokens
  • LDAP or active directory services
  • Separate tiers with VLANs (web, database, and management)
  • Multi-factor authentication for external users
  • Separate management traffic connections
  • Redundant components
  • Local copies of all high-availability data
  • Install APIs on local ArcGIS for Server for internal users
  • Intrusion prevention/detection systems
  • Lock down ports, protocols, services (Hardening whitepaper)
  • Standardize system images (SMS whitepaper)
  • Host-based firewalls on systems
  • Browser plug-in restrictions


Advanced security needs

Figure 9-10 Esri advanced security patterns represent the highest level of enterprise security management.

Figure 9-10 shows an Advanced security architecture. Advanced security provides the highest level of protection for secure enterprise operations.

Common attributes include:

  • Minimal reliance on external data/systems
    • On-premise ArcGIS Online services (ArcGIS Online behind your firewall)
    • Data and services within data center or private cloud hosting
  • Separate web and database server for internal web services
  • Separate datasets (e.g., public, employees, employee subset)
  • Consider explicit labels
  • Clustered database with transparent data encryption (TDE)
  • Public key infrastructure (PKI) certificates
  • Local user access via multi-factor authentication.
    • Something the user knows (password, PIN)
    • Something the user has (ATM card, smart card)
    • Something the user is (biometric characteristic, such as a fingerprint)
  • Remote user access via hardware token multi-factor
  • Network connections redundant with IPSec between servers
  • Secure socket layer (SSL) or transmission layer security (TLS) between clients and servers (web and rich clients)
  • Network access control (NAC)


Choose a security standard

Figure 9-11 The most useful metric tools used by federal CISOs.

Figure 9-11 shows what tools the Federal Chief Information Security Officers (CIFOs) are using to manage their secure operations.

Recommended best practices:

  • Choose a security standard.
  • Perform an assessment relative to standard metrics.
Best practice: Perform on-going risk assessment. Document, document, document, and document.


Security in the cloud

Figure 9-12 Security in the cloud is one of the challenges facing security managers as they leverage new architecture capabilities.

Figure 9-12 shows the standard Cloud hosting patterns and user security practices. Security challenges in the cloud are familiar to any IT manager: loss of data, threats to the infrastructure, and compliance risk. What is new is the way these threats play out in a cloud environment.

ArcGIS in the cloud

Software as a Service (SaaS): Direct user interface for building services

  • ArcGIS Online (ArcGIS.com)
  • Business Analyst Online
  • ArcGIS Explorer Online

Platform as a Service (PaaS); Developer interface for building services

  • Esri web mapping APIs (JavaScript, Flex, Silverlight)
  • Microsoft Azure ArcGIS applications

Infrastructure as a Service (IaaS): IT administrator interface for building services

  • ArcGIS for Server on Amazon EC2
  • Terremark Cloud (now Verizon)
  • Private cloud

Cloud security is:

  • The response to a familiar set of security challenges that manifest differently in the cloud.
  • A set of policies, technologies, and controls designed to protect data and infrastructure from attack and enable regulatory compliance.
  • Layered technologies that create a durable security net or grid.
  • The joint responsibility of your organization and its cloud provider(s).

Cloud security is not:

  • A one-size-fits-all solution that can protect all your IT assets. In addition to different cloud delivery models, the cloud services you deploy will most likely require more than one approach to security.
  • A closed-perimeter approach or a "fill-the-gap" measure. Organizations can no longer rely on firewalls as a single point of control, and cobbling together security solutions to protect a single vulnerability may leave you open in places you do not suspect.
  • Something you can assume is provided at the level you require by your cloud service providers. Make sure you spell out and can verify what you require.
Warning: Cloud computing security is a broad topic with hundreds of considerations: from protecting hardware and platform technologies in the data center to enabling regulatory compliance and defending cloud access through different end-point devices.


Enterprise security firewall patterns

Web firewall best practices

Figure 9-13 The web firewall configuration practices depend on your security needs and proper technology deployment.

Figure 9-13 shows best practices for firewall protection. Firewall configurations are provided to support communication between various levels of security. The effectiveness of your firewall configuration will depend on proper technology implementation.

Esri provides guidance and recommendations for different security patterns based on your security needs.

Best practice: Security in depth provides multiple layers of defense between public access and protected data resources.

Public services should be deployed on separate servers from sensitive private internal services.

  • Minimum recommendation is to separate in-bound traffic on separate web servers.
  • ArcGIS 10.1 for Server can deploy private and public services on separate GIS server sites.
  • Separate publication dataset from production server for optimum protection.

High-availability services avoid a single point of failure.

  • Multiple servers ensure system is operational when one server is down.
  • Multiple online copies of operational data ensure continued operations with loss of one copy.
  • Point-in-time backups are critical—most data corruptions are caused by procedural error.
  • Backup copy of critical data should be stored off-site.


Web services with proxy server

Figure 9-14 A reverse proxy server provides a minimum level of protection for web publishing.

Figure 9-14 shows ArcGIS web services with proxy server. Reverse proxy servers hide the existence and characteristics of the internal application server.

Best practice: Basic security: Internal web server components can be installed on a single server tier to reduce cost.

ArcGIS 10 for Server reverse proxy architecture:

  • Web client sends request to web server in DMZ.
  • DMZ web server send request to reverse proxy for routing to private web servers
  • Private web server sends request to the Server Object Manager: SOM.
  • Server Object Manager assigns request to available service instance located in a Server Object Container: SOC.
  • Service instance executables access required data sources and service the request.
  • ervice instance output is delivered back to the web client.
Warning: SOM service instance assignment is made by assigning a DCOM port for communications between the private web server and the service instance. DCOM communications should not be transmitted across a firewall.

ArcGIS 10.1 for Server reverse proxy architecture:

  • Web client sends request to web server in the DMZ.
  • DMZ web server sends request to reverse proxy for routing to private GIS servers.
Best practice: ArcGIS for Server web adaptor will provide reverse proxy and load balancing to the private GIS server site.
  • GIS server distributes (load balances) in-bound requests to available service instance located within the GIS server site.
  • Service instance executables access required data sources and service the request.
  • ervice instance output is delivered back to the web client.

Additional functionality

  • Application firewall features can protect against common web-based attacks. Without a reverse proxy, removing malware or initiating takedowns, for example, can become difficult.
  • In the case of secure websites, the SSL encryption is sometimes not performed by the web server itself, but is instead off-loaded to a reverse proxy that may be equipped with SSL acceleration hardware.
  • A reverse proxy can distribute the load from incoming requests to several servers, with each server serving its own application area. In the case of reverse proxying in the neighborhood of web servers, the reverse proxy may have to rewrite the URL in each incoming request, in order to match the relevant internal location of the requested resource.
  • A reverse proxy can reduce load on its origin servers by caching static content, as well as dynamic content. Proxy caches of this sort can often satisfy a considerable amount of website requests, greatly reducing the load on the origin server(s). Another term for this is web accelerator.
  • A reverse proxy can optimize content by compressing it in order to speed up loading times.
  • Reverse proxies can be used whenever multiple web servers must be accessible via a single public IP address. The web servers listen on different ports in the same machine, with the same local IP address or, possibly, on different machines and different local IP addresses altogether. The reverse proxy analyzes each incoming call and delivers it to the right server within the local area network.


Web service components in DMZ (Replicated DBMS)

Figure 9-15 Web service components and published data sources provided in the DMZ.

Figure 9-15 shows ArcGIS web service components and the DBMS in the DMZ. Replicating data sources and publishing web services in the DMZ provides optimum protection for private network resources.

Best practice: Basic security: Web server DMZ components can be installed on a single server tier to reduce cost.

ArcGIS 10 for Server DMZ architecture:

  • Web client sends request to web server in DMZ
  • DMZ web server sends request to the Server Object Manager (SOM).
  • Server Object Manager assigns request to available service instance located in a Server Object Container (SOC).
  • Service instance executables access required data sources and service the request.
  • Service instance output is delivered back to the web client.

ArcGIS 10.1 for Server reverse proxy architecture:

  • Web client sends request to web server in DMZ.
  • DMZ web server sends request to GIS servers.
Best practice: ArcGIS for Server web adaptor will provide reverse proxy and network load balancing protecting administrative access to the GIS server site.
  • GIS server distributes (load balance) in-bound requests to available service instance located within the GIS server site.
  • Service instance executables access required data sources and service the request.
  • Service instance output is delivered back to the web client.
Best practice:Web application server installed with the web server can enhance web service security.


Web service components in the DMZ (Internal DBMS)

Figure 9-16 Web service publishing in the DMZ with firewall access to the internal DBMS avoids replicated production data across the firewall.

Figure 9-16 shows ArcGIS web services with service components in the DMZ accessing an internal DBMS data source. Publishing web services in the DMZ with firewall access to DBMS can provide moderate security protection.

Best practice: Basic security: Web server DMZ components can be installed on a single server tier to reduce cost.

Providing a disk mount to an internal file share (cached map services) does not provide a secure connection. File-based data must be replicated to DMZ for this deployment option.

ArcGIS 10 for Server DMZ architecture

  • Web client sends request to web server in DMZ.
  • DMZ web server sends request to the Server Object Manager (SOM).
  • Server Object Manager assigns request to available service instance located in a Server Object Container (SOC).
  • Service instance executables accesses required data sources and service the request.
Best practice: Database ports are opened through the firewall to provide service instance access to DBMS data resources. Normal communications with the DBMS flow through published map services.
Warning: Some security officers find this solution not acceptable because it provides direct access to the DBMS from the DMZ.
  • Service instance output is delivered back to the web client.

ArcGIS 10.1 for Server reverse proxy architecture

  • Web client sends request to web server in DMZ.
  • DMZ web server sends request to GIS servers.
Best practice: ArcGIS for Server web adaptor will provide reverse proxy and network load balancing, protecting administrative access to the GIS server site.
  • GIS server distributes (load balance) in-bound requests to available service instance located within the GIS server site.
  • Service instance executables accesses required data sources and service the request.
Best practice: Database ports are opened through the firewall to provide service instance access to DBMS data resources. Normal communications with the DBMS flow through published map services.
Warning: Some security officers find this solution not acceptable because it provides direct access to the DBMS from the DMZ.
  • Service instance output is delivered back to the web client.
Best practice: Web application server installed with the web server can enhance web service security.


Security strategy overview

Figure 9-17 Security is important to ensure effective business operations.

Figure 9-17 shows a summary of security facts and recommended actions. Security is everybody's job, there is no exception. The world is not a secure environment, and you need to keep your eyes and minds open to the threats around you.

There is no single solution for security.

  • There are costs and trade-offs that must be made to support an optimum solution.
  • Too much security controls can reduce productivity and increase cost.
  • Too little attention and control can result in loss of property and the ability to perform.
Best practice: Finding the right balance is important, and the right solution can be a moving target.

Security resources


Previous Editions

Information Security 30th Edition (Fall 2011)
Information Security 29th Edition (Spring 2011)
Information Security 28th Edition (Fall 2010)
Information Security 27th Edition (Spring 2010)

System Design Strategies
System Design Strategies 31st Edition (Fall 2012)
1. System Design Process 2. GIS Software Technology 3. Software Performance 4. Server Software Performance
5. GIS Data Administration 6. Network Communications 7. GIS Product Architecture 8. Platform Performance
9. Information Security 10. Performance Management 11. System Implementation 12. City of Rome
A1. Capacity Planning Tool A2. ESD Planning tools A3. Acronyms and Glossary


Page Footer
Specific license terms for this content
System Design Strategies 26th edition - An Esri ® Technical Reference Document • 2009 (final PDF release)