Post on 19-Sep-2020
Esri Managed Cloud Servicesand FedRAMP
Erin Ross & Michael Young
February 9–10, 2015 | Washington, DC
Federal GIS Conference
Agenda
• Esri Managed Services Program Overview• Example Deployments• New FedRAMP Compliant Option• Esri Managed Cloud Services FedRAMP Process• Esri Managed Cloud Services Security Infrastructure• How to Get Started• Summary
Program Overview
ArcGIS Cloud Options
SaaS
PaaS
IaaS
ArcGIS Online or Custom Esri Apps and Data on fully
Managed Cloud Services
ArcGIS for Server on Esri managed cloud infrastructure
ArcGIS for Server images availableto use on cloud infrastructure
ArcGIS for Server on [Fill in the Blank]
• Supported on multiple cloud platforms
- Virtual or bare metal
• Full ArcGIS for Server capabilities
• User-provisioned cloud infrastructure resources
• Pay for what you use
• BYOL or ArcGIS term licensing available
ArcGIS Online
• Create, share, collaborate
• Subscription-based
- Named User
- Credits – pay as you go
• Updates and enhancements occur behind the scenes
Esri Managed Cloud Services
• Cloud-based GIS infrastructure support, including:
- Enterprise system design
- Infrastructure management
- Software (Esri & 3rd Party) Installation, updates and patching
- Application deployment
- Database management
- 24/7 support and monitoring
ArcGIS Deployment Models
On-Premises
Users
AppsAnonymous
Access
Server
Esri Managed Cloud Services
PortalArcGIS Online
Server
Portal
Benefits of Esri Managed Cloud Services
Cloud GIS experts managing your critical apps and content
– Increase efficiency and business focus –
– High availability, quality and performance –
– Reduce internal costs –
– Preserves data integrity, privacy and availability–
– Increase usage and productivity –
How is it delivered? Available on GSA
Basic Packages “Sandbox”
• Ready to use cloud instance of ArcGIS for Server• Remote access provided to user
Ideal for development, prototyping...
Standard, Advanced, Advanced Plus Packages
• Esri loads, publishes and deploys on behalf of customer• 24/7 system monitoring and support• Ideal for production systems (internal or public facing)
ProductionStaging
Dev
Test
Example Deployments
USGS Historical Topographic Maps
• More than 175,000 topographic maps published by the USGS since 1884
• 22 TB data x 2 for redundancy
• 1.6 million hits during Esri User Conference
• Consumed by several apps; premium service available in ArcGIS Online
Constellation Brands
Equipping staff with valuable information to increase sales
• Improve sales by leveraging tools to drive volume and revenue
• 4th of July deadline
• 2.7M records updated 2x / week via scripted tools
Power Outage Viewers
Bringing critical outage information to the general public
• Highly available, scalable systems ready to perform during major events
• Frequent, automated data updates
Hurricane Sandy
• 14 additional servers (17 total)• Central Maine Power - 34 million hits over 3 days• New York State Electric & Gas – 76 million hits over 3 days
2/10/2014 -11:30 amPeak Sandy Hours
Maine – October 29
Maine – October 30
Maine – Ocbober 31
Maine – November 1
Maine – November 2
Who else uses Esri Managed Cloud Services?
• 80+ customers• Leveraged across many sectors• Manage over 500 servers, several TB of data
Michael Young
New FedRAMP Compliant Offering
Federal Geospatial Cloud Security Compliance Roadmap
Esri has actively participated in hosting and advancing secure compliant solutions for over a decade
2010 2011 2012 2013 2014
Feb 2010Kundra Announces FedRAMPSecurity Working Group concept announced
June 2014ArcGIS Online FISMA AuthorizationUSDA Issues ATO to Esri
June 2014OMB FedRAMP MandateFedRAMP now required for all cloud solutions covered by policy memo
May 2013First Agency AuthorizationHHS Issues ATO to Amazon
2012 2013 2014 2015 2016
Jan 2015EMCS FedRAMP CompliantSignoff by FedRAMP Director
Dec 2011Esri Federal Cloud Computing Security WorkshopEsri works with Agencies &FedRAMP to plan SaaSCompliance
Planned for 2015ArcGIS Online Hosted Feature Services AuthorizationDOI working with Esri towards Authorization
PlannedArcGIS OnlineFedRAMPAuthorization
May 2010Esri Participates in First Cloud Computing ForumEsri begins active involvement in cloud standards & security programs
2002… 2005…
2002FISMA Law EstablishedRequired security baselines for Federal systems
Aug 2005Esri GOS2 FISMAAuthorizationDOI Issues ATO to Esri
FedRAMP
• What does FedRAMP do?- Replace varied and duplicative procedures across government by providing agencies with a
standard approach for conducting security assessments of cloud services
• What is core of FedRAMP?- An accepted set of baseline security controls and consistent processes that have been
vetted and agreed upon by agencies across the government
• Why did Esri pursue FedRAMP Compliance?- Customers demanded FedRAMP compliance before rolling out future production operations- Customer risk has been increasing rapidly without security infrastructure - OMB mandate all low and moderate impact cloud services leveraged by more than one office
or agency must comply with FedRAMP requirementsAccelerates Review and Acceptance of Cloud Based Services
FedRAMPGovernment Entities
Cross Government Support
EMCS FedRAMP Benefits
What does EMCS provide?
• Contingency planning and risk management
• Patch and key management
• Data encryption and intrusion detection
• System logging and reporting
• Centralized identity and access management
• Regular security audits
• Well documented policies and procedures
• Penetration testing and vulnerability scanning
• CONTINUOUS MONITORING!
What are the benefits?
• Preserve data integrity
• Protect sensitive datasets
• Ensure availability and reliability
• Builds assurance and awareness
• Save costs by embracing “Cloud First”
• Shift the burden of managing enterprise GIS
systems to the experts
FedRAMPWhat is the process?
Risk Management Framework (RMF) centric process
Esri Managed Cloud Services FedRAMP Documentation
• FIPS 199• Control Implementation Summary (CIS)• System Security Plan (SSP)• Information System Security Policies• User Guide• E-Authentication Template• Privacy Threshold Analysis (PTA) • Rules of Behavior (ROB)• IT Contingency Plan
1000’s of pages ensuring rigorous security
• Security Assessment Plan (SAP)• Test Case Workbook• Security Assessment Report (SAR)• Plan of Action and Milestone (POA&M)• Policies and procedures• Business Impact Analysis• Configuration Management Plan• Incident Response Plan• Interconnection Security Agreement (ISA / MOU)• Penetration Test Plan
EMCS FedRAMP Assessment
• Cloud Security Assessor Veris Group- Third Party Assessment Organization (3PAO) accredited by FedRAMP- 1st to successfully inspect FedRAMP CSP Supplied, JAB, and Agency Approved Solutions- 5 month engagement- Three months of active Technical and Documentation assessments
- System level scans- Web Interface scans- Database scans- Penetration testing
• FedRAMP Advisor – Relevant Technologies- Laura Taylor - Wrote the initial Guide to Understanding FedRAMP
Great advisors and skilled assessors keep the effort focused
EMCS FedRAMP Authorization
• 3 Baseline Security Control Levels- Low, Moderate*, High in draft
• 3 Status Levels- Ready, In Process, Compliant*
• 3 FedRAMP Authorization Levels- Cloud Service Provider (CSP) Supplied*- Agency Authorization To Operate (ATO)- Joint Agency Board (JAB) Provisional Authority To Operate
• Esri Managed Cloud Services is- FedRAMP Moderate- FedRAMP Compliant- CSP Supplied offering
EMCS CSP Supplied Package can be consumed by your Agency
EMCS FedRAMP Continuous Monitoring
Ensures maintenance of acceptable risk posture
FedRAMP Reporting WorkflowMonitoring Workflow
Esri Managed Cloud Services Security Infrastructure
Esri Managed Cloud Services - Security Infrastructure
• Most government systems- Require moderate security baseline controls
• Most geospatial information sets- Only require low baseline controls- ArcGIS Online Low FISMA is adequate for many customer use cases
• Esri Managed Cloud Services FedRAMP Infrastructure Design Goals- Consumable by the widest range of customers
- Amazon East-West Regions – Not limited to GovCloud- Drive down customer expenses for secure, compliant geospatial services
- Customer’s can choose level of multi-tenancy vs dedicated services they are comfortable with- Meet and exceed current rigorous FedRAMP requirements for cloud services
- First geospatial platform to be compliant with FedRAMP Rev 4 requirements
Overview
A balance of robust security and business requirements drove infrastructure choices
Cloud InfrastructureHypervisor, TCP/IP, Network ACLs, Routing, Storage, Hardware
Esri Managed Cloud Services - Security Infrastructure
Web Application FirewallWAF
ArcGIS for Portal
ArcGIS Server
Intrusion DetectionIDS / SIEM
Centralized ManagementBackup, CM, AV, Patch, Monitor
Authentication/AuthorizationLDAP, DNS, PKI
AWS
Customer Infrastructure
Public-FacingGateway
Security Ops Center(SOC)
Esri Administrators
End Users
Dedicated Customer Application
Infrastructure
Common SecurityInfrastructure
Active/Active Redundant across two Cloud Data Centers
Agency Application Security
Relational Database
Esri AdminGateway Common Cloud
Infrastructure
Bastion GatewayMFA
Security ServiceGateway
DMZ
File Servers
Legend Cloud Provider
Cloud InfrastructureHypervisor, TCP/IP, Network ACLs, Routing, Storage, Hardware
Esri Managed Cloud Services - Security InfrastructureFoundation built on FedRAMP Rev 4 Security controls
First Geospatial solution to be assessed for compliance against latest cloud security controls
Esri Managed Cloud Services - Security Infrastructure (cont.)
• Formalize Policies and Procedures
• Incorporate Security Components- Intrusion Detection System (IDS)- Web Application Firewall (WAF)- Multi-factor Authentication – NSA Suite B alignment- Bastion Gateway / Jump Hosts – Reduce administrative interface attack surface- Centralized advanced server and application monitoring and updates
• Incorporate Security Hardening Standards- Utilize pre-existing Center for Internet Security (CIS) benchmarks as feasible- Create a draft ArcGIS Server 10.3 STIG
Technical, Operational, and Managerial Components
Esri Managed Cloud Services - Security Infrastructure (cont.)DISA STIG for ArcGIS Server 10.3
Draft STIG Settings Provided to DISA - Undergoing SME Review
Esri Managed Cloud Services - Security Infrastructure (cont.)Separation of duties
Managed by certified experts in their field
Applications managed byCertified ArcGIS Platform Experts
Security Operating Center backed by Certified Security Experts
How to get started
How do I get started?
• Express an interest in service offering and let your security team know EMCS is FedRAMP compliant
• Agency Authorized FedRAMP Approver can facilitate download and review of FedRAMP package for EMCS @
- http://cloud.cio.gov/fedramp/agency- If you are unsure of your FedRAMP approver email the FedRAMP
PMO: info@FedRAMP.gov
• What else is available outside FedRAMP repository?- Cloud Security Alliance (CSA) answers for EMCS coming
• Complete Agency Authority To Operate (ATO)- Utilize pre-existing EMCS and AWS FedRAMP moderate docs
Simplifies obtaining an ATO for your organization
Erin RossSummary
Summary
• Esri Managed Cloud Services is FedRAMP compliant
• Esri has experts available to support your cloud GIS and security infrastructure
• Esri Managed Cloud Services has a range of options available to meet your operational needs
• Customer’s can now visit the FedRAMP repository and request our Esri Managed Cloud Services security package
Don’t forget to complete a session evaluation form!
February 9–10, 2015 | Washington, DC
Federal GIS Conference