ArcGIS Security Authorization AdvancementsAuthorization • Federal Information Security Management...

ArcGIS Security Authorization Advancements

Michael Young & Erin Ross

February 9–10, 2015 | Washington, DC

Federal GIS Conference

Overview

• Authorization Past & Present• Products

- ArcGIS Server- ArcGIS Desktop

• Solutions- ArcGIS Online- Esri Managed Cloud Services

- New FedRAMP Moderate Option

• Summary

AuthorizationHistorical Issues

• Every implementation undergoes separate security authorization processes

• Federal and Defense utilized different frameworks- Authorization (based on risk) vs. certification

• Standard geospatial system security configurations not agreed upon by government

• Above items drive deployment delays, stability, and issue reproduction problems- E.g. Mitigating measures, waivers, policy refresh outages, and unable to reproduce issues

Authorization

• Federal Information Security Management Act (FISMA) 2002- All production US Federal government systems must be compliant/authorized- Enforced by the inspector general’s office of each agency- References NIST 800-53 Security Controls spanning 17 families including:

- Access Control, Training, Auditing, Maintenance, Integrity, Acquisition, Personnel

• Three categorization levels- Low – Non-sensitive information (100+)- Moderate – Sensitive information (300+)- High – Most sensitive information (350+)

• Solutions are authorized, not individual products- Datasets and workflows are part of the accreditation

FISMA

ArcGIS Online’s Low Accreditation Aligns Well with Hybrid Deployments

Collect System Information

Perform Privacy Analysis

Categorize System

Develop Test Plan

Assess Security Controls

Develop Reports andPOA&Ms

Step 1 – Categorize Information

Develop ATO Package

AO Reviews POA&M and Risk

AO Signs ATO / Denial of Operation

Step 4 –Assess Security Controls

Step 5 – Authorize Security Controls Step 6 – Monitor

Security Controls

Monitor for Major Changes

Remediate POA&M Items

Continuous Monitoring of Controls

Identify Common Controls

Select Remaining Controls

Tailor and Document in SSP

Step 2 – Select Security Controls

Implement Security Controls

Update the SSP

Develop CP, CMP and IRP

Step 3 – Implement Security Controls

Step 3 Concurrency

Review Step 4 Concurrency

Review

Authorization

• Relatively new authorization process aligningwith FISMA law

• Provides a stronger foundation of reciprocityfor cloud based offerings

• Same NIST 800-53 security controls withadditional ones added for cloud

• Security control baselines in place now for Low and Moderate, draft of High released Jan 2015

FedRAMP

Cloud.CIO.gov – Excellent Resource for FedRAMP Details

AuthorizationFederal and Defense Security Strategy is Evolving

• Federal- FISMA -> FedRAMP- Drives improved efficiency of Federal security authorization process for cloud offerings

• Defense- DIACAP -> Risk Management Framework- Drives improved efficiency of defense and federal departments operating off a common

framework and set of baseline security controls

AuthorizationEsri’s Security Strategy is Evolving

Product

EnterpriseSolution

Isolated Systems

3rd Party Security

Integrated Systems

Embedded Security

Cloud

Managed Security

ArcGIS

AuthorizationLevels of authorization across software and systems

• Product Based Initiatives- ArcGIS Server- ArcGIS Desktop

• Solution/Service Based Initiatives- ArcGIS Online- Esri Managed Cloud Services

ArcGIS Server & Desktop

Product Based Security Initiatives

Product Based Security InitiativesArcGIS Server – DISA STIG

• Sponsored by government to work with DISA- Create a Security Technical Implementation Guides (STIGs)- Non-FOUO therefore information will be publically accessible - First STIG will be Windows based ArcGIS Server 10.3

- Other STIGs will be performed based on demand

• Expected completion by Esri International User Conference – July 2015

• Post STIG completion- STIG will be an input for an ArcGIS Server Security Hardening guide for general distribution- Enterprise component integration testing and best practice recommendations incorporated

Product Based Security InitiativesDISA STIG Creation Process

Draft STIG Settings Provided to DISA – Undergoing SME Review

Product Based Security InitiativesArcGIS Server – Planned STIG Configuration

Legend

AD

ArcGIS ServerSite

TCP 443

TCP 6443 TCP 6443

Web Application Firewall

User

TCP 443

TCP 443

Config-StoreSMBCIFS

RDBMS

File StoreSMBCIFS

RDBMSPorts

SIEM LogAgent

SIEM LogAgent

SIEM LogAgent

SIEM LogAgent

SIEM LogAgent

Windows Integrated AuthenticationAccept Client Certificates (PKI)

Windows Integrated AuthenticationAccept Client Certificates (PKI)

Microsoft Component

ArcGIS Component

Non-Specific Vendor Component

SIEM LogAgent

SIEM LogAgent

Privileged User

AD

IIS

Web Adaptor (Admin)

IIS

Web Adaptor (User)

AD


• Security hardening best practices provide insights into relative risk of different services, and optional mitigation measures to reduce risk

ArcGIS Server – Awareness of Relative Risk

Providing new insights

Service Capability Default when Enabled

Security Hardened

Map MappingMap QueryFeature ReadFeature EditFeature SyncGeocoding GeocodeGeodata QueryGeodata Data ExtractionGeodata ReplicaGeoprocessing GeoprocessingImage ImagingImage EditImage Upload

Red = Higher riskYellow = Average riskGreen = Low risk

Security Hardened SettingsRelative Service Risk


• Esri performs self-certification of desktop products- Ensures smooth deployments within security constraints of systems- ArcGIS Desktop with all extensions is primary focus- Typically completed within 6 months of product release

• FDCC- Federal Desktop Certified Configuration- Versions 9.3-10- Deprecated due to Windows XP focus

• USGCB- United States Government Configuration Baseline- Versions 10.1+

• ArcGIS Pro (Expected Q1 2015)

Desktop

Eases your desktop deployment headaches

Solutions Based Security Initiatives

Solutions Based Security InitiativesFederal Geospatial Cloud Security Compliance Roadmap

Esri has actively participated in hosting and advancing secure compliant solutions for over a decade

2010 2011 2012 2013 2014

Feb 2010Kundra Announces FedRAMPSecurity Working Group concept announced

June 2014ArcGIS Online FISMA AuthorizationUSDA Issues ATO to Esri

June 2014OMB FedRAMP MandateFedRAMP now required for all cloud solutions covered by policy memo

May 2013First Agency AuthorizationHHS Issues ATO to Amazon

2012 2013 2014 2015 2016

Jan 2015EMCS FedRAMP CompliantSignoff by FedRAMP Director

Dec 2011Esri Federal Cloud Computing Security WorkshopEsri works with Agencies &FedRAMP to plan SaaSCompliance

Planned for 2015ArcGIS Online Hosted Feature Services AuthorizationDOI working with Esri towards Authorization

PlannedArcGIS OnlineFedRAMPAuthorization

May 2010Esri Participates in First Cloud Computing ForumEsri begins active involvement in cloud standards & security programs

2002… 2005…

2002FISMA Law EstablishedRequired security baselines for Federal systems

Aug 2005Esri GOS2 FISMAAuthorizationDOI Issues ATO to Esri

Solutions Based Security InitiativesEsri Corporate Operations Compliance

• ISO 27001- Esri’s Corporate Security Charter

• Privacy Assurance- US EU/Swiss SafeHarbor self-certified- TRUSTed cloud certified

• SSAE 16 Type 1 – Previously SAS 70- Esri Data Center Operations- Expanded to Managed Services in 2012

Solutions Based Security Initiatives ArcGIS Online Cloud Infrastructure Provider Compliance

• ArcGIS Online Utilizes World-Class Cloud Infrastructure Providers- Microsoft Azure- Amazon Web Services

Cloud Infrastructure Security Compliance

SSAE16SOC1 Type2 Moderate


• Common misconception- A cloud providers authorization should be “good enough” to meet Agency security requirements

• Useful facts- The majority of vulnerabilities are at the application level- Cloud providers IaaS authorizations don’t cover the applications, or even operating system

• Result- There is a significant security authorization gap

Mind the Authorization Gap


• Generalized Expert Provider- Equivalent to service provider middleware- Lack of depth with advanced API services such as ArcGIS increases both

security/availability risks

• Application Expert Provider- Obtain solutions that incorporate security infrastructure having their own FISMA or

FedRAMP compliance that layers on top of the CSP FedRAMP Authorization- Examples - ArcGIS Online and Esri Managed Cloud Services

• Tunnel- Establish tunnel between on-Premises security infrastructure and cloud deployment

• Do-It-Yourself- Establish your own security infrastructure in the cloud to use with applications

• Ostrich- Stick head in sand and pretend not a big deal (not recommended)

Options for Addressing the CSP Authorization Gap

Solutions Based Security Initiatives Responsibility Across ArcGIS Deployment Options

On-premises Esri Images& Cloud Builder

Virtual / Physical Servers

Security Infrastructure

OS/DB/Network

ArcGIS Server

Cloud Infrastructure

(IaaS)

OS/DB/Network

ArcGIS Server

Esri ManagedCloud Services

FedRAMP ModerateCompliant


(IaaS)


OS/DB/Network

ArcGIS Server

No Security Infrastructure by

default


(IaaS)


OS/DB/Network

ArcGIS Online

ArcGIS OnlineFISMA Low

ATO

Customer Responsibility Esri Responsibility CSP Responsibility

Esri Compliance & ATO Scope

IaaS ATO Scope

Solutions Based Security Initiatives ArcGIS Online Assurance Layers

Web Server & DB software

Operating system

Instance Security

Management

Hypervisor

ArcGISManagement

Cloud Providers

Physical

Web App ConsumptionCustomer

Esri

Cloud ProviderISO 27001 SSAE16FedRAMP Mod

AGOL SaaSFISMA Low(USDA)SafeHarbor(TRUSTe)

Solutions Based Security Initiatives ArcGIS Online Federal Use Cases in FISMA Authorization

• Use Case 1 – Public Dissemination- Publish tiles for fast, scalable visualizations- Share information with the public- Can be used for mashing up services with external non-SSL sites

• Use Case 2 – USG Operations- Hybrid deployment of ArcGIS Server and ArcGIS Online- Share operational data within or between agencies- Sensitive data maintained on Agency premises or

other authorized environment- ArcGIS Online operates as a discovery portal- Utilize Enterprise Logins

TilesAgency

AuthoritativeSource

Public Consumers

Server ArcGIS Online

Metadata

AgencyConsumer

AgencyPublisher

Solutions Based Security Initiatives ArcGIS Online – Meeting security needs with Hybrid deployments

On-Premises

Users

AppsAnonymous

Access

Esri Managed Cloud Services

• Ready in days• All ArcGIS capabilities at

your disposal in the cloud• Dedicated services• FedRAMP Moderate

• Ready in months/years• Behind your firewall• You manage & certify

• Ready in minutes• Centralized geo discovery• Segment anonymous

access from your systems• FISMA Low

ArcGIS Online

. . . All models can be combined or separate

Solutions Based Security Initiatives ArcGIS Online – Value Proposition of FISMA Low offering

• Outreach and collaboration- Provision of USG non-sensitive content to public, more sensitive content to authorized groups- Easy content discovery (via single metadata catalogue) and integration

• Flexibility and agility- Rapid stand-up of new content/services, accommodate surge

• Efficiency- Avoid development/implementation of one-off systems- Off-load systems operations onto more cost effective platform(s)


• Other agencies are pursuing ArcGIS Online Authorization- DoI is looking into supplementing their Authorization with Hosted Feature Services- EPA & NOAA are also actively pursuing authorization

• FedRAMP Agency-based Authorization- Low or Moderate based on feedback being gathered from customers now- Is supplementing ArcGIS Online’s Low authorization, with a hybrid implementation

combining EMCS moderate compliance, adequate for the majority of use-cases?

• Further discussion in Panel session on Tuesday- Panel being lead by DOI, with EPA and the FedRAMP Director from GSA- Tuesday 2:45pm – Room 102B

ArcGIS Online – Authorization efforts going forwards

Join us for shaping our future authorization plans


• ArcGIS Platform Authorization Briefing flyer available during Tuesday panel session

• ArcGIS Online- Esri can share current FISMA authorization materials with agencies under NDA- Contact [email protected]

• Esri Managed Cloud Services (EMCS)- Materials available through FedRAMP Repository

• Public Info - Trust.ArcGIS.com- Privacy, SLA, Terms of Service, Availability

trends, and best practices available- Answers to the most common cloud

security questions about ArcGIS Online areaddressed in the Cloud Security Alliance matrix

ArcGIS Online – How can agencies obtain necessary assurance to authorize?

Erin RossEsri Managed Cloud Services

Esri cloud GIS experts supporting customer apps & data in the cloud

What is Esri Managed Cloud Services?

ArcGIS Online and Esri Managed Cloud Services

Online Basemaps Geocoding, Routing Hosted Feature &

Tile Map Services App Templates

Esri Managed Cloud Services

Users

Desktop Web Mobile

Custom Web Apps GP, Reporting Services Imagery, Large Datasets Dynamic Map Services RDBMS (Oracle, SQL Server)

ArcGIS Online front-end, Managed Cloud Services back-end

ArcGIS Online

What is included?

• Provide Cloud-based GIS infrastructure support, including:- Enterprise system design

- Infrastructure management

- Software (Esri & 3rd Party) Installation, updates and patching

- Application deployment

- Database management

- 24/7 support and monitoring

Benefits of Esri Managed Cloud Services

Cloud GIS experts managing your critical apps and content

– Increase efficiency and business focus –

– High availability, quality and performance –

– Reduce internal costs –

– Preserves data integrity, privacy and availability–

– Increase usage and productivity –

How is it delivered? Available on GSA

Basic Packages “Sandbox”

• Ready to use cloud instance of ArcGIS for Server• Remote access provided to user

Ideal for development, prototyping...

Standard, Advanced, Advanced Plus Packages

• Esri loads, publishes and deploys on behalf of customer• 24/7 system monitoring and support• Ideal for production systems (internal or public facing)

ProductionStaging

Dev

Test

Esri Managed Cloud Services Use Cases

USGS Historical Topographic Maps

• More than 175,000 topographic maps published by the USGS since 1884

• 22 TB data x 2 for redundancy

• 1.6 million hits during Esri User Conference

• Consumed by several apps; premium service available in ArcGIS Online

Power Outage Viewers

Bringing critical outage information to the general public

• Highly available, scalable systems ready to perform during major events

• Frequent, automated data updates

Constellation Brands

Equipping staff with valuable information to increase sales

• Improve sales by leveraging tools to drive volume and revenue

• 4th of July deadline

• 2.7M records updated 2x / week via scripted tools

Who else uses Esri Managed Cloud Services?

• Manage over 500 servers, many TB of data• 80+ customers• Leveraged across many sectors

Michael Young

EMCS FedRAMP Moderate Option


• Why did Esri pursue FedRAMP Compliance?

- Demand- Customers demanded FedRAMP compliance before rolling out future production operations

- Risk- Customer risk increasing rapidly without security infrastructure

- Mandate- OMB mandate all low and moderate impact cloud services leveraged by more than one office or

agency must comply with FedRAMP requirements

Accelerates Review and Acceptance of Cloud Based Services

EMCS FedRAMP Moderate OptionFedRAMP Government Entities & Process

Cross Government Support & Standardized RMF Process


• FIPS 199• Control Implementation Summary (CIS)• System Security Plan (SSP)• Information System Security Policies • User Guide• E-Authentication Template• Privacy Threshold Analysis (PTA) • Rules of Behavior (ROB)• IT Contingency Plan

Documentation

1000’s of pages ensuring rigorous security

• Security Assessment Plan (SAP)• Test Case Workbook• Security Assessment Report (SAR)• Plan of Action and Milestone (POA&M)• Policies and procedures• Business Impact Analysis• Configuration Management Plan• Incident Response Plan• Interconnection Security Agreement (ISA / MOU)• Penetration Test Plan


• Cloud Security Assessor Veris Group- Third Party Assessment Organization (3PAO) accredited by FedRAMP- 1st to successfully inspect FedRAMP CSP Supplied, JAB, and Agency Approved Solutions- 5 month engagement- Three months of active Technical and Documentation assessments

- System level scans- Web Interface scans- Database scans- Penetration testing

• FedRAMP Advisor – Relevant Technologies- Laura Taylor - Wrote the initial Guide to Understanding FedRAMP

Assessment

Great advisors and skilled assessors keep the effort focused


• 3 Baseline Security Control Levels- Low, Moderate*, High in draft

• 3 Status Levels- Ready, In Process, Compliant*

• 3 FedRAMP Authorization Levels- Cloud Service Provider (CSP) Supplied*- Agency Authorization To Operate (ATO)- Joint Agency Board (JAB) Provisional Authority To Operate

• EMCS is- FedRAMP Moderate- FedRAMP Compliant- CSP Supplied offering

Authorization

EMCS CSP Supplied Package can be consumed by your Agency

EMCS FedRAMP Moderate OptionContinuous Monitoring

Ensures maintenance of acceptable risk posture

FedRAMP Reporting WorkflowMonitoring Workflow


• Most government systems- Require moderate security baseline controls

• Most geospatial information sets- Only require low baseline controls- ArcGIS Online Low FISMA is adequate for many customer use cases

• EMCS FedRAMP Infrastructure Design Goals- Consumable by the widest range of customers

- Amazon East-West Regions – Not limited to GovCloud- Drive down customer expenses for secure, compliant geospatial services

- Customer’s can choose level of multi-tenancy vs dedicated services they are comfortable with- Meet and exceed current rigorous FedRAMP requirements for cloud services

- First geospatial platform to be compliant with FedRAMP Rev 4 requirements


A balance of robust security and business requirements drove infrastructure choices

Cloud InfrastructureHypervisor, TCP/IP, Network ACLs, Routing, Storage, Hardware

EMCS Security Infrastructure

Web Application FirewallWAF

ArcGIS for Portal

ArcGIS Server

Intrusion DetectionIDS / SIEM

Centralized ManagementBackup, CM, AV, Patch, Monitor

Authentication/AuthorizationLDAP, DNS, PKI

AWS

Customer Infrastructure

Public-FacingGateway

Security Ops Center(SOC)

Esri Administrators

End Users

Dedicated Customer Application

Infrastructure

Common SecurityInfrastructure

Active/Active Redundant across two Cloud Data Centers

Agency Application Security

Relational Database

Esri AdminGateway Common Cloud

Infrastructure

Bastion GatewayMFA

Security ServiceGateway

DMZ

File Servers

Legend Cloud Provider

Cloud InfrastructureHypervisor, TCP/IP, Network ACLs, Routing, Storage, Hardware


• Express an interest in service offering and let your security team know EMCS is FedRAMP compliant

• Agency Authorized FedRAMP Approver can facilitate download and review of FedRAMP package for EMCS @

- http://cloud.cio.gov/fedramp/agency- If you are unsure of your FedRAMP approver email the FedRAMP

PMO: [email protected]

• What else is available outside FedRAMP repository?- Cloud Security Alliance (CSA) answers for EMCS coming

• Complete Agency Authority To Operate (ATO)- Utilize pre-existing EMCS and AWS FedRAMP moderate docs

How do I get started?

Simplifies obtaining an ATO for your organization

Summary

SummaryResources Available for Agency Review

• Cloud infrastructure provider- SSAE16 and ISO27001- Report available from cloud providers under NDA

• FedRAMP Repository- EMCS FedRAMP Moderate Compliance Package- Cloud Service Provider FedRAMP Moderate Packages

• Esri - SSAE16 for Esri Datacenter Operations- System Security Plan (SSP) – Agency references removed- Reports available from Esri under NDA- Cloud Security Alliance (CSA) Answers Publically Available

Summary

• ArcGIS Online FISMA Low Accreditation- Agency Authorization June 6, 2014

• Esri Managed Cloud Services (EMCS) FedRAMP Moderate Compliance- CSP Supplied Compliant Package Authorized January 29, 2015- Establishes validated secure clouds deployment patterns- Documentation and assessment materials enable FISMA or FedRAMP authorization- Initially AWS based, other cloud providers based on demand

• Upcoming ArcGIS Online FedRAMP Agency Authorization- Cross-cloud provider authorization Azure/AWS- Includes hosted feature services

Solution/Services Accreditation Roadmap

Summary

• Esri is working with security leaders to create standardized security hardened deployment guidance for our customers

• Esri self-certifies desktop based products to ensure alignment with Federal security configurations

• ArcGIS Online is FIMSA Low authorized and we can work with you to support your Agency’s authorization

• Join the Tuesday Panel session to solidify your authorization roadmap• Esri will be pursuing FedRAMP authorization for ArcGIS Online• New Esri Managed Cloud Services FedRAMP moderate compliant option ready for

your agency to review and authorize• Information readily available on Trust.ArcGIS.com

We welcome your feedback concerning any authorization needs or gaps not addressed in this presentation

SummaryWhere do I go for more information?

• Trust.ArcGIS.com is no longer limited to primarily ArcGIS Online information• NEW site expansion rolled out this past weekend

- Server, Desktop, Mobile, ArcGIS Online and even the new EMCS FedRAMP compliant offering

Don’t forget to complete a session evaluation form!

February 9–10, 2015 | Washington, DC

Federal GIS Conference

ArcGIS Security Authorization AdvancementsAuthorization • Federal Information Security Management...

Documents

Transcript of ArcGIS Security Authorization AdvancementsAuthorization • Federal Information Security Management...