ArcGIS Security Authorization Advancements
Michael Young & Erin Ross
February 9–10, 2015 | Washington, DC
Federal GIS Conference
Overview
• Authorization Past & Present
• Products
  - ArcGIS Server
  - ArcGIS Desktop
• Solutions
  - ArcGIS Online
  - Esri Managed Cloud Services
    - New FedRAMP Moderate Option
• Summary
Authorization: Historical Issues
• Every implementation undergoes separate security authorization processes
• Federal and Defense utilized different frameworks
  - Authorization (based on risk) vs. certification
• Standard geospatial system security configurations not agreed upon by government
• Above items drive deployment delays, stability problems, and issue reproduction problems
  - E.g. mitigating measures, waivers, policy refresh outages, and inability to reproduce issues
Authorization: FISMA
• Federal Information Security Management Act (FISMA) 2002
  - All production US Federal government systems must be compliant/authorized
  - Enforced by the inspector general’s office of each agency
  - References NIST 800-53 Security Controls spanning 17 families including:
    - Access Control, Training, Auditing, Maintenance, Integrity, Acquisition, Personnel
• Three categorization levels
  - Low – Non-sensitive information (100+)
  - Moderate – Sensitive information (300+)
  - High – Most sensitive information (350+)
• Solutions are authorized, not individual products
  - Datasets and workflows are part of the accreditation
ArcGIS Online’s Low Accreditation Aligns Well with Hybrid Deployments
[Figure: FISMA authorization process in six steps]
• Step 1 – Categorize Information: Collect System Information; Perform Privacy Analysis; Categorize System
• Step 2 – Select Security Controls: Identify Common Controls; Select Remaining Controls; Tailor and Document in SSP
• Step 3 – Implement Security Controls: Implement Security Controls; Update the SSP; Develop CP, CMP and IRP
• Step 4 – Assess Security Controls: Develop Test Plan; Assess Security Controls; Develop Reports and POA&Ms
• Step 5 – Authorize Security Controls: Develop ATO Package; AO Reviews POA&M and Risk; AO Signs ATO / Denial of Operation
• Step 6 – Monitor Security Controls: Monitor for Major Changes; Remediate POA&M Items; Continuous Monitoring of Controls
• Review points: Step 3 Concurrency Review; Step 4 Concurrency Review
Authorization: FedRAMP
• Relatively new authorization process aligning with FISMA law
• Provides a stronger foundation of reciprocity for cloud based offerings
• Same NIST 800-53 security controls with additional ones added for cloud
• Security control baselines in place now for Low and Moderate, draft of High released Jan 2015
Cloud.CIO.gov – Excellent Resource for FedRAMP Details
Authorization: Federal and Defense Security Strategy is Evolving
• Federal
  - FISMA -> FedRAMP
  - Drives improved efficiency of Federal security authorization process for cloud offerings
• Defense
  - DIACAP -> Risk Management Framework
  - Drives improved efficiency of defense and federal departments operating off a common framework and set of baseline security controls
Authorization: Esri’s Security Strategy is Evolving
[Figure: evolution of ArcGIS security. Labels: Product; Enterprise Solution; Isolated Systems; 3rd Party Security; Integrated Systems; Embedded Security; Cloud; Managed Security; ArcGIS]
Authorization: Levels of authorization across software and systems
• Product Based Initiatives
  - ArcGIS Server
  - ArcGIS Desktop
• Solution/Service Based Initiatives
  - ArcGIS Online
  - Esri Managed Cloud Services
ArcGIS Server & Desktop
Product Based Security Initiatives
Product Based Security Initiatives: ArcGIS Server – DISA STIG
• Sponsored by government to work with DISA
  - Create Security Technical Implementation Guides (STIGs)
  - Non-FOUO, therefore information will be publicly accessible
  - First STIG will be Windows based ArcGIS Server 10.3
  - Other STIGs will be performed based on demand
• Expected completion by Esri International User Conference – July 2015
• Post STIG completion
  - STIG will be an input for an ArcGIS Server Security Hardening guide for general distribution
  - Enterprise component integration testing and best practice recommendations incorporated
Product Based Security Initiatives: DISA STIG Creation Process
Draft STIG Settings Provided to DISA – Undergoing SME Review
Product Based Security Initiatives: ArcGIS Server – Planned STIG Configuration
[Figure: planned STIG configuration diagram. Components: User; Privileged User; Web Application Firewall; IIS Web Adaptor (User); IIS Web Adaptor (Admin); ArcGIS Server Site; Config-Store (SMB/CIFS); File Store (SMB/CIFS); RDBMS; AD; SIEM Log Agent. Connection labels: TCP 443; TCP 6443; RDBMS Ports. Authentication labels: Windows Integrated Authentication; Accept Client Certificates (PKI). Legend: Microsoft Component; ArcGIS Component; Non-Specific Vendor Component]
Product Based Security Initiatives: ArcGIS Server – Awareness of Relative Risk
• Security hardening best practices provide insights into relative risk of different services, and optional mitigation measures to reduce risk
Providing new insights
[Table: Relative Service Risk and Security Hardened Settings, rated per capability under "Default when Enabled" and "Security Hardened". Red = Higher risk; Yellow = Average risk; Green = Low risk]
Service: Capability
• Map: Mapping, Query
• Feature: Read, Edit, Sync
• Geocoding: Geocode
• Geodata: Query, Data Extraction, Replica
• Geoprocessing: Geoprocessing
• Image: Imaging, Edit, Upload
Product Based Security Initiatives: Desktop
• Esri performs self-certification of desktop products
  - Ensures smooth deployments within security constraints of systems
  - ArcGIS Desktop with all extensions is primary focus
  - Typically completed within 6 months of product release
• FDCC
  - Federal Desktop Certified Configuration
  - Versions 9.3-10
  - Deprecated due to Windows XP focus
• USGCB
  - United States Government Configuration Baseline
  - Versions 10.1+
• ArcGIS Pro (Expected Q1 2015)
Eases your desktop deployment headaches
Solutions Based Security Initiatives
Solutions Based Security Initiatives: Federal Geospatial Cloud Security Compliance Roadmap
Esri has actively participated in hosting and advancing secure compliant solutions for over a decade
• 2002: FISMA Law Established. Required security baselines for Federal systems
• Aug 2005: Esri GOS2 FISMA Authorization. DOI Issues ATO to Esri
• Feb 2010: Kundra Announces FedRAMP. Security Working Group concept announced
• May 2010: Esri Participates in First Cloud Computing Forum. Esri begins active involvement in cloud standards & security programs
• Dec 2011: Esri Federal Cloud Computing Security Workshop. Esri works with Agencies & FedRAMP to plan SaaS Compliance
• May 2013: First Agency Authorization. HHS Issues ATO to Amazon
• June 2014: ArcGIS Online FISMA Authorization. USDA Issues ATO to Esri
• June 2014: OMB FedRAMP Mandate. FedRAMP now required for all cloud solutions covered by policy memo
• Jan 2015: EMCS FedRAMP Compliant. Signoff by FedRAMP Director
• Planned for 2015: ArcGIS Online Hosted Feature Services Authorization. DOI working with Esri towards Authorization
• Planned: ArcGIS Online FedRAMP Authorization
Solutions Based Security Initiatives: Esri Corporate Operations Compliance
• ISO 27001
  - Esri’s Corporate Security Charter
• Privacy Assurance
  - US EU/Swiss SafeHarbor self-certified
  - TRUSTed cloud certified
• SSAE 16 Type 1 – Previously SAS 70
  - Esri Data Center Operations
  - Expanded to Managed Services in 2012
Solutions Based Security Initiatives: ArcGIS Online Cloud Infrastructure Provider Compliance
• ArcGIS Online Utilizes World-Class Cloud Infrastructure Providers
  - Microsoft Azure
  - Amazon Web Services
Cloud Infrastructure Security Compliance
[Figure: compliance logos. Labels: SSAE16 SOC1 Type2; Moderate]
Solutions Based Security Initiatives: Mind the Authorization Gap
• Common misconception
  - A cloud provider’s authorization should be “good enough” to meet Agency security requirements
• Useful facts
  - The majority of vulnerabilities are at the application level
  - Cloud providers’ IaaS authorizations don’t cover the applications, or even the operating system
• Result
  - There is a significant security authorization gap
Solutions Based Security Initiatives: Options for Addressing the CSP Authorization Gap
• Generalized Expert Provider
  - Equivalent to service provider middleware
  - Lack of depth with advanced API services such as ArcGIS increases both security and availability risks
• Application Expert Provider
  - Obtain solutions that incorporate security infrastructure having their own FISMA or FedRAMP compliance that layers on top of the CSP FedRAMP Authorization
  - Examples - ArcGIS Online and Esri Managed Cloud Services
• Tunnel
  - Establish tunnel between on-premises security infrastructure and cloud deployment
• Do-It-Yourself
  - Establish your own security infrastructure in the cloud to use with applications
• Ostrich
  - Stick head in sand and pretend not a big deal (not recommended)
Solutions Based Security Initiatives: Responsibility Across ArcGIS Deployment Options
[Figure: responsibility stack for each deployment option]
• On-premises: ArcGIS Server; OS/DB/Network; Security Infrastructure; Virtual / Physical Servers
• Esri Images & Cloud Builder: ArcGIS Server; OS/DB/Network; Cloud Infrastructure (IaaS); No Security Infrastructure by default
• Esri Managed Cloud Services (FedRAMP Moderate Compliant): ArcGIS Server; OS/DB/Network; Security Infrastructure; Cloud Infrastructure (IaaS)
• ArcGIS Online (FISMA Low ATO): ArcGIS Online; OS/DB/Network; Security Infrastructure; Cloud Infrastructure (IaaS)
Legend: Customer Responsibility; Esri Responsibility; CSP Responsibility; Esri Compliance & ATO Scope; IaaS ATO Scope
Solutions Based Security Initiatives: ArcGIS Online Assurance Layers
[Figure: assurance layers. Layer labels: Web App Consumption; ArcGIS Management; Web Server & DB software; Operating system; Instance Security Management; Hypervisor; Physical. Responsible party labels: Customer; Esri; Cloud Providers. Assurance labels: AGOL SaaS with FISMA Low (USDA) and SafeHarbor (TRUSTe); Cloud Provider with ISO 27001, SSAE16 and FedRAMP Mod]
Solutions Based Security Initiatives: ArcGIS Online Federal Use Cases in FISMA Authorization
• Use Case 1 – Public Dissemination
  - Publish tiles for fast, scalable visualizations
  - Share information with the public
  - Can be used for mashing up services with external non-SSL sites
• Use Case 2 – USG Operations
  - Hybrid deployment of ArcGIS Server and ArcGIS Online
  - Share operational data within or between agencies
  - Sensitive data maintained on Agency premises or other authorized environment
  - ArcGIS Online operates as a discovery portal
  - Utilize Enterprise Logins
[Figure: use case data flows. Labels: Agency Authoritative Source; Tiles; Public Consumers; Server; ArcGIS Online; Metadata; Agency Publisher; Agency Consumer]
Solutions Based Security Initiatives: ArcGIS Online – Meeting security needs with Hybrid deployments
On-Premises
• Ready in months/years
• Behind your firewall
• You manage & certify
Esri Managed Cloud Services
• Ready in days
• All ArcGIS capabilities at your disposal in the cloud
• Dedicated services
• FedRAMP Moderate
ArcGIS Online
• Ready in minutes
• Centralized geo discovery
• Segment anonymous access from your systems
• FISMA Low
[Figure labels: Users; Apps; Anonymous Access]
. . . All models can be combined or separate
Solutions Based Security Initiatives: ArcGIS Online – Value Proposition of FISMA Low offering
• Outreach and collaboration
  - Provision of USG non-sensitive content to public, more sensitive content to authorized groups
  - Easy content discovery (via single metadata catalogue) and integration
• Flexibility and agility
  - Rapid stand-up of new content/services, accommodate surge
• Efficiency
  - Avoid development/implementation of one-off systems
  - Off-load systems operations onto more cost effective platform(s)
Solutions Based Security Initiatives: ArcGIS Online – Authorization efforts going forwards
• Other agencies are pursuing ArcGIS Online Authorization
  - DOI is looking into supplementing their Authorization with Hosted Feature Services
  - EPA & NOAA are also actively pursuing authorization
• FedRAMP Agency-based Authorization
  - Low or Moderate based on feedback being gathered from customers now
  - Is supplementing ArcGIS Online’s Low authorization, with a hybrid implementation combining EMCS moderate compliance, adequate for the majority of use-cases?
• Further discussion in Panel session on Tuesday
  - Panel being led by DOI, with EPA and the FedRAMP Director from GSA
  - Tuesday 2:45pm – Room 102B
Join us for shaping our future authorization plans
Solutions Based Security Initiatives: ArcGIS Online – How can agencies obtain necessary assurance to authorize?
• ArcGIS Platform Authorization Briefing flyer available during Tuesday panel session
• ArcGIS Online
  - Esri can share current FISMA authorization materials with agencies under NDA
  - Contact [email protected]
• Esri Managed Cloud Services (EMCS)
  - Materials available through FedRAMP Repository
• Public Info - Trust.ArcGIS.com
  - Privacy, SLA, Terms of Service, Availability trends, and best practices available
  - Answers to the most common cloud security questions about ArcGIS Online are addressed in the Cloud Security Alliance matrix
Erin Ross
Esri Managed Cloud Services
Esri cloud GIS experts supporting customer apps & data in the cloud
What is Esri Managed Cloud Services?
ArcGIS Online front-end, Managed Cloud Services back-end
[Figure: ArcGIS Online and Esri Managed Cloud Services]
• Users: Desktop; Web; Mobile
• ArcGIS Online: Online Basemaps; Geocoding, Routing; Hosted Feature & Tile Map Services; App Templates
• Esri Managed Cloud Services: Custom Web Apps; GP, Reporting Services; Imagery, Large Datasets; Dynamic Map Services; RDBMS (Oracle, SQL Server)
What is included?
• Provide Cloud-based GIS infrastructure support, including:
  - Enterprise system design
  - Infrastructure management
  - Software (Esri & 3rd Party) Installation, updates and patching
  - Application deployment
  - Database management
  - 24/7 support and monitoring
Benefits of Esri Managed Cloud Services
Cloud GIS experts managing your critical apps and content
– Increase efficiency and business focus –
– High availability, quality and performance –
– Reduce internal costs –
– Preserves data integrity, privacy and availability –
– Increase usage and productivity –
How is it delivered?
Available on GSA
Basic Packages “Sandbox”
• Ready to use cloud instance of ArcGIS for Server
• Remote access provided to user
Ideal for development, prototyping...
Standard, Advanced, Advanced Plus Packages
• Esri loads, publishes and deploys on behalf of customer
• 24/7 system monitoring and support
• Ideal for production systems (internal or public facing)
[Figure labels: Production; Staging; Dev; Test]
Esri Managed Cloud Services Use Cases
USGS Historical Topographic Maps
• More than 175,000 topographic maps published by the USGS since 1884
• 22 TB data x 2 for redundancy
• 1.6 million hits during Esri User Conference
• Consumed by several apps; premium service available in ArcGIS Online
Power Outage Viewers
Bringing critical outage information to the general public
• Highly available, scalable systems ready to perform during major events
• Frequent, automated data updates
Constellation Brands
Equipping staff with valuable information to increase sales
• Improve sales by leveraging tools to drive volume and revenue
• 4th of July deadline
• 2.7M records updated 2x / week via scripted tools
Who else uses Esri Managed Cloud Services?
• Manage over 500 servers, many TB of data
• 80+ customers
• Leveraged across many sectors
Michael Young
EMCS FedRAMP Moderate Option
EMCS FedRAMP Moderate Option
• Why did Esri pursue FedRAMP Compliance?
  - Demand
    - Customers demanded FedRAMP compliance before rolling out future production operations
  - Risk
    - Customer risk increasing rapidly without security infrastructure
  - Mandate
    - OMB mandate: all low and moderate impact cloud services leveraged by more than one office or agency must comply with FedRAMP requirements
Accelerates Review and Acceptance of Cloud Based Services
EMCS FedRAMP Moderate Option: FedRAMP Government Entities & Process
Cross Government Support & Standardized RMF Process
EMCS FedRAMP Moderate Option: Documentation
• FIPS 199
• Control Implementation Summary (CIS)
• System Security Plan (SSP)
• Information System Security Policies
• User Guide
• E-Authentication Template
• Privacy Threshold Analysis (PTA)
• Rules of Behavior (ROB)
• IT Contingency Plan
• Security Assessment Plan (SAP)
• Test Case Workbook
• Security Assessment Report (SAR)
• Plan of Action and Milestone (POA&M)
• Policies and procedures
• Business Impact Analysis
• Configuration Management Plan
• Incident Response Plan
• Interconnection Security Agreement (ISA / MOU)
• Penetration Test Plan
1000’s of pages ensuring rigorous security
EMCS FedRAMP Moderate Option: Assessment
• Cloud Security Assessor – Veris Group
  - Third Party Assessment Organization (3PAO) accredited by FedRAMP
  - 1st to successfully inspect FedRAMP CSP Supplied, JAB, and Agency Approved Solutions
  - 5 month engagement
  - Three months of active Technical and Documentation assessments
    - System level scans
    - Web Interface scans
    - Database scans
    - Penetration testing
• FedRAMP Advisor – Relevant Technologies
  - Laura Taylor - Wrote the initial Guide to Understanding FedRAMP
Great advisors and skilled assessors keep the effort focused
EMCS FedRAMP Moderate Option: Authorization
• 3 Baseline Security Control Levels
  - Low, Moderate*, High in draft
• 3 Status Levels
  - Ready, In Process, Compliant*
• 3 FedRAMP Authorization Levels
  - Cloud Service Provider (CSP) Supplied*
  - Agency Authorization To Operate (ATO)
  - Joint Agency Board (JAB) Provisional Authority To Operate
• EMCS is
  - FedRAMP Moderate
  - FedRAMP Compliant
  - CSP Supplied offering
EMCS CSP Supplied Package can be consumed by your Agency
EMCS FedRAMP Moderate Option: Continuous Monitoring
Ensures maintenance of acceptable risk posture
[Figure panels: FedRAMP Reporting Workflow; Monitoring Workflow]
EMCS FedRAMP Moderate Option: Security Infrastructure
• Most government systems
  - Require moderate security baseline controls
• Most geospatial information sets
  - Only require low baseline controls
  - ArcGIS Online Low FISMA is adequate for many customer use cases
• EMCS FedRAMP Infrastructure Design Goals
  - Consumable by the widest range of customers
    - Amazon East-West Regions – Not limited to GovCloud
  - Drive down customer expenses for secure, compliant geospatial services
    - Customers can choose level of multi-tenancy vs dedicated services they are comfortable with
  - Meet and exceed current rigorous FedRAMP requirements for cloud services
    - First geospatial platform to be compliant with FedRAMP Rev 4 requirements
A balance of robust security and business requirements drove infrastructure choices
EMCS Security Infrastructure
[Figure: EMCS security architecture, Active/Active Redundant across two Cloud Data Centers. Labels: End Users; Esri Administrators; Security Ops Center (SOC); Public-Facing Gateway; Esri Admin Gateway; Bastion Gateway (MFA); Security Service Gateway; DMZ; Web Application Firewall (WAF); Intrusion Detection (IDS / SIEM); Centralized Management (Backup, CM, AV, Patch, Monitor); Authentication/Authorization (LDAP, DNS, PKI); ArcGIS for Portal; ArcGIS Server; Relational Database; File Servers; Agency Application Security; Dedicated Customer Application Infrastructure; Common Security Infrastructure; Common Cloud Infrastructure; Customer Infrastructure; AWS; Cloud Infrastructure (Hypervisor, TCP/IP, Network ACLs, Routing, Storage, Hardware). Legend: Cloud Provider]
EMCS FedRAMP Moderate Option: How do I get started?
• Express an interest in service offering and let your security team know EMCS is FedRAMP compliant
• Agency Authorized FedRAMP Approver can facilitate download and review of FedRAMP package for EMCS @
  - http://cloud.cio.gov/fedramp/agency
  - If you are unsure of your FedRAMP approver email the FedRAMP PMO: [email protected]
• What else is available outside FedRAMP repository?
  - Cloud Security Alliance (CSA) answers for EMCS coming
• Complete Agency Authority To Operate (ATO)
  - Utilize pre-existing EMCS and AWS FedRAMP moderate docs
Simplifies obtaining an ATO for your organization
Summary
Summary: Resources Available for Agency Review
• Cloud infrastructure provider
  - SSAE16 and ISO27001
  - Report available from cloud providers under NDA
• FedRAMP Repository
  - EMCS FedRAMP Moderate Compliance Package
  - Cloud Service Provider FedRAMP Moderate Packages
• Esri
  - SSAE16 for Esri Datacenter Operations
  - System Security Plan (SSP) – Agency references removed
  - Reports available from Esri under NDA
  - Cloud Security Alliance (CSA) Answers Publicly Available
Summary: Solution/Services Accreditation Roadmap
• ArcGIS Online FISMA Low Accreditation
  - Agency Authorization June 6, 2014
• Esri Managed Cloud Services (EMCS) FedRAMP Moderate Compliance
  - CSP Supplied Compliant Package Authorized January 29, 2015
  - Establishes validated secure cloud deployment patterns
  - Documentation and assessment materials enable FISMA or FedRAMP authorization
  - Initially AWS based, other cloud providers based on demand
• Upcoming ArcGIS Online FedRAMP Agency Authorization
  - Cross-cloud provider authorization Azure/AWS
  - Includes hosted feature services
Summary
• Esri is working with security leaders to create standardized security hardened deployment guidance for our customers
• Esri self-certifies desktop based products to ensure alignment with Federal security configurations
• ArcGIS Online is FISMA Low authorized and we can work with you to support your Agency’s authorization
• Join the Tuesday Panel session to solidify your authorization roadmap
• Esri will be pursuing FedRAMP authorization for ArcGIS Online
• New Esri Managed Cloud Services FedRAMP moderate compliant option ready for your agency to review and authorize
• Information readily available on Trust.ArcGIS.com
We welcome your feedback concerning any authorization needs or gaps not addressed in this presentation
Summary: Where do I go for more information?
• Trust.ArcGIS.com is no longer limited to primarily ArcGIS Online information
• NEW site expansion rolled out this past weekend
  - Server, Desktop, Mobile, ArcGIS Online and even the new EMCS FedRAMP compliant offering
Don’t forget to complete a session evaluation form!