Esri Managed Cloud Services and FedRAMP

Esri Managed Cloud Services and FedRAMP Erin Ross & Michael Young February 9–10, 2015 | Washington, DC Federal GIS Conference

Page 1:

Esri Managed Cloud Services and FedRAMP

Erin Ross & Michael Young

February 9–10, 2015 | Washington, DC

Federal GIS Conference

Page 2:

Agenda

• Esri Managed Services Program Overview
• Example Deployments
• New FedRAMP Compliant Option
• Esri Managed Cloud Services FedRAMP Process
• Esri Managed Cloud Services Security Infrastructure
• How to Get Started
• Summary

Page 3:

Program Overview

Page 4:

ArcGIS Cloud Options

SaaS

PaaS

IaaS

ArcGIS Online or Custom Esri Apps and Data on fully

Managed Cloud Services

ArcGIS for Server on Esri managed cloud infrastructure

ArcGIS for Server images available to use on cloud infrastructure

Page 5:

ArcGIS for Server on [Fill in the Blank]

• Supported on multiple cloud platforms

- Virtual or bare metal

• Full ArcGIS for Server capabilities

• User-provisioned cloud infrastructure resources

• Pay for what you use

• BYOL or ArcGIS term licensing available

Page 6:

ArcGIS Online

• Create, share, collaborate

• Subscription-based

- Named User

- Credits – pay as you go

• Updates and enhancements occur behind the scenes

Page 7:

Esri Managed Cloud Services

• Cloud-based GIS infrastructure support, including:

- Enterprise system design

- Infrastructure management

- Software (Esri & 3rd Party) Installation, updates and patching

- Application deployment

- Database management

- 24/7 support and monitoring

Page 8:

ArcGIS Deployment Models

[Figure: ArcGIS deployment models. Labels: On-Premises; Esri Managed Cloud Services; ArcGIS Online; Users; Apps; Anonymous Access; Server; Portal]

Page 9:

Benefits of Esri Managed Cloud Services

Cloud GIS experts managing your critical apps and content

– Increase efficiency and business focus –

– High availability, quality and performance –

– Reduce internal costs –

– Preserves data integrity, privacy and availability –

– Increase usage and productivity –

Page 10:

How is it delivered? Available on GSA

Page 11:

Basic Packages “Sandbox”

• Ready to use cloud instance of ArcGIS for Server
• Remote access provided to user

Ideal for development, prototyping...

Page 12:

Standard, Advanced, Advanced Plus Packages

• Esri loads, publishes and deploys on behalf of customer
• 24/7 system monitoring and support
• Ideal for production systems (internal or public facing)

[Figure: environments. Labels: Production; Staging; Dev; Test]

Page 13:

Example Deployments

Page 14:

USGS Historical Topographic Maps

• More than 175,000 topographic maps published by the USGS since 1884

• 22 TB data x 2 for redundancy

• 1.6 million hits during Esri User Conference

• Consumed by several apps; premium service available in ArcGIS Online

Page 15:

Constellation Brands

Equipping staff with valuable information to increase sales

• Improve sales by leveraging tools to drive volume and revenue

• 4th of July deadline

• 2.7M records updated 2x / week via scripted tools

Page 16:

Power Outage Viewers

Bringing critical outage information to the general public

• Highly available, scalable systems ready to perform during major events

• Frequent, automated data updates

Page 17:

Hurricane Sandy

• 14 additional servers (17 total)
• Central Maine Power – 34 million hits over 3 days
• New York State Electric & Gas – 76 million hits over 3 days

2/10/2014 - 11:30 am

Peak Sandy Hours

Page 18:

Maine – October 29

Page 19:

Maine – October 30

Page 20:

Maine – October 31

Page 21:

Maine – November 1

Page 22:

Maine – November 2

Page 23:

Who else uses Esri Managed Cloud Services?

• 80+ customers
• Leveraged across many sectors
• Manage over 500 servers, several TB of data

Page 24:

Michael Young

New FedRAMP Compliant Offering

Page 25:

Federal Geospatial Cloud Security Compliance Roadmap

Esri has actively participated in hosting and advancing secure compliant solutions for over a decade

• 2002: FISMA Law Established. Required security baselines for Federal systems
• Aug 2005: Esri GOS2 FISMA Authorization. DOI Issues ATO to Esri
• Feb 2010: Kundra Announces FedRAMP. Security Working Group concept announced
• May 2010: Esri Participates in First Cloud Computing Forum. Esri begins active involvement in cloud standards & security programs
• Dec 2011: Esri Federal Cloud Computing Security Workshop. Esri works with Agencies & FedRAMP to plan SaaS Compliance
• May 2013: First Agency Authorization. HHS Issues ATO to Amazon
• June 2014: ArcGIS Online FISMA Authorization. USDA Issues ATO to Esri
• June 2014: OMB FedRAMP Mandate. FedRAMP now required for all cloud solutions covered by policy memo
• Jan 2015: EMCS FedRAMP Compliant. Signoff by FedRAMP Director
• Planned for 2015: ArcGIS Online Hosted Feature Services Authorization. DOI working with Esri towards Authorization
• Planned: ArcGIS Online FedRAMP Authorization

Page 26:

FedRAMP

• What does FedRAMP do?
- Replace varied and duplicative procedures across government by providing agencies with a standard approach for conducting security assessments of cloud services

• What is the core of FedRAMP?
- An accepted set of baseline security controls and consistent processes that have been vetted and agreed upon by agencies across the government

• Why did Esri pursue FedRAMP Compliance?
- Customers demanded FedRAMP compliance before rolling out future production operations
- Customer risk has been increasing rapidly without security infrastructure
- OMB mandate: all low and moderate impact cloud services leveraged by more than one office or agency must comply with FedRAMP requirements

Accelerates Review and Acceptance of Cloud Based Services

Page 27:

FedRAMP

Government Entities

Cross Government Support

Page 28:

EMCS FedRAMP Benefits

What does EMCS provide?

• Contingency planning and risk management

• Patch and key management

• Data encryption and intrusion detection

• System logging and reporting

• Centralized identity and access management

• Regular security audits

• Well documented policies and procedures

• Penetration testing and vulnerability scanning

• CONTINUOUS MONITORING!

What are the benefits?

• Preserve data integrity

• Protect sensitive datasets

• Ensure availability and reliability

• Builds assurance and awareness

• Save costs by embracing “Cloud First”

• Shift the burden of managing enterprise GIS systems to the experts

Page 29:

FedRAMP

What is the process?

Risk Management Framework (RMF) centric process

Page 30:

Esri Managed Cloud Services FedRAMP Documentation

• FIPS 199
• Control Implementation Summary (CIS)
• System Security Plan (SSP)
• Information System Security Policies
• User Guide
• E-Authentication Template
• Privacy Threshold Analysis (PTA)
• Rules of Behavior (ROB)
• IT Contingency Plan

1000’s of pages ensuring rigorous security

• Security Assessment Plan (SAP)
• Test Case Workbook
• Security Assessment Report (SAR)
• Plan of Action and Milestone (POA&M)
• Policies and procedures
• Business Impact Analysis
• Configuration Management Plan
• Incident Response Plan
• Interconnection Security Agreement (ISA / MOU)
• Penetration Test Plan

Page 31:

EMCS FedRAMP Assessment

• Cloud Security Assessor Veris Group
- Third Party Assessment Organization (3PAO) accredited by FedRAMP
- 1st to successfully inspect FedRAMP CSP Supplied, JAB, and Agency Approved Solutions
- 5 month engagement
- Three months of active Technical and Documentation assessments
  - System level scans
  - Web Interface scans
  - Database scans
  - Penetration testing

• FedRAMP Advisor – Relevant Technologies
- Laura Taylor - Wrote the initial Guide to Understanding FedRAMP

Great advisors and skilled assessors keep the effort focused

Page 32:

EMCS FedRAMP Authorization

• 3 Baseline Security Control Levels
- Low, Moderate*, High in draft

• 3 Status Levels
- Ready, In Process, Compliant*

• 3 FedRAMP Authorization Levels
- Cloud Service Provider (CSP) Supplied*
- Agency Authorization To Operate (ATO)
- Joint Agency Board (JAB) Provisional Authority To Operate

• Esri Managed Cloud Services is
- FedRAMP Moderate
- FedRAMP Compliant
- CSP Supplied offering

EMCS CSP Supplied Package can be consumed by your Agency

Page 33:

EMCS FedRAMP Continuous Monitoring

Ensures maintenance of acceptable risk posture

[Figures: FedRAMP Reporting Workflow; Monitoring Workflow]

Page 34:

Esri Managed Cloud Services Security Infrastructure

Page 35:

Esri Managed Cloud Services - Security Infrastructure

• Most government systems
- Require moderate security baseline controls

• Most geospatial information sets
- Only require low baseline controls
- ArcGIS Online Low FISMA is adequate for many customer use cases

• Esri Managed Cloud Services FedRAMP Infrastructure Design Goals
- Consumable by the widest range of customers
  - Amazon East-West Regions – Not limited to GovCloud
- Drive down customer expenses for secure, compliant geospatial services
  - Customers can choose level of multi-tenancy vs dedicated services they are comfortable with
- Meet and exceed current rigorous FedRAMP requirements for cloud services
  - First geospatial platform to be compliant with FedRAMP Rev 4 requirements

Overview

A balance of robust security and business requirements drove infrastructure choices

Page 36:

Esri Managed Cloud Services - Security Infrastructure

[Figure: security infrastructure architecture diagram. Caption: Active/Active Redundant across two Cloud Data Centers. Recoverable labels:
- Actors: End Users; Esri Administrators; Security Ops Center (SOC)
- Gateways: Public-Facing Gateway; Esri Admin Gateway; Security Service Gateway; Bastion Gateway (MFA); DMZ
- Security services: Web Application Firewall (WAF); Intrusion Detection (IDS / SIEM); Centralized Management (Backup, CM, AV, Patch, Monitor); Authentication/Authorization (LDAP, DNS, PKI)
- Application components: ArcGIS for Portal; ArcGIS Server; Relational Database; File Servers
- Legend: Cloud Provider (AWS); Customer Infrastructure; Agency Application Security; Dedicated Customer Application Infrastructure; Common Security Infrastructure; Common Cloud Infrastructure; Cloud Infrastructure (Hypervisor, TCP/IP, Network ACLs, Routing, Storage, Hardware)]

Page 37:

Esri Managed Cloud Services - Security Infrastructure

Foundation built on FedRAMP Rev 4 Security controls

First Geospatial solution to be assessed for compliance against latest cloud security controls

Page 38:

Esri Managed Cloud Services - Security Infrastructure (cont.)

• Formalize Policies and Procedures

• Incorporate Security Components
- Intrusion Detection System (IDS)
- Web Application Firewall (WAF)
- Multi-factor Authentication – NSA Suite B alignment
- Bastion Gateway / Jump Hosts – Reduce administrative interface attack surface
- Centralized advanced server and application monitoring and updates

• Incorporate Security Hardening Standards
- Utilize pre-existing Center for Internet Security (CIS) benchmarks as feasible
- Create a draft ArcGIS Server 10.3 STIG

Technical, Operational, and Managerial Components

Page 39:

Esri Managed Cloud Services - Security Infrastructure (cont.)

DISA STIG for ArcGIS Server 10.3

Draft STIG Settings Provided to DISA - Undergoing SME Review

Page 40:

Esri Managed Cloud Services - Security Infrastructure (cont.)

Separation of duties

Managed by certified experts in their field

Applications managed by Certified ArcGIS Platform Experts

Security Operating Center backed by Certified Security Experts

Page 41:

How to get started

Page 42:

How do I get started?

• Express an interest in service offering and let your security team know EMCS is FedRAMP compliant

• Agency Authorized FedRAMP Approver can facilitate download and review of FedRAMP package for EMCS @
- http://cloud.cio.gov/fedramp/agency
- If you are unsure of your FedRAMP approver email the FedRAMP PMO: [email protected]

• What else is available outside FedRAMP repository?
- Cloud Security Alliance (CSA) answers for EMCS coming

• Complete Agency Authority To Operate (ATO)
- Utilize pre-existing EMCS and AWS FedRAMP moderate docs

Simplifies obtaining an ATO for your organization

Page 43:

Erin Ross

Summary

Page 44:

Summary

• Esri Managed Cloud Services is FedRAMP compliant

• Esri has experts available to support your cloud GIS and security infrastructure

• Esri Managed Cloud Services has a range of options available to meet your operational needs

• Customers can now visit the FedRAMP repository and request our Esri Managed Cloud Services security package

Page 45:

Don’t forget to complete a session evaluation form!

February 9–10, 2015 | Washington, DC

Federal GIS Conference
