ArcGIS Enterprise Security: An Introduction

Randall Williams, Esri Software Security and Privacy, Esri PSIRT


Post on 17-Aug-2020



Agenda

• ArcGIS Enterprise Security for *BEGINNING to INTERMEDIATE* users

• Security philosophy

• ArcGIS Enterprise Security Model – options and architecture

• Encryption (HTTPS)

• Defense in Depth - Threat Prevention, Mitigation, and Regulatory Compliance

• Summary

Security is an ART.

Security is the art of managing risk and tradeoffs.

There is a balance between security and functionality

Defining RISK and RISK TOLERANCE differs per-org

Three principles that form the cornerstone of any organization’s security infrastructure

The CIA Triad

ArcGIS Enterprise Security Model

Protect your Assets

Control Access and Set Permissions

Authentication vs. Authorization

ArcGIS Enterprise Logical Architecture

Focus – Base Enterprise Deployment

[Diagram: Portal for ArcGIS; ArcGIS Server; ArcGIS Data Store (relational + tile cache); two ArcGIS Web Adaptors]

ArcGIS Enterprise Security Model

token

The token is your access key into…

• ArcGIS Server

• Portal for ArcGIS

• ArcGIS Online

• Insights

• Collector

• ArcGIS Pro

• ArcGIS Desktop

• Maps for Office

• Maps for SharePoint

• Geo Enrichment

• Geocoding

• Living Atlas

• Survey 123

• Analysis

• Maps for PowerBI

The token is your access key into… ArcGIS Enterprise

OK. So what is a token?

A token represents your login credentials…

(1AyZcQDO6xJjtWyycn206filCzn)

…and must be passed with any request for secured content

…and other attributes to make them randomized, unique and scoped.

Good news…

…ArcGIS Enterprise handles this transparently for you

But what about…

• Single Sign On

• Forms Auth

• Active Directory

• Smart Cards

All authentication methods ultimately deliver a token…

…the token is your key into… ArcGIS Enterprise
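
The token flow these slides describe, as an added example (not code from the presentation or from Esri): it builds the ArcGIS REST API `generateToken` request, checks the response, and attaches the token to a request for secured content. The host names, credentials and sample response are constructed; the endpoint path and the `client`, `referer` and `expiration` parameters come from the ArcGIS REST API rather than from the slides.

```python
import json
import time
from urllib.parse import urlencode, urlsplit
from urllib.request import Request


def build_token_request(portal_url, username, password, referer, minutes=60):
    """Build (not send) the generateToken POST; refuse to put credentials on HTTP."""
    if urlsplit(portal_url).scheme != "https":
        raise ValueError("credentials must only be sent over HTTPS")
    form = {
        "username": username, "password": password,
        "client": "referer", "referer": referer,  # scope: token is tied to this referer
        "expiration": minutes,                     # scope: lifetime in minutes
        "f": "json",
    }
    url = portal_url.rstrip("/") + "/sharing/rest/generateToken"
    return Request(url, data=urlencode(form).encode(), method="POST")


def parse_token_response(raw, now=None):
    """Return (token, seconds_left); raise on an error document or an expired token."""
    doc = json.loads(raw)
    if "error" in doc:
        raise PermissionError(doc["error"].get("message", "token request failed"))
    now = time.time() if now is None else now
    seconds_left = doc["expires"] / 1000 - now     # 'expires' is epoch milliseconds
    if seconds_left <= 0:
        raise PermissionError("token already expired")
    return doc["token"], seconds_left


def build_secured_request(url, token, referer):
    """Attach the token to a request for secured content, in the POST body."""
    if urlsplit(url).scheme != "https":
        raise ValueError("tokens must only be sent over HTTPS")
    body = urlencode({"token": token, "f": "json"}).encode()
    req = Request(url, data=body, method="POST")  # body, not URL: stays out of access logs
    req.add_header("Referer", referer)             # must match the referer the token was issued for
    return req


# Constructed sample response; the token value is a placeholder, not a real token.
SAMPLE_RESPONSE = '{"token": "PLACEHOLDER_TOKEN", "expires": 1600000000000, "ssl": true}'
```
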

Securing Items - RBAC approach

What is an item?

[Diagram: item = content; examples shown: package, web map, service, layer, document, image, shapefile]

How do we grant access to items?

[Diagram labels: item, group, user, access]

• Portal for ArcGIS

- Permissions set by item owner

- Can be changed by administrators

• ArcGIS Server

- Permissions can be set by any publisher/administrator

[Diagram labels: Access; Web Services; Portal Items; Web map; Web app; Data]

Groups vs User Types vs Roles

Defining and securing users

Groups

[Diagram labels: item, group, user, access]

User Types

User Types scope the privileges available to roles

As a Viewer I can …

As a storyteller I can …

As a Creator I can …

As an Editor I can …

Roles

Roles are “privilege buckets” determined by user type

In the administrator role I can …

As a publisher I can …

In the viewer role I can …

As a user I can …

Portal for ArcGIS: Custom Roles

• Provide more flexibility to enable fine grained control on what members can do

• My Organization page > Edit Settings > Roles > Create Role

• Be CAREFUL with administrative Privileges

What security options are available?

Flexible Security Options with ArcGIS Enterprise

ArcGIS Enterprise Supports…

• Single Sign On

• IWA

• Forms Auth

• Active Directory

• LDAP

• HTTP Auth

• OAuth

• SAML

• Built-In Accounts

• NTLM

• PKI

• Kerberos

• CAC Cards

• Certificates

• Custom Roles

• Enterprise Groups

• Smart Cards

Encryption and HTTPS

Securing communication protocols

ArcGIS Security Update – HTTPS Only

• Esri is committed to ensuring your content is secure

- TLS 1.2 implemented in 2019

- HTTPS Only / HSTS to be enforced September 15, 2020

• What does this mean for you?

- After 9/15/20 all HTTP requests to ArcGIS Online will be redirected to HTTPS

- Clients limited to HTTP only will fail (for example scheduled clear-text Python script calls)

- HTTP only ArcGIS Enterprise deployments may have issues accessing ArcGIS Online services

• What do you need to do?

- Validate your ArcGIS Online org utilizes HTTPS only immediately

- Launch AGO Security Advisor tool to check your org settings @ Trust.ArcGIS.com

- If HTTP is enabled, use the tool to discover HTTP references and change them to HTTPS

- Enforce HTTPS only for your orgs ASAP and validate clients/scripts can use HTTPS

- Keep an eye out for additional announcements and support guidance pages
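
One way to discover clear-text references before enforcing HTTPS only, as an added example (not the Security Advisor tool and not code from the presentation): it lists `http://` URLs in a script or config file and proposes the HTTPS form, mapping the default ArcGIS HTTP ports 6080 and 7080 to 6443 and 7443. The sample input and host names are constructed, and skipping loopback addresses is an assumption.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# HTTP -> HTTPS port pairs. 6080/6443 (ArcGIS Server) and 7080/7443 (Portal for
# ArcGIS) are the product defaults; 80 and "no port" map to the implicit 443.
PORT_MAP = {None: None, 80: None, 6080: 6443, 7080: 7443}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}  # assumption: loopback is out of scope
URL_RE = re.compile(r"http://[^\s'\"<>)]+", re.IGNORECASE)

def to_https(url):
    """Return the HTTPS form of url, or None if it needs a manual decision."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:            # malformed host or port
        return None
    if port not in PORT_MAP:      # unknown port: the HTTPS port cannot be guessed
        return None
    netloc = parts.netloc
    if port is not None:
        netloc = netloc.rsplit(":", 1)[0]
    if PORT_MAP[port] is not None:
        netloc = f"{netloc}:{PORT_MAP[port]}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

def find_cleartext_refs(text):
    """Return (line_number, url, https_suggestion) for each non-loopback http:// URL."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            url = match.group(0).rstrip(".,;")
            try:
                host = urlsplit(url).hostname
            except ValueError:
                host = None
            if host in LOOPBACK:
                continue
            findings.append((lineno, url, to_https(url)))
    return findings

# Constructed sample: lines as they might appear in a scheduled script.
SAMPLE = '''\
portal = "http://gis.example.com:7080/arcgis/sharing/rest"
services = "http://gis.example.com:6080/arcgis/rest/services"
ago = "http://www.arcgis.com/sharing/rest/content/items?f=json"
hosted = "https://services.arcgis.com/example/arcgis/rest/services"
local = "http://localhost:8000/health"
custom = "http://gis.example.com:8080/proxy"
'''
```

A suggestion of `None` marks a URL on a port with no known HTTPS counterpart, which has to be reviewed by hand.
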

HTTPS EVERYWHERE!

HTTPS

Integrity!

Non-repudiation!

Confidentiality!

Don’t forget Strict Transport Security (HSTS)!

Implementing HTTPS

[Diagram: Portal for ArcGIS; ArcGIS Server; ArcGIS Data Store (relational + tile cache); two Web Adaptor / Load Balancer (Gateway) components]

HTTPS default (with Self-Signed Certificate)

Your job: Implement HTTPS here (with a CA signed cert!)

How do you set up a CA Signed Security Certificate?

1. Generate a Certificate Signing Request (CSR)

2. Send CSR for signing

- By a domain CA or well-known Certificate Authority (preferred)

3. Import signed certificate

HTTPS options

https://www.ssllabs.com/ssltest/clients.html

• In 10.4+, both Server and Portal can be configured to limit which SSL protocol is accepted and used.

• SSLv3 is *NOT* an option at ArcGIS 10.3+ (SSLv3 Is DEAD!)

• Restricting Server and Portal to TLS 1.2 is highly recommended (default in current versions)

• HSTS (Strict-Transport-Security) is natively supported

[Diagram labels: Client App; Portal for ArcGIS; TLS 1.0; TLS 1.2]

Ports:

• 6443

• 7443

Get Granular: SSL Protocols and Cipher Suites

• Portal Administrator Directory

- Security > SSLCertificates

• Server Administrator Directory

- Security > Config

A (very) Brief Intro

Production Considerations for Threat Mitigation and Regulatory Compliance

Threat Mitigation, Prevention, and Regulatory Compliance

• Defense in Depth Paradigm

• Restrict Portal Proxy

• Restrict Cross Domain (CORS) Requests

• Disable PSA/IAA Accounts

• Scan Server / Scan Portal Scripts / Security Advisor

• Keep up-to-date!

Defense In Depth Paradigm

• Security plans have many “layers” – multiple levels of security

• Layered security mechanisms increase the security of the system as a whole

• Each feature discussed is considered a “layer”

Restrict Portal Proxy

• Used for OGC, KML, and requests to non-CORS enabled servers

• Default : UNRESTRICTED

• Populate this parameter with an approved list of resources

• Reduces potential for Port Scan/DOS/SSRF

enterprise.arcgis.com > Search “Restricting the portal’s proxy capability”

Restrict Cross-Domain (CORS) Requests

enterprise.arcgis.com > Search “cross-domain requests”

• For JavaScript applications, a common method used to make cross domain requests is called a CORS request (cross origin resource sharing)

• Required when making POST requests to Feature or GP services on a different server

[Diagram labels: ArcGIS Server; JavaScript Web Application; Client Web Browser]

Disable Primary Site Administrator (PSA) Account

• Recommended: disable the PSA/IAA accounts to remove methods of administering ArcGIS Server outside of your enterprise users

• Access the Server Administrator Directory

- Security > PSA > disable

Scan ArcGIS Enterprise for Security Checks

• serverScan.py is a script in the Server installation directory

- Location: <install directory>\ArcGIS\Server\tools\admin

• portalScan.py is a script in the Portal installation directory

- Location: <install_directory>\ArcGIS\Portal\tools\security

• The scripts check security settings and generate a report that makes recommendations to improve security.

• *Protip – run as scheduled tasks, output to web server directory, view online.

Validate your security baseline!

https://arcg.is/ago-advisor

ArcGIS Online Security Advisor

Check for Updates Tool!

• Starting at 10.6, you can also download and install software patches and updates using the patchnotification utility.

• You can install specific patches of your choice, security patches only, or all available patches.

Install patches!

Additional Administrative Responsibilities

Don’t Neglect Platform Protection!!

• Schedule and run OS updates (patch Tuesday for Microsoft)

• Provide Anti-Virus

• Configure intrusion detection

Additional Administrative Responsibilities: Cloud environments

• Cloud images are templates

- New versions released fully patched, but need to be maintained by you

- Update your security baseline images (critical for autoscaling instances)

Compliance

ArcGIS Online:

• https://TRUST.ArcGIS.com – Compliance Documentation (Cloud Security Alliance, NIST 800-53, GDPR, CCPA, FedRAMP to ISO mapping etc.)

• FedRAMP Tailored Low SaaS certified (Moderate 2021)

• Cloud Security Alliance Consensus Initiative Questionnaire

ArcGIS Enterprise:

• Esri Managed Cloud Services Advanced PLUS: FedRAMP MODERATE Authorized

Security Findings? Esri PSIRT!

• https://trust.arcgis.com

• Vulnerability - report a vulnerability found in our site or application.

• Suspicious E-mail from Esri - if you believe you were targeted by a possible phishing attack from an Esri e-mail address or have received other suspicious e-mail correspondence from Esri.

• Privacy Issue - if you have a privacy concern related to our application or organization.

• Other - for all other security, privacy or compliance related concerns.

Summary

• Tokens are the Foundation of the ArcGIS Enterprise Security Model

• ArcGIS Enterprise Supports many Authentication Options

• Use SAML if you can

• HTTPS *Everywhere* – Use CA Signed Certificates

• Use Security Scan tools to validate your baseline

• Review advanced options to achieve compliance

• Report security concerns to Esri via TRUST.ArcGIS.com
