TRANSCRIPT
Randall Williams
Esri Software Security and Privacy, Esri PSIRT
ArcGIS Enterprise Security: An Introduction
Agenda
• ArcGIS Enterprise Security for *BEGINNING to INTERMEDIATE* users
• Security philosophy
• ArcGIS Enterprise Security Model – options and architecture
• Encryption (HTTPS)
• Defense in Depth - Threat Prevention, Mitigation, and Regulatory Compliance
• Summary
Security is an ART.
Security is the art of managing risk and tradeoffs.
There is a balance between security and functionality
Defining RISK and RISK TOLERANCE differs per-org
Three principles that form the cornerstone of any organization’s security infrastructure
The CIA Triad
ArcGIS Enterprise Logical Architecture
Focus – Base Enterprise Deployment
[Diagram components: Portal for ArcGIS, ArcGIS Server, ArcGIS Data Store (relational + tile cache), two ArcGIS Web Adaptors]
ArcGIS Enterprise Security Model
The token is your access key into… ArcGIS Server, Portal for ArcGIS, ArcGIS Online, Insights, Collector, ArcGIS Pro, ArcGIS Desktop, Maps for Office, Maps for Sharepoint, Geo Enrichment, Geocoding, Living Atlas, Survey 123, Analysis, Maps for PowerBI
A token represents your login credentials…
(1AyZcQDO6xJjtWyycn206filCzn)
…and must be passed with any request for secured content
…and other attributes to make them randomized, unique and scoped.
But what about… Single Sign On, Forms Auth, Active Directory, Smart Cards
Access
• Portal for ArcGIS
- Permissions set by item owner
- Can be changed by administrators
• ArcGIS Server
- Permissions can be set by any publisher/administrator
[Diagram labels: Web Services; Portal Items (Web map, Web app, Data)]
User Types
User Types scope privileges to roles
As a Viewer I can …
As a storyteller I can …
As a Creator I can …
As an Editor I can …
Roles
Roles are “privilege buckets” determined by user type
In the administrator role I can …
As a publisher I can …
In the viewer role I can …
As a user I can …
Portal for ArcGIS: Custom Roles
• Provide more flexibility to enable fine grained control on what members can do
• My Organization page > Edit Settings > Roles > Create Role
• Be CAREFUL with administrative Privileges
Flexible Security Options with ArcGIS Enterprise
ArcGIS Enterprise Supports… Single Sign On, IWA, Forms Auth, Active Directory, LDAP, HTTP Auth, OAuth, SAML, Built-In Accounts, NTLM, PKI, Kerberos, CAC Cards, Certificates, Custom Roles, Enterprise Groups, Smart Cards
ArcGIS Security Update – HTTPS Only
• Esri is committed to ensuring your content is secure
- TLS 1.2 implemented in 2019
- HTTPS Only / HSTS to be enforced September 15, 2020
• What does this mean for you?
- After 9/15/20 all HTTP requests to ArcGIS Online will be redirected to HTTPS
- Clients limited to HTTP only will fail (for example scheduled clear-text Python script calls)
- HTTP only ArcGIS Enterprise deployments may have issues accessing ArcGIS Online services
• What do you need to do?
- Validate your ArcGIS Online org utilizes HTTPS only immediately
- Launch AGO Security Advisor tool to check your org settings @ Trust.ArcGIS.com
- If HTTP is enabled, use the tool to discover HTTP references and change them to HTTPS
- Enforce HTTPS only for your orgs ASAP and validate clients/scripts can use HTTPS
- Keep an eye out for additional announcements and support guidance pages
Don’t forget Strict Transport Security (HSTS)!
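The check that the "What do you need to do?" steps call for can also be run over your own scheduled scripts. The following is an added example, not Esri code or the Security Advisor tool: it finds clear-text `http://` references to ArcGIS Online in a script body, rewrites them to HTTPS, and parses a Strict-Transport-Security header value. The domain list, function names and sample script are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Domains treated as HTTPS-only (assumption for this example).
HTTPS_ONLY_DOMAINS = ("arcgis.com", "arcgisonline.com")
URL_RE = re.compile(r"http://[^\s\"'<>)]+", re.IGNORECASE)

# Constructed sample: the body of a scheduled script.
SAMPLE_SCRIPT = '''\
import requests
BASEMAP = "http://services.arcgisonline.com/arcgis/rest/services/World_Topo_Map/MapServer"
PORTAL = "https://www.arcgis.com/sharing/rest"
STATUS = "http://intranet.example.local/status"
'''

def find_cleartext_refs(text):
    """Return (line_number, url) for every http:// URL on an HTTPS-only domain."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            host = (urlsplit(match.group(0)).hostname or "").lower()
            if any(host == d or host.endswith("." + d) for d in HTTPS_ONLY_DOMAINS):
                hits.append((lineno, match.group(0)))
    return hits

def upgrade(url):
    """Rewrite an http:// URL to https://, dropping an explicit :80 port."""
    p = urlsplit(url)
    netloc = p.hostname if p.port in (None, 80) else f"{p.hostname}:{p.port}"
    return urlunsplit(("https", netloc, p.path, p.query, p.fragment))

def hsts_max_age(header_value):
    """Return max-age (seconds) from a Strict-Transport-Security value, or None."""
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            value = value.strip().strip('"')
            return int(value) if value.isdigit() else None
    return None

if __name__ == "__main__":
    for lineno, url in find_cleartext_refs(SAMPLE_SCRIPT):
        print(f"line {lineno}: {url} -> {upgrade(url)}")
    print(hsts_max_age("max-age=31536000; includeSubDomains"))
```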
Implementing HTTPS
[Diagram components: Load Balancer (Gateway), Web Adaptor, Portal for ArcGIS, ArcGIS Server, ArcGIS Data Store (relational + tile cache)]
HTTPS default (with Self-Signed Certificate)
Your job: Implement HTTPS here (with a CA signed cert!)
How do you set up a CA Signed Security Certificate?
1. Generate a Certificate Signing Request (CSR)
2. Send CSR for signing
- By a domain CA or well-known Certificate Authority (preferred)
3. Import signed certificate
HTTPS options
https://www.ssllabs.com/ssltest/clients.html
• In 10.4+, both Server and Portal can be configured to limit which SSL protocol is accepted and used.
• SSLv3 is *NOT* an option at ArcGIS 10.3+ (SSLv3 Is DEAD!)
• Restricting Server and Portal to TLS 1.2 is highly recommended (default in current versions)
• HSTS (Strict-Transport-Security) is natively supported
Ports:
• 6443
• 7443
[Diagram labels: Client App, Portal for ArcGIS, TLS 1.0, TLS 1.2]
Get Granular: SSL Protocols and Cipher Suites
• Portal Administrator Directory
- Security > SSLCertificates
• Server Administrator Directory
- Security > Config
Threat Mitigation, Prevention, and Regulatory Compliance
• Defense in Depth Paradigm
• Restrict Portal Proxy
• Restrict Cross Domain (CORS) Requests
• Disable PSA/IAA Accounts
• Scan Server / Scan Portal Scripts / Security Advisor
• Keep up-to-date!
Defense In Depth Paradigm
• Security plans have many “layers” – multiple levels of security
• Layered security mechanisms increase the security of the system as a whole
• Each feature discussed is considered a “layer”
Restrict Portal Proxy
• Used for OGC, KML, and requests to non-CORS enabled servers
• Default : UNRESTRICTED
• Populate this parameter with an approved list of resources
• Reduces potential for Port Scan/DOS/SSRF
enterprise.arcgis.com > Search “Restricting the portal’s proxy capability”
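Why an approved list reduces the SSRF and port-scan exposure, shown as an added example (not Portal's proxy implementation): the function decides whether a forwarding proxy should relay a target URL, treating an empty list as the unrestricted default described above. All host names and targets are constructed placeholders, and `proxy_allows` and `audit` are hypothetical names.

```python
from urllib.parse import urlsplit

# Constructed approved list; host names are placeholders.
APPROVED_HOSTS = ["maps.example.com", "ogc.example.org"]

# Constructed proxy targets, as a client application might submit them.
SAMPLE_TARGETS = [
    "https://maps.example.com/wms?request=GetCapabilities",
    "https://MAPS.example.com:443/kml/layer.kml",
    "http://10.0.0.5:8080/admin",
    "https://maps.example.com@10.0.0.5/",
    "https://maps.example.com.other.example/",
    "ftp://maps.example.com/data.zip",
]

def proxy_allows(target_url, approved_hosts):
    """Return True if the proxy should forward target_url.

    The host is taken from the parsed URL, never from a substring match,
    so userinfo tricks and look-alike suffixes do not pass.
    """
    try:
        parts = urlsplit(target_url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    approved = {h.lower() for h in approved_hosts}
    if not approved:
        return True  # unrestricted: any reachable host and port is relayed
    return parts.hostname.lower() in approved

def audit(targets, approved_hosts):
    """Return the allow/deny decision for each target, in order."""
    return [proxy_allows(t, approved_hosts) for t in targets]

if __name__ == "__main__":
    for label, hosts in (("unrestricted", []), ("restricted", APPROVED_HOSTS)):
        print(label, audit(SAMPLE_TARGETS, hosts))
```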
Restrict Cross-Domain (CORS) Requests
enterprise.arcgis.com > Search “cross-domain requests”
• For JavaScript applications, a common method used to make cross domain requests is called a CORS request (cross origin resource sharing)
• Required when making POST requests to Feature or GP services on a different server
[Diagram labels: ArcGIS Server, JavaScript Web Application, Client Web Browser]
Disable Primary Site Administrator (PSA) Account
• Recommended: disable the PSA/IAA accounts to remove methods of administering ArcGIS Server outside of your enterprise users
• Access the Server Administrator Directory
- Security > PSA > disable
PSA account
Scan ArcGIS Enterprise for Security Checks
• serverScan.py is a script in the Server installation directory
- Location: <install directory>\ArcGIS\Server\tools\admin
• portalScan.py is a script in the Portal installation directory
- Location: <install_directory>\ArcGIS\Portal\tools\security
• Scripts check for security settings → generate a report that makes recommendations to improve security.
• *Protip – run as scheduled tasks, output to web server directory, view online.
Check for Updates Tool!
• Starting at 10.6, you can also download and install software patches and updates using the patchnotification utility.
• You can install specific patches of your choice, security patches only, or all available patches.
Install patches!
Don’t Neglect Platform Protection!!
• Schedule and run OS updates (patch Tuesday for Microsoft)
• Provide Anti-Virus
• Configure intrusion detection
Additional Administrative Responsibilities
• Cloud images are templates
- New versions released fully patched, but need to be maintained by you
- Update your security baseline images (critical for autoscaling instances)
Additional Administrative Responsibilities Cloud environments
Compliance
ArcGIS Online:
• https://TRUST.ArcGIS.com – Compliance Documentation (Cloud Security Alliance, NIST 800-53, GDPR, CCPA, FedRAMP to ISO mapping etc.)
• FedRAMP Tailored Low SaaS certified (Moderate 2021)
• Cloud Security Alliance Consensus Initiative Questionnaire
ArcGIS Enterprise:
• Esri Managed Cloud Services Advanced PLUS: FedRAMP MODERATE Authorized
Security Findings? Esri PSIRT!
• https://trust.arcgis.com
• Vulnerability - report a vulnerability found in our site or application.
• Suspicious E-mail from Esri - if you believe you were targeted by a possible phishing attack from an Esri e-mail address or have received other suspicious e-mail correspondence from Esri.
• Privacy Issue - if you have a privacy concern related to our application or organization.
• Other - for all other security, privacy or compliance related concerns.
Summary
• Tokens are the Foundation of the ArcGIS Enterprise Security Model
• ArcGIS Enterprise Supports many Authentication Options
• Use SAML if you can
• HTTPS *Everywhere* – Use CA Signed Certificates
• Use Security Scan tools to validate your baseline
• Review advanced options to achieve compliance
• Report security concerns to Esri via TRUST.ArcGIS.com