DevelopingDeveloping SecureSecure ArcGISArcGIS EnterpriseEnterprise SolutionsSolutions John Alsup Randy Jones Sam Juarez David Kaiser Wittaker Mathot Rand Woolley OverviewOverview •• WelcomeWelcome •• EnterpriseEnterprise SecuritySecurity && ESRIESRI’’SS RoleRole •• DemoDemo IntroductionIntroduction •• ArcGISArcGIS ClientClient // ServerServer SecuritySecurity – Client / Server Demo •• ArcGISArcGIS WebWeb ApplicationApplication SecuritySecurity – Web Application Demo •• ArcGISArcGIS WebWeb ServicesServices SecuritySecurity – Web Services Demo •• QuestionsQuestions DevelopingDeveloping SecureSecure ArcGISArcGIS EnterpriseEnterprise SolutionsSolutions SecuritySecurity isis notnot aa product,product, butbut aa process;process; notnot aa destination,destination, butbut aa journeyjourney …. SQL Server Security Distilled, second edition, by Morris Lewis EnterpriseEnterprise SecuritySecurity && ESRIESRI’’SS RoleRole Challenge •• DynamicDynamic – ID Vulnerabilities (Users, Software Developers, Hackers, etc) – US-CERT (http://www.us-cert.gov) Security Bulletins – Exploit Vulnerabilities (Hackers) • Internet is a Endless Resource – Security Patches (Software Providers) • Release Schedules – Monthly – Quarterly – As Needed EnterpriseEnterprise SecuritySecurity && ESRIESRI’’SS RoleRole Challenge AnAn unun--patchedpatched WindowsWindows PCPC connectedconnected toto thethe InternetInternet willwill ““survivesurvive”” forfor onlyonly 2929 minutesminutes beforebefore thethe machinemachine isis likelylikely compromisedcompromised byby malwaremalware.. (Source: Internet Storm Center, July, 2005 -- http://isc.sans.org ) EnterpriseEnterprise SecuritySecurity && ESRIESRI’’SS RoleRole Challenge • Many Methods of Attack – Malicious Code (Trojan Horses, Trap Doors, Logic Bombs) – Denial of Service (Render a system unusable) – Physical Attacks (Physical Access to system) – Buffer Overflows (Extra code placed in Buffer to perform actions) – Spamming (Unsolicited E-mail) – Brute Force (Attempting all possible password combinations) – The list goes on …… • Historical View of Enterprise Security -- “The Soft Chewy Inside…” – Secure the Perimeter EnterpriseEnterprise SecuritySecurity && ESRIESRI’’SS RoleRole Challenge 52%52% ofof SecuritySecurity ExecutivesExecutives saysay theythey havehave aa ““moatmoat andand castlecastle”” approachapproach toto networknetwork security,security, admittingadmitting thatthat onceonce thethe perimeterperimeter isis penetratedpenetrated thethe innerinner defensesdefenses areare soft.soft. (Source: Preventsys, March 30, 2005) EnterpriseEnterprise SecuritySecurity && ESRIESRI’’SS RoleRole Security Is Bigger Than Technology •• EnterpriseEnterprise SecuritySecurity ProgramsPrograms – behavioral controls (policy) – procedural controls (process) – technological controls (technology) •• SecuritySecurity IsIs PartPart ofof thethe OrganizationOrganization FabricFabric – CSO (Chief Security Officer) / CISO (Chief Information Security Officer) 60% of Security Breaches are Internal, but 70% of People are Worried about Hackers on the Outside (Source: San Diego Supercomputing Center) EnterpriseEnterprise SecuritySecurity && ESRIESRI’’SS RoleRole Essential Enterprise Security Tasks • Identify Risks (Risk Management) • Identify Vulnerabilities (Vulnerability Management) • Develop Controls • Develop Business Continuity Plan (Document) • Implement Controls • Perform On-Going Risk Assessment (Verify) • Document and Take Action More than one-third (38 percent) of companies do not have comprehensive, integrated disaster recovery and business continuity plans in place. (Source: Veritas) EnterpriseEnterprise SecuritySecurity && ESRIESRI’’SS RoleRole Risk Management • Gartner Enterprise Risk Management (ERM) Framework – Definition (formalize risk tolerance into policy) • Define Risk Categories (for example: technical, contractual, regulatory) • Determine Risk Levels (0-5 scale) • Determine Acceptable Risk Level (risk tolerance) • Acceptable risk levels for business units • Define Risk Levels and Categories as formal policy – Planning • Analysis – Risk Identification – Business Impact Analysis – Risk Classification • Mitigation – Avoid / Transfer / Mitigate / Accept – Management • Control (Measurable / Testable / Auditable / Enforceable) • Monitor (Event / Trend / Intelligence / Controls) – Report • Regulatory Compliance • Policy Compliance • Risk Dash boarding • Risk Benchmarking / Optimization EnterpriseEnterprise SecuritySecurity && ESRIESRI’’SS RoleRole Hierarchy of Controls •• StructureStructure YOURYOUR EnterpriseEnterprise ControlControl SetSet toto MitigateMitigate YOURYOUR RisksRisks – Security Controls (NIST 800-53 / ISO 17799) • National Institute of Standards and Technology (NIST 800- 53) • International Organization for Standardization (ISO 17799) – IT Controls (COBIT / Software Development Lifecycle) • COBIT – Compliance / Regulatory Controls (SOX / HIPPA) • Sarbanes-Oxley Act of 2002 (SOX) – Financial & Accounting Disclosure • Health Insurance Portability and Accountability Act of 1996 – Health Care Discrimination EnterpriseEnterprise SecuritySecurity && ESRIESRI’’SS RoleRole Security Solutions Are Unique •• IdentifyIdentify YOURYOUR EnterpriseEnterprise RisksRisks •• DefineDefine YOURYOUR EnterpriseEnterprise ControlControl SetSet •• ImplementImplement ReasonableReasonable andand AppropriateAppropriate ControlsControls •• PerformPerform OnOn--GoingGoing RiskRisk AssessmentAssessment •• Document,Document, Document,Document, DocumentDocument andand DocumentDocument EnterpriseEnterprise SecuritySecurity && ESRIESRI’’SS RoleRole ESRI Role In Enterprise Security •• EnsureEnsure ArcGISArcGIS softwaresoftware worksworks effectivelyeffectively withinwithin enterpriseenterprise architecturesarchitectures takingtaking fullfull advantageadvantage ofof theirtheir inherentinherent securitysecurity capabilities,capabilities, eithereither throughthrough ArcGISArcGIS featuresfeatures andand customcustom extensionsextensions oror throughthrough integrationintegration withwith thirdthird--partyparty components.components. •• ArcGISArcGIS EnterpriseEnterprise Security:Security: DeliveringDelivering SecureSecure SolutionsSolutions –– JulyJuly 20052005 – http://www.esri.com/library/whitepapers/pdfs/arcgis-security.pdf – [email protected] EnterpriseEnterprise SecuritySecurity && ESRIESRI’’SS RoleRole Defense-In-Depth • ArcGIS Provides Enterprise Security: – Configuration – Integration with Security technologies – Secure Solution Development (Best Practices) • Architectures – Client / Server – Web Application – Web Services • Defense-In-Depth Approach OverviewOverview •• WelcomeWelcome •• EnterpriseEnterprise SecuritySecurity && ESRIESRI’’SS RoleRole •• DemoDemo IntroductionIntroduction •• ArcGISArcGIS ClientClient // ServerServer SecuritySecurity – Client / Server Demo •• ArcGISArcGIS WebWeb ApplicationApplication SecuritySecurity – Web Application Demo •• ArcGISArcGIS WebWeb ServicesServices SecuritySecurity – Web Services Demo •• QuestionsQuestions G8G8 SummitSummit Threat Analysis Demonstration •• JuneJune 2004,2004, 3030th G8G8 SummitSummit waswas heldheld onon SeaSea IslandIsland inin GlynnGlynn County,County, GAGA •• G8G8 ConsistsConsists ofof thethe LeadersLeaders ofof thethe worldworld’’ss majormajor IndustrialIndustrial DemocraciesDemocracies – Canada – France – Germany – Italy – Japan – Russia – United Kingdom – United States G8G8 SummitSummit Fictitious Scenario •• MissionMission Objective:Objective: SupplySupply G8G8 SummitSummit SecuritySecurity PersonnelPersonnel andand OthersOthers withwith AccurateAccurate andand TimelyTimely EventEvent Data.Data. •• LeverageLeverage EnterpriseEnterprise GISGIS toto provideprovide situationsituation awarenessawareness to:to: – Secret Service, FBI, Department of Defense, Federal/State/Local Law Enforcement, Medical, Foreign Dignitary Security Details G8G8 SummitSummit Fictitious Scenario • Enterprise GIS Components – Client / Server Application (Joint Operations Command) • RDBMS (Oracle 10g) – Data Repository • ArcSDE (9.1) – Spatial Database Engine • Geodatabase (9.1) – Management Repository for County GIS and Relevant Business Logic • ArcGIS Desktop (9.1) – Maintenance of Incident Data – Web Application (G8 Support Operations) • Web Application (Java Integration Tool Kit) – User Interface • Web Application Server (Tomcat / IIS) – Brokers Transactions between users and applications • ArcIMS (9.1) – Delivery of dynamic incident maps – Web Services (G8 Dignitary Operations) • Web Application Server (Tomcat / IIS) • Web Service (.Net) • ArcGIS Server (9.1) G8G8 SummitSummit Fictitious Scenario •• ClientClient // ServerServer – Microsoft Active Directory Integration – Fine Grained Access to ArcGIS Desktop Functionality based on Role Assignment G8G8 SummitSummit Fictitious Scenario •• WebWeb ApplicationApplication – Secure Communications between Web Client / Server / ArcIMS – Custom Web Application Content Based on Users Role in the Organization G8G8 SummitSummit Fictitious Scenario •• WebWeb ServicesServices – Secure Web Service (WSE) Used To Assist in Network Analysis OverviewOverview •• WelcomeWelcome •• EnterpriseEnterprise SecuritySecurity && ESRIESRI’’SS RoleRole •• DemoDemo IntroductionIntroduction •• ArcGISArcGIS ClientClient // ServerServer SecuritySecurity – Client / Server Demo •• ArcGISArcGIS WebWeb ApplicationApplication SecuritySecurity – Web Application Demo •• ArcGISArcGIS WebWeb ServicesServices SecuritySecurity – Web Services Demo •• QuestionsQuestions ArcGISArcGIS ClientClient // SeverSever
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages59 Page
-
File Size-