ArcGIS Enterprise Security: An Introduction
Randall Williams
Esri Software Security and Privacy, Esri PSIRT
ArcGIS Security Update – TLS 1.2
• Esri is committed to using the latest industry standards and best practices for security protocols
• On April 16, 2019, we are updating ArcGIS Online to enforce the use of TLS (Transport Layer Security) version 1.2
• What Does This Mean For You?
- Users of most ArcGIS software or custom solutions using Esri technology may be affected by this planned update
- If you have not updated and validated your system's support for TLS v1.2 only, you may lose your ability to connect to ArcGIS Online.
• What Do You Need to Do?
- Go to the Esri TLS Support page for information, patches, and instructions for updating software: support.esri.com/en/tls
Agenda
ArcGIS Enterprise Security for *BEGINNING to INTERMEDIATE* users
• ArcGIS Enterprise Security Model
• Portal for ArcGIS
• Authentication and Authorization: ArcGIS Tokens
• Encryption (HTTPS)
• Defense in Depth - Threat Prevention, Mitigation, and Regulatory Compliance
• Summary
Security is an ART.
Security is the art of managing risk and tradeoffs.
ArcGIS Enterprise Logical Architecture
[Diagram: Portal for ArcGIS, ArcGIS Server, ArcGIS Data Store (relational + tile cache), ArcGIS Web Adaptor]
ArcGIS Enterprise Security Model
Protect your Assets
Control Access and Set Permissions
Authentication vs. Authorization
token
The token is your access key into… ArcGIS Server, Portal for ArcGIS, ArcGIS Online, Insights, Collector, ArcGIS Pro, ArcGIS Desktop, Maps for Office, Maps for Sharepoint, Geo Enrichment, Geocoding, Living Atlas, Survey 123, Analysis, Maps for PowerBI
The token is your access key into… ArcGIS Enterprise
OK. So what is a token?
A token represents your login credentials…
(1AyZcQDO6xJjtWyycn206filCzn)
…and must be passed with any request for secured content
A token represents your login credentials…
…and other attributes to make them randomized, unique and scoped.
Good news…
…ArcGIS Enterprise handles this transparently for you
Let's see how this works…
1. User requests access to Service
2. Service sends user to Token Service
3. User Authenticates to Token Service
4. Token Service issues Token to User
5. User passes Token to Service
6. Service grants access
But what about… Single Sign On, Forms Auth, Active Directory, Smart Cards
All authentication methods ultimately deliver a token…
…the token is your key into… ArcGIS Enterprise
[Diagram: in ArcGIS Enterprise, content = item (package, web map, service, layer)]
How do we grant access to items?
[Diagram: user, group, item, access]
• Portal for ArcGIS
- Permissions set by item owner
- Can be changed by administrators
• ArcGIS Server
- Permissions can be set by any publisher/administrator
[Diagram: Access to Web Services and Portal Items (Web map, Web app, Data)]
What security options are available?
Flexible Security Options with ArcGIS Enterprise
ArcGIS Enterprise Supports…
Single Sign On, IWA, Forms Auth, Active Directory, LDAP, HTTP Auth, OAuth, SAML, Built-In Accounts, NTLM, PKI, Kerberos, CAC Cards, Certificates, Custom Roles, Enterprise Groups, Smart Cards
Single Web Sign On through SAML (Security Assertion Markup Language)
Industry standard for SSO
• With SAML authentication enabled, user will be prompted by IDP to login
• Use IDP login or built-in login
SAML login User Experience
SAML – Conceptual Workflow
Participants: Client, ArcGIS Enterprise, Identity Provider (IDP, 3rd party)
1. User attempts to login
2. Redirected to IDP
3. User sends login credentials to IDP
4. IDP authenticates user and sends SAML response to browser
5. Browser sends SAML response to Portal
6. Portal verifies SAML response and user is logged in
But what about the token?!
[Diagram: the six-step SAML workflow again (step 2: Portal redirects client to IDP), now with a Token shown; You, Token, ArcGIS Server]
Groups vs Roles
Groups
[Diagram: user, group, item, access]
Roles
Roles are privileges
As an administrator I can …
As a publisher I can …
As a viewer I can …
As a user I can …
• Permissions for Portal users defined by roles
• 4 default roles
1. Administrator
2. Publisher
3. User
4. Viewer
(Changing at v10.7 to align with ‘User Types’)
[Chart: Roles and Permissions]
Portal for ArcGIS: Custom Roles
• Provide more flexibility to enable fine grained control on what members can do
• My Organization page > Edit Settings > Roles > Create Role
• Be CAREFUL with administrative Privileges
Encryption and HTTPS
Securing communication protocols
Sensitive Content
HTTPS
Is the service valid?
Is the data secure?
What happens to my password?
Can I trust the content?
Implementing HTTPS
[Diagram: Portal for ArcGIS, ArcGIS Server, ArcGIS Data Store (relational + tile cache), Web Adaptor / Load Balancer]
How do you set up a Security Certificate?
1. Generate a Certificate Signing Request (CSR)
2. Send CSR for signing
- By a domain CA or well-known Certificate Authority
3. Import signed certificate
A (very) Brief Intro
Production Considerations for Threat Mitigation and Regulatory Compliance
Threat Mitigation, Prevention, and Regulatory Compliance
• Defense in Depth Paradigm
• Restrict Portal Proxy
• Restrict Cross Domain (CORS) Requests
• Disable PSA Account
• Scan Server / Scan Portal Scripts
• HTTPS: Protocol and Cipher Configuration
Defense In Depth Paradigm
• Security plans have many “layers” – multiple levels of security
• Layered security mechanisms increase the security of the system as a whole
• Each feature discussed is considered a “layer”
Check for Updates Tool!
• Starting at 10.6, you can also download and install software patches and updates using the patchnotification utility.
• You can install specific patches of your choice, security patches only, or all available patches.
Install patches!
Restrict Portal Proxy
• Used for OGC, KML, and requests to non-CORS enabled servers
• Default: UNRESTRICTED
• Populate this parameter with an approved list of resources
• Reduces potential for DOS/CSRF
enterprise.arcgis.com > Search “Restricting the portal’s proxy capability”
Restrict Cross-Domain (CORS) Requests
enterprise.arcgis.com > Search “cross-domain requests”
• For JavaScript applications, a common method used to make cross domain requests is called a CORS request (cross origin resource sharing)
• Required when making POST requests to Feature or GP services on a different server
[Diagram: Client Web Browser, JavaScript Web Application, ArcGIS Server]
Disable Primary Site Administrator (PSA) Account
• Recommended: disable the PSA account to remove an alternate method of administering ArcGIS Server outside of your enterprise users
• Access the Server Administrator Directory
- Security > PSA > disable
Scan ArcGIS Enterprise for Security Checks
• serverScan.py is a script in the Server installation directory
- Location: <install directory>\ArcGIS\Server\tools\admin
• portalScan.py is a script in the Portal installation directory
- Location: <install_directory>\ArcGIS\Portal\tools\security
• The scripts check security settings and generate a report that makes recommendations to improve security.
• *Protip – run as scheduled tasks, output to web server directory, view online.
SSL Protocol Configurations
https://www.ssllabs.com/ssltest/clients.html
• In 10.4, both Server and Portal can be configured to limit which SSL protocol is accepted and used.
• SSLv3 is *NOT* an option at ArcGIS 10.3+
• For organizations that are very security-aware and/or compliance focused, restricting Server and Portal to TLS 1.2 is highly recommended
• TLS (and its predecessor SSL) are cryptographic protocols designed to provide secure network communication between a client and a server
[Diagram: Client App and Portal for ArcGIS, TLS 1.0 vs. TLS 1.2]
Ports:
• 6443
• 7443
SSL Protocols and Cipher Suites
• Portal Administrator Directory
- Security > SSLCertificates
• Server Administrator Directory
- Security > Config
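An added example, not from the original slides or from Esri tooling: a client-side check of which protocol versions a listener accepts, for validating the TLS 1.2-only recommendation on ports 6443 and 7443. The host name given on the command line and all function names are assumptions.

```python
import socket
import ssl
import sys

# Protocol versions offered one at a time (names as used on the slide).
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
}

def probe(host, port, version, timeout=5.0):
    """Offer exactly one protocol version: 'accepted', 'rejected' or 'unreachable'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False               # protocol audit only, not a trust check
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")   # allow this client to offer legacy versions
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            try:
                with ctx.wrap_socket(sock, server_hostname=host):
                    return "accepted"
            except (ssl.SSLError, ConnectionError):
                return "rejected"            # listener answered but refused the handshake
    except OSError:
        return "unreachable"                 # no TCP connection, or no reply in time

def audit(results, allowed=("TLS 1.2",)):
    """Compare {version name: status} against the allowed set; return findings."""
    findings = []
    for name, status in results.items():
        if status == "accepted" and name not in allowed:
            findings.append(f"{name} accepted: restrict the listener to {', '.join(allowed)}")
        elif status != "accepted" and name in allowed:
            findings.append(f"{name} {status}: expected it to be accepted")
    return findings

def scan(host, ports=(6443, 7443)):
    """Probe every version on each port; return {port: findings}."""
    return {p: audit({n: probe(host, p, v) for n, v in VERSIONS.items()}) for p in ports}

if __name__ == "__main__" and len(sys.argv) > 1:
    for port, findings in scan(sys.argv[1]).items():   # host name given on the command line
        print(port, findings or "only TLS 1.2 accepted")
```

A "rejected" result for TLS 1.0 or 1.1 is only meaningful if the local OpenSSL build can still offer those versions.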
Compliance
ArcGIS Online:
• TRUST.ArcGIS.com – Compliance Documentation (Cloud Security Alliance, NIST 800-53, GDPR, etc.)
• FedRAMP Tailored Low
ArcGIS Enterprise:
• Esri Managed Cloud Services: FedRAMP MODERATE Authorized (Advanced Plus Offering)
Security Findings?
Esri PSIRT!
• https://trust.arcgis.com
• Vulnerability - report a vulnerability found in our site or application.
• Suspicious E-mail from Esri - if you believe you were targeted by a possible phishing attack from an Esri e-mail address, or have received other suspicious e-mail correspondence from Esri.
• Privacy Issue - if you have a privacy concern related to our application or organization.
• Other - for all other security, privacy or compliance related concerns.
Summary
• Tokens are the Foundation of the ArcGIS Enterprise Security Model
• ArcGIS Enterprise Supports many Authentication Options
• Use SAML if you can
• HTTPS *Everywhere* – Use CA Signed Certificates
• Federate Server with Portal to Fully Enable the ArcGIS Enterprise
• Use Security Scan tools to validate your baseline
• Review advanced options to achieve compliance