Design: Delivering Secure Solutions

Michael Young, ESRI Senior Enterprise Architect, Certified Information Systems Security Professional (CISSP). Version 1.2


Post on 12-Jan-2016


TRANSCRIPT

Page 1: Design: Delivering Secure Solutions

Design: Delivering Secure Solutions

Michael Young

ESRI Senior Enterprise Architect

Certified Information Systems Security Professional (CISSP)

Version 1.2

Page 2: Design: Delivering Secure Solutions

Agenda

• Intro
• ESRI’s GIS Security Strategy
• Enterprise-wide Security Mechanisms
• Application Security
• Enterprise GIS Security Patterns
• Current Security Trends
• Scope of ESRI Security Efforts
• ESRI’s Next Steps Supporting Secure Solutions

Page 3: Design: Delivering Secure Solutions

Intro
Goals for this session

• Communicate ESRI’s plans to meet your security needs
• Open discussions to incorporate your input

Page 4: Design: Delivering Secure Solutions

Intro
Security Industry Challenges

• Service Oriented Architecture (SOA)
• Virtualized systems
• Cloud computing
• Application vulnerabilities

Page 5: Design: Delivering Secure Solutions

Intro
General Security Principles

• CIA Security Triad
  – Confidentiality
    • Prevent intentional or unintentional unauthorized disclosure
  – Integrity
    • Prevent unauthorized data modifications
  – Availability
    • Ensure reliable and timely access to data

Page 6: Design: Delivering Secure Solutions

Intro
General Security Principles

• Defense in depth
  – Enterprise-Wide Initiative
  – Multiple Layers
  – Beyond Technology Solutions
  – Security zone based architecture

[Figure: defense-in-depth diagram. Control types: Technical Controls, Policy Controls, Physical Controls, around Data and Assets. Layer labels: Application, Host/Device, Data, Network. Example controls shown: LDAP Integration, SSO Integration, HTML Content Filters, Validation Checks, Native Authentication, LDAP/Central User Repository, Hardening Guides, Firewalls, NIDS, SSL, IPSec, Authentication, Role Based Access, Row-Level Access, Data File Encryption.]

Page 7: Design: Delivering Secure Solutions

Intro
General Security Principles

• Maintain Defenses Against Different Stages of Attack
  – Initial Compromise
  – Causing Damage
  – Long-Term Reconnaissance

Page 8: Design: Delivering Secure Solutions

ESRI’s GIS Security Strategy

Page 9: Design: Delivering Secure Solutions

ESRI’s Security Strategy
Two Reinforcing Trends

[Figure: two trends, labelled ESRI and IT/Security. Labels: Discrete products and services; Applications; Isolated systems; Enterprise platform and services; Integrated systems with discretionary access; "… exploiting 3rd party security functionality"; "… exploiting embedded and 3rd party security functionality"; "… relying on product and solution security validation"; "… relying on solution security validation".]

Page 10: Design: Delivering Secure Solutions

ESRI’s Security Strategy
Interdependent Capabilities

• Secure GIS products
  – ESRI develops products that incorporate security industry best practices and are trusted across the globe to provide geospatial services that meet the needs of individual users and entire organizations
• Secure GIS solution guidance
  – July release of Enterprise GIS Resource Center containing security best practice guidance and documentation

Page 11: Design: Delivering Secure Solutions

Enterprise-wide Security Mechanisms

Page 12: Design: Delivering Secure Solutions

Enterprise-Wide Security Mechanisms
Overview

• Authentication
• Authorization
• Filters
• Encryption
• Logging/Auditing

Page 13: Design: Delivering Secure Solutions

Enterprise-Wide Security Mechanisms
Authentication

• ArcGIS Authentication Options
  – Default of none
  – Local connection
  – IIS Web Server Authentication
  – JavaEE Container Managed
  – Server Token Service
  – Forms based
  – Multiple concurrent methods
• ArcGIS 9.3 Token Service
  – Cross-Platform – .NET & Java
  – Cross-API – SOAP & REST
  – Cross-Product – Desktop, Explorer, Web Service and Applications
• 3rd Party
  – Public Key Infrastructure (PKI)
  – Single Sign-On (SSO)
  – Windows Integrated
  – LDAP

Page 14: Design: Delivering Secure Solutions

Enterprise-Wide Security Mechanisms
Authorization

• Role Based Access Control (RBAC)
  – ESRI COTS
    • ArcGIS authorization across product lines to Service Level
    • Use ArcGIS Manager to assign access to services
    • Services can be grouped into folders which utilize inheritance to ease management
  – 3rd Party
    • RDBMS – Row Level or Feature Class Level
      – Multi-Versioned instances may significantly degrade RDBMS performance
      – Alternative is SDE Views
  – Custom – Limit GUI
    • Rich Clients via ArcObjects
    • Web Applications
      – Check out sample code – Google: EDN Common Security
      – Try out Microsoft’s AzMan tool

Page 15: Design: Delivering Secure Solutions

Enterprise-Wide Security Mechanisms
Filters

• 3rd Party
  – Firewalls
  – Reverse Proxy
    • Common implementation option
    • MS now has free reverse proxy code for IIS 7 (Windows 2008)
    • Looking into providing baseline filters
  – Web Application Firewall
    • Looking into providing baseline guidance for ModSecurity
  – Anti-Virus Software
  – Intrusion Detection / Prevention Systems
• Custom
  – Limit applications able to access geodatabase

Page 16: Design: Delivering Secure Solutions

Enterprise-Wide Security Mechanisms
Encryption

• 3rd Party
  – Network
    • IPSec (VPN, Internal Systems)
    • SSL (Internal and External System)
  – File Based
    • Operating System – BitLocker
    • GeoSpatially enabled PDF’s
    • Hardware (Disk)
  – RDBMS
    • Transparent Data Encryption
    • Low Cost Portable Solution – SQL Express 2008 w/TDE

Page 17: Design: Delivering Secure Solutions

Enterprise-Wide Security Mechanisms
Logging/Auditing

• ESRI COTS
  – Geodatabase history may be utilized for tracking changes
  – JTX Workflow tracking of Feature based activities
  – ArcGIS Server Logging
• Custom
  – ArcObjects component output GML of Feature based activities
• 3rd Party
  – Web Server
  – RDBMS
  – OS

Page 18: Design: Delivering Secure Solutions

Application Security

Page 19: Design: Delivering Secure Solutions

Application Security
Overview

• Rich Client Applications
• Web Applications
• Web Services
• Online Services
• Mobile

Page 20: Design: Delivering Secure Solutions

Application Security
Rich Client Applications

• ArcObject Development Options
  – Record user-initiated GIS transactions
  – Fine-grained access control
    • Edit, Copy, Cut, Paste and Print
  – Interface with centrally managed security infrastructure (LDAP)
• Integration with server Token Authentication Service
• Windows native authentication
• Client Server Communication
  – Direct Connect – RDBMS
  – Application Connect – SDE
  – HTTP Service – GeoData Service
• SSL and IPSec Utilization

Page 21: Design: Delivering Secure Solutions

Application Security
Web Applications

• ArcGIS Server Manager
  – Automates standard security configuration of web apps in ASP.NET and Java EE
    • E.g. Modifies web.config file of ASP.NET
• Application Interfaces
  – .NET and Java ADF’s
    • Out of the box integration with Token Security service
  – REST API’s (JavaScript, Flex, Silverlight)
    • Can embed in URL – Simple
    • Better solution is to dynamically generate the token
    • Don’t forget to protect access to your client code
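
The difference between a token embedded in a URL and one generated dynamically can be checked in client source before it ships. The following is an added example, not code from the presentation or from ESRI: it scans client code for a token value hard-coded in a REST URL and reports it with the value redacted. The `token` query parameter name, the sample URLs and the minimum-length threshold are assumptions.

```python
import re
from collections import namedtuple
from urllib.parse import urlsplit, parse_qsl

Finding = namedtuple("Finding", "filename lineno service token_hint")

# Quoted string literals ("...", '...' or `...`) that sit on a single line.
_LITERAL = re.compile(r"""(["'`])((?:(?!\1).)*)\1""")
MIN_TOKEN_LEN = 8  # assumption: shorter values are treated as placeholders

# Constructed sample client code; host, services and token value are made up.
SAMPLE_JS = '''\
// Constructed sample client code
var parcels = new esri.layers.ArcGISDynamicMapServiceLayer(
  "https://gis.example.com/arcgis/rest/services/Parcels/MapServer?token=kX9vQ2mL7aTz4RbN8cWd1EfGh");
var roads = new esri.layers.ArcGISDynamicMapServiceLayer(
  "https://gis.example.com/arcgis/rest/services/Roads/MapServer?token=" + sessionToken);
var basemap = "https://gis.example.com/arcgis/rest/services/Base/MapServer";
'''


def _is_static(value):
    """A literal value with no template placeholder was typed into the source."""
    return len(value) >= MIN_TOKEN_LEN and "{" not in value


def _redact(value):
    """Keep findings reviewable without copying the credential into reports."""
    return f"{value[:4]}...({len(value)} chars)"


def find_static_tokens(source, filename="<memory>"):
    """Return a Finding for every string literal carrying a fixed token value."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in _LITERAL.finditer(line):
            literal = match.group(2)
            if "token=" not in literal.lower():
                continue
            query, service = literal, ""  # fallback: treat as a bare query string
            try:
                parts = urlsplit(literal)
                if parts.query:
                    query, service = parts.query, parts.path
            except ValueError:
                pass  # not parseable as a URL; keep the fallback
            # A literal that ends in "token=" (value appended at run time)
            # yields an empty value here and is not reported.
            for key, value in parse_qsl(query, keep_blank_values=True):
                if key.lower() == "token" and _is_static(value):
                    findings.append(
                        Finding(filename, lineno, service, _redact(value)))
    return findings


if __name__ == "__main__":
    for f in find_static_tokens(SAMPLE_JS, "map.js"):
        print(f"{f.filename}:{f.lineno}: static token {f.token_hint} "
              f"for {f.service or '(unknown service)'}")
```

Only the first layer in the sample is reported; the second builds its URL from a run-time value and the third carries no token.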

Page 22: Design: Delivering Secure Solutions

Application Security
Web Services

• ArcGIS Server Manager
  – Set permissions on folders as well as individual services
  – Restricting access to some services but not others is only available through Internet connections
  – Can remove Local service requests to ArcGIS Server by emptying AGSUsers group
  – Secures access to all ArcGIS Server web interfaces
    • REST
      – Service directory is on by default, disable if you don’t want it browsable
    • SOAP
      – WS-Security can be addressed by 3rd party XML/SOAP gateways
    • OGC
    • KML

Page 23: Design: Delivering Secure Solutions

Application Security
Online Services

• New ArcGIS Online Search and Share
  – Central resource for easily accessing, storing and sharing maps
  – A membership system
    • You control access to items you share
    • You are granted access to items shared by others
    • You join and share information using groups
    • Organizations self-administer their own users and groups
  – Site security similar in approach with other social networking sites
    • Not meant for highly confidential or proprietary data

Page 24: Design: Delivering Secure Solutions

Application Security
Mobile

• ArcPad
  – Password protect and encrypt the AXF data file
  – Encrypt mobile device memory cards
  – Secure your ArcGIS Server environment with users and groups to limit who can publish ArcPad data
  – Secure your internet connection used for synchronizing ArcPad data
• ArcGIS Mobile
  – Encrypt communication via HTTPS (SSL) or VPN tunnel to GeoData Service
  – Utilization of Token Service
  – Web Service Credentials
  – Consider utilization of Windows Mobile Crypto API
  – Third party tools for entire storage system

Page 25: Design: Delivering Secure Solutions

Secure Enterprise GIS Patterns

Page 26: Design: Delivering Secure Solutions

Secure GIS Patterns

• ESRI is providing security implementation patterns to help solve recurring security problems in a proven, successful way
• ESRI’s patterns leverage The National Institute of Standards and Technology (NIST) guidelines for securing information systems
• Patterns are based on risk for:
  – Basic Security Risk Implementations
  – Standard Security Risk Implementations
  – Advanced Security Risk Implementations

To prioritize information security and privacy initiatives, organizations must assess their business needs and risks

Page 27: Design: Delivering Secure Solutions

Secure GIS Patterns
Choosing the appropriate Risk Level Pattern

• How does a customer choose the right pattern?
  – Formal – NIST Security Categorization Process
  – Informal – Simple scenarios ESRI customers can relate to
• Formal Pattern Selection
  – NIST SP 800-60 – Guide for Mapping Types of Information and Information Systems to Security Categories

Page 28: Design: Delivering Secure Solutions

Secure GIS Patterns
Information Pattern Selection

• Informal Pattern Selection
  – Basic Risk Pattern
    • No Sensitive data – Public information
    • All architecture tiers can be deployed to one physical box
  – Standard Risk Pattern
    • Moderate consequences for data loss or integrity
    • Architecture tiers are separated to separate systems
    • Potential need for Federated Services
  – Advanced Risk Pattern
    • Sensitive data
    • All components redundant for availability
    • 3rd party enterprise security components utilized


Page 29: Design: Delivering Secure Solutions

Secure GIS Patterns
Basic Security

• Common Basic Security Environment Attributes
  – Utilize data and API downloads from cloud computing environments
  – Secure services and web applications with ArcGIS Token Service
  – Separate internal systems from Internet access with DMZ
  – Utilize a Reverse Proxy to avoid DCOM across firewalls

[Figure: Basic security pattern network diagram. Zones: Internet, DMZ, Internal Trusted Network, Perimeter Network, Internal LAN. Link speeds shown: 1.5 Mbps, 1 Gbps. Systems: Reverse Proxy Server (Proxy Service, IIS 7, Windows 2008); Application Server (ArcGIS Server 9.3); Database Server (MS SQL 2005); Active Directory Server (Windows 2003). Clients and services: Anonymous Internet User (Web Application); Authenticated Internet User (Web Application, SSL for Login); ArcGIS Online Basemap Layers; AGS Silverlight API; ArcMap Rich Client.]

Page 30: Design: Delivering Secure Solutions

Secure GIS Patterns
Standard Security

• Common Standard Security Environment Attributes
  – Authentication/Authorization
    • No static storage of ArcGIS Token in application code
    • Multi-Factor authentication utilized for remote system access
  – Network
    • Partitioning system functions such as Web, Database and Management by VLANs
      – Servers have separate network connections for management traffic
    • Add Application Security Firewall (ex. ModSec) to Reverse Proxy Server
      – Utilize host-based firewalls on systems
  – Systems Management
    • Can utilize data from cloud computing environments, but have local copies
      – Avoid usage of internal clients consuming external services for API downloads
    • Redundant components for High Availability
      – Can utilize low cost load balancers such as MS NLB
    • Utilize Intrusion Prevention/Detection Systems
    • Implement least privilege
      – Ensure separation of duties
      – Lock down system ports, protocols, and services (Whitepaper available)
    • Standardize system images for clients and server (SMS)
      – Whitepaper available
    • Be aware of browser plug-in restrictions


Page 31: Design: Delivering Secure Solutions

Secure GIS Patterns
Advanced Security

• Common Advanced Security Environment Attributes
  – Minimal reliance on external data/systems
  – Data Management
    • Separate datasets (e.g. Public, Employees, Subset of Employees)
    • Consider utilizing explicit labels on information, source and destination objects
    • Clustered Database for High Availability
    • Utilization of Transparent Data Encryption for storage of sensitive data
  – Authentication/Authorization
    • Utilize 3rd party security products for service and web application authentication and authorization
    • Utilize Public Key Infrastructure (PKI) certs
    • Multi-Factor Authentication required for Local Access, and for Remote system access Hardware Token Multi-Factor required
  – Network configuration
    • Redundant network connections between systems
    • Secure communication via IPSec between backend systems
    • Secure communication via SSL/TLS between Clients and Servers (Both web and Rich Clients)
    • Partitioning system functions such as Web, Database and Management by VLANs
    • Servers have separate network connections for management traffic
    • Deploy Network Access Control (NAC) tools to verify security configuration and patch level compliance before granting access to a network


Page 32: Design: Delivering Secure Solutions

Current Security Trends

Page 33: Design: Delivering Secure Solutions

Current Security Trends
Old-Fashioned DOS Attacks Still in Style

• July 4th started off with a bang of 50,000 'zombies' triggering recent denial of service attacks
  – High profile U.S. Web sites affected include:
    • The White House site
    • The Department of Homeland Defense
    • The State and the U.S. Treasury
    • The Washington Post, among others
• Based on old virus – MyDoom.
• Patchwork of scripts – No coding needed
• No attempt to avoid AV signatures
• Sad truth on protecting your site from this
  – Batten the hatches, hunker down and work with your Internet Service Provider (ISP) to implement upstream filtering to cut down the massive online traffic overloading their network

Page 34: Design: Delivering Secure Solutions

Current Security Trends
Recent Surveys

• Increasing focus on degree to which security can be improved if applications used for business processes within enterprises were designed and programmed with fewer vulnerabilities to begin with
  – DHS – Build Security In
  – Consensus Audit Guidelines (CAG)
  – SafeCode

[Figure: CSI 2008 Survey]

• Application Firewalls have become commonplace with over ½ of organizations utilizing them

Page 35: Design: Delivering Secure Solutions

Current Security Trends
Cloud Computing

• A current IT hotspot
  – Be careful of security façades that can be bypassed
  – NIST Cloud Computing Security Whitepaper out soon
  – The only “secure clouds” right now are private clouds

Page 36: Design: Delivering Secure Solutions

Scope of ESRI Security Efforts

Page 37: Design: Delivering Secure Solutions

Scope of ESRI Security Efforts
Compliance and certifications

• ESRI fully supports and tests product compatibility with FDCC (Federal Desktop Core Configuration) security settings
• ESRI hosts FISMA certified and accredited low risk category environments
• ESRI’s Security Patterns are based on NIST/FISMA guidance
  – Not provided as full certification compliance representations
• ESRI software products are successfully deployed in high risk security environments
• ESRI does not certify classified environment products and systems
  – Function is performed by the system owner
• ESRI continues to evaluate the need for compliance and/or additional certifications

Page 38: Design: Delivering Secure Solutions

Scope of ESRI Security Efforts
Regulations and Standards

• ESRI patterns based on ISO / NIST guidance
  – Contain the backbone of most security regulations and standards
• NIST Standards can operate as a baseline of security and then layer in applicable laws, regulations for compliance of an industry on top
  – Referred to as a Unified approach to information security compliance

[Figure: seven-step process diagram. Step 1. Establish Requirements; Step 2. Preliminary Awareness Raising and Training; Step 3. Information Collection; Step 4. Perform Risk and other Analyses; Step 5. Report of Findings and Recommendations; Step 6. Prepare Implementation Plan; Step 7. Implementation Program, Provide Training. Other labels: Documentation Review; Interviews/Questionnaires; Determine Security and Privacy Standards; Determine Applicable Laws and Regulations; Data Classification and Mapping.]

Page 39: Design: Delivering Secure Solutions

Scope of ESRI Security Efforts
NEW Enterprise GIS Resource Center

[Figure labels: Incorporates IT Foundation Architecture Guidance; ESRI Provides GIS Best Practice Guidance]

Page 40: Design: Delivering Secure Solutions

Scope of ESRI Security Efforts

• ESRI provides security due diligence with our products and solutions, but is not a security software company
• ESRI recognizes every security solution is unique
• Ultimately, certifications and accreditations are based on a customer’s mission area and circumstance
• Reference Implementations on Enterprise Resource Center
  – Validate for performance and security

Page 41: Design: Delivering Secure Solutions

Next Steps Supporting Secure Solutions

Page 42: Design: Delivering Secure Solutions

Next Steps Supporting Secure Solutions

• Your feedback and insight today are essential
  – Current security issues
  – Upcoming security requirements
  – Areas of concern not addressed today

Contact Us At:

[email protected]

Page 43: Design: Delivering Secure Solutions

Session Evaluation Reminder

Session Attendees:

Please turn in your session evaluations.

. . . Thank you

Page 44: Design: Delivering Secure Solutions

References

• ESRI Enterprise GIS Resource Center Website
  – NEW JULY 2009
  – Focused Enterprise GIS Technical Solutions
  – http://resources.esri.com/enterprisegis/
• Consensus Audit Guidelines
  – Released May 2009 (Version 2.0)
  – http://www.sans.org/cag/guidelines.php
• SafeCode Guidelines
  – http://www.safecode.org/
• MS Application Architecture Patterns
  – Contains security guidance per application type
  – http://www.codeplex.com/AppArchGuide