ArcNews Online
 

Fall 2005
 


ArcGIS Enterprise Security Controls White Paper Available

Esri is providing a white paper describing enterprise security controls for ArcGIS client/server, Web application, and Web services architectures entitled ArcGIS Enterprise Security: Delivering Secure Solutions. It can be downloaded from the Esri Web site (www.esri.com/enterprisesecurity).

Effective enterprise security can be a challenge for the IT architects and security specialists who design, deploy, and support mission-critical solutions. Until the last few years, entire IT systems were frequently designed around a single mission objective and "community of interest." The result was physically isolated systems, each maintaining its own data stores and applications. Integration was accomplished through complicated interfaces that replicated and synchronized data among the various systems. Security was generally enforced at the perimeter; any authorized user, once granted entry to a system, could access all data and applications, including GIS applications, resident in the system. Maintaining such "islands of automation" is expensive and inefficient and does not offer the flexibility or, in many cases, the in-depth security that organizations are seeking.

New and emerging standards, coupled with significant improvements in networking, operating systems, and integration technology, are enabling IT architects to design and maintain a single, organization-wide enterprise architecture. Discretionary access to data and applications is managed as a function of an individual's role and privileges in the organization. This flexibility affords tremendous economies and efficiencies as fine-grained access controls can be used to pinpoint information delivery to carefully drawn communities of interest. However, as security moves from the perimeter into core IT infrastructure components, GIS and other enterprise applications must be designed to exploit the new security functionality.

Because of the challenges presented by a dynamic information threat landscape, there is neither one security tool that will mitigate all risks nor one security design that is appropriate for all situations. Successful enterprise security programs are unique and consist of behavioral, procedural, and technology controls designed to mitigate identified threats.

ArcGIS provides the flexibility to integrate with enterprise security standards and technologies.

ArcGIS Enterprise Solutions

ArcGIS is an open, integrated collection of software products that have been widely deployed in secure environments. Built on a single set of interoperable components, the ArcGIS framework enables users to deploy GIS functionality and logic wherever it is needed—in desktops, servers, and mobile devices and as Web services. For more specialized tasks, ArcGIS may be extended and customized using industry-standard tools. When combined with the geodatabase and, as appropriate, third-party products, ArcGIS provides the flexibility and capabilities necessary to assemble robust, secure enterprise geographic information systems.

ArcGIS technology is widely used today in secure enterprise solutions in both commercial and classified environments. Applying security controls to ArcGIS solutions is no different from securing any other IT solution. Security principles and controls can be applied at all levels of the architecture. Based on the security policies and requirements of the organization, ArcGIS security can be applied at application, network, operating system, and DBMS levels.

Application Controls

The application level provides the greatest flexibility for implementing security controls. Through the use of ArcObjects, desktop applications, Web applications, and Web services can integrate with standard technologies to provide enhanced controls that authenticate, authorize, and provide access control. ArcGIS functionality can be restricted, and geographic transactions can be logged for ArcGIS users with assigned privileges. ArcGIS Web applications and services can also be customized to use standard authentication methods (basic, digest, form, client certificate) over a secure channel (HTTPS). For additional security controls, ArcGIS applications can be customized to integrate with existing Lightweight Directory Access Protocol, single sign-on, and policy management systems for authorization to specific content based on assigned roles. As with any other secure IT solution, application security controls are designed to integrate and enhance the secure solution.

Network Controls

The network level additionally provides many industry-standard network configurations that can be utilized to secure the flow of data and communication between ArcGIS components. Firewalls provide a first line of defense in that they restrict unauthorized access to ArcGIS Server components (ArcIMS and ArcSDE and the DBMS) by providing a restrictive gateway between ArcGIS clients and the ArcGIS Server components. The Secure Sockets Layer can enhance security controls by providing encrypted point-to-point security between the ArcGIS client and the ArcGIS Server components. Internet protocol (IP) security can further enhance network layer security by providing secure exchange of packets at the IP layer. Both the header and data portions of each packet can be encrypted and decrypted between ArcGIS components that implement a common public key infrastructure.

Operating System Controls

The operating system layer of ArcGIS is additionally leveraged to provide operating system controls for authorization into ArcGIS. Operating system controls available to ArcGIS are dependent on the underlying DBMS' support of operating system integration. ArcGIS can be configured to leverage, for example, Windows client native authentication methods supported by the DBMS client. On the server, data file encryption can be utilized as a security control.

DBMS Controls

The DBMS layer enhances the secure solution by providing additional confidentiality and integrity controls between the ArcGIS components and database server. DBMS privilege assignments can be implemented to restrict access to feature datasets by allowing access to certain groups of users.

Esri's Professional Services provides consulting and technical services to address the enterprise needs of its customers and business partners. These services range from short-term implementation support to the delivery of strategic corporate and turnkey, mission-critical applications.

For more information, contact Esri Professional Services (e-mail: services@esri.com, tel.: 1-888-620-0089). For additional information concerning ArcGIS enterprise security concepts, e-mail esinfo@esri.com or visit www.esri.com/enterprisesecurity.
