Planning a New Deployment
ArcGIS Enterprise comes pre-configured with several default security settings, including:
- Automatic HTTPS activation
- Permission for users to share content publicly
- Access granted to the REST Services Directory
These defaults are intended to make sharing geospatial data easy for every user with access to the system. While suitable for initial testing and development, they may not offer adequate security for production environments, so hardening your ArcGIS Enterprise implementation before it goes into production is essential.
Navigating the numerous security controls can be complex, and guidance is needed on configuring the various security features. To address this, Esri now offers security control guidance through security profiles, akin to security baselines elsewhere in the industry. Organizations are advised to adopt an industry-standard configuration, such as the ArcGIS Enterprise security profiles, and customize it to their specific requirements.
Security Profiles
Crafting a security profile from scratch or relying on a generic hardening guide often results in an insecure deployment prone to vulnerabilities. Implementing the appropriate ArcGIS Enterprise security profile tailored to your organization enhances flexibility, availability, and security while minimizing associated costs.
Every organization encounters security threats unique to its operations. For instance, while an ecommerce company prioritizes safeguarding its internet-facing web applications, a healthcare institution may concentrate on securing confidential patient data. Despite these differences, all organizations share the common imperative of ensuring the security of their applications and devices. These devices must adhere to the security standards outlined by the organization.
A security profile comprises Esri-recommended configuration settings delineating their security implications. These settings are formulated based on insights from Esri’s Software Security & Privacy Team, product groups, partners, and clientele. Given that the ArcGIS Enterprise system was crafted and validated with considerations for availability, scalability, and security, the manner in which it is deployed can profoundly affect the overall system’s security.
No single set of guidelines can cover every conceivable customer scenario, because each deployment of ArcGIS Enterprise operates within its own IT environment. Variations in network topology, internal security policies, customer prerequisites, and use cases call for tailored approaches. General guidelines are provided to bolster overall system security, supplemented by specific usage scenarios with corresponding guidance. Which recommendations from this guide you adopt depends on the particulars of your deployment environment and the security threats your organization considers relevant.
Two Security Profile Levels
Controls designated as Basic represent the essential security measures recommended for production environments. The Basic profile satisfies the security requirements of over 95 percent of the customer base. This profile adheres to industry security standards established by the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO). These standards are pertinent to a wide array of regulatory compliance frameworks frequently mandated by customer security policies.
Controls categorized as Advanced are suitable for deployments where ArcGIS Enterprise holds critical software status. While the Basic profile typically suffices for most customers, organizations relying on ArcGIS Enterprise for mission-critical functions or necessitating stringent security compliance may find the Advanced profile more suitable. The Advanced profile supersedes the recommendations provided in the ArcGIS Server Security Technical Implementation Guide (STIG) and the broader web application development STIG when utilizing ArcGIS Enterprise.
The Advanced profile isn’t merely an arbitrary assortment of additional security measures. Rather, it addresses the security controls appropriate for software designated as critical by NIST, along with the relevant STIGs, to fulfill the most exacting customer security requirements globally in a standardized, secure, and dependable manner.
Each security profile’s controls begin with a standard action:
- Disable – Enabled by default, but should be disabled unless the customer documents an exception
- Remove – Not available through a configuration interface, but should be removed
- Consider – Depends on the organization’s requirements balanced against the risk of the activity
- Verify – The default configuration is appropriate, but worth verifying that it has not been changed to a less secure setting
- Configure – Typically requires more effort to enact, such as deploying supporting services
- Manage – Requires ongoing management activities
- Avoid – Implement controls to prevent the activity and to alert upon its detection
- WARNING – Extra attention is necessary to ensure an issue is addressed appropriately
Security Control Structure Template and Example
Template
{Profile: Basic, Advanced}: {Action: Disable, Remove, Consider, Verify, Configure, Implement, Manage, Avoid}: {Security Control: Free text description}
Example
Basic: Disable ArcGIS Portal Directory
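As an added example (written for this page, not code from Esri or the profiles themselves), a small Python validator for control lines in the template above: it lets an organization check a customized profile for unknown profile levels or actions before adopting it. The profile and action vocabulary is the one listed on the page; the sample control lines are constructed, drawing on the page’s example and the three defaults named at the top.

```python
import re
from dataclasses import dataclass

# Vocabulary from the page: the two profile levels and the listed actions (plus "Implement").
PROFILES = {"Basic", "Advanced"}
ACTIONS = {"Disable", "Remove", "Consider", "Verify", "Configure",
           "Implement", "Manage", "Avoid", "WARNING"}

# Accepts "Profile: Action: control" and the page's own "Profile: Action control" form.
_CONTROL_RE = re.compile(
    r"^\s*(?P<profile>\w+)\s*:\s*(?P<action>\w+)\s*:?\s*(?P<control>\S.*?)\s*$")

@dataclass(frozen=True)
class SecurityControl:
    profile: str
    action: str
    control: str

def parse_control(line: str) -> SecurityControl:
    """Parse one control line; raise ValueError if it deviates from the template."""
    m = _CONTROL_RE.match(line)
    if not m:
        raise ValueError(f"not in 'Profile: Action: Control' form: {line!r}")
    profile, action, control = m.group("profile", "action", "control")
    if profile not in PROFILES:
        raise ValueError(f"unknown profile {profile!r}, expected {sorted(PROFILES)}")
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}, expected {sorted(ACTIONS)}")
    return SecurityControl(profile, action, control)

def load_controls(text: str):
    """Parse a whole profile; return (accepted controls, messages for rejected lines)."""
    controls, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue  # blank separator line
        try:
            controls.append(parse_control(raw))
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    return controls, errors

# Constructed sample: page's example, controls for the three listed defaults, one bad level.
SAMPLE_PROFILE = """\
Basic: Disable ArcGIS Portal Directory
Basic: Verify: Automatic HTTPS activation
Basic: Consider: Permission for users to share content publicly
Basic: Disable: Access to the REST Services Directory
Medium: Disable: Anonymous access
"""
```

Running `load_controls(SAMPLE_PROFILE)` accepts the first four lines and rejects the fifth with a message naming the unknown level, which is the kind of drift a reviewer wants flagged before a profile is signed off.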
Who We Are
GCS is a Geospatial Information Technology Services Company delivering award-winning solutions.
Our team of geospatial IT and cloud certified professionals helps organizations unlock and enable GIS technology. With over 200 years of combined technical expertise, GCS converts your ideas into reality through customer-driven, innovative applications. GCS customers gain strategic value through increased productivity, efficiency and profitability, optimizing mission-critical business processes.
Esri Business Partner
Since 2002, GCS has been an Esri Business Partner.

Further, GCS is recognized by Esri for its expertise in state and local government, implementation, and delivery of services that help customers succeed with ArcGIS technologies.