Cybersecurity hacks for ArcGIS
Navigating today's cybersecurity landscape is a dizzying ordeal of ever-changing threats, risks and regulations. HTTP vs. HTTPS, Active directory vs. Enterprise vs. Single sign-on authentication and that’s all without considering data sovereignty... In this episode Ta, Wayne and Josh untangle these hotly debated topics and share trusted resources for safeguarding security, privacy and compliance in ArcGIS.
Learn about security capabilities available for ArcGIS and guidelines for maintaining privacy and compliance.
Esri Australia's GIS Cloud services provides streamlined and secure GIS capabilities hosted and managed in Australia.
Discover up-to-date security information across the ArcGIS stack with articles and webinars from the global user community.
Find information on Esri's most recent security updates and patches released across Server and Portal for ArcGIS.
Leverage specialised technical know-how and implement best practice systems with GIS Professional Services.
Explore best practice for creating hardened instances of ArcGIS Enterprise through authentication, authorisation and encryption.
- Click to view the episode transcript
Securing your spatial information
Grab: If you can use ArcGIS Online as an organisation, then it is one of the easiest ways to establish a GIS that is secure, because Esri and the wonderful boffins over in their labs have worked long and hard over the security, and they continue to do so.
Disclaimer: This podcast is brought to you by the team at Esri Australia. To get your hands on more short, sharp and immediately usable resources, head to the Esri Australia website and search for Goldmine.
Wayne: Welcome to GIS Directions. I'm Wayne Lee-Archer.
Josh: I'm Josh Venman.
Ta: And I'm Ta Taneka.
Wayne: Josh, Ta, I have to say I'm super excited about today's episode. I've got a bag full of tips and tricks to give away, because we are diving into a topic that is near and dear to my heart. We're talking about cyber security.
Ta: Cyber security, yay. So, Skynet. Skynet is making a return I'm assuming, this sounds scary.
Wayne: Always Skynet.
Josh: I can sense the excitement, Wayne.
Wayne: In one way, shape or form, I've been dealing with internet and network security for 30 years now. So, it's definitely something near and dear to my heart. I'm going to challenge you for the role of jaded cynic or veteran in the room today I think Josh.
Josh: Ouch on two fronts there Wayne, but seriously, I think this is something we've all had to encounter with, certainly in my support days, and these days in solution architecture, you can't get away from security is something that GIS administrators have to deal with. There's no getting around it.
Wayne: All right, let's get into it.
Ta: Okay guys, before we dive into this topic particularly, I think it's worthwhile quickly defining what we mean when we say security, particularly in ArcGIS. Now there are a few terms that we were discussing just before we started recording here. So, things like TLS HTTP versus HTTPS, active directory versus enterprise versus single sign-on authentication.
That's all without thinking about data security. Okay, so, let's start with what is security in terms of ArcGIS and let's wade through these murky waters.
Josh: Let's kind of look at the proposition of what it means for a GIS person to think about security, and I honestly think this is one of those ones where there's kind of an awkward middle ground between IT folks who certainly do have lots of security expertise and experience, and GIS administrators, GIS professionals who really want to do the right thing, but perhaps not sure where the boundary is, would you agree with that Wayne?
Wayne: Absolutely. And I think, the boundary's getting a little bit more blurred every day, as we sort of evolve into a web GIS sort of architecture, we're leaning on all of these other technologies more and more and more. And unfortunately, that also means that we are sort of inheriting their, their security risks and their security exposures.
Josh: And something Ta brought up the, the HTTP HTTPS one, I think is a good example because, if you were the GIS administrator and you got a notification email, or in fact, multiple emails telling you about this shift from supporting HTTP to only supporting HTTPS, that could be quite intimidating, couldn't it? If you didn't know what that really meant, but you're the recipient of that advisory.
Wayne: I was actually really impressed, I mean, hopefully everyone in the room knows about this change. Everything in the ArcGIS platform as of I think, June or July last year, became all HTTPS. So, all of your traffic is encrypted. But the, you know, the biggest tip that we can give out today is patch. Patch, patch, patch.
There's always patches for security. Keep up to date with them. As you said, there's lists up on the website. There's also a cool tool that can check for updates built into the ArcGIS platform as well. So, if you're a GIS administrator, you're administrating your own environment, you can run that patch notify utility, and it'll go and see if there's any patches that you're missing out on that should be applied to your systems, patch, patch, patch, and this tool to help you.
Josh: And I'm going to throw in another one there which is, if you look at your ArcGIS version number, your ArcGIS Enterprise version, and you see it's like two or three versions behind, then patch, patch, patch, isn't probably gonna be working for you anymore. And that's, I think an area where you can come unstuck when you allow your ArcGIS Enterprise version to get so old that there aren't patches anymore, because then those security problems are not being addressed.
So that's a good reason to think about your upgrade cadence and make sure you're covered in that regard.
Ta: I like this. Okay so this has brought me to another point, compliance. Now where do we sit with compliance?
Wayne: Look, I've got a tip for this one and, this is my go-to place whenever I get this compliance question and that's trust.arcgis.com. So, this is the Esri formal platform for all of their security and trust documents.
What you'll find up there is all of the FedRAMP and the STIGs and all of those question-and-answer kind of documents that Government agencies in particular, but large organisations that are talking about their GIS in a security context, all of those questions are being answered in the documents that you'll find up there on trust.arcgis.com.
Josh: And Wayne would this be a good time do you think to talk about another one that comes up often, which is where's my data?
Wayne: What a great question, Josh. I know what you're talking about is this idea of data sovereignty and where your data lives, is important to a lot of people, including your government agencies.
The good news is that we've been making some great leeway or some headway in this space, and you can now choose at least the region that your data lives in, in ArcGIS Online. So that means, if you’re in Australia, you can have your data live in the Asia Pacific region.
Now that doesn't necessarily mean it meets the Australian data on Australian shores, regulations. But it certainly gets you closer to the front door. And this is a good thing, not just for data sovereignty and security reasons, but for performance reasons as well, getting that data as close to your audience as you can is always a good thing.
Josh: Bang on Wayne and I did some benchmarking early on when that APAC region came out and my research showed around two and a half times better performance in general on data from feature services getting back to the client, if it was coming from the APAC region versus US.
Ta: That's great guys. That's really awesome tips and tricks there. And think it's a perfect segue for us to jump into the topic of ArcGIS Online.
Now ArcGIS Online. Is it secure? What can you do in it? What do I need to be aware of in terms of security as well as my data, since we talked about data sovereignty there, what do you guys think about that?
Wayne: Look, ArcGIS Online is fantastic. And the great news is that it's super secure. You don't have to worry about that patching, we were talking about patch, patch, patch, patch patch, all before, ArcGIS Online always has the latest and greatest version of the ArcGIS product and all of those latest patches. And that means you don't have the burden as a GIS administrator, of having to maintain that patch cycle and keeping everything up to date.
So first and foremost, I think if you can, use ArcGIS Online as an organisation, then it is one of the easiest ways to establish a GIS that is secure, because Esri and the wonderful boffins over in their labs have worked long and hard over the security and they continue to do so.
Josh: I reckon it just is a no brainer consideration if your use case is public facing, particularly. Because for you to deal with all the security and performance aspects of trying to provide the infrastructure to deal with that, why would you unless security absolutely demanded it.
Wayne: And also, if you don't want to just take my word for it, head on and up to that trust.arcgis.com site, and there's this little-known tool you'll find it up in the top right-hand corner when you go to that site, it's called the “ArcGIS Security Advisor”. And this is a little online script that you can run, which will run either against your ArcGIS organisational account on ArcGIS Online, or against your own private GIS, and it will go over your system, analyse things and give you some hot tips and tricks as to what you can tighten, those screws and nuts and bolts you can tighten, to make things more secure, and to give your general setup, a more secure posture and be a more secure environment for your GIS data.
Ta: Now, what about your users? So, anyone who's going into online to either publish or to share or anyone who's actually using ArcGIS Online to consume any of the information, how does security play in that scenario?
Wayne: Well, one of the parts that's really important I'm going to throw roles and groups in there, right? So this is baked into your organisational account. Your users can adopt roles so that gives them certain privileges. That's one way of securing your GIS and securing your data, making sure people can't edit stuff that they shouldn't be able to.
And then by using groups and sharing amongst groups, this is a way of segregating your data and keeping it to a certain field of view within your organisation.
Josh: Where I was going to go was, kind of following directly on from what you were saying, Wayne, and that's this whole concept of roles and groups and sharing. There's one group that you want to be very careful about sharing to, and that's the entire planet.
Wayne: You're right. Yeah, absolutely.
Josh: And actually, it's a good link back to that ArcGIS Security Advisor Tool, that you brought up a few moments ago because that's one of the things that it will flag in your organisation. If you have that enabled for everybody to be able to share to the whole planet.
Wayne: And I'd make the counterpoint that, if you don't share things publicly, if you don't share them to the world in ArcGIS Online, then your data is secure. It's locked away and you can't see it from the external facing internet.
And that's why that's so important I think Josh, because that power allows your internal data to either be locked away and behind lock and key, or visible to the outside world. And that's something people need to be very mindful of.
Is there a way that organisations can take more control over that, Josh?
Josh: I think Ta brought it up earlier, but the concept of binding authentication for ArcGIS Online to your single sign on environment, whether it's Azure AD, some SAML-based SSO environment, that's really the way to do it because then you can have all aspects of that managed in your core IT system. And people who leave, people who, who arrive are dealt with there and ArcGIS Online just respects it.
Ta: So we've talked about Online and it seems that, apart from your security for your users, it really all boils down to sharing and if you don't share publicly, then your content is invisible to the world and you don't have too much to worry about.
Now, what about your web GIS on your own infrastructure and how you're securing your own GIS as an organisation, what do we need to know? What do we need to be wary of? And what are the benefits here?
Wayne: This is a big one. And I think, Josh alluded before, you know, these are the GIS administrators, the people who are maintaining their own GIS. I would say first and foremost, seek advice, don't be an island on this one okay.
Reach out to your ArcGIS distributors, your Esri distributors in your region. They can often provide a hosted solution or a managed solution for you. If that's available to you, and that's something that you can use in your organisation, I would say, go for that option if you can, because this is a tricky space, isn't it Josh? There's lots to think about.
Josh: I agree Wayne, because, potentially a managed, hosted GIS service kind of turnkey ArcGIS Enterprise, hey, it looks like ArcGIS Online, but there you can guarantee that the application and the data are hosted in Australia, or whatever your country and region is.
Wayne: And well, if you can't go down the managed route, the good news I suppose, is that there's a lot of support out there and there's a lot of guiding advice out there. So, my advice is, and we've got to have a whole heap of links in the show notes for this, have a look at trust.arcgis.com, up there on ArcGIS Online, there is also the security best practices guides. Now these things are renewed every six months. They're a fantastic guide as to hardening your environment and things that you can do for your portal and for your ArcGIS server environments to make them more secure.
Josh: I just want to throw in a shameless plug for, for something I had a hand in creating, a service that we offer out of Esri Australia. A bit like your ready steady pro, Ta!
Ta: Of course. What are we doing, hashtag what?
Josh: Uh, there's no kind of magic hashtag for this one, but sounds kind of tedious, but there's a security health check. And what it isn't is kind of a penetration test, trying to find all the vulnerabilities in your network and infrastructure. What it is, is a review and analysis of ArcGIS from a security perspective.
So, it's the kind of service that would help a GIS administrator understand what their risk footprint is from an ArcGIS perspective. And that means all the kinds of things that come out of that security advisor tool, helping someone understand those and whether they're something they really need to fix, or whether it's just a feature of what they do as business as usual. So, it's a good middle ground and helps a GIS administrator answer the question from their IT folks, is ArcGIS secure?
Wayne: If you are managing your own GIS, my biggest advice is, get in with your IT team early and first, and think about security and how your GIS fits into security in a very deep sense within your architecture. Because we're now no longer just talking about those GIS servers, we're talking about everything that feeds into your web GIS.
And I suppose, my final giveaway sort of tools there are, actually have a look at some of the online, open-source tools that you can use to check your general network infrastructure for common vulnerabilities and owasp.org is one of the things that I can throw out there.
I think that's all we've got time for today, but I will put it out there then this is a topic I'm very passionate about. If you want to continue the conversation, you've got other questions, hit me up on the LinkedIn, on the socials, or reach out to me directly at Esri Australia.
Ta: That's certainly a lot of really useful tips and tricks today. A couple of takeaways there, get in early and often when you're looking at and thinking about security for your GIS platform on your organisation. And as Josh said, health is wealth. So, think about a security health check for your organisation and reach out to us here.
We'll include a bunch of useful links to get you started on the website at gisdirectonspodcast.com.au. Now, we'd also love to hear from you guys so jump onto the website or connect with us through LinkedIn or Twitter and make sure you follow us wherever you get your podcasts. And please keep those five-star ratings coming. We love them so much.
Wayne: So that’s it for another year and another series. We’ll be taking a well-earned break over the festive period, and I highly recommend you do the same. Thanks for joining us for another season – stay spatial!
Josh: Until next year.
Ta: Happy mapping.
Disclaimer: The views and opinions expressed in this podcast are solely those of the hosts and do not necessarily represent the views or opinions of Esri Australia.