Your GIS Cloud Security Questions Answered by ROK’s Director of Cloud Services

In ROK Technologies webinar session, The 3 Essentials for GIS Cloud Security, Ryan Daley, Cloud Services Architect, talks about the interconnected ICA model that you should follow to protect your GIS. He also reviews best practices for building and maintaining a secure environment and a clear security cost comparison for a cloud vs. on-premise security implementation.

In response to the Q&A portion of the session, we are here to answer the questions presented for the overall GIS community.

To watch Mr. Daley's webinar, 3 Essentials for GIS Cloud Security, visit our on-demand webinar page.

Watch our 2 part series, Security and your GIS Cloud, on our YouTube playlist.

Mr. Daley answers your questions:

Q1: Can you give any use cases of an ArcGIS Web Adapter accessing data layers/servers directly?

A1: This practice would certainly go against what would be considered standard best practices, however there are a few niche cases where this may be appropriate. However, it would require specific precautions in regards to network architecture to maintain the integrity of the database. In some cases, this will happen in a DMZ that is completely separated from the standard production systems, and in other cases where the data on the data layer servers is not classified as important or sensitive. It's important to note that the tiers are based on system sensitivity and classification - this is different for every organization, however the goal would be to have data sources as "far" away from the public net as possible. With all of that being said, security in its entirety is about risk management, so there are ways to reduce the risk of this by implementing things like Web Application Firewalls

Q2. Provide some examples on how to set up cloud security

A2: This question is a little broad because it's specific to each organization's needs, however the outline provided in the presentation should give some direction as a foundation for creating a secure architecture for your cloud environment. There are many other precautions to take such as user access control, least privilege, etc. There are many layers of security you are able to apply to these environments, so many that it would be impossible to discuss it in the time frame of the presentation. 

Q3. Conflict resolution in the data segment where multiple sources may exist for a data element - how do you routinely decide and manage which is correct? Our engineers sometimes provide data which conflicts (slightly) with public sources like town GIS system.

A3: This is an interesting problem, essentially the approach to take in this situation is to choose which data is the authority and leverage that data source over the other - in this situation if I knew good data was getting replaced with bad data by users, the first approach I would take is user access control - do users need to change this data to do their job? If not, they don't need access to change it. If they do need to change it, but mistakes get made, in that case I would create a workflow that compares the two data sources, and if the secondary source is different than the authoritative source, it overwrites the alternative source. 

Q4: What is the best way to mitigate the the GIS security mistakes presented?

A4: In regards to the first mistake, the mitigation was covered throughout the presentation, showing how and why we split these machines into separate network segments, over having them on one machine. The mitigation for this is to use 1 server for 1 software package - 1 for portal, 1 for datastore, 1 for ArcGIS, etc. 

The second mistake is more transient, and there is no clear, black and white prescription on fixing it; this is primarily an issue of priorities for your organization and to get the viewers to start thinking about how to evaluate the judgement calls that are made on where to put resources. 

Q5: Do you have any additional details you can share?

A5: IT security as a whole, and especially as it relates to GIS is a very broad topic with many aspects that is impossible to cover in just one session. However, we are happy to keep the lines of communication open and can answer any additional questions you may have. Contact me directly. 
 

 

 

Read Next