Access control is an important part of any security consideration, but did you know that it can do more for you than just blocking access to content that certain groups should not see?
Need-to-share versus need-to-know
In the past, publishing spatial data was very much on a “need-to-know” basis, opened to specific user groups and with data assumed to be sensitive. This often meant that many data sources were kept well away from published services. Over the past few years, the trend has increasingly been towards a “need-to-share” world, with an impetus to open as much data as possible. That’s not to say that everyone should have access to everything: organisations will have concerns about what information is being published and who is consuming it, so a balance is needed between opening and restricting spatial and related data. You have so many different users, with so many different demands, that it can be quite a challenge to serve all their needs while respecting the rules on data sharing and staying in control.
Advanced access control
Most GIS servers provide a service-level security model, where authentication and authorisation are needed to access particular services. It allows organisations to curate their data services in such a way that certain groups see certain collections of data, and keeps sensitive data away from others. But it is a fairly blunt approach, as it pays no heed to the subtleties of data or to multi-tiered hierarchies of permissions. In such a world, each group of users would need its own set of services exposing the subsets of data that particular group needs, including perhaps extracting spatial areas, or hiding certain attributes.
This is where fine-grained access control comes into its own, providing the ability to tailor the view of a service depending on who is accessing it. This may mean filtering to show certain layers, specific features of a layer, or defined geographical regions, all based on a single service.
The security benefits are pretty obvious, but fine-grained access control is not just for protecting your assets. It is also a means to work smarter with the resources at your disposal. In the past, providing different views of data to different user groups meant publishing multiple services, each of which needed to be maintained, and each of which consumed valuable computing resources. By introducing fine-grained access control to an infrastructure, you automatically have the means to expose different views of a single service to different groups, greatly reducing the effort and cost required to achieve your goals.
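The per-group views described above, sketched as an added example (it is not con terra's or security.manager's code): one feature set is filtered by layer, region and attribute depending on the caller's groups. The group names, layers, attributes and coordinates are constructed, and features are simplified to points.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:
    layers: frozenset                      # layers the group may see
    hidden_attrs: frozenset = frozenset()  # attributes stripped from each feature
    bbox: Optional[tuple] = None           # (min_x, min_y, max_x, max_y); None = no limit

# Constructed policies: two groups sharing one published service.
POLICIES = {
    "public": Policy(frozenset({"parcels"}), frozenset({"owner", "value"}), (0, 0, 10, 10)),
    "planners": Policy(frozenset({"parcels", "pipelines"}), frozenset({"owner"})),
}

# Constructed sample data standing in for the single service's features.
FEATURES = [
    {"layer": "parcels", "x": 2, "y": 3,
     "attrs": {"id": 1, "owner": "A. Smith", "value": 250000}},
    {"layer": "parcels", "x": 40, "y": 3,
     "attrs": {"id": 2, "owner": "B. Jones", "value": 90000}},
    {"layer": "pipelines", "x": 5, "y": 5, "attrs": {"id": 7, "pressure": 16}},
]

def in_bbox(feature, bbox):
    """True if the point feature lies inside bbox, or if no bbox is set."""
    if bbox is None:
        return True
    min_x, min_y, max_x, max_y = bbox
    return min_x <= feature["x"] <= max_x and min_y <= feature["y"] <= max_y

def view_for(groups, features=FEATURES):
    """Build the caller's view: a feature appears only if some group's policy
    admits its layer and location; attributes are the union of what the
    admitting policies leave visible. Unknown groups grant nothing."""
    view = []
    for f in features:
        admitted, visible = False, set()
        for group in groups:
            policy = POLICIES.get(group)   # default deny: no policy, no access
            if policy and f["layer"] in policy.layers and in_bbox(f, policy.bbox):
                admitted = True
                visible |= f["attrs"].keys() - policy.hidden_attrs
        if admitted:
            attrs = {k: v for k, v in f["attrs"].items() if k in visible}
            view.append({"layer": f["layer"], "x": f["x"], "y": f["y"], "attrs": attrs})
    return view
```

The filter runs on the server side before the response is built, so a group never receives the layers, features or attributes its policy excludes.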
Off-the-shelf solutions for access control
con terra provides an off-the-shelf implementation of fine-grained access control, in the form of security.manager. Available in two editions, it can either be directly embedded within the service management process of ArcGIS Server (the ArcGIS Edition) or be a standalone component in an Enterprise architecture, providing single-sign-on and federation capabilities for complex systems that need to include GI. With either edition, security.manager extends and enhances the ArcGIS Platform with tools needed to stay in control of your users, services and data.
Take a look and see what security.manager can do to let you stay in control of your services infrastructure.