2.2: Key Modernisation Strategies

✂️ Tl;dr 🥷

The eMap platform's modernisation introduces four key strategic shifts. Firstly, it transitions from Esri-managed to user-managed enterprise geodatabases using Azure PostgreSQL with PostGIS, empowering technical teams with direct control and prioritising data governance. Secondly, it fully embraces DevOps principles by implementing Infrastructure as Code and configuration management for automated, consistent, and repeatable deployments. Thirdly, the platform champions the adoption of cloud-native Azure PaaS services for data storage and application hosting, reducing operational burden and enhancing scalability. Finally, a Zero Trust security model is adopted, moving beyond traditional perimeter defences to a "never trust, always verify" approach with micro-segmentation, modern authentication, and layered security components for robust protection. These strategies collectively aim for a more agile, secure, and efficiently managed geospatial platform.

The transition to the new eMap platform involves more than just deploying new software; it requires a fundamental shift in how technical teams approach data management, infrastructure operations and service delivery. This section outlines the key modernisation strategies and the associated mindset changes crucial for success. These strategies are designed to transition the team from traditional practices to a cloud-native, automated and data-centric operational model.

2.2.1. From ESRI-Managed to User-Managed Databases

Legacy Approach: Traditionally, enterprise geodatabases were tightly controlled and managed primarily through Esri-specific tools. Schema, lifecycle and maintenance activities were heavily reliant on ArcGIS software interfaces, limiting broader enterprise data integration.

Modernisation Shift & Organisational Impact: The new eMap platform fundamentally changes this paradigm by establishing Azure Database for PostgreSQL with PostGIS as the platform for all user-managed enterprise geodatabases. This represents a significant transition in control, responsibility and required practices, positioning enterprise geodatabases as standard, well-governed components within the organisation's overall data ecosystem.

The key mindset shift involves:

  • Empowered Data Stewardship: The full breadth of IRD's technical teams (GIS Engineers, Cloud Infrastructure Engineers, Data Analysts, Database Administrators, DevOps Engineers) takes part in provisioning, administering, securing and managing the lifecycle of enterprise geospatial data. ArcGIS registers these databases as externally managed but does not govern their existence.
  • Data Governance First: Enterprise data governance principles, rather than GIS software-specific practices, will drive dataset design, security and management decisions. This ensures alignment with broader organisational data strategies. All spatial data within these user-managed geodatabases will utilise PostGIS native spatial types.
  • Direct Database Management: Lifecycle tasks such as backups, schema modifications, performance tuning and versioning will be performed using native PostgreSQL tools and standard database administration practices.

This transition brings significant benefits:

  1. Enhanced Control & Transparency: Direct visibility and management of datasets, cataloguing and auditing using standard Azure and DBMS tools.
  2. Improved Integration: Seamless integration of spatial data with other enterprise systems (Power BI, SQL Server Data Warehouse, Databricks) using standard PostgreSQL connectors.
  3. Alignment with Enterprise Standards: Consistent application of enterprise database management, security and governance practices across all data platforms.

ArcGIS Data Store's Defined Role: The ArcGIS Data Store is a mandatory component of the base ArcGIS Enterprise deployment. Its PostgreSQL instance is internally managed by ArcGIS and is strictly limited to supporting Portal for ArcGIS specific operations, such as storing data for hosted feature layers (e.g., features from Portal Map Viewer uploads) and outputs of spatial analysis tools run within Portal.

Warning

The ArcGIS Data Store must not be used as a repository for authoritative enterprise geospatial data. Clear data governance, detailed in the Data Storage Decision Framework (Section 5.1), dictates data residency, ensuring enterprise data remains within user-managed Azure PostgreSQL instances. This includes defined retention policies (e.g., a 90-day Time-To-Live) for transient data within the ArcGIS Data Store.

This distinction reinforces the strategic shift: authoritative enterprise geospatial data resides within user-managed platforms, ensuring organisational control and governance.

2.2.2. Embracing DevOps and Full Automation

Core Principle: 2.1.5 Automation via OpenTofu (IaC) and Configuration Management Tool

Legacy Approach: GIS platform deployment and management often involved manual provisioning, click-based software installations and ad-hoc scripting, leading to environment inconsistencies, slow deployments and operational knowledge silos.

Modernisation Shift & Organisational Impact: The new eMap platform mandates a transition to a modern, fully automated approach driven by DevOps principles. This is not merely a technical upgrade but a cultural shift towards treating infrastructure and configuration as code, fostering collaboration and enabling agility.

The key mindset shift involves:

  • Infrastructure and Configuration as Code (IaC & CM): Moving from manual setup to defining all Azure resources (OpenTofu) and VM configurations (Configuration Management tool) declaratively in code. This code, stored in version control, becomes the single source of truth for the platform's state.
  • Systematic and Repeatable Processes: Embracing automation means deployments, updates and environment creation become consistent, testable and repeatable, executed via automated CI/CD pipelines rather than manual interventions, significantly reducing errors and configuration drift.
  • Collaborative Development Practices: GIS Engineers, Cloud Infrastructure Engineers and Security Specialists collaborate on developing, testing and maintaining the codebase that defines the platform, breaking down traditional silos and encouraging shared stewardship.
  • Focus on Higher-Value Activities: Automation frees technical teams from repetitive manual tasks, allowing them to focus on strategic initiatives, service improvement and innovation.

This transformation fosters a culture of continuous improvement, where the platform evolves through auditable, version-controlled changes, enabling faster delivery of value and increased operational resilience. All team members will engage in continuous learning to adapt to these modern tools and methodologies.

2.2.3. Adopting Cloud-Native Data Services

Legacy Approach: Traditional GIS deployments often relied on self-managed file servers or locally attached disks for various data types (caches, outputs, rasters) and IaaS-centric web server configurations, requiring significant administrative overhead for maintenance, patching and scaling.

Modernisation Shift & Organisational Impact: The new eMap architecture prioritises the use of Azure Platform-as-a-Service (PaaS) offerings for specialised storage and application hosting. This shift reduces operational burden and enhances scalability, resilience and cost-effectiveness by leveraging Azure's managed service capabilities. It also encourages the adoption of open and cloud-optimised data formats.

The key mindset shift involves:

  • Leveraging Managed Services: Teams transition from building and maintaining underlying infrastructure to configuring and consuming Azure's specialised PaaS offerings. This includes:

    • Azure Database for PostgreSQL with PostGIS: As the foundation for user-managed enterprise geodatabases, this choice provides a robust, open-standards-based and cost-effective managed RDBMS. Its adoption allows teams to focus on data modelling and access rather than database engine upkeep.
    • Azure Blob Storage: For versatile object storage, utilised for Portal content, map/image service tile caches (arcgiscache), ArcGIS Server jobs/output directories (as Cloud Stores) and webgisdr backups. Its use replaces traditional file shares and locally attached disks, offering superior scalability and durability.
    • Azure Data Lake Storage Gen2 (ADLS Gen2): As the Raster Store, utilising cloud-optimised formats such as Cloud Raster Format (CRF) and Meta Raster Format (MRF). ADLS Gen2 provides a highly scalable and performant solution for managing extensive raster libraries.
    • Azure Files: For managed shared storage for critical ArcGIS Server configuration directories (config-store, system), simplifying shared access requirements.
    • Azure App Service: For hosting ArcGIS Web Adaptors, eliminating the need to manage web server VMs and their underlying OS/runtime. Azure handles patching and maintenance, allowing focus on the Web Adaptor application itself.

    The detailed allocation of these PaaS resources by data category and their specific configurations are found in Chapter 5 and Chapter 15.
  • Focus on Service Integration and Consumption: Interacting with these services primarily occurs via secure service endpoints and APIs, managed through code (IaC), rather than direct server access.
  • Embracing Cloud-Optimised Formats: For raster data (CRF/MRF in ADLS Gen2) and tile caches (CompactV2 in Blob Storage), adopting cloud-optimised formats is crucial for performance and cost-efficiency in the cloud. Data lifecycle and storage tiering strategies further optimise costs.
  • Distributed Systems Thinking & Observability: Understanding that the platform is a collection of interconnected services. This necessitates reliance on centralised monitoring and logging (e.g., Azure Monitor, Azure Application Insights) for operational visibility and troubleshooting.

2.2.4. Adopting a Zero Trust Security Model

Legacy Approach: Traditional security models rely on a "castle-and-moat" approach, where a strong perimeter defence (e.g., segmentation into private VNets) protects a trusted internal network. Once inside this perimeter, resources and users might have relatively broad access.

Modernisation Shift & Organisational Impact: The new eMap platform embraces a Zero Trust security architecture. This model operates on the principle of "never trust, always verify," assuming that breaches are inevitable and that no user or system should be implicitly trusted based on its network location. All components of the new eMap platform reside on Azure Virtual Networks (VNets) that are, by design, accessible from the public internet. Security is not reliant on perimeter defences but is enforced through multiple layers of controls applied as close to the protected resources as possible.

This transition requires a significant mindset shift for all technical teams:

  • For Cloud Security Specialists: Deep engagement in configuring and managing a distributed set of security controls (WAF, ADC, NSGs, identity services) rather than focusing primarily on edge firewalls and private VNets.
  • For Cloud Infrastructure Engineers: Understanding the incorporation of Zero Trust principles in infrastructure provisioning from the outset, with granular network segmentation and identity configurations.

The key pillars of implementing Zero Trust for the new eMap platform include:

  1. Explicit Verification and Micro-segmentation:

    • Network Segmentation: Application tiers (Web, Application, Data) are isolated within dedicated subnets. Network Security Groups (NSGs) are meticulously configured and applied to network interfaces (NICs) of Virtual Machines and subnets.
    • NSG Rules: These rules enforce the principle of least privilege, allowing only the communication protocols and ports needed between defined application tiers and components. For instance, the ArcGIS Server VMs will only accept traffic from the Web Adaptor App Service's VNet-integrated subnet on the ArcGIS Server port (e.g., 6443), and the Azure Database for PostgreSQL will only accept connections from the ArcGIS Server VMs. This fine-grained control, often termed micro-segmentation, drastically reduces an attacker's scope for lateral movement.
  2. Strong Identity and Modern Authentication:

    • User Authentication: Portal for ArcGIS will integrate with the enterprise Identity Provider (IdP) using modern authentication protocols such as SAML 2.0 or OpenID Connect (OIDC), centralising user identity management and enabling Single Sign-On (SSO).
    • Resource Authorisation (RBAC): Role-Based Access Control (RBAC) should be used to govern permissions for managing Azure resources, ensuring that users and service principals have only the necessary access to deploy or configure infrastructure.
    • Service-to-Service Authentication (Azure Managed Identities): Azure Managed Identities provide an identity for Azure resources (e.g., VMs, VMSS, App Services) to authenticate to other Azure services such as Azure Key Vault and Azure Storage. This eliminates the need to store and manage service principal credentials in code or configuration files, significantly improving the security posture.
  3. Understanding Key Security Components: A layered defence strategy is implemented using several key Azure and third-party security components:

    • Web Application Firewall (WAF): Positioned at the edge, the WAF inspects all incoming HTTP/S traffic destined for the new eMap platform. It protects against common web exploits (e.g., SQL injection, cross-site scripting) based on rulesets such as the OWASP Top 10 and potentially custom rules. Legitimate traffic is forwarded to the Application Delivery Controller.
    • Application Delivery Controller (ADC): The ADC (e.g., Azure Application Gateway, nginx, NetScaler) manages inbound traffic from the WAF, performing crucial functions such as SSL/TLS termination (offloading cryptographic processing from backend services) and path-based routing. It directs requests for /portal/* to the Portal Web Adaptor App Service and /server/* to the Server Web Adaptor App Service.
    • Azure Key Vault: Central to the secure management of secrets. All sensitive information, including Portal for ArcGIS and ArcGIS Server primary site administrator (PSA) credentials, database passwords, API keys and SSL/TLS certificates, is stored in Azure Key Vault. Applications and automation scripts should retrieve these secrets at runtime, authenticating to Key Vault with Azure Managed Identities.
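The tier-to-tier NSG rules described under pillar 1 can be checked against the intended flows before anything is deployed. The Python below is an added example, not part of the eMap documentation or of any Esri or Azure tooling. It models how Azure evaluates an NSG (rules tried in ascending priority order, first match decides, with the built-in default rules behind every custom rule) and audits a data-tier rule set against the flows the text describes. Subnet ranges, rule names and priorities are constructed; 6443 follows the text and 5432 is PostgreSQL's default port. It also makes a point the prose leaves implicit: because the default AllowVnetInBound rule (priority 65000) admits any traffic between addresses inside the VNet, the allow rule on its own does not isolate the data tier; an explicit catch-all deny at a lower priority number is what turns the rule set into micro-segmentation.

```python
"""Check NSG rule sets against intended tier-to-tier flows (added example).

Not part of the eMap documentation. Models Azure NSG evaluation: rules are
tried in ascending priority order, the first match decides, and Azure's
built-in default rules sit behind every custom rule. Subnet ranges, rule
names and priorities are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress

# Constructed address plan: one VNet, one subnet per application tier.
VNET = ipaddress.ip_network("10.10.0.0/16")
WEB_SUBNET = "10.10.1.0/24"   # Web Adaptor App Service VNet-integration subnet
APP_SUBNET = "10.10.2.0/24"   # ArcGIS Server VMs
DATA_SUBNET = "10.10.3.0/24"  # Azure Database for PostgreSQL


@dataclass(frozen=True)
class Rule:
    priority: int   # custom rules use 100-4096; lower number is evaluated first
    name: str
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # CIDR, "*" or the "VirtualNetwork" service tag
    dest: str       # CIDR, "*" or the "VirtualNetwork" service tag
    dest_port: str  # "5432", "1000-2000" or "*"


# Azure's inbound default rules. AllowVnetInBound admits any flow whose source
# and destination are both inside the VNet, so a custom Deny with a priority
# below 65000 is required for intra-VNet segmentation to be enforced.
# (AllowAzureLoadBalancerInBound at 65001 is omitted here for brevity.)
DEFAULT_INBOUND = (
    Rule(65000, "AllowVnetInBound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule(65500, "DenyAllInBound", "Deny", "*", "*", "*", "*"),
)


def _addr_matches(prefix: str, ip: ipaddress.IPv4Address) -> bool:
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return ip in VNET
    return ip in ipaddress.ip_network(prefix)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def evaluate(rules, src_ip: str, dst_ip: str, proto: str, port: int):
    """Return (access, rule_name) of the first rule matching an inbound flow."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in sorted(tuple(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (r.protocol in ("*", proto)
                and _addr_matches(r.source, src)
                and _addr_matches(r.dest, dst)
                and _port_matches(r.dest_port, port)):
            return r.access, r.name
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")


def audit(rules, expectations):
    """Return one finding per flow whose outcome differs from the intended one."""
    findings = []
    for src, dst, proto, port, expected in expectations:
        actual, name = evaluate(rules, src, dst, proto, port)
        if actual != expected:
            findings.append({"flow": (src, dst, proto, port), "expected": expected,
                             "actual": actual, "matched_rule": name})
    return findings


# Data-tier NSG holding only the allow rule the text describes.
DATA_NSG_ALLOW_ONLY = (
    Rule(100, "AllowArcGISServerToPostgres", "Allow", "Tcp", APP_SUBNET, DATA_SUBNET, "5432"),
)
# Hardened data-tier NSG: the same allow plus an explicit catch-all deny that
# is evaluated before AllowVnetInBound.
DATA_NSG = DATA_NSG_ALLOW_ONLY + (
    Rule(4096, "DenyAllOtherInbound", "Deny", "*", "*", "*", "*"),
)

# Intended outcomes for the data tier (constructed addresses).
DATA_TIER_EXPECTATIONS = (
    ("10.10.2.10", "10.10.3.10", "Tcp", 5432, "Allow"),  # ArcGIS Server -> PostgreSQL
    ("10.10.1.10", "10.10.3.10", "Tcp", 5432, "Deny"),   # web tier must not reach the DB
    ("10.10.2.10", "10.10.3.10", "Tcp", 22, "Deny"),     # no SSH from the app tier
    ("203.0.113.7", "10.10.3.10", "Tcp", 5432, "Deny"),  # internet
)

if __name__ == "__main__":
    for label, nsg in (("allow-only", DATA_NSG_ALLOW_ONLY), ("hardened", DATA_NSG)):
        findings = audit(nsg, DATA_TIER_EXPECTATIONS)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  ", f["flow"], "expected", f["expected"], "got", f["actual"], "via", f["matched_rule"])
```

Run as a script, the allow-only rule set reports two findings (the web-tier and SSH flows both land on AllowVnetInBound) and the hardened set reports none. The same `audit` call fits naturally into the CI pipeline that applies the OpenTofu code, with the expectation table acting as the reviewable statement of which tier may talk to which.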

Adopting a Zero Trust model for eMap 2.0 is a proactive measure to enhance the platform's security against evolving threats. It necessitates a continuous cycle of assessment, refinement of controls and vigilance, ensuring that security is an integral part of the platform's lifecycle, not an afterthought. This modern approach provides a more resilient and defensible architecture compared to traditional perimeter-based security.
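Pillars 2 and 3 above call for secrets to be retrieved from Azure Key Vault at runtime, with Managed Identities doing the authentication so that no credential is stored in code or configuration. The Python below is an added example of that pattern, not eMap project code. Configuration committed to version control carries only references of the form `@keyvault:<secret-name>`; a loader resolves them when the service starts and refuses to run if any credential-bearing key holds a literal value. The reference syntax and the list of credential-bearing keys are assumptions made for this illustration. `DefaultAzureCredential` and `SecretClient` are the real classes from the azure-identity and azure-keyvault-secrets packages; they are imported lazily so the offline checks work without the SDK, and the vault URL is a placeholder.

```python
"""Resolve platform secrets from Azure Key Vault at runtime (added example).

Not from the eMap project. The "@keyvault:<secret-name>" reference syntax and
the set of credential-bearing keys are assumptions for this illustration.
DefaultAzureCredential and SecretClient are the real azure-identity and
azure-keyvault-secrets APIs, imported lazily so the checks run offline.
"""
import re
from typing import Callable, Mapping

# Assumed reference syntax. Key Vault secret names are 1-127 alphanumerics or dashes.
KEYVAULT_REF = re.compile(r"^@keyvault:(?P<name>[A-Za-z0-9-]{1,127})$")

# Assumed: configuration keys that carry credentials and must never hold a literal.
SECRET_KEYS = frozenset({"psa_password", "db_password", "api_key"})


class InlineSecretError(ValueError):
    """A credential was committed as a literal instead of a Key Vault reference."""


def inline_secret_keys(config: Mapping[str, str]) -> list:
    """Credential-bearing keys whose value is not a Key Vault reference (for CI checks)."""
    return sorted(k for k, v in config.items()
                  if k in SECRET_KEYS and not KEYVAULT_REF.match(v))


def resolve_config(config: Mapping[str, str], get_secret: Callable[[str], str]) -> dict:
    """Replace every @keyvault reference with the live secret; reject inline credentials."""
    leaked = inline_secret_keys(config)
    if leaked:
        raise InlineSecretError(f"inline credentials in {leaked}; use @keyvault:<name>")
    resolved = {}
    for key, value in config.items():
        m = KEYVAULT_REF.match(value)
        resolved[key] = get_secret(m.group("name")) if m else value
    return resolved


def azure_secret_source(vault_url: str) -> Callable[[str], str]:
    """Getter backed by Key Vault. DefaultAzureCredential picks up the VM or App
    Service managed identity at runtime, so no credential lives in code or config."""
    from azure.identity import DefaultAzureCredential   # pip install azure-identity
    from azure.keyvault.secrets import SecretClient      # pip install azure-keyvault-secrets
    client = SecretClient(vault_url=vault_url, credential=DefaultAzureCredential())
    return lambda name: client.get_secret(name).value


# Constructed configuration as it would be committed to version control.
SAMPLE_CONFIG = {
    "server_url": "https://gis.example.invalid/server",
    "db_host": "emap-pg.example.invalid",
    "db_password": "@keyvault:emap-db-password",
    "psa_password": "@keyvault:emap-psa-password",
}
# Constructed anti-pattern: the database password pasted straight into config.
LEAKY_CONFIG = {**SAMPLE_CONFIG, "db_password": "literal-password-example"}


def fake_vault(name: str) -> str:
    """Offline stand-in for Key Vault, used only for demonstration and tests."""
    return {"emap-db-password": "db-secret-value",
            "emap-psa-password": "psa-secret-value"}[name]


if __name__ == "__main__":
    print(resolve_config(SAMPLE_CONFIG, fake_vault))
    print("keys with inline credentials:", inline_secret_keys(LEAKY_CONFIG))
    # In production (placeholder vault URL):
    # resolve_config(SAMPLE_CONFIG, azure_secret_source("https://<vault-name>.vault.azure.net/"))
```

`inline_secret_keys` is the part worth wiring into the CI pipeline: run over every committed configuration file, it fails the build the moment a PSA or database password appears as a literal, which is the control that keeps the Key Vault design from eroding over time.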