ArcGIS Online is a secured, reliable geographic information system (GIS) delivered using the software-as-a-service (SaaS) model. ArcGIS Online services are elastic, available on demand, managed by Esri, and accessed by a client running on a wide range of options. They can be shared and used by many customers and offer numerous security benefits.
Esri security strategy is based on an industry-standard, defense-in-depth approach that provides security controls at every level, for every user, including the application, network, and facilities. Adherence to these security principles helps to ensure that ArcGIS Online provides confidentiality, integrity, and availability of data.
- Background investigations are performed against all employees.
- Access to customer database information is limited to select operation team members.
- The Esri Software Security and Privacy team drives secure products and services including incident response validation and documentation for customers, partners, and regulators.
- For comments or concerns, send an email to email@example.com.
- Ownership—Customers retain intellectual property rights for data published through Esri cloud offerings. Esriand third-party data can be incorporated into web applications using ArcGIS Online, Esri Business Analyst Online, and others.
- Multitenancy—Each data record within multitenant storage is stamped with the ID of the owning subscription to ensure organization data is accessible only by the organization's users.
- Features—Each organization has its own logically separated database, providing isolation of stored features.
- Extract—Data publishers can extract and download data to their organization via shapefiles or CSV files. Also, the original publication package can be downloaded to an organization.
- Deletion—The data owner controls when and what to delete, whether it's the removal of features or the publication package. Deleted information is not left in a recycle bin; once the owner deletes it, it's gone.
The following features are engineered by Esri as part of the ArcGIS Online core:
- Roles—There are six ArcGIS Online organization roles:
- Viewer—Able to view items such as maps, apps, demographics, and elevation analysis layers that have been shared with them.
- Data Editor—Viewer privileges plus the ability to edit features shared by other ArcGIS users.
- Users—Data Editor privileges plus the ability to create groups, content, and more.
- Publishers—User privileges plus the ability to publish features and map tiles as hosted web layers.
- Custom—Provides greater flexibility and granularity in assigning privileges to members of your organization.
- Administrator—Use a web-based administration interface to manage users, groups, permissions, and organization-wide security features such as restricting anonymous access to organization data.
- SAML logins—For authentication, SAML logins are supported via SAML 2.0, providing federated identity management. Developers can use OAuth 2-based APIs to manage user and app logins.
- Sharing—User-added content is only accessible by users and groups that users explicitly share content with. By default, items are private and only accessible by the user adding content.
- Enterprise—Secured ArcGIS Enterprise services can be incorporated into maps.
- Development—ArcGIS Online uses software development coding best practice techniques, that is, the use of static code analysis software, testing and code review, and more.
- ArcGIS Online data is encrypted both in transit through TLS 1.2 or later as well as rest with AES-256-bit encryption or better.
Advanced deployment options
- For organizations that want to make use of ArcGIS Online but prevent storing select data in the cloud, a hybrid approach is a common solution. ArcGIS Online can be used for dissemination and discovery of services, while the organization can leverage its own infrastructure for hosting sensitive data.
- For organizations that require complete segmentation of their solution from the internet or do not allow distributed multitenant environments such as ArcGIS Online, the on-premises offering of ArcGIS Enterprise meets this requirement by running inside corporate firewall environments.
Esri has consistently invested in stronger ArcGIS security and has been providing services for over 15 years.
ArcGIS Online United States-based services are FedRAMP Tailored Low authorized, which includes continuous monitoring requirements as well as annual third-party audits.
Moving geospatial services to the cloud requires serious consideration of security issues and technology. Cloud computing is indeed complex; however, by using a secured backbone of both industry-leading cloud providers and geospatial services, ArcGIS Online is able to provide the security organizations need.