The following section identifies best practices to consider for ArcGIS Online. These best practices involve authentication, authorization, encryption, and application specific security settings that can improve the overall security posture of an organization's implementation of ArcGIS Online.
Application security settings
ArcGIS Online enables customers to increase the security posture of their organization by applying security settings as appropriate. When possible, it is encouraged customers follow the best practices below.
- Allow only standard SQL queries.
- Enforce parameterized queries by default to reduce the likelihood of SQL injection vulnerabilities
- Aids in aligning with OWASP security industry best practices
- Do not allow anonymous access to your organization unless required
- Do not allow members to share content outside the organization unless required
- For more information, see Configure security settings in the ArcGIS Online Help.
Authentication
Authentication involves verifying the credentials in a connecting attempt to confirm the identity of the client.
- Set up Enterprise Logins using SAML 2.0, which provides federated identity management to your organization. This allows users to log into ArcGIS Online using the same credentials used for accessing your enterprise information systems and provides a Single-Sign On (SSO) experience. This requires a SAML-compliant identity provider. Below you will find a list of some of the identity providers that have been integrated by using Enterprise Logins and associated links to setup instructions, although other SAML 2.0 compliant identity provider can work.
- If an identity provider is not available in the enterprise, it is highly recommended that organizations enable:
- Multi-factor authentication for ArcGIS Online
- Strong password policies that align with organizational requirements
- For more information, see the FAQ for ArcGIS Platform Enterprise Logins via SAML.
Authorization
Authorization is the process by which client permissions are verified prior to accessing a resource. This occurs after successful authentication.
ArcGIS Online empowers customers to specify more granular security permissions to users using custom roles. Custom roles add greater control and flexibility in assigning privileges to members of your organization.
- Use a least-privilege model for assigning user types and managing roles within ArcGIS Online.
- Four default roles exist—Administrator, Publisher, User, and Data Editor.
- Five User types exist - GIS Professional, Creator, Field Worker, Editor, and Viewer.
- ArcGIS Online also allows the administrator to configure custom roles that can further refine privileges based on the specific workflows in an organization.
- For more information, see Configure roles in the ArcGIS Online Help.
Encryption
Encryption is the process of transforming data so that it is unreadable by those without a decryption key. ArcGIS Online empowers customers to protect data-in-transit by:
- Requiring HTTPS to access their ArcGIS Online Organization
- Protecting data-in-transit by forcing connections to use TLS 1.2
Logging and Auditing
Logging involves recording events of interest from a system. Auditing is the practice of inspecting those logs to ensure system is functioning desirably or to answer a specific question about a particular transaction that occurred.
- Use 'View Status' in your ArcGIS organization for a view of credit usage, content information, and details across all members and groups
- Use "Download Activity Log" to query historical events occurred in an ArcGIS Online organization
- Use the Operations Dashboard for ArcGIS to:
- Monitor activities and events
- Track your field workforce
- Assess status and performance of daily operations
- ArcGIS Online performs logging and auditing at the system level to align with FedRAMP Tailored Low requirements
Related content
For popular documents and presentations to learn about security, privacy and compliance for the ArcGIS Platform, please see Documents.