The following sections outline the best practices to consider for ArcGIS Online. These best practices involve authentication, authorization, encryption, and application-specific security settings that can improve the overall security posture of an organization's implementation of ArcGIS Online.
Application security settings
ArcGIS Online enables customers to increase the security posture of their organization by applying security settings as appropriate. When possible, it is recommended that customers follow the best practices below.
- Allow only standard SQL queries.
- Enforce parameterized queries by default to reduce the likelihood of SQL injection vulnerabilities.
- This aids in aligning with OWASP security industry best practices.
- Do not allow anonymous access to your organization unless required.
- Do not allow members to share content outside the organization unless required.
- For more information, see Configure security settings in the ArcGIS Online help.
Authentication involves verifying the credentials in a connecting attempt to confirm the identity of the client.
- Set up enterprise logins using Security Assertion Markup Language (SAML) 2.0, which provides federated identity management to your organization. This allows users to sign in to ArcGIS Online using the same credentials that are used for accessing your enterprise information systems and provides a Single Sign-On (SSO) experience. This requires a SAML-compliant identity provider. The following is a list of some of the identity providers that have been integrated by using enterprise logins and associated links to setup instructions, although other SAML 2.0-compliant identity providers can be used:
- If an identity provider is not available in the enterprise, it is highly recommended that organizations enable the following:
- For more information, see the Organization-Specific Logins FAQ document.
Authorization is the process by which client permissions are verified prior to accessing a resource. This occurs after successful authentication.
ArcGIS Online enables organizations to specify more granular security permissions to members using custom roles. Custom roles add greater control and flexibility in assigning privileges to members of your organization.
- Use a least-privilege model for assigning user types and managing roles in ArcGIS Online.
- Four default roles exist—Administrator, Publisher, User, and Data Editor.
- Five user types exist—GIS Professional, Creator, Field Worker, Editor, and Viewer.
- ArcGIS Online also allows the administrator to configure custom roles that can further refine privileges based on the specific workflows in an organization.
- For more information, see Configure roles in the ArcGIS Online help.
Encryption is the process of transforming data so that it is unreadable by those without a decryption key. ArcGIS Online enables customers to protect data in transit by requiring HTTPS to access their ArcGIS Online organization and forcing connections to use TLS 1.2.
Logging and auditing
Logging involves recording events of interest from a system. Auditing is the practice of inspecting those logs to ensure the system is functioning appropriately or to answer a question about a specific transaction that occurred.
- Use View Status in your ArcGIS Online organization to see credit usage, content information, and details across all members and groups.
- Use Download Activity Log to query historical events occurred in an ArcGIS Online organization.
- Use ArcGIS Dashboards to do the following:
- Monitor activities and events.
- Track your field workforce.
- Assess status and performance of daily operations.
- ArcGIS Online performs logging and auditing at the system level to align with FedRAMP Tailored Low requirements.
For popular documents and presentations to learn about security, privacy, and compliance for ArcGIS, see Documents.