Managed Cloud Services
Esri Managed Cloud Services offers to design, deploy, and manage your organization's ArcGIS Enterprise solution in an Esri-owned cloud environment. This option of deploying ArcGIS Enterprise provides organizations with assurance that their GIS apps and content are optimized and securely deployed in the cloud. Esri Managed Cloud Services offers three different options depending on your organization's security and compliance requirements.
Esri Managed Cloud Services - Standard
EMCS Standard offers a tailored ArcGIS Enterprise deployment in the cloud that includes several security measures but is not certified to comply with specific IT security regulations pertaining to sensitive or specifically certified processes (e.g., HIPAA, PCI, FISMA, FedRAMP). This offering is intended for organizations that are looking to benefit from the management and maintenance of their ArcGIS Enterprise system for their low-risk, non-sensitive data that does not require a regulatory framework.
Esri Managed Cloud Services—Advanced
EMCS Advanced is a single-tenant offering through Esri Professional Services that is designed for non-federal customers who require a higher level of security. The Esri Managed Cloud Services Advanced security offering follows the American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) framework, which is widely recognized across many industries. SOC 2 and SOC 3 reports are generated and issued under SSAE 18 guidance and developed by the AICPA. These reports are applicable to all third-party service providers, rather than being cloud focused. A SOC 2 report created by a third-party SOC assessor can be provided to customers with an active nondisclosure agreement. To request this report, send an email to your Esri account representative. A SOC 3 report is a general use report that does not require a nondisclosure agreement. The latest Esri Managed Cloud Services Advanced SOC 3 report can be found on our ArcGIS Trust Center. Note that these reports are specific to the Esri Managed Cloud Services offering and not ArcGIS Online.
Note that while EMCS Advanced is not FedRAMP authorized, the program follows the FedRAMP Moderate (Revision 5) control implementation and continuous monitoring guidelines.
Esri Managed Cloud Services—Advanced Plus
EMCS Advanced Plus is a single-tenant offering through Esri Professional Services that is designed for federal customers who require an environment that is FedRAMP Moderate authorized. EMCS Advanced Plus has achieved FedRAMP Moderate authorization at the latest Revision 5 baseline. FedRAMP is a security authorization framework developed by the federal government along with industry professionals to align requirements for cloud service providers with those of the NIST framework, and it contains mappings to ISO/IEC 27001. For general information about FedRAMP, visit the official FedRAMP site or view the Esri Managed Cloud Services Advanced Plus FedRAMP marketplace listing.
Details regarding the security benefits that are available in all offerings described above are provided in the following table:
Security protocols | Standard | Advanced | Advanced Plus |
---|---|---|---|
Separate public and private networks | X | X | X |
NAT and remote desktop gateway | X | X | X |
Monthly OS patching | X | X | X |
Esri COTS security patching | X | X | X |
Web application firewall (WAF) | X | X | X |
Malware protection | X | X | X |
FIPS-compliant encryption for data in transit and at rest | X | X | X |
Change management | X | X | X |
Run books | X | X | X |
Continuous infrastructure monitoring | X | X | X |
Built-in identity store of SAML 2.0 (authentication and authorization) | X | X | X |
Administrator multi-factor authentication | X | X | X |
Instance imaging (backups) | X | X | X |
High availability options | X | X | X |
Disaster recovery and business contingency planning and testing | X | X | |
Security Information and Event Management (SIEM) | X | X | X |
24/7 security event monitoring | X | X | X |
Monthly system vulnerability scan and remediation | X | X | |
Contingency planning and risk management | X | X | |
HIPAA-compliant controls | X* | X* | |
NIST 800-53 Revision 5 "Moderate" compliant | X | X | |
X | |||||||
X | |||||||
Annual third-party penetration testing | X |
*HIPAA privacy controls implemented based on contract terms (BAA negotiation required)
For more information about FedRAMP, visit the official FedRAMP site or view the official listing for Esri Managed Cloud Services.