This section provides an overview of security capabilities available for the ArcGIS platform components and implementation guidance for authentication, authorization, encryption and auditing. The ArcGIS platform enables customers to leverage the required GIS capabilities with the assurance that Esri continues to follow a robust and effective security framework. Esri is continually advancing the security of the entire mapping platform including:
- Cloud: ArcGIS Online, Esri Managed Cloud Services Advanced Plus
- Enterprise: ArcGIS Server, Portal for ArcGIS
- Desktop: ArcGIS for Desktop, ArcGIS Pro
- Mobile: ArcGIS Mobile Apps
Building Security and Privacy In
In today's cybersecurity landscape, ensuring the products and services you receive from a software company have security and privacy considerations built-in is paramount. Our Secure Development Lifecycle Overview provides a consolidated summary of the assurance measures we incorporate, including governance, standards alignment, assessments/tools, vulnerability/incident management, and guidelines utilized.
Security validation tools
ArcGIS Enterprise comes with Python script tools, serverScan.py and portalScan.py, that scan for common security issues. The tools check for problems based on some of the best practices for configuring a secure environment for ArcGIS Enterprise. The Esri Software Security and Privacy team also offers the ArcGIS Online Advisor tool, a free tool to help ArcGIS Online organization admins perform a quick check on their security configuration.
· ArcGIS Server security validation
The serverScan.py script is located in the <ArcGIS Server installation location>/tools/admin directory. Run it from the command line or shell; parameters may optionally be specified when running the script.
If the serverScan.py script is run without specifying any parameters, you will be prompted to enter them manually or select the default value. If you wish to use a token, it must be provided as a parameter when running the script.
The scan generates a report in HTML format that lists any of the issues it checks for that were found in the specified ArcGIS Server site.
By default, the report is saved in the same folder where you run the script and is named serverScanReport_[hostname]_[date].html.
· Portal for ArcGIS security validation
The portalScan.py script is located in the <Portal for ArcGIS installation location>\tools\security directory. Run it from the command line or shell; one or more parameters may optionally be specified when running the script.
If the portalScan.py script is run without specifying any parameters, you will be prompted to enter them manually or select the default value. If you wish to use a token, it must be provided as a parameter when running the script.
The scan generates a report in HTML format that lists any of the issues it checks for that were found in the specified portal.
By default, the report is saved in the same folder where you run the script and is named portalScanReport_[hostname]_[date].html.
· ArcGIS Online Security Advisor
The ArcGIS Online Advisor tool was created by the Esri Software Security and Privacy team to provide a simple, color-coded interface that lets ArcGIS Online administrators review the security settings of, and past changes to, their ArcGIS Online organizations at a glance.
The ArcGIS Online Advisor reports the current security state of your ArcGIS Online organizations, and provides remediation guidance for any potential findings discovered.
Recent enhancements include the ability to check for items added to ArcGIS Online that reference resources over plaintext HTTP. This feature is valuable for ArcGIS Online organization administrators who need to prepare for the upcoming ArcGIS Online move to supporting only HTTPS. Other recent enhancements include checks for publicly available feature layers with editing capabilities enabled, and for public surveys whose survey layers have the query capability enabled.
Be sure to visit the Software Security and Privacy blog on our GeoNet space to learn more about other initiatives!
Moderate to high risk vulnerabilities are addressed as part of standard security patches, which are released for the long-term support (LTS) releases of ArcGIS Enterprise products that are still in the General Availability and Extended Support phases. Risk is determined through internal scoring using the CVSSv3 formula. See the Esri product life cycle definitions for the phases of support, and the update to ArcGIS Enterprise Product Lifecycle describing STS and LTS releases.
Critical, proven exploitable vulnerabilities are rare with our products. When a critical, proven exploitable vulnerability is discovered in Esri software, Esri may take the exceptional action of releasing a patch for all currently supported versions of affected ArcGIS software regardless of their phase of support or availability of LTS releases.
Security patches released for ArcGIS Enterprise are cumulative: each includes all security patches previously released for the ArcGIS Enterprise version it targets.
Documents and presentations
For popular documents and presentations to learn about security, privacy and compliance for the ArcGIS Platform, please see Documents.