ArcGIS%20Online%20A%20Security,%20Privacy,%20and%20Compliance%20Overview

1
ArcGIS OnlineA Security, Privacy, and Compliance
Overview

• Andrea Rosso
• Michael Young

2
ArcGIS Online A Multi-Tenant System
3
Agenda

• Online Platform Security
• Deployment Architecture
• Infrastructure and Compliance

4
Platform Security
5
Portal Information Model
Groups
Items
Users
6
Items

• Typed
• Web Map
• Services
• Data
• Private by default
• Can Share to
• Groups
• Organization
• Everyone/Public

7
Users

• Users own items and groups
• Discoverable
• No one
• Organization
• Everyone
• Users have a profile
• Users have a Role

8
User Roles

• Built-in Roles
• Administrator
• Publisher
• User
• Custom Roles
• Templates
• Fine Grained Privileges
• Use Cases
• Restrict Access
• Restrict Credits

9
Groups

• Contain Items and Users
• Users have access to items in group
• Group owners can share items to their own groups
• Groups can be visible to
• No one (private)
• Organization
• Everyone
• Items do not inherit visibility
• Use cases
• Access
• Collections

10
Groups with Update Capability

• Specialized Groups
• All members can update included items
• Restrictions
• Can only be created by Admins
• Items and Users must be within Org
• Capability cannot be toggled
• Use Cases
• Shift Operators
• Collaborative Editing

11
Feature Service Editing

• Users who always can edit
• Owner
• Admins
• Members of Groups w/ Update
• Enable Editing
• Options
• Add, update and delete features
• Update feature attributes only
• Add features only
• Anyone who can access the service
• Custom Roles can have Edit or Edit with full
  control privileges

12
Admin Organization Controls

• Sharing to Public
• Use all SSL/TLS
• Anonymous Access
• Standardized Queries

13
Administrator Controls on Users

• Admins can
• Manage Items, Groups, Profile
• Disable Users
• Delete Users
• Reset Users Password
• Change Role
• Enable Esri Access

14
Trust Boundaries
ArcGIS Online

• Esri Apps
• Geonet
• Forums
• My Esri
• ..

Third Party Applications
Esri Access
Login
15
Authentication Options
Multi-Factor
Password
Enterprise Logins
Password Policies
Multi-Factor Authentication
SAML Identity
Password Policy
16
Multi-Factor Authentication

• Additional security with second factor at login
• Support for Google Authenticator or MS
  Authenticator
• Admin needs to enable for Organization
• Must have 2 admins
• Users setup their own Multi-factor

17
Password Polices

• Default Password Policy
• 8 characters with at least 1 number
• Can Customize
• Complexity
• History
• Expiration

18
Enterprise Identities

• Use your own identity provider
• SAML 2.0
• ADFS
• NetIQ Access Manager
• Shibboleth
• .
• Can add users
• Automatically upon login
• With an Invitation
• Can use ArcGIS Online identities with Enterprise
  Identities

Identity Provider
19
Keeping Track of Usage

• Status Reports
• Credits
• Content
• Members
• Groups

20
Deployment Architecture

• Michael Young

21
Deployment Architecture

• Common Questions

• Where is my data?
• All ArcGIS Online customer data resides within US
  Data centers on US soil
• Is my information encrypted?
• Organization administrator can force TLS
  encryption for all communications
• ArcGIS Online does not encrypt customer data at
  rest
• Is my data locked into ArcGIS Online?
• No, customer can download data back to their
  organization via shapefiles, CSVs, or original
  publication package
• How do I know if ArcGIS Online was affected by
  the latest major Internet vulnerability?
• Trust.ArcGIS.com announcements
• Answers to all of the above questions and more
  available

22
ArcGIS Platform Components
Portal
GIS Services Infrastructure
Content
Geoenrichment
Data Tier
SDKs
online
Capability
Maps
Apps
Basemaps
GIS Servers
SaaS In the Cloud
ArcGIS Online for Organizations
ArcGIS Online for Organizations
ArcGIS Online for Organizations
SoftwareIn your Infrastructure
Portal for ArcGIS
ArcGIS for Server
Data Appliance for ArcGIS
23
Deployment Scenarios
Online
Online
Intranet
Intranet
Intranet
Portal
Server
Server
In Your Infrastructure
Public
Hybrid 1
Read-onlyBasemaps
Online
Server
Online
Server
Server
Intranet
Intranet
Intranet
Portal
Portal
Server
Server
In Your Infrastructure
Hybrid 3
Hybrid 2
Cloud
On-premise
24
Hosting Options
Users
Apps
AnonymousAccess

• Ready in months/years
• Behind your firewall
• You manage certify

• Ready in days
• All ArcGIS capabilities at your disposal in the
  cloud
• Dedicated services
• FedRAMP Moderate

. . . All options can be combined or separate
25
Deployment Scenarios
Public
Business Partner 1
Internal Portal
Business Partner 2
Internal AGS
External AGS
Filtered Content
File Geodatabase
Database
FieldWorker
Public IaaS
Enterprise Business
26
Responsibility Across Hosting Options
On-premises
Esri Images Cloud Builder
Esri Managed Cloud Services FedRAMP Moderate
ArcGIS Online FISMA Low
No Security Infrastructure by default
Virtual / Physical Servers
Cloud Infrastructure (IaaS)
Cloud Infrastructure (IaaS)
Cloud Infrastructure (IaaS)
27
EMCS Security Infrastructure
AWS
Customer Infrastructure
Active/Active Redundant across two Cloud Data
Centers
Web Application Firewall WAF
DMZ
Public-Facing Gateway
ArcGIS for Portal
End Users
ArcGIS Server
Dedicated Customer Application Infrastructure
File Servers
Cloud Infrastructure Hypervisor, TCP/IP, Network
ACLs, Routing, Storage, Hardware
Relational Database
Security ServiceGateway
Security Ops Center(SOC)
Intrusion Detection IDS / SIEM
Centralized Management Backup, CM, AV, Patch,
Monitor
Common Security Infrastructure
Authentication/Authorization LDAP, DNS, PKI
Bastion Gateway MFA
Esri AdminGateway
Cloud Infrastructure Hypervisor, TCP/IP, Network
ACLs, Routing, Storage, Hardware
Common Cloud Infrastructure
Esri Administrators
Legend
Customer
Application
Security
Cloud Provider
28
ArcGIS Online FISMA Use Cases
Tiles

• Use Case 1 Public Dissemination
• Publish tiles for fast, scalable visualizations
• Share information with the public
• Can be used for mashing up services with external
  non-SSL sites
• Use Case 2 Share operational data within or
  between businesses
• Register ArcGIS Server Services in ArcGIS Online
• Sensitive data stored on premises or other
  authorized environment
• ArcGIS Online operates as a discovery portal
• Utilize Enterprise Logins

Authoritative Source
Public Consumers
Consumer
Metadata
Publisher
ArcGIS Online
29
Using ArcGIS Online for Public Dissemination

• Pros
• Variable user loads handled by ArcGIS Online
• Public information Segmented from Sensitive
• Internal users have SSO experience w/IWA
• Cons
• Internal users access ArcGIS Online with separate
  logins
• Partners do not have an SSO experience
• External publishing workflow is needed

30
Using ArcGIS Online and Portal for ArcGIS
On-Premises

• Pros
• Same scalability and segmentation benefits for
  public services
• Portal Server Federation provide employee SSO
• Cons
• Overhead of internal Portal management /
  hardware
• Separate workflows for Portal and ArcGIS Online

31
Using Public and Private ArcGIS Online
Organizations

• Pros
• ArcGIS Online operates as a central discovery
  portal
• Mobile users / Collector App access ArcGIS Online
  directly
• Enterprise logins utilized for employee SSO
  experience
• Cons
• Two separate ArcGIS Online orgs to manage
• Partner logins managed within ArcGIS Online
• No SSO experience for Partners

32
Deployment Scenario

• Registering ArcGIS Server Services in ArcGIS
  Online

• Common for large enterprises
• Primary reason
• Data Segmentation / Prevent storing sensitive
  data in the cloud
• What is stored in AGOL? Service Metadata
• Username password - Default, not saved
• Initial extent - Adjust to a less specific area
• Name tags - Address with organization naming
  convention
• IP Address - Utilize DNS names within URLs
• Thumbnail image Replace with any image as
  appropriate

33
Infrastructure Compliance
34
Esri Security Compliance

• Esri Corporate
• Cloud Infrastructure Providers
• Products and Services
• Solution Guidance

35
Esri Security Compliance Milestones
First FedRAMP Authorization
OMB FedRAMP Mandate
Planned ArcGIS Online FedRAMP Authorization
FISMA Law Established
FedRAMP Announced
2010 2011 2012 2013 2014
2012 2013 2014 2015 2016
2002 2005
Esri GOS2 FISMA Authorization
Esri Participates in First Cloud Computing Forum
EMCS FedRAMP Compliant
Esri Hosts Federal Cloud Computing Security
Workshop
ArcGIS Online FISMA Authorization

• Esri has actively participated in hosting and
  advancing secure compliant solutions for over a
  decade

36
Esri Corporate Compliance

• ISO 27001
• Esris Corporate Security Charter
• Privacy Assurance
• US EU/Swiss SafeHarbor self-certified
• TRUSTed cloud certified

37
Cloud Infrastructure Provider Compliance

• ArcGIS Online Utilizes World-Class Cloud
  Infrastructure Providers
• Microsoft Azure
• Amazon Web Services
• Cloud Infrastructure Security Compliance

38
Product, Services, and Solution Compliance

• Product Based Initiatives
• ArcGIS Server - DISA STIG
• ArcGIS Desktop USGCB
• Service Based Initiatives
• ArcGIS Online FISMA Low
• Esri Managed Cloud Services FedRAMP Moderate
• Solution Based Guidance
• CJIS- Law enforcement - Started
• HIPAA Healthcare - Future

39
Layers of ArcGIS Online Security Responsibilities
Web App Consumption
Customer
ArcGIS Management
Web Server DB software
Esri
Operating system
AGOL SaaS FISMA Low (USDA) SafeHarbor (TRUSTe)
Instance Security Management
Hypervisor
Cloud Provider
Cloud Provider ISO 27001 SSAE16FedRAMP Mod
Physical
40
Summary

• Significant security advancements in the last
  year
• Password complexity control, Multi-factor Auth,
  Elimination of SSL v3
• Utilizes World-Class Cloud Infrastructure
  Providers
• Extensive security, privacy, compliance, and
  status info available
• Trust.ArcGIS.com
• Upcoming ArcGIS Online FedRAMP Agency
  Authorization
• Cross-cloud provider authorization Azure/AWS

41
Thank you

• Please fill out the session survey in your mobile
  app
• In the agenda, click on the title of this session
• ArcGIS Online A Security, Privacy, and
  Compliance Overview
• Click Technical Workshop Survey
• Answer a few short questions and enter any
  comments

42
Want to Learn More?

• Enterprise GIS Security Strategy
• Tues 1015am Room 6E, Thurs 315pm Room 6E
• ArcGIS Server Portal for ArcGIS An
  Introduction to Security
• Tues 315pm Room 4, Thurs 130pm Room 4
• ArcGIS Server Advanced Security
• Wed 3!5pm Room 3, Thurs Room 4
• Best Practices in Setting up Secured Services in
  ArcGIS for Server
• Tues 530pm Demo Theater 14
• Building Security into your System
• Tues 430pm Implementation Center
• Oauth 2 and Authentication in ArcGIS Online
  Demystified
• Tues 230pm Demo Theater 11
• Using Enterprise Logins for Portal in ArcGIS via
  SAML
• Tues 530pm, Wed 230pm Demo Theater 7

43
(No Transcript)