It has been an eventful week in the security and privacy fields, with a 17-year-old critical DNS vulnerability announced by Microsoft and the invalidation of Privacy Shield by the EU.
Due to the severity of the Microsoft DNS server vulnerability (CVE-2020-1350) announced this week, we have had multiple customers reach out to us to see if ArcGIS Online might be affected. ArcGIS Online does not make use of Windows-based DNS servers and is therefore not vulnerable to this issue.
We strongly support customers updating applicable DNS systems with the security patch released this week, whether it is to support their on-premises or cloud-based deployments. The US government issued Emergency Directive 20-03 concerning this issue and the importance of patching your Windows-based servers within the next week.
UPDATE 7/24/20 – In alignment with the Emergency Directive, as an additional precautionary measure, all ArcGIS Online Windows Server instances that Esri manages patches for have had the July 2020 security patch applied.
On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States.
Independent of Privacy Shield, Esri customers still have assurance that our practices for ArcGIS Online are in alignment with GDPR:
- Esri already commits to having adequate data privacy safeguards in place under the EU Model Clauses through our Data Processing Addendum (DPA).
- Esri recently introduced the EU Region for ArcGIS Online, which allows customers to store their data in the EU.
- Esri utilizes a third party to assess the privacy adequacy of our company operations.
Normally, our announcements cover only one major issue, but we figured it was worth consolidating this information into a single announcement, rather than sending separate notifications, to confirm that ArcGIS Online has your privacy and security covered for these issues. We will update this announcement if and as necessary.
- Esri Software Security & Privacy Team