Changes to organization security settings

Administration

An ArcGIS Online update earlier this year introduced a couple of changes to the security settings available for your ArcGIS Online organization. The changes are related to the Allow access to the organization through HTTPS only and Allow only standard SQL queries security settings. To help ensure a secure platform for your organization’s hosted resources, we’ve made a few changes to these settings. If your organization already has these options enabled, you’re set! You will no longer see them as configurable options in your organization’s settings. If you have one or both options disabled, you will see a Warning banner with a recommendation that you enable these options for your organization. These changes are part of a larger commitment to providing a secure platform. In 2019, you will see additional security enhancements to the ArcGIS platform. Esri’s Chief Information Security Officer, Michael Young, detailed these enhancements in a recent blog post, 2019 ArcGIS Transport Security Improvements.

What is HTTPS?

HTTPS, short for Hypertext Transfer Protocol for secure communication (and commonly referred to as TLS or SSL), provides a layer of security for data transmission over the Internet. When HTTPS is used, incoming and outgoing communication between your browser and the server providing the data is encrypted, which secures the information while in transit. Anyone monitoring the traffic between you and the layer is not able to see the information being transmitted.

One of the main drawbacks for using HTTPS has been that it is not as fast as HTTP. However, advances in web technology have closed the gap, specifically with the introduction of HTTP/2. In many cases, HTTPS is now faster than HTTP. HTTPS has become the internet standard, with the majority of the most popular websites and internet traffic overall using HTTPS. It is recommended that all communication over the internet use HTTPS.

Why HTTPS matters for your organization

HTTPS helps secure your organization’s assets. For instance, when you view data (as part of a layer, map, or app) or collect data (as part of a survey, for example), HTTPS helps ensure nobody can see the data aside from the people you share it with. Many government agencies, especially at the federal level, have stringent requirements for how data must be secured. Esri has done a considerable amount of work to meet these requirements (adhering to guidelines from FedRamp, FISMA, and GDRP to name a few), and will continue to enhance security for ArcGIS Online and the ArcGIS platform overall. See ArcGIS Trust Center for more information regarding Esri’s compliance with these initiatives.

When the HTTPS only setting is enabled for your organization, your data hosted in ArcGIS Online can only be accessed over HTTPS. HTTP is effectively disabled. Any communication between you (or anyone else) and your ArcGIS Online organization is only over HTTPS, whether that is through a browser, device or desktop application.

With a cloud-based SaaS such as ArcGIS Online, using HTTPS for communication over the internet is one of the most important steps you can take to secure sensitive information.

Additionally, the main browsers (Google Chrome, Mozilla Firefox, Microsoft Edge / Internet Explorer 11, and Apple Safari) are becoming increasingly strict with HTTP traffic, with browser updates frequently introducing tighter controls that either alert you to security issues with websites or block you from visiting websites the browser deems unsafe.

See Why should my organization use HTTPS only? for more information.

How to upgrade your organization to HTTPS only

To enable the HTTPS only setting for your organization, go to the settings tab of your organization page and select Security. In the Policies section, you will see Allow access to the organization with HTTPS only under the Warning banner. If you don’t see this option or the option is enabled, your organization is already enabled for HTTPS only!

Here are a few items to consider when enabling the HTTPS only setting for your organization.

Layers hosted in ArcGIS Online as well as layers provided by Esri, such as Living Atlas layers or basemaps, are automatically HTTPS ready. For many organizations, transitioning to HTTPS only will be seamless.
If you need to update the layers in your maps or scenes to use HTTPS, you can do that from the item’s details page. For instructions see, Updating web map layers to use HTTPS.
You can check your Story Maps for HTTPS compatibility using the Check Stories utility at the Story Maps website. See An Important Message about Web Security and Story Maps for more information.
If you have an ArcGIS Hub site, you can configure your site to enforce HTTPS only. However, HTTPS is not currently supported with custom domains. HTTPS support for custom domains is coming in the very near future. When HTTPS is supported for custom domains, Esri will automatically update your custom domain to support HTTPS (if you have enabled Enforce HTTPS). Learn more about configuring your Hub site.
Once you’ve enabled HTTPS only, check any critical apps, maps, or other content hosted in ArcGIS Online.
If you’ve enabled HTTPS only and find an issue, you can revert the setting back to allow HTTP access. Once the issue is resolved, you can re-enable HTTPS only. The option will remain available to disable for 60 days. Once 60 days has elapsed without being disabled, the option will no longer be available in your organization’s settings.

Stay tuned for an upcoming post with more instructions on updating your organization to HTTPS only.

Allow only Standard SQL Queries

SQL is a scripting language commonly used by developers when working with feature data hosted in ArcGIS Online. Standardized SQL is a specific version of SQL and is generally regarded as more secure. All ArcGIS apps support standardized SQL. As such, it’s no longer necessary to expose standardized SQL as a configurable option for your organization.

Esri recommends that your ArcGIS Online organization allow only standard SQL queries. If your organization already has this organization security option enabled, you will no longer see it as a configurable option. If your organization does not have the option enabled, you will see the option under the Warning banner in the Security section of your organization’s settings.

To learn more, see Standardized SQL functions in ArcGIS Online.

Additional reading

To learn more about HTTPS, check out the additional resources provided below. A good resource is The HTTPS-Only Standard, a website provided by the US government that details how federal websites should be secured. While the focus is on websites for the federal government, most of the information can be considered best practices for any website.

Below are specific resources that discuss HTTPS and overall security and privacy. Visit ArcGIS Trust Center for more information regarding Esri’s commitment to security and compliance.

Esri’s Committment to GDPR, Privacy & Security

ArcGIS Platform SSL/TLS Support and Configuration Briefing

ArcGIS Online FedRAMP Authorization & New Security Advisor Tool

Sharing Web GIS Services? Always enable TLS

ArcGIS Enterprise and SSL considerations

Google Developer presentation on HTTPS everywhere