In 2018, an ArcGIS Online update introduced some changes to the security settings available for ArcGIS Online organizational accounts. These settings allow access to the organization only through HTTPS and allow only standard SQL queries.
To help ensure a secure platform for your organization’s hosted resources, Esri has made changes to these settings as part of a larger commitment to providing a secure platform:
If your organization already has these options enabled, you will no longer see them as configurable options in your organization’s settings.
If you have one or both options disabled, you will see a Warning banner with a recommendation that you enable these options for your organization.
To help administrators safeguard ArcGIS Online organizational accounts, Michael Young, Esri’s chief information security officer, has provided detailed answers to questions about these enhancements.
What is HTTPS?
HTTPS, which is an abbreviation for Hypertext Transfer Protocol for secure communication, commonly referred to as Transport Layer Security (TLS) or Secure Sockets Layer (SSL) encryption, provides a layer of security for data transmission over the Internet. When HTTPS is used, incoming and outgoing communication between your browser and the server providing the layer is encrypted. This secures information while it is in transit so that anyone monitoring traffic between you and the layer cannot see the information being transmitted.
One of the main drawbacks of using HTTPS has been that it is not as fast as HTTP. However, advances in web technology have closed the gap, specifically with the introduction of HTTP/2 [which is defined for both HTTP URIs and HTTPS URIs]. In many cases, HTTPS is now faster than HTTP. HTTPS has become the Internet standard. Most popular websites use HTTPS. It is recommended that all communication over the Internet use HTTPS.
Why HTTPS Matters for Your Organization
HTTPS helps secure your organization’s assets. For instance, when you view data (as part of a layer, map, or app) or collect data (as part of a survey), HTTPS helps ensure that nobody can see the data aside from the people that you share it with. Many government agencies, especially at the federal level, have stringent requirements regarding how data must be secured.
Esri has done a considerable amount of work to meet these requirements, adhering to guidelines from Federal Risk and Authorization Management Program (FedRAMP), Federal Information Security Management Act of 2002 (FISMA), General Data Protection Regulation (GDPR), and other agencies and will continue to enhance security for ArcGIS Online and the ArcGIS platform overall. Visit the ArcGIS Trust Center (trust.arcgis.com) for more information on Esri’s compliance with these initiatives.
Encrypting sensitive information is the primary reason to use HTTPS. HTTPS uses TLS or SSL encryption protocols that provide secure communication across networks. The ArcGIS platform uses TLS, which is a more recent and secure encryption protocol than SSL. ArcGIS Online still supports SSL, and you will often see SSL and TLS used interchangeably in documentation.
When you send information over the Internet using HTTPS in your URL address, only the intended recipient can understand the information. This encryption is important because the information you send over the Internet is usually passed between many computers before it gets to the destination server. Any computer between you and the server can see sensitive information, such as passwords, if the information is not encrypted with a valid TLS or SSL certificate.
With a cloud-based software as a service (SaaS) such as ArcGIS Online, using HTTPS for communication over the Internet is one of the most important steps you can take to secure sensitive information. When the HTTPS only setting is enabled for your organization, your data hosted in ArcGIS Online can only be accessed over HTTPS. HTTP is effectively disabled. Any communication between you (or anyone else) and your ArcGIS Online organization is only over HTTPS, whether that is through a browser, device, or desktop application.
In addition, Google Chrome, Mozilla Firefox, Microsoft Edge/Internet Explorer 11, and Apple Safari are becoming increasingly strict with HTTP traffic. Browser updates frequently introduce tighter controls that either alert you to security issues with websites or block you from visiting websites a browser deems unsafe.
How to upgrade your organization to HTTPS only
To enable the HTTPS only setting for your organization, go to the Settings tab of your ArcGIS Online Organization page and select Security. In the Policies section, you will see Allow access to the organization with HTTPS only under the Warning banner. If you don’t see this option, your organization is already enabled for HTTPS only.
Here are a few items to consider when enabling the HTTPS only setting for your organization:
Layers hosted in ArcGIS Online as well as layers provided by Esri, such as ArcGIS Living Atlas of the World layers or basemaps, are automatically HTTPS ready. For many organizations, transitioning to HTTPS only will be seamless.
You can update the layers in your maps or scenes to use HTTPS from the item’s details page.
Check your Esri Story Maps apps for HTTPS compatibility using the Check Stories utility at the Story Maps website.
If you have an ArcGIS Hub site, you can configure your site to enforce HTTPS only. HTTPS is not currently supported with custom domains. HTTPS support for custom domains is coming in the near future. When HTTPS is supported for custom domains, Esri will automatically update your custom domain to support HTTPS (if you have enabled Enforce HTTPS).
Once you’ve enabled HTTPS only, check any critical apps, maps, or other content hosted in ArcGIS Online. If you’ve enabled HTTPS only and find an issue, you can revert the setting back to allow HTTP access. Once the issue is resolved, you can reenable HTTPS only. The option will remain available to disable for 60 days. Once 60 days has elapsed without being disabled, the option will no longer be available in your organization’s settings.
Allow only Standard SQL Queries
SQL is a scripting language commonly used by developers when working with feature data hosted in ArcGIS Online. Standardized SQL, a specific version of SQL, is generally regarded as more secure. All ArcGIS apps support standardized SQL. Esri recommends that your ArcGIS Online organization allow only standard SQL queries. If this security option is enabled, you will no longer see it as a configurable option. If option is not enabled, you will see the option under the Warning banner in the Security section of your organization’s settings.
Visit the ArcGIS Trust Center for more information about Esri’s commitment to security and compliance.