Survey123 and AGOL - Scan Photos for Malware from Publicly Shared Survey

deleted-user-sNUdtFrn2yEY · ‎05-07-2020

Hello -

We are looking to create a publicly shared survey using Survey123 that captures photos (to determine if holes have been dug correctly). The users will change frequently and are external partners that we have contracted with. To manage these new users and add them to our portal with the correct User Type, we fear will become an daily administrative burden.

Because of this, we are exploring sharing the survey with the public and also following Esri’s Best Practices - https://downloads.esri.com/RESOURCES/ENTERPRISEGIS/Limiting_Access_to_Public_Survey123_Results.pdf

IT Security Issue

The issue raised by IT Security is the potential for malware to be embedded/included in Photos submitted from this public survey.

Questions

Do you know if there is any way to include a malware scanning of photos before the data comes into ArcGIS Online?
Is there a way to limit just taking a photo and not accessing photos on the mobile devices photo library?

I found this post, but it did not provide any answers to my specific question - https://community.esri.com/thread/246340-does-survey123-create-vulnerabilities

I could imaging other companies may have this concern if you generate a publicly shared survey in Survey123 to engage the public to assist in identifying Street Lights that are broken/not working or reporting graffiti.

Thanks in advance for any assistance Esri can provide regarding my questions. Have a great day!

Best regards,

Colleen Madigan Schelde

Orsted/radiuselnet

comas@radiuselnet.dk

Shwu-jingJeng · ‎05-07-2020

Hi Colleen,

To asnwer your questions:

1. With image question, only the image format is allowed to upload and if the format is other than the supported image formats, it will throw an error and upload is not allowed. I am not aware of the malware scanning on AGOL. The image question will initially scan the file format and will bock any other image formats which we do not support with.

2. Currently there is an enhancement request submitted for this request.

ENH-000116753 Allow disable the upload image from device's files in survey 123

I encourage you to contact Esri Support. Our Support team will assign an official enhancement number for your records. Similar requests from other customers can then be attached to the same enhancement request, which helps us assess demand for the enhancement and prioritize it accordingly.

deleted-user-sNUdtFrn2yEY · ‎05-08-2020

Hello Shwu-jing-

Thank you for your quick response to my questions.

I was wondering if you have some more detailed documentation regarding the ArcGIS Online supported image formats and the process ArcGIS Online goes through to approve/reject the image that you could share with me (in PDF or links). I will need to provide this information to IT Security for clarification.

I will Question # 2 to Esri Support as you suggest.

Thanks again and I look forward to hearing back from you.

Have a nice day!

Best regards,

Colleen Madigan Schelde

Orsted/Radiuselnet

comas@radiuselnet.dk

RandallWilliams · ‎05-11-2020

Hi Colleen,

All uploads submitted to ArcGIS Online are scanned for viruses and malware as required by our FedRAMP accreditation.

You’ll find our attestation to this fact in our Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ).

This document is one of many we provide in the documents tab in the ArcGIS Trust Center. We scan all uploaded files submitted to ArcGIS Online for viruses/malware. If malware or a virus is detected, the file is rejected and the event is logged in the customer’s organization in the activity log.

Common Questions we answer here include:

Where is my data hosted? Within AWS and MS Azure datacenters on US Soil by default, though starting in March 2020 new organizations will be able to choose to have their data stored in the US Region or the new EU Region.
Is my data encrypted at rest and in transit? Yes, new organizations use HTTPS w/TLS 1.2 for in-transit and AES-256 at rest.
Is my data backed up? Customers are responsible for backing up their datasets.
Can I do security tests against ArcGIS Online? Yes, however a Security Assessment Agreement (SAA) must be completed first.
Are my files scanned with Anti-virus? Yes – Files containing malicious code are rejected from upload.
What privacy assurance is in place? ArcGIS Online is Privacy-Shield self-certified, and both GDPR/CCPA aligned.

RyanBunting · ‎01-30-2024

Thank you for this information!

Do these security measures also apply when using a feature service hosted on ArcGIS Sever as opposed to hosted through ArcGIS Online through AWS and MS Azure?

Thanks.