Esri Software Security & Privacy Blog

Latest Activity

(33 Posts)
RandallWilliams
Esri Regular Contributor

A customer modernized their environment and in the process encountered ArcGIS Pro startup performance issues and failures adding data from online resources - but WHY? Let's walk through our troubleshooting processes and explain the problem.

RandallWilliams
Esri Regular Contributor

Esri is actively investigating the impact of the Log4j library vulnerability (CVE-2021-44228) disclosed on December 9, 2021, as some Esri products contain this common logging tool. This bulletin contains the latest information about Esri products and will be updated as new information becomes available.

RandallWilliams
Esri Regular Contributor

In this recorded webinar we explain ArcGIS Online configuration options and best practices, explore the need for processes and pipelines to govern information delivery, and demonstrate tools to help regularly monitor the security and sharing status of both ArcGIS Online items and the ArcGIS Online organizational account as a whole.

RandallWilliams
Esri Regular Contributor

This document augments the existing knowledge base article "FAQ: Which ArcGIS Enterprise directories should be excluded for security or antivirus software?" and is a valuable resource for teams installing, configuring, and administering ArcGIS Enterprise.

PeterBuwembo
Esri Contributor

HTTPS (Hypertext Transfer Protocol Secure) allows for the secure transmission of data, both incoming and outgoing, between a client, such as a web browser, and the server. Esri is making the HTTPS-Only change in a phased approach. Esri customers must act now to be ready for this change.

  • Currently, ArcGIS Online supports configuring HTTP or HTTPS. With the update planned for December 8, 2020, the “HTTPS Only” default will be enforced, and customers will no longer have the option of turning it off. For ArcGIS Enterprise, however, the customer retains full control of HTTPS/HSTS enforcement for their configuration.
  • ArcGIS Hub is being updated to enforce the HTTPS-Only standard on all sites and pages, starting September 8, 2020.
  • Esri is planning to enforce HTTPS Only in the World Geocoding Service on September 29, 2020. This important security update is likely to affect some ArcGIS software and custom solutions.

Additional details regarding the ArcGIS HTTPS enforcement are available here.

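The readiness check the post above calls for, as an added example that is not part of the original post and not an Esri tool: a Python scan of a web map's item JSON for layer and resource URLs that still use http://, which will stop loading once an organization is HTTPS-only. The sample web map, its host names, and the mapping of port 6080 to 6443 (ArcGIS Server's default HTTP and HTTPS ports) are assumptions of this example; any other port is left for a reviewer to confirm.

```python
"""Added example: find plaintext http:// references in ArcGIS web-map JSON.

Under an HTTPS-only organization, layers whose URLs still use http:// fail to
load as mixed content, so auditing item JSON ahead of the enforcement date is
a practical readiness check.
"""
import json
import re
from typing import Iterator, List, Tuple
from urllib.parse import urlsplit

# Constructed sample in the shape of a web map's item JSON; the hosts and
# layer names are invented for this example and are not from the post above.
SAMPLE_WEBMAP = json.dumps({
    "operationalLayers": [
        {"id": "roads", "title": "Roads",
         "url": "http://services.example.com/arcgis/rest/services/Roads/MapServer"},
        {"id": "parcels", "title": "Parcels",
         "url": "https://services.example.com/arcgis/rest/services/Parcels/FeatureServer/0"},
    ],
    "baseMap": {"baseMapLayers": [
        {"id": "tiles", "url": "http://basemaps.example.com/tiles/MapServer"},
    ]},
    "widgets": {"timeSlider": {"thumbnail": "http://gisserver.example.com:6080/arcgis/thumb.png"}},
})

HTTP_URL = re.compile(r"^http://", re.IGNORECASE)  # "https://" does not match


def walk(node, path: str = "$") -> Iterator[Tuple[str, object]]:
    """Yield (json_path, value) for every scalar in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node


def find_insecure_urls(document: str) -> List[Tuple[str, str]]:
    """Return (json_path, url) for every string value that is a plaintext http:// URL."""
    data = json.loads(document)
    return [(path, value) for path, value in walk(data)
            if isinstance(value, str) and HTTP_URL.match(value)]


def suggest_https(url: str) -> str:
    """Propose the https:// form of a URL.

    Drops an explicit :80 and maps ArcGIS Server's default HTTP port 6080 to its
    default HTTPS port 6443 (an assumption of this example); any other port is
    kept unchanged and must be confirmed against the actual service.
    """
    parts = urlsplit(url)
    host, port = parts.hostname or "", parts.port
    if port in (None, 80):
        netloc = host
    elif port == 6080:
        netloc = f"{host}:6443"
    else:
        netloc = f"{host}:{port}"
    return parts._replace(scheme="https", netloc=netloc).geturl()


def readiness_report(document: str) -> List[str]:
    """One line per finding: where the http:// reference is and what to change it to."""
    return [f"{path}: {url} -> {suggest_https(url)}"
            for path, url in find_insecure_urls(document)]


if __name__ == "__main__":
    for line in readiness_report(SAMPLE_WEBMAP):
        print(line)
```

Point `readiness_report` at the JSON of each web map, web app or portal item in turn; the JSON path in each finding tells you which layer or widget to edit. A rewritten URL should still be opened once over HTTPS before saving, since not every service that answered on http:// has a certificate on the suggested port.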
RandallWilliams
Esri Regular Contributor

The Esri Software Security and Privacy Team is proud to announce the newest in our white paper series:

Discovering and Limiting Access to Public ArcGIS Survey123 Results!

Written for survey authors, admins, and privacy professionals, and specifically intended to provide targeted guidance for public health initiatives, this guidance highlights best practices, discusses public survey layer discoverability, details specific scenarios, and provides contextual discussion around the various configuration options to be considered to protect your data prior to announcing a public survey where results are to remain secure.

From the abstract:

"Designing and configuring a Survey with an underlying survey layer can be tricky when the survey is intended to be completed by the public. Discovering insecure survey layers can be challenging for an organization administrator responsible for ensuring collected data is secure and configured to respect respondent privacy. This document provides guidance for GIS administrators, survey owners or users involved in implementing a public survey with respect to privacy and security."

We partnered with the ArcGIS Survey123 team to provide this guidance, and we strongly feel that organizations will see value in bookmarking this document for reference.

RandallWilliams
Esri Regular Contributor

A new Windows-based application has been created by a malicious individual or group that uses the online map posted by Johns Hopkins University at https://coronavirus.jhu.edu/map.html as a decoy for installing malware. Michael Young has written a blog describing this issue.

Bottom line: you are fine browsing the Coronavirus dashboard on the web with your browser, as no software needs to be downloaded. If you come across someone offering a Coronavirus dashboard where you need to download software to view it, don’t use it!

You'll find this blog, titled "Coronavirus Downloadable Malware Map App Clarification", in the 'Alerts and Announcements' section on the front page of the ArcGIS Trust Center.

RandallWilliams
Esri Regular Contributor

Esri’s Software Security and Privacy team is often called on by both current and prospective customers to provide assurance about the kinds of controls we’ve implemented to help keep your data and our infrastructure safe. Esri has provided a detailed list of answers to questions related to the security of the ArcGIS Online platform for security professionals in the form of the CAIQ Answers document. Esri’s CAIQ response document answers the set of 295 yes-or-no questions a cloud consumer or cloud auditor may wish to ask of a cloud provider. You’ll find this document (along with many others) in the Documents tab of the ArcGIS Trust Center.

The CAIQ is a survey provided by the Cloud Security Alliance (CSA) for cloud solution consumers and auditors to assess the security capabilities of a cloud service provider like ArcGIS Online. The CAIQ was developed to create commonly accepted industry standards for documenting how service providers like Esri implement security controls in infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and/or software-as-a-service (SaaS) applications.

The CAIQ questionnaire is designed to support organizations when interacting with a cloud provider during the cloud provider assessment process by giving organizations specific questions to ask about provider operations and processes. The CAIQ is part of the CSA governance, risk management and compliance stack.

The CSA is a “not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing”.

A wide range of industry security practitioners, corporations, and associations participate in this organization to achieve its mission. Esri began providing answers for the CSA CCM (133 questions) in 2013, and in 2019 shifted to the more extensive CAIQ with 295 questions/answers.

ArcGIS Online is audited annually by a third-party assessor to ensure alignment with its Federal Risk and Authorization Management Program (FedRAMP) Tailored Low Authority to Operate (ATO) issued by the United States Department of the Interior.

For more information concerning the security, privacy and compliance of ArcGIS Online, please see the Trust Center at: https://Trust.ArcGIS.com.

ArcGIS Online utilizes the cloud infrastructure of Microsoft Azure and Amazon Web Services, both of which have completed the CSA questionnaires for their own capabilities; those responses may be downloaded from the CSA STAR Registry at: https://cloudsecurityalliance.org/star/#_registry

Our responses to these questions meet Level 1 self-assessment requirements for the CSA’s Security, Trust, Assurance and Risk (STAR) Program.

For a more lightweight set of answers, a basic overview of ArcGIS Online security (2-page flyer) is available within the Trust Center documents. Some basic, recurring customer questions include:

  • Where is my data hosted? Within AWS and MS Azure datacenters on US soil. (CAIQ ID: BCR-032.2, DSI-01.1)
  • Is my data encrypted at rest and in transit? Yes, new organizations use HTTPS with TLS 1.2 in transit and AES-256 at rest. (CAIQ ID: EKM-03.1)
  • Is my data backed up? Customers are responsible for backing up their datasets. (CAIQ ID: DSI-04.1)
  • Can I do security tests against ArcGIS Online? Yes, however a Security Assessment Agreement (SAA) must be completed first.
  • Are my files scanned with anti-virus? Yes; files containing malicious code are rejected from upload. (CAIQ ID: CCC-04.1)
  • What privacy assurance is in place? ArcGIS Online is Privacy Shield self-certified, and both GDPR- and CCPA-aligned. (CAIQ ID: GRM-06.4)

For any questions/concerns/feedback please contact Esri’s Software Security & Privacy Team at: SoftwareSecurity@Esri.com

References:

https://cloudsecurityalliance.org/ 

https://searchcloudsecurity.techtarget.com/definition/CAIQ-Consensus-Assessments-Initiative-Question... 

https://blog.whistic.com/5-of-the-top-questionnaires-for-it-vendor-assessments-e1fc5b927eb9 

RandallWilliams
Esri Regular Contributor

A new Tomcat CVE (CVE-2020-1938) referred to as 'Ghostcat' has a lot of users asking how Esri software is affected.

Michael Young has written a blog describing how users may be impacted and offers guidance for customers who deploy the Java version of the ArcGIS Web Adaptor on Tomcat or use Apache httpd along with Tomcat in a reverse proxy solution.

You'll find this blog, titled "Don't get Bitten by GhostCat Tomcat Vulnerability", in the 'Alerts and Announcements' section on the front page of the ArcGIS Trust Center.

RandallWilliams
Esri Regular Contributor

Users are asking us how ArcGIS Enterprise may be affected by Microsoft blocking unsigned LDAP communication in Active Directory starting in March 2020.

ArcGIS Enterprise itself is not affected by this as long as connections to Active Directory can be made using LDAPS (port 636). To meet this requirement, be sure that LDAPS is available on your Active Directory servers.

However, *if* your organization is using the Java Web Adaptor (which itself requires a Java EE application server such as Tomcat, GlassFish or WebLogic) with web-tier authentication against Active Directory, then the application server must itself be configured to connect to the directory server using LDAPS.

Even if ArcGIS Enterprise is configured to use LDAP over plaintext port 389, it will attempt to connect via LDAPS (port 636) first regardless. Front-end application servers are unlikely to follow this pattern and will communicate with the directory server exactly as configured.

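An added example, not from the original posts and not Esri or Apache code, that serves both the Ghostcat post above and this LDAP-signing post: a Python audit of a Tomcat server.xml, the file a Java Web Adaptor host actually runs from. It flags an AJP connector (the listener through which CVE-2020-1938 is reached) that binds to all interfaces or has no shared secret, and a JNDIRealm whose connectionURL still says ldap:// rather than ldaps://, which is what a web-tier authentication setup hits once Active Directory rejects unsigned binds. The sample server.xml, host names and secret are constructed; address, secretRequired, secret and useStartTls are Tomcat's own connector and realm attributes, and the hardened variant is shown beside the weak one.

```python
"""Added example: audit a Tomcat server.xml for the two front-end issues above.

1. CVE-2020-1938 (Ghostcat) is reached through the AJP connector, so an AJP
   connector that listens on all interfaces or has no shared secret is flagged.
2. Once Active Directory rejects unsigned LDAP, a JNDIRealm whose connectionURL
   still says ldap://host:389 will fail to bind; ldaps://host:636 is expected.
"""
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: a typical pre-hardening server.xml. Host names are
# invented for this example and are not from any real deployment.
WEAK_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.JNDIRealm"
             connectionURL="ldap://dc01.corp.example:389"
             userBase="ou=people,dc=corp,dc=example" userSearch="(sAMAccountName={0})"/>
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

# The same file after hardening: AJP bound to loopback with a required secret
# (the proxy side must present the same secret), and the realm on LDAPS/636.
HARDENED_SERVER_XML = WEAK_SERVER_XML.replace(
    '<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>',
    '<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"\n'
    '               secretRequired="true" secret="replace-with-a-long-random-value" redirectPort="8443"/>',
).replace("ldap://dc01.corp.example:389", "ldaps://dc01.corp.example:636")

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(root: ET.Element) -> List[str]:
    """Flag AJP connectors reachable from the network or lacking a shared secret."""
    findings = []
    for connector in root.iter("Connector"):
        if not connector.get("protocol", "").upper().startswith("AJP"):
            continue
        port = connector.get("port", "?")
        address = connector.get("address", "")
        if address not in LOOPBACK:
            findings.append(
                f"AJP connector on port {port} listens on {address or 'all interfaces'}; "
                f'bind it with address="127.0.0.1" or remove the connector if unused')
        if connector.get("secretRequired", "true").lower() != "true" or not connector.get("secret"):
            findings.append(
                f"AJP connector on port {port} has no shared secret; set "
                f'secretRequired="true" secret="..." and the same secret on the proxy side')
    return findings


def audit_ldap_realms(root: ET.Element) -> List[str]:
    """Flag JNDIRealm directory URLs that would use unsigned, plaintext LDAP."""
    findings = []
    for realm in root.iter("Realm"):
        if not realm.get("className", "").endswith("JNDIRealm"):
            continue
        # StartTLS upgrades the ldap:// connection before the bind, so it is accepted.
        starttls = realm.get("useStartTls", "false").lower() == "true"
        for attr in ("connectionURL", "alternateURL"):
            url = realm.get(attr)
            if url and url.lower().startswith("ldap://") and not starttls:
                findings.append(
                    f"{attr}={url} is plaintext LDAP; use ldaps://<dc>:636 "
                    f'(or useStartTls="true" on Tomcat versions that support it)')
    return findings


def audit_server_xml(xml_text: str) -> List[str]:
    """Parse server.xml and return all findings; an empty list means both checks pass."""
    root = ET.fromstring(xml_text)
    return audit_ajp_connectors(root) + audit_ldap_realms(root)


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        findings = audit_server_xml(xml_text)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run `audit_server_xml` over the real conf/server.xml on each Web Adaptor host; the weak sample yields three findings and the hardened one none. The secretRequired/secret attributes only exist in the Tomcat releases that fixed Ghostcat, so on an older Tomcat the first two findings mean "upgrade, then bind and set a secret", not just "edit the file"; and the LDAPS check only covers the realm as literally configured, which is exactly the gap the post above describes for front-end application servers.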