Esri Software Security & Privacy Blog - Page 4

RandallWilliams
Esri Regular Contributor

On November 2, 2018, ArcGIS Online's signing and encryption certificates were updated.

ArcGIS Online has a new SAML signing and encryption certificate available. This certificate is necessary when an organization has enabled signed requests or encrypted assertions. The previous SAML signing and encryption certificate is due to expire on November 14th, 2018 and it is necessary to take action to ensure that your organization can continue to use your Enterprise Identity Provider (IDP). SAML enterprise logins that use the old certificate for signed requests or encrypted assertions will continue to work until Nov 13, 2018.

Action: Users who have enabled the advanced options 'Enable Signed Requests' and/or 'Encrypt Assertion' will need to obtain the new ArcGIS Online Service Provider metadata file and associate it with their Identity Provider before November 14, 2018.

Customers using these advanced options who do not upload the updated ArcGIS Online metadata file containing the new certificate before this date will receive an IDP specific error when they attempt to sign into ArcGIS Online with an Enterprise account.

To obtain the updated metadata file:

a. Log in to www.arcgis.com with your administrative credentials.
b. Click on "Organization" then "Settings" then "Security".
c. Scroll down to "Enterprise Logins" then click the "Get Service Provider" button.

   - This action will download the metadata needed for your IDP.


An email containing the following text has already been sent to ArcGIS Online Organization Administrators:

"ArcGIS Online will be updating its SAML signing and encryption certificates on November 13th, and we need you to take action to ensure your organization can continue to use your Enterprise Identity Provider (IDP).

This certificate is necessary when an Organization has enabled signed requests or encrypted assertions.

To enable your IDP to discover our new certificates, you will need to re-register ArcGIS Online as your trusted services provider.

The process for this varies by the SAML identity provider used, but tutorials on how to do this can be found in our documentation within the section titled 'Register ArcGIS Online as the trusted service provider'.

Esri has documented this process for these popular Identity Providers:

ADFS
NetIQ
Okta
OpenAM
Shibboleth
SimpleSAML


If you have any questions, please contact technical support."

Esri Support Services has released a KB article describing this issue. See:

Problem: ArcGIS Online SAML Authentication signing and encryption certificate renewal 

PeterBuwembo
Esri Contributor

ArcGIS Online was granted a FedRAMP Tailored Low (Li-SaaS) Authority to Operate (ATO) which went into effect June 28th, 2018. When a solution such as ArcGIS Online is authorized, specific applications, services, and providers are assessed as part of the effort. The security controls for this authorization align with National Institute of Standards and Technology (NIST) Special Publication 800-53 (Revision 4) which maps to International Standards Organization (ISO) 27001 & 15408 controls.

RandallWilliams
Esri Regular Contributor

The Portal for ArcGIS Security 2018 Update 2 Patch has been released for Portal for ArcGIS 10.3.1.

ArcGIS Enterprise Administrators should consider installing this patch as high priority, as it addresses an incorrect proxy access control vulnerability, among others.

Security patches are released for the last minor release in a series of ArcGIS products that are still in mainstream support.

All versions of this patch are available here:

Portal for ArcGIS Security 2018 Update 2 Patch

Users can also run the ArcGIS Patch Notification tool to check for, download, and install patches.

Check for and install software patches and updates—ArcGIS Server (Windows) Installation Guide (10.5)... 

RandallWilliams
Esri Regular Contributor

In today’s cybersecurity landscape, ensuring the products and services you receive from a software company have security and privacy considerations built-in is paramount.  Today, we are publicly releasing an overview of the assurance measures we incorporate, including governance, standards alignment, assessments/tools, vulnerability/incident management, and guidelines utilized.

We have also updated the Trust Center to have its own domain, so that users are no longer directed to .doc.arcgis.com pages as part of the main site and we have updated the Documents section descriptions to more easily identify what content is best for you (including the SDLC overview document titled “Esri Software Security and Privacy”).

We welcome your feedback on this overview, so feel free to reach out to our team – Esri’s Software Security & Privacy team –[email protected]

Reference:
Esri Software Security & Privacy (SDLC Overview) – https://downloads.esri.com/RESOURCES/ENTERPRISEGIS/Esri_SDLC.pdf

RandallWilliams
Esri Regular Contributor

The ArcGIS SSL/TLS Guidance Briefing has been updated. Updates include specific guidance for ArcGIS Client software, insight into TLS plans for ArcGIS Online, and details regarding ArcGIS Enterprise components.

Browse to the ArcGIS Trust Center document repository to review this document and all of our other helpful resources!
