Category: Security

Posts about security, privacy and compliance for Trust.arcgis.com.

Global Privacy Requirements

On October 6, 2015, the European Court of Justice declared that Safe Harbor by itself is no longer considered adequate privacy assurance for customers who require the EU’s protection of personal data.  Media ran to the presses with the issues this might entail for European customers of US-based data holdings; however, the UK Information Commissioner was quick to state “Keep calm, Safe Harbor is not the only route.”

To ensure our customers know what privacy assurance is available now and what we are working on, we have updated our Privacy overview page on our Trust site. We are strong advocates of your privacy and believe these efforts will help to ensure you remain in compliance with EU law.

Though Privacy is not called out as a specific fundamental right in the United States today, as it is by the EU, this is an area of active change, as evidenced by the recent passage of the California Electronic Communications Privacy Act (CalECPA).  Previously, California privacy law did not cover electronic devices or digitally stored information; now a warrant is required for the government to access electronic information, a step the EU considers the right direction.

Bottom line: in the short term, some customers might want to use mechanisms such as Consent, EU Model Clauses, and even deployment models to help fulfill privacy regulation requirements.  Esri plans to support Safe Harbor 2.0 when it is released to ensure we can all work together in the most effective manner and provide assurance of the privacy and security of our customers around the globe.

- The Security Standards & Architecture Team

References:
Esri’s Trust site Privacy Summary
EU Model Clauses
EU FAQ’s To Understand Personal Data Transfer Requirements
Overview of new CalECPA Privacy Law

Posted in Security

Agency FedRAMP Authorization & Security Guidance

On September 4th, the US Census Bureau granted Esri Managed Cloud Services (EMCS) an Agency FedRAMP Authority to Operate (ATO) at the moderate level.  Esri first introduced the FedRAMP moderate compliant offering EMCS Advanced Plus at the beginning of 2015.  … Continue reading

Posted in Security

More ways to collaborate on maps and apps


A recent blog described a new way to use groups to enable colleagues to update your maps and apps on ArcGIS Online. With the addition of this capability there are now three ways in which members can participate in collaborative publication and … Continue reading

Posted in Apps, ArcGIS Online, Security, Story Maps

Developers – Track Dependencies & Update Apps or Risk Exposing Users

The days of developers not keeping track of where they use third-party libraries and not upgrading them are dead.  Why?  Over the last year awareness of vulnerabilities in these dependencies has increased in general and also as security researchers … Continue reading

Posted in Security

Enable colleagues to update your maps and apps


Groups are a great way to share and organize your web GIS content, and the July 2015 update to ArcGIS Online just gave groups an exciting and useful new capability: you can now use groups to give members permission to update your items. This … Continue reading

Posted in ArcGIS Online, Security, Story Maps

VENOM & Logjam Vulnerability Hype

Mid-May was a busy month for vulnerabilities being covered by media, so we’ve consolidated information about two of the most broadcasted vulnerabilities here. VENOM Vulnerability Information: On May 13, 2015, a hypervisor vulnerability (CVE-2015-3456), referred to as VENOM, was disclosed that … Continue reading

Posted in Security

Sharing Web GIS Services? Always enable TLS


Thousands of public Web GIS services are worthless for enterprise consumption, but there is a simple cure.  These increasingly worthless sites are configured without TLS (HTTPS) support.  Frequently, the operators of the sites are unaware that their lack of TLS … Continue reading

Posted in Security, Uncategorized

ArcGIS January 2015 Security Patch

Esri has released security updates for the ArcGIS Web Adaptor for Java, ArcGIS Server, and Portal for ArcGIS.  A number of security issues are addressed with this patch as described in the associated KBAs and we recommend our customers apply … Continue reading

Posted in Security, Uncategorized

Esri Managed Cloud Services (EMCS) achieves FedRAMP Moderate compliance


On January 29th, 2015, the Esri Managed Cloud Services (EMCS) achieved FedRAMP Moderate compliance. This milestone provides assurance to customers that EMCS aligns with today’s latest rigorous security controls required for cloud systems at the moderate impact level (specifically FedRAMP … Continue reading

Posted in Security

Does Ghost haunt you?

On January 27, 2015, a serious Linux operating system security vulnerability dubbed “Ghost” was announced concerning the glibc low-level system library that can allow attackers to remotely take complete control of a victim’s system.  This issue does not affect ArcGIS web … Continue reading

Posted in Security