Tag Archives: Security

Survey123 for ArcGIS: Securing surveys and results

Survey123 for ArcGIS is a complete, form-centric solution for creating, sharing and analyzing surveys. It is used to create smart forms and can be submitted from a web browser or dedicated Survey123 for ArcGIS native app by a defined audience.

Surveys can be designed on the Survey123 website or via the desktop with Survey123 Connect. Once designed, the survey is published, and in this process a survey form and service layers are created in the designer’s portal (ArcGIS Online or ArcGIS Enterprise). The survey form item represents the questions and survey settings, and the survey layers storing the submitted data.

Continue reading

ArcGIS Online Security Changes – Is Your Organisation Prepared?

Earlier last month Esri published a blog post titled Prepare for Next Major ArcGIS Online Security Advancement Now. I have to admit when I first read it; I didn’t pause for long – thinking it was related to another recent web-security related change by Esri – the switch to TLS 1.2

If your eyes are glazing over already, hang in there. There was more to this post than I first thought, and it’s something you should be thinking about now if you’re administering an ArcGIS Online organisation that has been in place for some time. To be specific, if you created your ArcGIS Online site before September 2018, then you should read on.

What’s going to happen in 2020 is that ArcGIS Online will no longer work with external references to resources that use HTTP in the referring URL. Only HTTPS references will be supported. This is the way the web is moving and Esri is simply following best practice.

If you created your ArcGIS Online organisational after September 2018, then you will have been subject to this restriction from the get-go and won’t have a problem (it has been the default position since that time). If the organisational site is older than that, then there’s a chance you could have these less secure references to resources lurking in your web maps, web scenes and other items. If you do nothing, a bunch of things may stop working at some point in 2020, and you’ll be scurrying to try and fix them in a hurry.

For any of you utilising Story Maps you may have already encountered this. In 2018 the Story Map team implemented HTTPS only compliant web apps. This meant not only did the story map have to be secured with HTTPS but also any referenced site in a story map  also had to be secured in the same fashion. In 2020 ArcGIS Online in its entirety will follow suite. Details on that earlier Story Map change here.

How would you know you’ve got a problem to solve? Esri has created a tool called the ArcGIS Online Security Advisor that will scan all the items in your organisation, looking for the issue. You’ll need to be logged in as an administrator of the organisation to do this. The HTTP Check component of that tool is in Beta right now with new capabilities being added regularly.

It can’t directly fix the issues because a simple replacement of HTTP with HTTPS in the reference may not work  if the target server doesn’t support HTTPS. However, it will give you the feedback you need to go triage each of the problems it flags.

A typical scenario that could impact many users is where a GIS service is coming from an older version of ArcGIS Server and added as an item to an ArcGIS Online organisation. That older ArcGIS Server version would have allowed the specification of just HTTP, or both HTTP and HTTPS when exposing services.

Here’s an example. Way back, I created a web map in my ArcGIS Online organisation that refers to the Australian Coastal Sediment Compartments web service from GeoScience Australia.  The link here is for the HTTPS version (since this is all about best practice), but when I created that map, I used the HTTP version. Both forms are currently supported by the GeoScience Australia GIS Server.

GAMap

The map displays the GA map service on top of the Esri Oceans basemap and works fine. Come 2020; this won’t be the case. If I use the beta HTTP Check tool in the ArcGIS Online Security Advisor, it picks up two problems with the web map.

GAMapDetection

 
In scanning the web map item, it detected that I have the URL of the GA web service in the Description. While that won’t break the map when HTTP is no longer supported, it still needs attention given the resource it refers to will change.

GAMapItem

The second pickup by the tool was the actual URL to the GA service in the JSON data describing the web map.

GAMapItemData

Equally, if you’ve created items in your portal that refer to resources coming from external sources  – say a web service from an external agency that you collaborate with, then you may come up against the same issue if they’re using HTTP.

When you interact with a web site that doesn’t use HTTPS to encrypt traffic these days, you get to know it. It’s no longer just a small broken padlock icon – mainstream browsers are now calling it out and telling you that the site is not secure. That’s a good thing, and Esri is just doing its part to ensure web security best practices are adhered to.

Read the original blog post here and use the ArcGIS Online Security Advisor tool to determine whether you need to take any action.

Important Security Updates to the ArcGIS Platform

January, 2019

Esri have recently announced upcoming improvements to ArcGIS Online in order to maintain the highest industry standards for data integrity and network security. Starting on 16 April 2019, ArcGIS Online will only accept TLS 1.2 connections for ArcGIS Online services. Some software, like ArcGIS Pro, are already TLS 1.2 enabled. Other Esri software, such as ArcGIS Desktop, uses TLS 1.0—this software requires a patch or configuration change to support TLS 1.2 connections. Esri is releasing patches and instructions to update existing software to support these connections. Continue reading