The diagram below outlines responsibility by layers across the major cloud deployment models versus an on-premise implementation. These deployments are not exclusive, and an enterprise deployment of the ArcGIS platform could use multiple models such as an on-premise implementation supplemented with ArcGIS in the cloud in a hybrid approach.
CSP: Cloud Service Provider
ATO: Authority To Operate
ArcGIS Online is a secured, reliable geographic information system (GIS) delivered using the software-as-a-service (SaaS) model. ArcGIS Online services are elastic, available on demand, managed by Esri, and accessed by a client running on a wide range of platforms. They can be shared and utilized by many customers and offer security benefits.
For any comments or concerns, email us at: SecureSoftwareServices@esri.com.
General overview of security in ArcGIS Online (.pdf)
Detailed security answers for information security professionals (.pdf)
ArcGIS Online Service Level Agreement (.pdf)
ArcGIS Online Terms of Service
The following features are engineered by Esri as part of the core ArcGIS Online software platform:
For organizations that want to make use of ArcGIS Online but prevent storing sensitive data in the cloud, a hybrid approach is a common solution. ArcGIS Online can be used to for dissemination and discovery of services, while the organization can leverage their own infrastructure for hosting sensitive data.
For organizations that require complete segmentation of their solution from the Internet or do not allow distributed multitenant environments such as ArcGIS Online, the on-premises Portal for ArcGIS meets this requirement of high security needs by running inside corporate firewall environments.
Esri has consistently invested in stronger ArcGIS security and has been providing Managed Services for over 10 years, including FISMA accredited implementations such as the Geospatial One-Stop and ArcGIS Online.
Corporate security has substantially augmented resources assigned to protecting Esri IT infrastructure and services. A Security Standards and Architecture team has also been established to drive secure products and services including: best practice workshops, validation, and documentation for customers, partners and regulators.
Moving geospatial services to the cloud requires serious consideration of security issues and technology. Cloud computing is indeed complex; however, by utilizing a secured backbone of both industry-leading cloud providers and geospatial services, ArcGIS Online is able to provide the security organizations need.