Esri Location Analytics: Four Implementation Models
An Esri White Paper
J10243, July 2014
Contents
Overview
Four Implementation Models
  Product Descriptions
Cloud Model with ArcGIS Online
  Security
  Security and Privacy Considerations
    Map Rendering
    GeoEnrichment Service and Infographics
    Routing and Geocoding
    Sharing and Collaboration
Hybrid Cloud/On-Premises Model with ArcGIS Online and ArcGIS for Server
  Security
  Security and Privacy Considerations
Hybrid Cloud/On-Premises Model with ArcGIS Online and Portal for ArcGIS
  Security
  Security and Privacy Considerations
On-Premises Model with Portal for ArcGIS
  Security
  Security and Privacy Considerations
Conclusion
Overview
Esri® Location Analytics is a strategy for enabling everyone in your
organization to discover, use, make, and share maps and geographic data
anywhere, on any device, at any time.
This document is designed to help you understand the different implementation models
available to your organization based on considerations such as financial resources,
staffing, risk, and security.
Esri's ArcGIS® named user licensing includes access to configurable applications that
integrate with the following business systems:
■ IBM Cognos Business Intelligence
■ SAP BusinessObjects
■ MicroStrategy
■ Salesforce.com
■ Microsoft Dynamics CRM
■ Microsoft SharePoint
■ Microsoft Office
In addition to these applications, Esri provides a broad range of APIs and software
development kits (SDK) to integrate ArcGIS with virtually any business system or
workflow.
For details, see Location Analytics.
ArcGIS can be implemented through cloud, on-premises, or hybrid deployment options.
Esri anticipates that, as with any enterprise-level solution deployment, many of our
customers will wish to undertake a formal discovery process during which best practices
decisions will be made regarding
■ Development, staging, and production environments.
■ Solution hardware and software specifications.
■ Resource allocation in light of service-level agreements (SLAs).
■ High-availability architectures and service/data redundancy.
■ Overall system security.
Due to the unique needs of each of our customers, this paper is not meant to serve as a
system architecture design but describes common patterns for implementing ArcGIS. All
diagrams are conceptual, and data security and privacy concerns are emphasized.
Four Implementation Models
The four implementation models are
1. Cloud Model with ArcGIS Online.
2. Hybrid Cloud/On-Premises Model with ArcGIS Online and ArcGIS for Server.
3. Hybrid Cloud/On-Premises Model with ArcGIS Online and Portal for ArcGIS.
4. On-Premises Model with Portal for ArcGIS.
Product Descriptions
■ ArcGIS Online is a cloud-based, collaborative mapping platform for creating,
managing, and sharing maps, data, and other geographic information. For details, see
ArcGIS Online.
■ ArcGIS for Server is software for sharing your geographic information system
(GIS) resources across an enterprise as web services. It is composed of a scalable
line of editions based on functionality and levels based on capacity. For details, see
ArcGIS for Server.
■ Portal for ArcGIS is a feature of ArcGIS for Server that provides a mapcentric,
collaborative content management system that organizations can deploy in their own
infrastructure (i.e., on-premises). For details, see Portal for ArcGIS.
■ ArcGIS for Desktop is software for creating, editing, and analyzing geographic
knowledge to examine relationships; test predictions; and, ultimately, make better
decisions. For details, see ArcGIS for Desktop.
■ StreetMap™ Premium for ArcGIS is a ready-to-use street dataset that works with
ArcGIS to provide geocoding, routing, and high-quality cartographic display. For
details, see StreetMap Premium for ArcGIS.
■ Data Appliance for ArcGIS is a turnkey solution that provides terabytes of
worldwide basemaps and reference layers preloaded onto a network-attached storage
device that plugs right into your organization's internal network. For details, see Data
Appliance for ArcGIS.
Cloud Model with ArcGIS Online
Most Esri applications and data products are either built on top of ArcGIS Online or
connect through it to form an integrated system for creating, analyzing, and distributing
maps and spatial data. Under this architecture, customers configure an ArcGIS Online
account that is sized appropriately for the expected user load. The account is based on an
annual subscription plan. Information about current subscription plans is available at
esri.com/software/arcgis/arcgisonline/purchase.
In addition to being a geographic content management and mapping system for
organizations, ArcGIS Online supports the sharing and collaboration features of the
ArcGIS platform and facilitates searches for data across all Esri products that connect to
ArcGIS Online. The customer has cloud-based, read-only access to Esri basemaps,
boundary map services, business data, community and lifestyle data, demographics
information, and much more. ArcGIS Online provides routing, geocoding, and other
location services such as drive-time analysis. In addition, this architecture provides the
customer with access to additional data and services published and shared by an
extensive Esri community.
Customers may also configure and publish web maps and map services in ArcGIS Online
to serve their own spatial data. In order to connect and publish data, at least one license of
ArcGIS for Desktop is required. All web maps and map services created and explicitly
shared by the customer are stored and accessed via ArcGIS Online.
Security
ArcGIS Online serves as the repository for the sharing model (including users, roles, and
groups). ArcGIS uses the underlying sharing model of ArcGIS Online. Additionally, the
customer may elect to configure the use of enterprise logins via Security Assertion
Markup Language (SAML) and a supported Lightweight Directory Access Protocol
(LDAP) provider. Users can configure Active Directory Federation Services 2.0, NetIQ
Access Manager 3.2, OpenAM 10.1.0, Shibboleth 2.3.8, or SimpleSAMLphp 1.10 as the
identity provider. The customer may further elect to require Secure Sockets Layer (SSL)
for all communication with ArcGIS Online and optionally disable sharing of on-premises
business system data through the use of users/roles permissions and the sharing settings
within location analytics products (see figure 1).
Figure 1
Cloud Model with ArcGIS Online
This diagram depicts how ArcGIS would be integrated with a generic business system and configured to embed
map content and map-based analytics into the business system dashboard or user interface (UI).
Security and Privacy Considerations
Data access in an ArcGIS implementation uses the underlying sharing model of
ArcGIS Online, whereby all spatial data layers, map services, and web maps reside
within and are accessed via ArcGIS Online.
Access to the organization's data is controlled by named user logins or by a
registered application key, whereby
■ Authorization is controlled through the use of users and groups within the
ArcGIS Online organization.
■ Administrators can require SSL encryption for all access and interaction with their
ArcGIS Online for Organizations subscription.
■ All data is encrypted in transit over the Internet. Data is not encrypted in situ
(that is, at rest) within ArcGIS Online.
■ Data can be encrypted during upload through the use of third-party solutions.
ArcGIS Online administrators and users should understand the security and privacy
considerations inherent in a cloud-based solution. The most common types of interaction
with ArcGIS Online are as follows:
Map Rendering
Maps within ArcGIS are delivered in one of three formats:
■ Image tiles—for cached map services
■ Map images from dynamic map services
■ Feature data drawn on the map by combining geometries from a feature service with
data held in the business system. (Drawing feature data on the map takes place
entirely within the consuming client. No customer data is transmitted outside the
containing business system during map rendering tasks.)
Figure 2
Map Rendering
Maps are delivered in one of three formats: image tiles, map images, and feature data.
Information transmitted outside the customer's firewall includes one or more source
URLs for map data that has been registered with or stored in ArcGIS Online as well as
projection and bounding box information from the map. Information received back
through the firewall will include map images or URLs to map images and feature
geometries and attributes in JSON format.
GeoEnrichment Service and Infographics
The ArcGIS platform provides a GeoEnrichment service that's built on the ArcGIS
REST API. The service can be used to add fields to the business analysis layer and
populate them with spatially relevant values, such as demographics.
The API provides a method for generating a variety of infographics (charts, graphs,
tables) within ArcGIS. It operates on a user-provided geometry (created by clicking or
drawing on the map), spatial reference information derived from the map, and a list of variable values
that the user wishes to use. Information received back through the firewall is a JSON
format response containing the requested data relevant to the submitted geometry. For
these activities, no customer data is transmitted outside the firewall beyond the location
information and variable names used for GeoEnrichment services or generation of
infographics.
Figure 3
GeoEnrichment
The GeoEnrichment service adds fields to the business analysis layer and populates them with spatially relevant
values.
Routing and Geocoding
In most routing and geocoding workflows, one or more street addresses are transmitted to
the Esri World Geocoder, and an x,y location is returned to the client for each submitted
address. In other cases, routes with driving directions or drive-time polygons are returned
to the client for further processing and rendering.
Figure 4
Geocoding, Routing, and Drive Times
Street addresses are returned as x,y locations using the Esri World Geocoder.
During the geocoding process, address information from a customer's business system is
transmitted outside the firewall to the Esri World Geocoder, and JSON format data on
location, route, or drive-time polygons is returned to the consuming client. An HTTPS
URL is available for geocoding, which will encrypt all data in transit.
For some organizations, the use of hosted routing, geocoding, and drive-time
functionality could be a source of concern in terms of on-premises business data security
and privacy. If this is the case, an on-premises solution may be appropriate.
Sharing and Collaboration
One of the key value propositions for ArcGIS Online is the capability to share and
collaborate with map content. Users must be aware that information may be transmitted
and stored when it is shared. For example, if a business system dashboard author or
consumer elects to share a map or individual data layer via the ArcGIS Online
organizational account, a snapshot of the business system data being rendered on the map
is packaged along with spatial information required to display it and transmitted and
stored in ArcGIS Online.
Figure 5
Sharing and Collaboration
When a map or individual data layer is shared via ArcGIS Online, a snapshot of the data on the map is
packaged along with spatial information, then transmitted and stored in ArcGIS Online.
Typically, sharing means that
■ A map service is created.
■ A CSV file is uploaded for each business system data layer in a map.
■ A feature service is created for each map layer derived from business data.
■ A web map is created (essentially, a JSON format config file) that duplicates the
view of the map from within the business system.
Users must understand that in such cases, they are transmitting their business data
through the firewall to be available to authorized groups within ArcGIS Online and other
Esri products. In ArcGIS, the sharing capability can be administratively turned off by
default.
Hybrid Cloud/On-Premises Model with ArcGIS Online and ArcGIS for Server
In this scenario, the organization wishes to keep sensitive spatial data inside the
organization's firewall. To do this, the standard architecture described in the section
"Cloud Model with ArcGIS Online" can be enhanced with one or more ArcGIS for
Server instances.
Security
All the features of the standard architecture apply. However, services on one or more
ArcGIS servers are registered with the ArcGIS Online account. These services are
available with ArcGIS.
The ArcGIS for Server service registration process effectively creates a "pointer" to
where the data is located and enables discovery of the data. The ArcGIS for Server token-
based security model is respected in these cases. In this manner, customer data is stored
and accessed using on-premises or Amazon-based ArcGIS for Server, and none of the
customer's spatial data assets reside in ArcGIS Online unless they are explicitly uploaded.
As with the standard architecture, ArcGIS Online serves as the repository for the sharing
model; supports sharing and collaboration; and includes standard Esri datasets and
services such as routing, geocoding, drive-time, and GeoEnrichment service requests.
Figure 6
Hybrid Cloud/On-Premises Model with ArcGIS Online and ArcGIS for Server
This diagram depicts how ArcGIS would be integrated with a generic business system using a hybrid model,
where some map and feature services are created and maintained on-premises and shared via ArcGIS Online.
Security and Privacy Considerations
The same basic security and privacy rules for business data apply in this hybrid
architecture as in the cloud model described previously. The only time business data
leaves the organization's firewall is when geocoding is performed on addresses stored
within the target business system or when a user explicitly shares a map or individual
map layer through the ArcGIS Online account.
The main difference between this architecture and the cloud model is that when business
data is rendered over the map and the spatial data is stored in an on-premises database
and made available via ArcGIS for Server, it can also be used for standard map layers
and as a geometry source for rendering business system data. In this manner, proprietary
or sensitive spatial data can be housed and secured on-premises via ArcGIS for Server,
while less sensitive assets can be stored in ArcGIS Online. The presence of an on-
premises ArcGIS for Server installation does not, in and of itself, make any modifications
to the sharing, search, and security patterns that depend on ArcGIS Online.
Hybrid Cloud/On-Premises Model with ArcGIS Online and Portal for ArcGIS
In special circumstances, some organizations may use ArcGIS with highly sensitive
information. For example, organizations that handle personal health information or
intellectual property may be prohibited from transmitting information outside the
organizational firewall as a matter of policy. In this scenario, a hybrid architecture that
mixes on- and off-premises resources may serve as an acceptable implementation pattern.
Security
Under this architecture, the organization establishes and configures an on-premises
instance of Portal for ArcGIS to support collaboration and sharing within the
organization's own infrastructure. Portal for ArcGIS then serves as the repository for the
sharing model (including users, roles, and groups), supports the sharing and collaboration
features of the ArcGIS platform, and facilitates searches for data.
The organization may need to provide map content to a community of users or customers
outside the firewall. In this case, the organization can optionally set up an ArcGIS Online
Nexus account to facilitate the sharing of selected maps and datasets. Nexus users have
cloud-based, read-only access to all Esri basemaps, boundary map services, business
data, community/lifestyle data, and demographics information. An instance of StreetMap
Premium for ArcGIS is required to provide routing, geocoding, and drive-time analysis
services. Portal for ArcGIS must be configured to use these internal services.
The organization may elect to configure the use of enterprise logins via SAML and a
supported LDAP provider. The customer may further elect to require SSL for all
communication with the ArcGIS Online Nexus account. An ArcGIS for Server instance
is required under this architecture.
Figure 7
Hybrid Cloud/On-Premises Model with ArcGIS Online and Portal for ArcGIS
This diagram depicts how ArcGIS would be integrated with a generic business system, where Portal for ArcGIS
is used to share highly sensitive information within the organizational firewall.
Security and Privacy Considerations
This architecture leverages the hosted geographic content, GeoEnrichment service
capabilities, and infographics available through ArcGIS Online; however, the architecture
moves the sharing model, search capabilities, and routing and geocoding on-premises
behind the organization's firewall. Under this model, maps may be composed of one to
many map layers that may be registered with Portal for ArcGIS. The map layers may be
local to the customer network, or they may be publicly accessible at an Internet location.
In either case, a simple request to get map data from a service URL is required.
Collaboration and sharing across the organization are facilitated by the use of Portal for
ArcGIS. Likewise, address information for geocoding operations also remains on-
premises through the implementation of StreetMap Premium for ArcGIS. The
organization still has the option to manually upload or register nonsensitive data to the
ArcGIS Online Nexus account.
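The data flows described in the "Security and Privacy Considerations" sections (map rendering, GeoEnrichment, routing and geocoding, sharing) can be checked against outbound proxy logs. The following Python sketch is an added example, not Esri code: it classifies each request by interaction type and flags those that send business data outside the firewall or travel without HTTPS. The log format, host names, internal suffix, and path markers are all assumptions to be replaced with your deployment's values.

```python
from urllib.parse import urlsplit

# Assumption: hosts under these suffixes sit inside the organization's firewall
# (on-premises ArcGIS for Server, Portal for ArcGIS, StreetMap Premium).
INTERNAL_SUFFIXES = (".corp.example",)

# (interaction, lowercase path marker, HTTP methods that carry business data).
# Markers are assumed from ArcGIS REST service-type names; adjust them to the
# endpoints your deployment actually calls. First match wins.
RULES = [
    ("sharing",       "/sharing/rest/content", {"POST"}),         # data snapshot upload
    ("geocoding",     "/geocodeserver",        {"GET", "POST"}),  # street addresses
    ("routing",       "/naserver",             {"GET", "POST"}),  # stops and addresses
    ("geoenrichment", "/geoenrichmentserver",  set()),            # geometry, variable names
    ("map_rendering", "/mapserver",            set()),            # URLs, projection, extent
    ("map_rendering", "/featureserver",        set()),
]

# Constructed sample log, one "METHOD URL" pair per line.
SAMPLE_LOG = """\
GET https://services.gis-cloud.example/arcgis/rest/services/Basemap/MapServer/tile/5/12/9
GET http://geocode.gis-cloud.example/arcgis/rest/services/World/GeocodeServer/findAddressCandidates?SingleLine=1+Main+St
POST https://geocode.corp.example/arcgis/rest/services/StreetMap/GeocodeServer/geocodeAddresses
POST https://enrich.gis-cloud.example/arcgis/rest/services/World/geoenrichmentserver/GeoEnrichment/enrich
POST https://www.gis-cloud.example/sharing/rest/content/users/analyst1/addItem
GET https://www.gis-cloud.example/sharing/rest/content/items/abc123
"""


def classify(line):
    """Classify one 'METHOD URL' log line and list policy findings for it."""
    fields = line.split(None, 1)
    if len(fields) != 2:
        return {"kind": "unparsed", "internal": False, "findings": ["unparsed"]}
    method, url = fields[0].upper(), fields[1].strip()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    kind, data_methods = "other", set()
    for name, marker, methods in RULES:
        if marker in path:
            kind, data_methods = name, methods
            break
    internal = host.endswith(INTERNAL_SUFFIXES)
    findings = []
    if not internal:  # only traffic that crosses the firewall is of interest
        if method in data_methods:
            findings.append("business-data-egress")
        if parts.scheme != "https":
            findings.append("cleartext")
    return {"kind": kind, "internal": internal, "findings": findings}


def audit(log_text):
    """Return (line_number, kind, findings) for every line with a finding."""
    flagged = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if line.strip():
            result = classify(line)
            if result["findings"]:
                flagged.append((number, result["kind"], result["findings"]))
    return flagged


if __name__ == "__main__":
    for entry in audit(SAMPLE_LOG):
        print(entry)
```

In the hybrid and on-premises models, geocoding hits should all resolve to internal hosts; any remaining "business-data-egress" finding points to hosted geocoding or an explicit share.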
On-Premises Model with Portal for ArcGIS
For some clients, a full on-premises implementation of ArcGIS is warranted either due to
the extreme sensitivity of location and other business data transmitted online or due to
completely disconnected network architectures whereby users have an internal network
but no access to the Internet from within the organization's infrastructure. In these rare
circumstances, an on-premises architecture is possible—one that includes many of the
key features of the Esri platform, albeit with reduced functionality.*
*GeoEnrichment service and infographics are not available with this configuration.
Security
Under this architecture, the customer establishes and configures an instance of Portal for
ArcGIS to support collaboration and sharing within the organization's own infrastructure.
Portal for ArcGIS serves as the repository for the sharing model (including users, roles,
and groups), supports collaboration across the ArcGIS platform, and facilitates searches
for data. An optional ArcGIS Online Nexus account can be set up to facilitate sharing of
selected maps and datasets as needed.
Data Appliance for ArcGIS is required to provide the customer with access to all Esri
basemaps, boundary map services, and other standard data offerings. An instance of
StreetMap Premium for ArcGIS is required to provide routing, geocoding, and drive-time
analysis services. Portal for ArcGIS is configured to use these internal services.
Figure 8
On-Premises Model with Portal for ArcGIS
This diagram depicts how ArcGIS would be integrated with a generic business system on-premises.
Security and Privacy Considerations
Beyond standard security considerations critical in any networked computing
environment, the risk for accidental disclosure of sensitive information under this
architecture is low. However, users can still share data to the ArcGIS Online Nexus
account if one is configured.
Conclusion
There are four common implementation models for ArcGIS:
1. Cloud Model with ArcGIS Online
2. Hybrid Cloud/On-Premises Model with ArcGIS Online and ArcGIS for Server
3. Hybrid Cloud/On-Premises Model with ArcGIS Online and Portal for ArcGIS
4. On-Premises Model with Portal for ArcGIS
These different configurations address an organization's specific needs with regard to
data sensitivity and basic security concerns about sharing maps and geographic data
assets.
Each implementation model can be integrated with existing enterprise business
intelligence, customer relationship management, and office collaboration and
productivity systems to help organizations discover, use, make, and share maps and
geographic data anywhere, on any device, at any time.
For more information, contact your local Esri office.