Securing hosted services
Security for ArcGIS Online hosted services is based on the ArcGIS Online sharing model. This means that a hosted service is only accessible to users and groups with which the service has been explicitly shared using the standard sharing dialog boxes. By default, a published service is private and is only accessible to the publisher. It is not available to others; for example, it does not appear in search results and isn't part of any group.
If you want to share your hosted service, you can share it with groups you belong to, your organization, or everybody (public). If a service is made public, it is accessible to everyone, including anonymous users, through an ArcGIS Online client such as the ArcGIS.com website and map viewer, ArcGIS Explorer Online, ArcGIS for iOS, and custom applications developed with the ArcGIS web APIs. Access to a hosted service that has not been made public requires that the service has been shared with a user (or an organization or group the user belongs to) and that the user is signed in to ArcGIS Online. This security model is enforced anytime the service is accessed.
If your organization has configured its subscription to prohibit sharing items outside your network, the option to share with everybody will not make your item visible to the public.
ArcGIS Online secures all access to your information. User identity is established through a login process that always takes place over an encrypted connection (HTTPS using Secure Sockets Layer, or SSL). Subsequent transactions require the token acquired at login and can take place over encrypted or unencrypted connections.
The organization administrator determines whether SSL is required for all transactions. See Configuring security settings for information on how to turn on SSL for your organization. The all-SSL solution supports maximum security and ensures that all data (for example, features and tiles), as well as authentication tokens, are encrypted during transport over the Internet. Encrypting data for transmission has a performance cost, which should be factored into the decision to enable this option.
SSL is intended for organizations that only access their own content and/or content from other SSL organizations. It is also possible for an organization to enable SSL and have its users access additional unencrypted content from outside the organization. However, not all applications support consuming web maps with mixed content, and this may result in a compromised user experience in the various map viewers. ArcGIS Explorer Online and other Microsoft Silverlight applications do not support mixed content. If, for example, you attempt to open a web map in ArcGIS Explorer Online as a member of an SSL organization and the map contains HTTP layers, those layers may appear broken.
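The mixed-content problem described above can be checked for before an organization turns on SSL. The following is an added example, not Esri code: it scans a web map's JSON for layers whose URL is not HTTPS, assuming the document keeps its layers under operationalLayers and baseMap.baseMapLayers, each with a url property. The sample map and host names are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample web map document (not taken from a real item).
SAMPLE_WEBMAP = json.loads("""
{
  "operationalLayers": [
    {"id": "parcels", "title": "Parcels",
     "url": "https://services.example.com/arcgis/rest/services/Parcels/FeatureServer/0"},
    {"id": "roads", "title": "Roads",
     "url": "http://gis.example.org/arcgis/rest/services/Roads/MapServer"},
    {"id": "grp", "title": "Utilities", "layerType": "GroupLayer",
     "layers": [
       {"id": "water", "title": "Water mains",
        "url": "HTTP://gis.example.org/arcgis/rest/services/Water/MapServer"}
     ]},
    {"id": "notes", "title": "Map notes", "featureCollection": {"layers": []}}
  ],
  "baseMap": {"baseMapLayers": [
    {"id": "base", "url": "https://tiles.example.com/arcgis/rest/services/Base/MapServer"}
  ]}
}
""")


def iter_layers(layers):
    """Yield every layer dict, descending into group layers."""
    for layer in layers or []:
        yield layer
        yield from iter_layers(layer.get("layers"))


def find_unencrypted_layers(webmap):
    """Return (id, title, url) for each layer whose URL is not HTTPS."""
    candidates = list(iter_layers(webmap.get("operationalLayers")))
    candidates += list(iter_layers(webmap.get("baseMap", {}).get("baseMapLayers")))
    findings = []
    for layer in candidates:
        url = layer.get("url")
        if not url:
            continue  # e.g. feature collections stored inline have no URL
        if urlsplit(url).scheme.lower() != "https":
            findings.append((layer.get("id"), layer.get("title", ""), url))
    return findings


if __name__ == "__main__":
    for layer_id, title, url in find_unencrypted_layers(SAMPLE_WEBMAP):
        print(f"{layer_id}\t{title}\t{url}")
```

Any layer this reports would be requested over an unencrypted connection, which is where viewers that do not support mixed content show broken layers.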