Security for hosted web layers is based on the Portal for ArcGIS sharing model. This means that a hosted web layer is only accessible to users and groups with which it has been explicitly shared using the standard sharing dialog boxes. By default, a hosted web layer is private when it is first published and is only accessible to the publisher. It is not available to others; for example, it does not appear in search results and isn't part of any group.
If you want to share your hosted web layer, you can share it with groups you belong to, your organization, or everyone (public). If a hosted web layer is made public, it is accessible by anyone with access to the web layer's URL, including clients such as the portal website and map viewer, ArcGIS apps, and custom apps developed with the ArcGIS Web APIs. Access to a hosted web layer that has not been made public requires that the layer be shared with an organization or group. Once members of that organization or group sign in to their portal, the hosted web layer is available to them. This security model is enforced every time the hosted web layer is accessed.
Portal for ArcGIS secures all access to your information. User identity is established through a login process that always takes place over an encrypted connection (HTTPS). Subsequent transactions require the token acquired at sign-in and can take place over encrypted or unencrypted connections.
The organization administrator determines whether HTTPS is required for all transactions. The all-HTTPS solution supports maximum security and ensures that all data (for example, features and tiles), as well as authentication tokens, are encrypted during transport over the Internet. Encrypting data for transmission has a performance cost, which should be factored into the decision to enable this option.
HTTPS is intended for organizations that only access their own content or content from other HTTPS organizations. It is also possible for an organization to enable HTTPS and have its users access additional unencrypted content from outside the organization. However, not all apps support consuming maps with mixed content, and this may result in a compromised user experience in the various map viewers. Microsoft Silverlight apps do not support mixed content. If, for example, you attempt to open a map in a Silverlight app as a member of an HTTPS organization and the map contains HTTP layers, those layers may appear broken.
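
One way to find mixed content before users hit broken layers is to scan a web map's JSON for layer URLs that are still plain HTTP. The following is an added example, not Esri code; it assumes the map document stores each layer as a JSON object with `url` and `title` keys (as in the ArcGIS web map format), and the sample map and host names are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample web map (hypothetical hosts), one HTTPS layer, two HTTP layers.
SAMPLE_WEBMAP = json.loads("""
{
  "operationalLayers": [
    {"id": "parcels", "title": "Parcels",
     "url": "https://portal.example.com/server/rest/services/Hosted/Parcels/FeatureServer/0"},
    {"id": "grp", "title": "Reference", "layerType": "GroupLayer", "layers": [
      {"id": "roads", "title": "Roads",
       "url": "http://gis.example.org/arcgis/rest/services/Roads/MapServer"}
    ]}
  ],
  "baseMap": {"baseMapLayers": [
    {"id": "base", "title": "Imagery",
     "url": "HTTP://tiles.example.net/arcgis/rest/services/Imagery/MapServer"}
  ]}
}
""")

def iter_layers(node, path="webmap"):
    """Yield (json_path, obj) for every object in the document that has a 'url'."""
    if isinstance(node, dict):
        if isinstance(node.get("url"), str):
            yield path, node
        for key, value in node.items():
            yield from iter_layers(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_layers(item, f"{path}[{i}]")

def find_http_layers(webmap):
    """Return one finding per layer whose URL uses unencrypted HTTP."""
    findings = []
    for path, layer in iter_layers(webmap):
        parts = urlsplit(layer["url"].strip())  # scheme and host are lowercased
        if parts.scheme == "http":
            findings.append({"path": path,
                             "title": layer.get("title", layer.get("id", "?")),
                             "host": parts.hostname})
    return findings

if __name__ == "__main__":
    for f in find_http_layers(SAMPLE_WEBMAP):
        print(f"{f['path']}: '{f['title']}' is served over HTTP from {f['host']}")
```

Layers nested inside group layers are covered because the walk is recursive, and an upper-case `HTTP://` scheme is still caught.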