Security in the Cloud: Protecting Your Business in a Cloud 2 World

There is no finish line to building the right security. And security is the foundation of success. Join this hard-hitting session to learn tips and best practices for ensuring data integrity and systems security in your organization.

Published in: Business

  • JIM Note: be brief on this slide – get into meat on subsequent slides
  • Our cloud infrastructure starts with our Multitenant Kernel that manages a single, shared infrastructure of over 55,000 companies. Because we have only one version of our application and a single, multitenant infrastructure, we are able to focus all of our efforts and investment to make it better every day. The result is greater success for our customers with the latest technology and best performing infrastructure in the industry.
  • Force.com also has sandboxes for development, testing and training. Each user can have their own copy of the data and configuration of your production environment. This allows you to build and test applications without touching the production system, which most governance policies require.
  • We believe that transparency drives accountability. You can always see security, performance and availability data at trust.salesforce.com. If there’s ever a problem we will be in constant communication with you until the issue is resolved.
  • Transcript

    • 1. Security in the Cloud: Protecting Your Business in a Cloud World
      IT Professionals
      Jim Cavalieri: SVP & Chief Trust Officer, salesforce.com
    • 2. Safe Harbor
      Safe harbor statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.
      The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of intellectual property and other litigation, risks associated with possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year ended January 31, 2010. This document and others are available on the SEC Filings section of the Investor Information section of our Web site.
      Any unreleased services or features referenced in this or other press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
    • 3. Agenda
      How Salesforce defines “trust”
      How Salesforce manages security for customers
      How customers manage security with Salesforce features
      Malware and Phishing
      Resources Available
    • 4. Agenda
      How Salesforce defines “trust”
      How Salesforce manages security for customers
      How customers manage security with Salesforce features
      Malware and Phishing
      Resources Available
    • 5. What is Trust?
      Trust means having …
      High Reliability
      High Performance
      High Security
      [Charts: Quarterly Transactions (billions); Page Response Times (ms)]
    • 6. Trust is Enhanced by Cloud Computing
      Cloud computing is democratic
      Broad set of security features
      All customers benefit from security enhancements
      Cloud computing is flexible
      Features can be tuned to match sensitivity of data being stored
      Cloud computing is simple
      Removes patching headaches
      Economies of scale and speed
    • 7. Trust Requires a Strong Infrastructure
    • 8. And Trust Requires a Security Strategy
      Operations
      Products
      Defense-in-depth approach
      Commitment to investment
      Transparency about security
      Partnership with the industry
      Leader in Cloud Computing
      Breadth-of-Options approach
      Commitment to security usability
      Transparency about security
      Partnership with our customers
    • 9. Agenda
      How Salesforce defines “trust”
      How Salesforce manages security for customers
      How customers manage security with Salesforce features
      Malware and Phishing
      Resources Available
    • 10. Trust Team Organization
      Technology Audit & Compliance
      Corporate & Physical Security
      Enterprise Risk Management
      Product Security
      Information Security
      Privacy
    • 11. Information Security Management System
      Policies structured around ISO27002 framework
      Board and executive commitment to security governance
      Security awareness and targeted training conducted routinely
      Policies
      Guidelines
      Procedures
      Standards
    • 14. Operational Security Controls
    • 15. Infrastructure Security Controls
    • 16. Secure Software Development Lifecycle
    • 17. Multitenant Kernel Application Security
      Continuous Advancement
      Single Multitenant Infrastructure & Kernel
      Your Success
      Security
      Performance
      Reliability
      Upgrades
      Scale
      87,200 Customers
      Latest Technology
      Highest Performance & Security
      Real-time Provisioning
      No Hassle Upgrades
    • 18. Mobile Security
      General Salesforce Mobile application security
      Passcode lockout
      Remote application data wipe
      Sharing model enforced
      SQLite
      “SQLite with encryption” database engine
      Passwords
      No stored passwords
      OAuth1 access tokens (CRM Mobile)
      OAuth2 refresh tokens (Chatter Mobile)
      URLs
      Basic tests on URLs for malicious code
    • 19. Agenda
      How Salesforce defines “trust”
      How Salesforce manages security for customers
      How customers manage security with Salesforce features
      Malware and Phishing
      Resources Available
    • 20. Customer Controlled Security Features
    • 21. Customer Controlled Security Features
    • 22. Sophisticated Sharing Model
    • 23. CRUD and Field Level Security
      Limit a user to read-only access to a field, or hide the field entirely
      Set Read, Create, Edit and Delete access for all Force.com objects
    • 24. Authentication Options
      Salesforce native
      Delegated Authentication
      SAML 1.1 and SAML 2.0
    • 25. Trusted Networks
      Restrict login by IP range
      Specify trusted networks
    • 26. Login History Log
    • 27. Setup Audit Trail Log
      What it monitors
      Weekly data export requests
      Multiple currency setup changes
      User, role, and profile changes
      Public groups, organization-wide sharing, and sharing rule changes
      Password policy changes
      Mass delete, mass transfer, and import wizard
      Other changes as documented in online help
      180 days of setup history
      Date of the change
      User that made the change
      What the change was
    • 28. Object History Tracking
    • 29. Compliance BCC
      Facilitates monitoring all outbound emails
      Automatically send a hidden copy of each outbound email message to an email address you specify
      Prevents users from editing the BCC field on any email and disables their Automatic Bcc setting
      Allows for monitoring of emails with Data Loss Prevention tools
    • 30. Eliminate Risk in Deployment
      Fully Replicated Development Environments
      Support any IT Governance Strategy
      Production-class Infrastructure
      One Click Import/Refresh of Your Production Data
      Refresh Anytime
      Production
      Development
      Testing
      Training
      Sandbox Environments
    • 31. Encrypted Custom Fields & APEX Encryption
      Can be used to protect
      Non-public personally identifying information (NPPI)
      Credit Card numbers
      National identification numbers such as SSN
      Has some limitations
      Must be enabled by customer support
      See online help for further information
    • 32. User Permissions
      Export reports (and printable view)
      Run reports
      Mass email
      View encrypted data (if encrypted fields enabled)
    • 33. CAPTCHA for Reports and Export
      Requires users to complete a CAPTCHA
      Covers report export, printable list views, and weekly export
      Challenges once per session
      Protects against some types of malware
      Contact Salesforce Support to have it enabled
    • 34. Automated User Management
      Integrate with internal user management software
      E.g., Active Directory
      Single source of user information / status
      Integration options
      Build your own using the Salesforce API (Users, Profiles)
      Use a Partner offering
    • 35. APEX Callouts/Outbound Messaging
      APEX triggers
      Before or After insert, update or delete or after undelete
      Send an outbound message to your security event monitoring system
    • 36. Portal Health Check Report
      Easily monitor portal access
      Sensitive administrative and user permissions
      Object permissions and field level security
      Organization-wide default settings
      Sharing rules
      Your Company
      Your Partners
    • 37. Security Health Check Application
    • 38. Agenda
      How Salesforce defines “trust”
      How Salesforce manages security for customers
      How customers manage security with Salesforce features
      Malware and Phishing
      Resources Available
    • 39. Malware & Phishing
      Social Engineering is a Serious Threat
      1. User receives email
      2. Malicious software installs itself on PC
      3. Malware tracks user and steals data
    • 40. Identity Confirmation
      The ability for an end-user to activate additional IP addresses for accessing Salesforce
      Only necessary if IP address is unknown and browser cookie does not exist
      Simple activation procedures
      Any computer that will be used to access Salesforce through the Web interface
      Web Clients
    • 41. Customers Must Still Secure Employee Systems
    • 42. Mitigation is a Joint Effort
      Customers need to:
      Educate users about security
      Secure employee systems
      Implement customer controlled security features commensurate with the sensitivity of the data being stored in Salesforce
      Call support and specify a security contact for your company
    • 43. Agenda
      How Salesforce defines “trust”
      How Salesforce manages security for customers
      How customers manage security with Salesforce features
      Malware and Phishing
      Resources Available
    • 44. Extensive Resources Available
      Security Implementation Guide
      Trust site
      trust.salesforce.com
      Developer site
      developer.force.com
      Online Help
      Professional Services
      AppExchange partner applications
      Security Health Check AppExchange application
    • 45. Transparent Information
      Live System Status
      Security Best Practices
      Privacy Overview
      Historical Performance
    • 46. Jim Cavalieri
      SVP & Chief Trust Officer, salesforce.com
      jcavalieri [at] salesforce [dot] com
      415-901-7013
    • 47. How Could Dreamforce Be Better? Tell Us!
      Log in to the Dreamforce app to submit surveys for the sessions you attended
      Use the Dreamforce Mobile app to submit surveys
      OR
      Every session survey you submit is a chance to win an iPod nano!