Security in the Cloud: Protecting Your Business in a Cloud 2 World

There is no finish line to building the right security. And security is the foundation of success. Join this hard-hitting session to learn tips and best practices for ensuring data integrity and systems security in your organization.

  • JIM Note: be brief on this slide – get into meat on subsequent slides
  • - Our cloud infrastructure starts with our Multitenant Kernel that manages a single, shared infrastructure of over 55,000 companies
    - Because we have only one version of our application and a single, multitenant infrastructure, we are able to focus all of our efforts and investment to make it better every day
    - The result is greater success for our customers with the latest technology and best performing infrastructure in the industry
  • - Force.com also has sandboxes for development, testing and training.
    - Each user can have their own copy of the data and configuration of your production environment.
    - This allows you to build and test applications without touching the production system, which most governance policies require.
  • - We believe that transparency drives accountability.
    - You can always see security, performance and availability data at trust.salesforce.com
    - If there’s ever a problem we will be in constant communication with you until the issue is resolved.

Security in the Cloud: Protecting Your Business in a Cloud 2 World Presentation Transcript

  • Security in the Cloud: Protecting Your Business in a Cloud World
    IT Professionals
    Jim Cavalieri: SVP & Chief Trust Officer, salesforce.com
  • Safe Harbor
    Safe harbor statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.
    The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of intellectual property and other litigation, risks associated with possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year ended January 31, 2010. This document and others are available on the SEC Filings section of the Investor Information section of our Web site.
    Any unreleased services or features referenced in this or other press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
  • Agenda
    How Salesforce defines “trust”
    How Salesforce manages security for customers
    How customers manage security with Salesforce features
    Malware and Phishing
    Resources Available
  • What is Trust?
    Trust means having …
    High Reliability
    High Performance
    High Security
    [Charts: Quarterly Transactions (billions); Page Response Times (ms)]
  • Trust is Enhanced by Cloud Computing
    Cloud computing is democratic
    Broad set of security features
    All customers benefit from security enhancements
    Cloud computing is flexible
    Features can be tuned to match sensitivity of data being stored
    Cloud computing is simple
    Removes patching headaches
    Economies of scale and speed
  • Trust Requires a Strong Infrastructure
  • And Trust Requires a Security Strategy
    Operations
    Products
    Defense-in-depth approach
    Commitment to investment
    Transparency about security
    Partnership with the industry
    Leader in Cloud Computing
    Breadth-of-Options approach
    Commitment to security usability
    Transparency about security
    Partnership with our customers
  • Agenda
    How Salesforce defines “trust”
    How Salesforce manages security for customers
    How customers manage security with Salesforce features
    Malware and Phishing
    Resources Available
  • Trust Team Organization
    Technology Audit & Compliance
    Corporate & Physical Security
    Enterprise Risk Management
    Product Security
    Information Security
    Privacy
  • Information Security Management System
    • Policies structured around ISO27002 framework
    • Board and executive commitment to security governance
    • Security awareness and targeted training conducted routinely
    Policies
    Guidelines
    Procedures
    Standards
  • Operational Security Controls
  • Infrastructure Security Controls
  • Secure Software Development Lifecycle
  • Multitenant Kernel Application Security
    Continuous Advancement
    Single Multitenant Infrastructure & Kernel
    Your Success
    Security
    Performance
    Reliability
    Upgrades
    Scale
    87,200 Customers
    Latest Technology
    Highest Performance & Security
    Real-time Provisioning
    No Hassle Upgrades
  • Mobile Security
    General Salesforce Mobile application security
    Passcode lockout
    Remote application data wipe
    Sharing model enforced
    SQLite
    “SQLite with encryption” database engine
    Passwords
    No stored passwords
    OAuth1 access tokens (CRM Mobile)
    OAuth2 refresh tokens (Chatter Mobile)
    URLs
    Basic tests on URLs for malicious code
  • Agenda
    How Salesforce defines “trust”
    How Salesforce manages security for customers
    How customers manage security with Salesforce features
    Malware and Phishing
    Resources Available
  • Customer Controlled Security Features
  • Sophisticated Sharing Model
  • CRUD and Field Level Security
    Limit a user to read-only access to a field, or hide the field entirely
    Set Read, Create, Edit and Delete access for all Force.com objects
  • Authentication Options
    Salesforce native
    Delegated Authentication
    SAML 1.1 and SAML 2.0
  • Trusted Networks
    Restrict login by IP range
    Specify trusted networks
  • Login History Log
  • Setup Audit Trail Log
    What it monitors
    Weekly data export requests
    Multiple currency setup changes
    User, role, and profile changes
    Public groups, organization-wide sharing, and sharing rule changes
    Password policy changes
    Mass delete, mass transfer, and import wizard
    Other changes as documented in online help
    180 days of setup history
    Date of the change
    User that made the change
    What the change was
  • Object History Tracking
  • Compliance BCC
    Facilitates monitoring all outbound emails
    Automatically send a hidden copy of each outbound email message to an email address you specify
    Prevents users from editing the BCC field on any email and disables their Automatic Bcc setting
    Allows for monitoring of emails with Data Loss Prevention tools
  • Eliminate Risk in Deployment
    Fully Replicated Development Environments
    Support any IT Governance Strategy
    Production-class Infrastructure
    One Click Import/Refresh of Your Production Data
    Refresh Anytime
    Production
    Development
    Testing
    Training
    Sandbox Environments
  • Encrypted Custom Fields & APEX Encryption
    Can be used to protect
    Non-public personally identifying information (NPPI)
    Credit Card numbers
    National identification numbers such as SSN
    Has some limitations
    Must be enabled by customer support
    See online help for further information
  • User Permissions
    Export reports (and printable view)
    Run reports
    Mass email
    View encrypted data (if encrypted fields enabled)
  • CAPTCHA for Reports and Export
    Requires users to complete a CAPTCHA
    Covers report export, printable list views, and weekly export
    Challenges once per session
    Protects against some types of malware
    Contact Salesforce Support to have it enabled
  • Automated User Management
    Integrate with internal user management software
    E.g., Active Directory
    Single source of user information / status
    Integration options
    Build your own using the Salesforce API (Users, Profiles)
    Use a Partner offering
  • APEX Callouts/Outbound Messaging
    APEX triggers
    Before or After insert, update or delete or after undelete
    Send an outbound message to your security event monitoring system
  • Portal Health Check Report
    Easily monitor portal access
    Sensitive administrative and user permissions
    Object permissions and field level security
    Organization-wide default settings
    Sharing rules
    Your Company
    Your Partners
  • Security Health Check Application
  • Agenda
    How Salesforce defines “trust”
    How Salesforce manages security for customers
    How customers manage security with Salesforce features
    Malware and Phishing
    Resources Available
  • Malware & Phishing
    Social Engineering is a Serious Threat
    1. User receives email
    2. Malicious software installs itself on PC
    3. Malware tracks user and steals data
  • Identity Confirmation
    The ability for an end-user to activate additional IP addresses for accessing Salesforce
    Only necessary if IP address is unknown and browser cookie does not exist
    Simple activation procedures
    Any computer that will be used to access Salesforce through the Web interface
    Web Clients
  • Customers Must Still Secure Employee Systems
  • Mitigation is a Joint Effort
    Customers need to:
    Educate users about security
    Secure employee systems
    Implement customer controlled security features commensurate with the sensitivity of the data being stored in Salesforce
    Call support and specify a security contact for your company
  • Agenda
    How Salesforce defines “trust”
    How Salesforce manages security for customers
    How customers manage security with Salesforce features
    Malware and Phishing
    Resources Available
  • Extensive Resources Available
    Security Implementation Guide
    Trust site
    trust.salesforce.com
    Developer site
    developer.force.com
    Online Help
    Professional Services
    AppExchange partner applications
    Security Health Check AppExchange application
  • Transparent Information
    Live System Status
    Security Best Practices
    Privacy Overview
    Historical Performance
  • Jim Cavalieri
    SVP & Chief Trust Officer, salesforce.com
    jcavalieri [at] salesforce [dot] com
    415-901-7013