Security in the Cloud: Protecting Your Business in a Cloud 2 World

Security in the CloudProtecting Your Business in a Cloud World
IT Professionals
Jim Cavalieri:SVP & Chief Trust Officer, salesforce.com

Safe Harbor
Safe harbor statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of intellectual property and other litigation, risks associated with possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year ended January 31, 2010. This documents and others are available on the SEC Filings section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.

Agenda
How Salesforce defines “trust”
How Salesforce manages security for customers
How customers manage security with Salesforce features
Malware and Phishing
Resources Available

Agenda
How Salesforcedefines “trust”
How customers manage security with Salesforcefeatures
Resources Available

High Reliability
High Performance
High Security
What is Trust?
Trust means having …
Quarterly Transactions
(billions)
Page Response Times (ms)

Trust is Enhanced by Cloud Computing
Cloud computing is democratic
Broad set of security features
All customers benefit from security enhancements
Cloud computing is flexible
Features can be tuned to match sensitivity of data being stored
Cloud computing is simple
Removes patching headaches
Economies of scale and speed

Trust Requires a Strong Infrastructure

And Trust Requires a Security Strategy
Operations
Products
Defense-in-depth approach
Commitment to investment
Transparency about security
Partnership with the industry
Leader in Cloud Computing
Breadth-of-Options approach
Commitment to security usability
Transparency about security
Partnership with our customers

Agenda
Resources Available

Trust Team Organization
Technology Audit & Compliance
Corporate & Physical Security
Enterprise Risk Management
Product Security
Information Security
Privacy

Information Security Management System
Policies structured around ISO27002 framework
Board and executive commitment to security governance
Security awareness and targeted training conducted routinely
Policies
Guidelines
Procedures
Standards

Operational Security Controls

Infrastructure Security Controls

Secure Software Development Lifecycle

Multitenant Kernel Application Security
Continuous Advancement
Single Multitenant Infrastructure & Kernel
Your Success
Security
Performance
Reliability
Upgrades
Scale
87,200 Customers
Latest Technology
Highest Performance & Security
Real-time Provisioning
No Hassle Upgrades

Mobile Security
General Salesforce Mobile application security
Passcode lockout
Remote application data wipe
Sharing model enforced
SQLite
“SQLite with encryption” database engine
Passwords
No stored passwords
OAuth1 access tokens (CRM Mobile)
Oauth2 refresh tokens (Chatter Mobile)
URLs
Basic tests on URLs for malicious code

Agenda
Resources Available

Customer Controlled Security Features

Sophisticated Sharing Model

CRUD and Field Level Security
Limit a user to read-only access to a field, or hide the field entirely
Set Read, Create, Edit and Delete access for all Force.com objects

Authentication Options
Salesforcenative
Delegated Authentication
SAML 1.1 and SAML 2.0

Trusted Networks
Restrict login by IP range
Specify trusted networks

Login History Log

Setup Audit Trail Log
What it monitors
Weekly data export requests
Multiple currency setup changes
User, role, and profile changes
Public groups, organization-wide sharing, and sharing rule changes
Password policy changes
Mass delete, mass transfer, and import wizard
Other changes as documented in online help
180 days of setup history
Date of the change
User that made the change
What the change was

Object History Tracking

Compliance BCC
Facilitates monitoring all outbound emails
Automatically send a hidden copy of each outbound email message to an email address you specify
Prevents users from editing the BCC field on any email and disables their Automatic Bcc setting
Allows for monitoring of emails with Data Loss Prevention tools

Eliminate Risk in Deployment
Fully Replicated Development Environments
Support any IT Governance Strategy
Production-class Infrastructure
One Click Import/Refresh of Your Production Data
Refresh Anytime
Production
Development
Testing
Training
Sandbox Environments

Encrypted Custom Fields & APEX Encryption
Can be used to protect
Non-public personally identifying information (NPPI)
Credit Card numbers
National identification numbers such as SSN
Has some limitations
Must be enabled by customer support
See online help for further information

User Permissions
Export reports (and printable view)
Run reports
Mass email
View encrypted data (if encrypted fields enabled)

CAPTCHA for Reports and Export
Requires users to complete a CAPTCHA
Covers report export, printable list views, and weekly export
Challenges once per session
Protects against some types of malware
Contact Salesforce Support
to have it enabled

Automated User Management
Integrate with internal user management software
E.g., ActiveDirectory
Single source of user information / status
Integration options
Build your own using the Salesforce API (Users, Profiles)
Use a Partner offering

APEX Callouts/Outbound Messaging
APEX triggers
Before or After insert, update or delete or after undelete
Send an outbound message to your security event monitoring system

Portal Health Check Report
Easily monitor portal access
Sensitive administrative and user permissions
Object permissions and field level security
Organization-wide default settings
Sharing rules
Your Company
Your Partners

Security Health Check Application

Agenda
Resources Available

Malware & Phishing
Social Engineering is a Serious Threat
2. Malicious software
installs itself on PC
1. User receives email
3. Malware tracks user and steals data

Identity Confirmation
The ability for an end-user to activate additional IP addresses for accessing Salesforce
Only necessary if IP address is unknown and browser cookie does not exist
Simple activation procedures
Any computer that will be used to access Salesforcethrough the Web interface
Web Clients

Customers Must Still Secure Employee Systems

Mitigation is a Joint Effort
Customers need to:
Educate users about security
Secure employee systems
Implement customer controlled security features commensurate with the sensitivity of the data being stored in Salesforce
Call support and specify a security contact for your company

Agenda
Resources Available

Extensive Resources Available
Security Implementation Guide
Trust site
trust.salesforce.com
Developer site
developer.force.com
Online Help
Professional Services
AppExchange partner applications
Security Health Check AppExchange application

Transparent Information
Live System Status
Security Best Practices
Privacy Overview
Historical Performance

Jim Cavalieri
SVP & Chief Trust Officer, salesforce.com
jcavalieri [at] salesforce [dot] com
415-901-7013

How Could Dreamforce Be Better? Tell Us!
Log in to the Dreamforce app to submit
surveys for the sessions you attended
Use the Dreamforce Mobile app to submit surveys
OR
Every session survey you submit is a chance to win an iPod nano!

Security in the Cloud: Protecting Your Business in a Cloud 2 World

by Salesforce

Accessibility

Categories

Upload Details

Usage Rights

Statistics