
Security in the Cloud: Protecting Your Business in a Cloud 2 World

There is no finish line to building the right security. And security is the foundation of success. Join this hard-hitting session to learn tips and best practices for ensuring data integrity and systems security in your organization.

  • JIMNote: be brief on this slide – get into meat on subsequent slides
  • - Our cloud infrastructure starts with our Multitenant Kernel that manages a single, shared infrastructure of over 55,000 companies.
    - Because we have only one version of our application and a single, multitenant infrastructure, we are able to focus all of our efforts and investment to make it better every day.
    - The result is greater success for our customers with the latest technology and best performing infrastructure in the industry.
  • - Force.com also has sandboxes for development, testing and training.
    - Each user can have their own copy of the data and configuration of your production environment.
    - This allows you to build and test applications without touching the production system, which most governance policies require.
  • - We believe that transparency drives accountability.
    - You can always see security, performance and availability data at trust.salesforce.com.
    - If there’s ever a problem we will be in constant communication with you until the issue is resolved.
  • Transcript of "Security in the Cloud: Protecting Your Business in a Cloud 2 World"

    1. Security in the Cloud: Protecting Your Business in a Cloud World
       - IT Professionals
       - Jim Cavalieri: SVP & Chief Trust Officer, salesforce.com
    2. Safe Harbor
       Safe harbor statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.
       The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of intellectual property and other litigation, risks associated with possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year ended January 31, 2010. These documents and others are available on the SEC Filings section of the Investor Information section of our Web site.
       Any unreleased services or features referenced in this or other press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
    3. Agenda
       - How Salesforce defines “trust”
       - How Salesforce manages security for customers
       - How customers manage security with Salesforce features
       - Malware and Phishing
       - Resources Available
    4. Agenda
       - How Salesforce defines “trust”
       - How Salesforce manages security for customers
       - How customers manage security with Salesforce features
       - Malware and Phishing
       - Resources Available
    5. What is Trust?
       - Trust means having …
       - High Reliability
       - High Performance
       - High Security
       - Quarterly Transactions (billions)
       - Page Response Times (ms)
    6. Trust is Enhanced by Cloud Computing
       - Cloud computing is democratic
       - Broad set of security features
       - All customers benefit from security enhancements
       - Cloud computing is flexible
       - Features can be tuned to match sensitivity of data being stored
       - Cloud computing is simple
       - Removes patching headaches
       - Economies of scale and speed
    7. Trust Requires a Strong Infrastructure
    8. And Trust Requires a Security Strategy
       - Operations
       - Products
       - Defense-in-depth approach
       - Commitment to investment
       - Transparency about security
       - Partnership with the industry
       - Leader in Cloud Computing
       - Breadth-of-Options approach
       - Commitment to security usability
       - Transparency about security
       - Partnership with our customers
    9. Agenda
       - How Salesforce defines “trust”
       - How Salesforce manages security for customers
       - How customers manage security with Salesforce features
       - Malware and Phishing
       - Resources Available
    10. Trust Team Organization
       - Technology Audit & Compliance
       - Corporate & Physical Security
       - Enterprise Risk Management
       - Product Security
       - Information Security
       - Privacy
    11. Information Security Management System
       - Policies structured around ISO27002 framework
    12. Board and executive commitment to security governance
    13. Security awareness and targeted training conducted routinely
       - Policies
       - Guidelines
       - Procedures
       - Standards
    14. Operational Security Controls
    15. Infrastructure Security Controls
    16. Secure Software Development Lifecycle
    17. Multitenant Kernel Application Security
       - Continuous Advancement
       - Single Multitenant Infrastructure & Kernel
       - Your Success
       - Security
       - Performance
       - Reliability
       - Upgrades
       - Scale
       - 87,200 Customers
       - Latest Technology
       - Highest Performance & Security
       - Real-time Provisioning
       - No Hassle Upgrades
    18. Mobile Security
       - General Salesforce Mobile application security
       - Passcode lockout
       - Remote application data wipe
       - Sharing model enforced
       - SQLite
       - “SQLite with encryption” database engine
       - Passwords
       - No stored passwords
       - OAuth1 access tokens (CRM Mobile)
       - OAuth2 refresh tokens (Chatter Mobile)
       - URLs
       - Basic tests on URLs for malicious code
    19. Agenda
       - How Salesforce defines “trust”
       - How Salesforce manages security for customers
       - How customers manage security with Salesforce features
       - Malware and Phishing
       - Resources Available
    20. Customer Controlled Security Features
    21. Customer Controlled Security Features
    22. Sophisticated Sharing Model
    23. CRUD and Field Level Security
       - Limit a user to read-only access to a field, or hide the field entirely
       - Set Read, Create, Edit and Delete access for all Force.com objects
    24. Authentication Options
       - Salesforce native
       - Delegated Authentication
       - SAML 1.1 and SAML 2.0
    25. Trusted Networks
       - Restrict login by IP range
       - Specify trusted networks
    26. Login History Log
    27. Setup Audit Trail Log
       - What it monitors
       - Weekly data export requests
       - Multiple currency setup changes
       - User, role, and profile changes
       - Public groups, organization-wide sharing, and sharing rule changes
       - Password policy changes
       - Mass delete, mass transfer, and import wizard
       - Other changes as documented in online help
       - 180 days of setup history
       - Date of the change
       - User that made the change
       - What the change was
    28. Object History Tracking
    29. Compliance BCC
       - Facilitates monitoring all outbound emails
       - Automatically send a hidden copy of each outbound email message to an email address you specify
       - Prevents users from editing the BCC field on any email and disables their Automatic Bcc setting
       - Allows for monitoring of emails with Data Loss Prevention tools
    30. Eliminate Risk in Deployment
       - Fully Replicated Development Environments
       - Support any IT Governance Strategy
       - Production-class Infrastructure
       - One Click Import/Refresh of Your Production Data
       - Refresh Anytime
       - Production
       - Development
       - Testing
       - Training
       - Sandbox Environments
    31. Encrypted Custom Fields & APEX Encryption
       - Can be used to protect
       - Non-public personally identifying information (NPPI)
       - Credit Card numbers
       - National identification numbers such as SSN
       - Has some limitations
       - Must be enabled by customer support
       - See online help for further information
    32. User Permissions
       - Export reports (and printable view)
       - Run reports
       - Mass email
       - View encrypted data (if encrypted fields enabled)
    33. CAPTCHA for Reports and Export
       - Requires users to complete a CAPTCHA
       - Covers report export, printable list views, and weekly export
       - Challenges once per session
       - Protects against some types of malware
       - Contact Salesforce Support to have it enabled
    34. Automated User Management
       - Integrate with internal user management software
       - E.g., ActiveDirectory
       - Single source of user information / status
       - Integration options
       - Build your own using the Salesforce API (Users, Profiles)
       - Use a Partner offering
    35. APEX Callouts/Outbound Messaging
       - APEX triggers
       - Before or After insert, update or delete or after undelete
       - Send an outbound message to your security event monitoring system
    36. Portal Health Check Report
       - Easily monitor portal access
       - Sensitive administrative and user permissions
       - Object permissions and field level security
       - Organization-wide default settings
       - Sharing rules
       - Your Company
       - Your Partners
    37. Security Health Check Application
    38. Agenda
       - How Salesforce defines “trust”
       - How Salesforce manages security for customers
       - How customers manage security with Salesforce features
       - Malware and Phishing
       - Resources Available
    39. Malware & Phishing
       - Social Engineering is a Serious Threat
       - 1. User receives email
       - 2. Malicious software installs itself on PC
       - 3. Malware tracks user and steals data
    40. Identity Confirmation
       - The ability for an end-user to activate additional IP addresses for accessing Salesforce
       - Only necessary if IP address is unknown and browser cookie does not exist
       - Simple activation procedures
       - Any computer that will be used to access Salesforce through the Web interface
       - Web Clients
    41. Customers Must Still Secure Employee Systems
    42. Mitigation is a Joint Effort
       - Customers need to:
       - Educate users about security
       - Secure employee systems
       - Implement customer controlled security features commensurate with the sensitivity of the data being stored in Salesforce
       - Call support and specify a security contact for your company
    43. Agenda
       - How Salesforce defines “trust”
       - How Salesforce manages security for customers
       - How customers manage security with Salesforce features
       - Malware and Phishing
       - Resources Available
    44. Extensive Resources Available
       - Security Implementation Guide
       - Trust site: trust.salesforce.com
       - Developer site: developer.force.com
       - Online Help
       - Professional Services
       - AppExchange partner applications
       - Security Health Check AppExchange application
    45. Transparent Information
       - Live System Status
       - Security Best Practices
       - Privacy Overview
       - Historical Performance
    46. Jim Cavalieri
       - SVP & Chief Trust Officer, salesforce.com
       - jcavalieri [at] salesforce [dot] com
       - 415-901-7013
    47. How Could Dreamforce Be Better? Tell Us!
       - Log in to the Dreamforce app to submit surveys for the sessions you attended
       - Use the Dreamforce Mobile app to submit surveys
       - OR
       - Every session survey you submit is a chance to win an iPod nano!