Salesforce Security: Zero Trust and Beyond
Let’s discuss Salesforce Security
Doug Merrett – Platinum7
Wellington Salesforce User Group Meetup
October 2023
What is Zero Trust? (Besides a buzzword)
• Zero Trust describes an approach to the strategy, design and implementation of IT systems.
• The main concept is "never trust, always verify."
• This brings about zero trust data security, where every request to access the data needs to be authenticated dynamically and least-privileged access to resources must be ensured.
• In order to determine if access can be granted, policies can be applied based on the attributes of the data, who the user is, and the type of environment, using Attribute-Based Access Control.
• This zero-trust data security approach can protect access to the data.
Source: https://en.wikipedia.org/wiki/Zero_trust_security_model
Hmmm… Not all hacks are complicated
Shared Responsibility Model
Salesforce does not do all of it for you…
Copyright © 2023 Platinum7
The slide shows the model as three stacked groups, each with a Foundational column and a Security column; only the last group is marked Customer:
• First group – International Infrastructure; Hardware, Compute, Storage; Scalability, Availability, Datacentre Security (Foundational / Security)
• Second group – Network (inc encryption), Server (inc encryption), Administrative; Capacity, High Availability, Disaster Recovery; Operational Management, Audits, Site Reliability, CSIRT; Secure SDLC (Foundational / Security)
• Third group, Org Level (Customer) – Persona Level, Record Level, Field Level; Performance, Monitor / Audit, Backup / Archive; Secure SDLC; Privacy / Data Gov (Foundational / Security)
Security is never “finished”
Assess Your Org Health → Secure Your Application → Secure Your Data → Improve Security Awareness (and back to Assess; it is a cycle)
Assessments
• Health Check
• Portal Health Check
• Optimizer
• Code Scan with Checkmarx/DigitSec S4/AutoRabit/Salesforce’s own Code Scanner
• Third parties (shameless plug)
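The Health Check and Optimizer reports tell you about settings, but not who actually holds the broad permissions the later slides ask you to cut back. The following anonymous-Apex audit is an added example (not part of the deck, and not Salesforce's tooling); it runs from the Developer Console or the CLI and lists permission sets and profiles granting View All Data, Modify All Data or API Enabled, with the number of active users who receive each grant, plus the active System Administrators. All object and field names are standard Salesforce metadata; only the output format is ours.

```apex
// Added example: permission audit in anonymous Apex (run as an admin).
List<String> findings = new List<String>();

// 1. Permission sets AND profiles that grant org-wide data access or API access.
//    A profile's permissions live in a permission set with IsOwnedByProfile = true,
//    so this single query covers both kinds of holder.
Map<Id, PermissionSet> broad = new Map<Id, PermissionSet>([
    SELECT Id, Label, IsOwnedByProfile, Profile.Name,
           PermissionsViewAllData, PermissionsModifyAllData, PermissionsApiEnabled
    FROM PermissionSet
    WHERE PermissionsViewAllData = true
       OR PermissionsModifyAllData = true
       OR PermissionsApiEnabled = true]);

// Count active assignees per permission set in one aggregate query (no SOQL in loops).
Map<Id, Integer> activeUsers = new Map<Id, Integer>();
for (AggregateResult ar : [
        SELECT PermissionSetId psId, COUNT(Id) n
        FROM PermissionSetAssignment
        WHERE PermissionSetId IN :broad.keySet() AND Assignee.IsActive = true
        GROUP BY PermissionSetId]) {
    activeUsers.put((Id) ar.get('psId'), (Integer) ar.get('n'));
}

for (PermissionSet ps : broad.values()) {
    String holder = ps.IsOwnedByProfile ? 'Profile "' + ps.Profile.Name + '"'
                                        : 'Permission set "' + ps.Label + '"';
    List<String> grants = new List<String>();
    if (ps.PermissionsViewAllData)   grants.add('View All Data');
    if (ps.PermissionsModifyAllData) grants.add('Modify All Data');
    if (ps.PermissionsApiEnabled)    grants.add('API Enabled');
    Integer n = activeUsers.containsKey(ps.Id) ? activeUsers.get(ps.Id) : 0;
    findings.add(holder + ' -> ' + String.join(grants, ', ') + ' (' + n + ' active users)');
}

// 2. Active System Administrators, oldest login first, so dormant admin accounts
//    (a favourite target) stand out. The deck's advice: there should not be many.
for (User u : [SELECT Username, LastLoginDate
               FROM User
               WHERE IsActive = true AND Profile.Name = 'System Administrator'
               ORDER BY LastLoginDate NULLS FIRST]) {
    findings.add('System Admin: ' + u.Username + ', last login ' + u.LastLoginDate);
}

System.debug(LoggingLevel.INFO, 'Permission audit:\n' + String.join(findings, '\n'));
```

Treat every line in the output as a question ("does this holder still need this?") rather than a finding in itself; integration users that are System Admins, which the next section calls out, will appear in the second list.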
Secure your Application
• Reconfigure broad sharing access (Public R/W, Public Read, …)
• Ensure Aura-based communities are protected: https://links.platinum7.com.au/Aura-Issue
• Reconfigure API Users that are System Admins
  • Especially with the new Integration User license
• Restrict access to Connected Apps with API Access Control
  • Raise a case with Salesforce Support to get it enabled
• Use Lightning Login to go passwordless
• Fix the code issues found by the Code Scanner
  • SOQL injections – where data from the UI/API is put into a SOQL query without protection
  • Stored XSS – where data from the database is shown in the UI without protection
Use Least Privilege principles
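The two scanner finding types named above look like this in Apex. The class below is an added example, not code from the deck or from Platinum7: each flagged pattern sits beside its fix, and the fixed queries also use `with sharing` and `WITH SECURITY_ENFORCED` so the controller honours record- and field-level access (the least-privilege point on the slide). `Contact.LastName` and `Case.Description` are standard fields; the class and method names are ours.

```apex
// Added example: SOQL injection and stored XSS, flagged pattern beside the fix.
public with sharing class SecureSearchController {   // with sharing: respect record-level sharing

    // FLAGGED (SOQL injection): caller-supplied text is spliced into the query string,
    // so a quote character in the input ends the literal and the remainder is parsed
    // as SOQL. The scanner reports every Database.query() built this way.
    public static List<Contact> findByLastNameUnsafe(String lastName) {
        String soql = 'SELECT Id, Name FROM Contact WHERE LastName = \'' + lastName + '\'';
        return Database.query(soql);
    }

    // FIX 1: a bind variable. The value reaches the query engine as data and is never
    // parsed as SOQL. WITH SECURITY_ENFORCED makes the query fail rather than return
    // fields the running user has no field-level access to.
    public static List<Contact> findByLastName(String lastName) {
        return [SELECT Id, Name FROM Contact
                WHERE LastName = :lastName
                WITH SECURITY_ENFORCED];
    }

    // FIX 2: when the query really must be assembled as a string (dynamic filters),
    // escape the user-supplied piece before concatenating it.
    public static List<Contact> findByLastNamePrefix(String prefix) {
        String soql = 'SELECT Id, Name FROM Contact WHERE LastName LIKE \''
                    + String.escapeSingleQuotes(prefix) + '%\' WITH SECURITY_ENFORCED';
        return Database.query(soql);
    }

    // FLAGGED (stored XSS): text saved earlier by someone else (a Case description typed
    // by a customer) is turned into HTML without encoding, so any markup in it runs in
    // the browser of whoever later views the page or email built from this string.
    public static String renderDescriptionUnsafe(Id caseId) {
        Case c = [SELECT Description FROM Case WHERE Id = :caseId WITH SECURITY_ENFORCED];
        return '<p>' + c.Description + '</p>';
    }

    // FIX: HTML-encode stored data at the point where it becomes HTML. Null-check first,
    // since Description is optional. (In Visualforce keep the default escape="true" on
    // apex:outputText; in LWC use template bindings instead of innerHTML.)
    public static String renderDescription(Id caseId) {
        Case c = [SELECT Description FROM Case WHERE Id = :caseId WITH SECURITY_ENFORCED];
        String body = c.Description == null ? '' : c.Description.escapeHtml4();
        return '<p>' + body + '</p>';
    }
}
```

Bind variables are the right default; `String.escapeSingleQuotes` is for the minority of queries whose shape is built at runtime. Note that `WITH SECURITY_ENFORCED` throws when access is missing, so callers should expect an exception rather than an empty list.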
Secure your Data
• Remove permissions not needed (View All Data, API Access, …)
• Use Event Monitoring’s Transaction Security policies to minimise data exfiltration
• Use data masking in sandboxes to lower the attack surface
  • Data Mask by Salesforce, DataMasker by Cloud Compliance or Data Masking by backup tools
• Use archiving/deletion to remove data you no longer need
• Don’t have too many System Admins
• Backup your data
• Look at Privacy and Consent
  • Embedded PII and other information
  • Look at David Norris’ Medium posts – https://dave-norris.medium.com or Blackthorn.io
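A Transaction Security policy is the Event Monitoring control the slide points to for exfiltration. The policy itself (created in Setup, with the Block or Notify action) only asks a condition class whether an event matches; the class below is an added example of such a condition for report exports, not from the deck and not one of Platinum7's policies. The `TxnSecurity.EventCondition` interface and the `ReportEvent` fields are standard; the 1,000-row threshold and the `Approved_Bulk_Export` permission set name are assumptions for the example.

```apex
// Added example: Transaction Security condition for large report exports.
// Match = export of more than N rows by a user who was not explicitly granted
// the bulk-export permission set. The policy decides whether a match blocks or notifies.
global class LargeReportExportCondition implements TxnSecurity.EventCondition {

    private static final Integer MAX_ROWS_WITHOUT_REVIEW = 1000;            // assumed threshold
    private static final String TRUSTED_PERM_SET = 'Approved_Bulk_Export';  // assumed API name

    public Boolean evaluate(SObject event) {
        ReportEvent re = (ReportEvent) event;

        // Only exports move data out of the org; on-screen report runs are left alone.
        if (re.Operation != 'ReportExported') {
            return false;
        }
        // Small exports are everyday business; the volume is what we gate on.
        if (re.RowsProcessed == null || re.RowsProcessed <= MAX_ROWS_WITHOUT_REVIEW) {
            return false;
        }
        // Least privilege on the exception path: the allowance is a permission set
        // granted deliberately, not a profile everyone happens to share.
        Integer trusted = [SELECT COUNT() FROM PermissionSetAssignment
                           WHERE AssigneeId = :re.UserId
                             AND PermissionSet.Name = :TRUSTED_PERM_SET];
        return trusted == 0;   // true = policy action fires
    }
}
```

Start such a policy in Notify mode and watch the alerts for a few weeks before switching to Block: the threshold that separates routine exports from exfiltration is specific to each org, and a blocking policy that fires on legitimate month-end reporting gets switched off quickly.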
Improve Security Awareness
• Educate users on Cybersecurity for home and work
• Educate Developers and Admins on security best practices
• Look at using new techniques in your development cycles
• Have a playbook for what to do in cyber events
• Look at frameworks – e.g. the NIST Cybersecurity Framework
Q&A
Please reach out if you have any questions –
I do not bite! And I am happy to have a chat
about anything security related…
Contact Details
• doug@platinum7.com.au
• +61 404 005 435
• https://www.platinum7.com.au
• https://doug-merrett.medium.com
Interesting information
Salesforce Security Information
• Architecture: https://architect.salesforce.com/well-architected/trusted/overview
• Security: https://developer.salesforce.com/developer-centers/security
• Code Scanner from Salesforce blog post:
https://www.linkedin.com/feed/update/urn:li:activity:6986508274858696704/
NIST Framework
• https://www.nist.gov/cyberframework
Platinum7 Salesforce Security Assessments
• https://www.platinum7.com.au/assessments : NFP get 10% discount
Companies to investigate
Backup
• OwnData (fka OwnBackup) and Odaseva are the top tier
• Salesforce has re-released their backup tool
Event Monitoring tools
• Imprivata’s FairWarning – prebuilt alerts and dashboards for Salesforce
• Platinum7 Event Storage – keep your logs “forever”
• Platinum7 Transaction Security Policies – complex and capable policies to block
data exfiltration
Let me know if you would like an introduction

More Related Content

Similar to Salesforce Security: Zero Trust and Beyond

Migrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitizedMigrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitizedUnifyCloud
 
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - SanitizedMigrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - SanitizedNorm Barber
 
Social Distance Your IBM i from Cybersecurity Risk
Social Distance Your IBM i from Cybersecurity RiskSocial Distance Your IBM i from Cybersecurity Risk
Social Distance Your IBM i from Cybersecurity RiskPrecisely
 
Top 5 security errors and how to avoid them - DEM06-S - Mexico City AWS Summit
Top 5 security errors and how to avoid them - DEM06-S - Mexico City AWS SummitTop 5 security errors and how to avoid them - DEM06-S - Mexico City AWS Summit
Top 5 security errors and how to avoid them - DEM06-S - Mexico City AWS SummitAmazon Web Services
 
110307 cloud security requirements gourley
110307 cloud security requirements gourley110307 cloud security requirements gourley
110307 cloud security requirements gourleyGovCloud Network
 
Top Azure security fails and how to avoid them
Top Azure security fails and how to avoid themTop Azure security fails and how to avoid them
Top Azure security fails and how to avoid themKarl Ots
 
SC-900 Concepts of Security, Compliance, and Identity
SC-900 Concepts of Security, Compliance, and IdentitySC-900 Concepts of Security, Compliance, and Identity
SC-900 Concepts of Security, Compliance, and IdentityFredBrandonAuthorMCP
 
Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...MongoDB
 
The Future of Data Management - the Enterprise Data Hub
The Future of Data Management - the Enterprise Data HubThe Future of Data Management - the Enterprise Data Hub
The Future of Data Management - the Enterprise Data HubDataWorks Summit
 
The Future of Hadoop Security - Hadoop Summit 2014
The Future of Hadoop Security - Hadoop Summit 2014The Future of Hadoop Security - Hadoop Summit 2014
The Future of Hadoop Security - Hadoop Summit 2014Cloudera, Inc.
 
Xylos Clients Day - Public cloud and security go hand in hand, if you approac...
Xylos Clients Day - Public cloud and security go hand in hand, if you approac...Xylos Clients Day - Public cloud and security go hand in hand, if you approac...
Xylos Clients Day - Public cloud and security go hand in hand, if you approac...Karim Vaes
 
Finding Security a Home in a DevOps World
Finding Security a Home in a DevOps WorldFinding Security a Home in a DevOps World
Finding Security a Home in a DevOps WorldShannon Lietz
 
Securely Harden Microsoft 365 with Secure Score
Securely Harden Microsoft 365 with Secure ScoreSecurely Harden Microsoft 365 with Secure Score
Securely Harden Microsoft 365 with Secure ScoreJoel Oleson
 
5 Security Questions To Ask A Cloud Service Provider
5 Security Questions To Ask A Cloud Service Provider5 Security Questions To Ask A Cloud Service Provider
5 Security Questions To Ask A Cloud Service ProviderTyrone Systems
 
IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future IBM
 
Top five security errors and how to avoid them - DEM09 - Santa Clara AWS Summ...
Top five security errors and how to avoid them - DEM09 - Santa Clara AWS Summ...Top five security errors and how to avoid them - DEM09 - Santa Clara AWS Summ...
Top five security errors and how to avoid them - DEM09 - Santa Clara AWS Summ...Amazon Web Services
 

Similar to Salesforce Security: Zero Trust and Beyond (20)

Migrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitizedMigrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
 
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - SanitizedMigrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
 
Social Distance Your IBM i from Cybersecurity Risk
Social Distance Your IBM i from Cybersecurity RiskSocial Distance Your IBM i from Cybersecurity Risk
Social Distance Your IBM i from Cybersecurity Risk
 
Top 5 security errors and how to avoid them - DEM06-S - Mexico City AWS Summit
Top 5 security errors and how to avoid them - DEM06-S - Mexico City AWS SummitTop 5 security errors and how to avoid them - DEM06-S - Mexico City AWS Summit
Top 5 security errors and how to avoid them - DEM06-S - Mexico City AWS Summit
 
110307 cloud security requirements gourley
110307 cloud security requirements gourley110307 cloud security requirements gourley
110307 cloud security requirements gourley
 
Top Azure security fails and how to avoid them
Top Azure security fails and how to avoid themTop Azure security fails and how to avoid them
Top Azure security fails and how to avoid them
 
SC-900 Concepts of Security, Compliance, and Identity
SC-900 Concepts of Security, Compliance, and IdentitySC-900 Concepts of Security, Compliance, and Identity
SC-900 Concepts of Security, Compliance, and Identity
 
Security Imeprative for iOS and Android Apps
Security Imeprative for iOS and Android AppsSecurity Imeprative for iOS and Android Apps
Security Imeprative for iOS and Android Apps
 
Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
The Future of Data Management - the Enterprise Data Hub
The Future of Data Management - the Enterprise Data HubThe Future of Data Management - the Enterprise Data Hub
The Future of Data Management - the Enterprise Data Hub
 
The Future of Hadoop Security - Hadoop Summit 2014
The Future of Hadoop Security - Hadoop Summit 2014The Future of Hadoop Security - Hadoop Summit 2014
The Future of Hadoop Security - Hadoop Summit 2014
 
Xylos Clients Day - Public cloud and security go hand in hand, if you approac...
Xylos Clients Day - Public cloud and security go hand in hand, if you approac...Xylos Clients Day - Public cloud and security go hand in hand, if you approac...
Xylos Clients Day - Public cloud and security go hand in hand, if you approac...
 
Datacenter 2014: Trend Micro - Bill MCGee
Datacenter 2014: Trend Micro - Bill MCGeeDatacenter 2014: Trend Micro - Bill MCGee
Datacenter 2014: Trend Micro - Bill MCGee
 
Finding Security a Home in a DevOps World
Finding Security a Home in a DevOps WorldFinding Security a Home in a DevOps World
Finding Security a Home in a DevOps World
 
Securely Harden Microsoft 365 with Secure Score
Securely Harden Microsoft 365 with Secure ScoreSecurely Harden Microsoft 365 with Secure Score
Securely Harden Microsoft 365 with Secure Score
 
5 Security Questions To Ask A Cloud Service Provider
5 Security Questions To Ask A Cloud Service Provider5 Security Questions To Ask A Cloud Service Provider
5 Security Questions To Ask A Cloud Service Provider
 
IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future
 
Top five security errors and how to avoid them - DEM09 - Santa Clara AWS Summ...
Top five security errors and how to avoid them - DEM09 - Santa Clara AWS Summ...Top five security errors and how to avoid them - DEM09 - Santa Clara AWS Summ...
Top five security errors and how to avoid them - DEM09 - Santa Clara AWS Summ...
 

More from Anna Loughnan Colquhoun

Anna Loughnan Top 10 Salesforce Apps for Christchurch Salesforce user group M...
Anna Loughnan Top 10 Salesforce Apps for Christchurch Salesforce user group M...Anna Loughnan Top 10 Salesforce Apps for Christchurch Salesforce user group M...
Anna Loughnan Top 10 Salesforce Apps for Christchurch Salesforce user group M...Anna Loughnan Colquhoun
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfAnna Loughnan Colquhoun
 
Winter24-Welly Release Overview - Stephen Stanley.pdf
Winter24-Welly Release Overview - Stephen Stanley.pdfWinter24-Welly Release Overview - Stephen Stanley.pdf
Winter24-Welly Release Overview - Stephen Stanley.pdfAnna Loughnan Colquhoun
 
SFWelly dreamforce wrap up September 2023
SFWelly dreamforce wrap up September 2023SFWelly dreamforce wrap up September 2023
SFWelly dreamforce wrap up September 2023Anna Loughnan Colquhoun
 
Summer23-Welly Release Highlights - Stephen Stanley.pdf
Summer23-Welly Release Highlights - Stephen Stanley.pdfSummer23-Welly Release Highlights - Stephen Stanley.pdf
Summer23-Welly Release Highlights - Stephen Stanley.pdfAnna Loughnan Colquhoun
 
Salesforce Wellington User Group - devops for admins by David Smith
Salesforce Wellington User Group - devops for admins by David SmithSalesforce Wellington User Group - devops for admins by David Smith
Salesforce Wellington User Group - devops for admins by David SmithAnna Loughnan Colquhoun
 
Emily McCowan - My CTA Journey - Wellington User Group
Emily McCowan - My CTA Journey - Wellington User GroupEmily McCowan - My CTA Journey - Wellington User Group
Emily McCowan - My CTA Journey - Wellington User GroupAnna Loughnan Colquhoun
 
Anna Loughnan - The Power of the Community, CodeCamp Wellington April 2023
Anna Loughnan - The Power of the Community, CodeCamp Wellington April 2023Anna Loughnan - The Power of the Community, CodeCamp Wellington April 2023
Anna Loughnan - The Power of the Community, CodeCamp Wellington April 2023Anna Loughnan Colquhoun
 
DevOps Journey - BCITO Te Pukenga Presentation - Copado additions v2.pdf
DevOps Journey - BCITO Te Pukenga Presentation - Copado additions v2.pdfDevOps Journey - BCITO Te Pukenga Presentation - Copado additions v2.pdf
DevOps Journey - BCITO Te Pukenga Presentation - Copado additions v2.pdfAnna Loughnan Colquhoun
 
Stephen Stanley - Spring 23 highlights.pdf
Stephen Stanley - Spring 23 highlights.pdfStephen Stanley - Spring 23 highlights.pdf
Stephen Stanley - Spring 23 highlights.pdfAnna Loughnan Colquhoun
 
First Steps to Salesforce Release Management & DevOps [Salesforce User Group,...
First Steps to Salesforce Release Management & DevOps [Salesforce User Group,...First Steps to Salesforce Release Management & DevOps [Salesforce User Group,...
First Steps to Salesforce Release Management & DevOps [Salesforce User Group,...Anna Loughnan Colquhoun
 
Dreamforce review Wellington Salesforce User Group October 2022
Dreamforce review Wellington Salesforce User Group October 2022Dreamforce review Wellington Salesforce User Group October 2022
Dreamforce review Wellington Salesforce User Group October 2022Anna Loughnan Colquhoun
 
Ministry of Health / Health NZ Public Health response to Covid using Salesforce
Ministry of Health / Health NZ Public Health response to Covid using SalesforceMinistry of Health / Health NZ Public Health response to Covid using Salesforce
Ministry of Health / Health NZ Public Health response to Covid using SalesforceAnna Loughnan Colquhoun
 
Salesforce Wellington User Group - August 2022 - Salesforce integration witho...
Salesforce Wellington User Group - August 2022 - Salesforce integration witho...Salesforce Wellington User Group - August 2022 - Salesforce integration witho...
Salesforce Wellington User Group - August 2022 - Salesforce integration witho...Anna Loughnan Colquhoun
 
Wellington Salesforce User Group - Summer 22 Release
Wellington Salesforce User Group - Summer 22 ReleaseWellington Salesforce User Group - Summer 22 Release
Wellington Salesforce User Group - Summer 22 ReleaseAnna Loughnan Colquhoun
 
March 2022 Salesforce Welly _ Chch meeting.pdf
March 2022 Salesforce Welly _ Chch meeting.pdfMarch 2022 Salesforce Welly _ Chch meeting.pdf
March 2022 Salesforce Welly _ Chch meeting.pdfAnna Loughnan Colquhoun
 
SFWelly user group spring '22 release highlights with Mel Macdonald
SFWelly user group spring '22 release highlights with Mel MacdonaldSFWelly user group spring '22 release highlights with Mel Macdonald
SFWelly user group spring '22 release highlights with Mel MacdonaldAnna Loughnan Colquhoun
 
Wellington Salesforce Trailblazer Community August 2021 Virtual Meeting with ...
Wellington Salesforce Trailblazer Community August 2021 Virtual Meeting with ...Wellington Salesforce Trailblazer Community August 2021 Virtual Meeting with ...
Wellington Salesforce Trailblazer Community August 2021 Virtual Meeting with ...Anna Loughnan Colquhoun
 

More from Anna Loughnan Colquhoun (20)

Anna Loughnan Top 10 Salesforce Apps for Christchurch Salesforce user group M...
Anna Loughnan Top 10 Salesforce Apps for Christchurch Salesforce user group M...Anna Loughnan Top 10 Salesforce Apps for Christchurch Salesforce user group M...
Anna Loughnan Top 10 Salesforce Apps for Christchurch Salesforce user group M...
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdf
 
Winter24-Welly Release Overview - Stephen Stanley.pdf
Winter24-Welly Release Overview - Stephen Stanley.pdfWinter24-Welly Release Overview - Stephen Stanley.pdf
Winter24-Welly Release Overview - Stephen Stanley.pdf
 
Eva Sherwood Dreamforce Reflections
Eva Sherwood Dreamforce ReflectionsEva Sherwood Dreamforce Reflections
Eva Sherwood Dreamforce Reflections
 
SFWelly dreamforce wrap up September 2023
SFWelly dreamforce wrap up September 2023SFWelly dreamforce wrap up September 2023
SFWelly dreamforce wrap up September 2023
 
SFWelly - Backups Presentation
SFWelly - Backups PresentationSFWelly - Backups Presentation
SFWelly - Backups Presentation
 
Summer23-Welly Release Highlights - Stephen Stanley.pdf
Summer23-Welly Release Highlights - Stephen Stanley.pdfSummer23-Welly Release Highlights - Stephen Stanley.pdf
Summer23-Welly Release Highlights - Stephen Stanley.pdf
 
Salesforce Wellington User Group - devops for admins by David Smith
Salesforce Wellington User Group - devops for admins by David SmithSalesforce Wellington User Group - devops for admins by David Smith
Salesforce Wellington User Group - devops for admins by David Smith
 
Emily McCowan - My CTA Journey - Wellington User Group
Emily McCowan - My CTA Journey - Wellington User GroupEmily McCowan - My CTA Journey - Wellington User Group
Emily McCowan - My CTA Journey - Wellington User Group
 
Anna Loughnan - The Power of the Community, CodeCamp Wellington April 2023
Anna Loughnan - The Power of the Community, CodeCamp Wellington April 2023Anna Loughnan - The Power of the Community, CodeCamp Wellington April 2023
Anna Loughnan - The Power of the Community, CodeCamp Wellington April 2023
 
DevOps Journey - BCITO Te Pukenga Presentation - Copado additions v2.pdf
DevOps Journey - BCITO Te Pukenga Presentation - Copado additions v2.pdfDevOps Journey - BCITO Te Pukenga Presentation - Copado additions v2.pdf
DevOps Journey - BCITO Te Pukenga Presentation - Copado additions v2.pdf
 
Stephen Stanley - Spring 23 highlights.pdf
Stephen Stanley - Spring 23 highlights.pdfStephen Stanley - Spring 23 highlights.pdf
Stephen Stanley - Spring 23 highlights.pdf
 
First Steps to Salesforce Release Management & DevOps [Salesforce User Group,...
First Steps to Salesforce Release Management & DevOps [Salesforce User Group,...First Steps to Salesforce Release Management & DevOps [Salesforce User Group,...
First Steps to Salesforce Release Management & DevOps [Salesforce User Group,...
 
Dreamforce review Wellington Salesforce User Group October 2022
Dreamforce review Wellington Salesforce User Group October 2022Dreamforce review Wellington Salesforce User Group October 2022
Dreamforce review Wellington Salesforce User Group October 2022
 
Ministry of Health / Health NZ Public Health response to Covid using Salesforce
Ministry of Health / Health NZ Public Health response to Covid using SalesforceMinistry of Health / Health NZ Public Health response to Covid using Salesforce
Ministry of Health / Health NZ Public Health response to Covid using Salesforce
 
Salesforce Wellington User Group - August 2022 - Salesforce integration witho...
Salesforce Wellington User Group - August 2022 - Salesforce integration witho...Salesforce Wellington User Group - August 2022 - Salesforce integration witho...
Salesforce Wellington User Group - August 2022 - Salesforce integration witho...
 
Wellington Salesforce User Group - Summer 22 Release
Wellington Salesforce User Group - Summer 22 ReleaseWellington Salesforce User Group - Summer 22 Release
Wellington Salesforce User Group - Summer 22 Release
 
March 2022 Salesforce Welly _ Chch meeting.pdf
March 2022 Salesforce Welly _ Chch meeting.pdfMarch 2022 Salesforce Welly _ Chch meeting.pdf
March 2022 Salesforce Welly _ Chch meeting.pdf
 
SFWelly user group spring '22 release highlights with Mel Macdonald
SFWelly user group spring '22 release highlights with Mel MacdonaldSFWelly user group spring '22 release highlights with Mel Macdonald
SFWelly user group spring '22 release highlights with Mel Macdonald
 
Wellington Salesforce Trailblazer Community August 2021 Virtual Meeting with ...
Wellington Salesforce Trailblazer Community August 2021 Virtual Meeting with ...Wellington Salesforce Trailblazer Community August 2021 Virtual Meeting with ...
Wellington Salesforce Trailblazer Community August 2021 Virtual Meeting with ...
 

Recently uploaded

"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 

Recently uploaded (20)

"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Story boards and shot lists for my a level piece
Salesforce Security: Zero Trust and Beyond

  • 1. Let’s discuss Salesforce Security
    Doug Merrett – Platinum7
    Wellington Salesforce User Group Meetup, October 2023
  • 2. What is Zero Trust? (Besides a buzzword)
    • Zero Trust describes an approach to the strategy, design and implementation of IT systems.
    • The main concept is "never trust, always verify."
    • This brings about zero trust data security, where every request to access the data needs to be authenticated dynamically, ensuring least-privileged access to resources.
    • In order to determine if access can be granted, policies can be applied based on the attributes of the data, who the user is, and the type of environment, using Attribute-Based Access Control.
    • This zero-trust data security approach can protect access to the data.
    Source: https://en.wikipedia.org/wiki/Zero_trust_security_model
  • 3. Hmmm… Not all hacks are complicated
  • 4. Shared Responsibility Model – Salesforce does not do all of it for you…
    Foundational: International Infrastructure; Hardware, Compute, Storage; Scalability, Availability, Datacentre Security; Security
    Foundational: Network (inc encryption), Server (inc encryption), Administrative; Capacity, High Availability, Disaster Recovery; Operational Management, Audits, Site Reliability, CSIRT; Secure SDLC; Security
    Customer: Foundational; Persona Level, Record Level, Field Level; Performance, Monitor / Audit, Backup / Archive; Secure SDLC; Org Level; Privacy / Data Gov
    Copyright © 2023 Platinum7
  • 5. Security is never “finished”: Assess Your Org Health → Secure Your Application → Secure Your Data → Improve Security Awareness
  • 6. Assessments
    • Health Check
    • Portal Health Check
    • Optimizer
    • Code Scan with Checkmarx / DigitSec S4 / AutoRabit / Salesforce’s own Code Scanner
    • Third parties (shameless plug)
  • 7. Security is never “finished”: Assess Your Org Health → Secure Your Application → Secure Your Data → Improve Security Awareness
  • 8. Secure your Application – use Least Privilege principles
    • Reconfigure broad sharing access (Public R/W, Public Read, …)
    • Ensure Aura based communities are protected: https://links.platinum7.com.au/Aura-Issue
    • Reconfigure API Users that are System Admins
      • Especially with the new Integration User license
    • Restrict access to Connected Apps with API Access Control
      • Raise a case with Salesforce Support to get it enabled
    • Use Lightning Login to go passwordless
    • Fix the code issues found by the Code Scanner
      • SOQL injection – where data from the UI/API is put into a SOQL query without protection
      • Stored XSS – where data from the database is shown in the UI without protection
  • 9. Security is never “finished”: Assess Your Org Health → Secure Your Application → Secure Your Data → Improve Security Awareness
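The SOQL injection bullet above is the pattern the Code Scanner reports most often. As an added illustration (not code from the deck or from Platinum7), the Apex class below shows the vulnerable form beside three hardened forms. The class name, the method names, and the use of the Account object are assumptions chosen for the example; `Database.query`, `Database.queryWithBinds`, `AccessLevel.USER_MODE` and `String.escapeSingleQuotes` are standard Apex.

```apex
// Added example (not from the deck): searching Accounts by name, written
// four ways. Class and method names are assumptions for illustration.
public with sharing class AccountSearch {

    // VULNERABLE: user-supplied text is concatenated straight into dynamic SOQL,
    // so a value containing a single quote changes the meaning of the query.
    // This is the shape the Code Scanner flags as SOQL injection.
    public static List<Account> searchUnsafe(String userInput) {
        String soql = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%' + userInput + '%\'';
        return Database.query(soql);
    }

    // HARDENED (preferred): a bind variable. The value reaches the query engine
    // as data and is never parsed as SOQL, so no escaping is needed. Dynamic SOQL
    // resolves simple bind variables that are in scope at the call site.
    public static List<Account> searchWithBind(String userInput) {
        String pattern = '%' + userInput + '%';
        return Database.query('SELECT Id, Name FROM Account WHERE Name LIKE :pattern');
    }

    // HARDENED (Spring '23 API and later): queryWithBinds takes the binds as an
    // explicit map and runs the query in user mode, so the running user's object,
    // field and sharing permissions are enforced too (least privilege, not only
    // injection protection).
    public static List<Account> searchUserMode(String userInput) {
        Map<String, Object> binds = new Map<String, Object>{
            'pattern' => '%' + userInput + '%'
        };
        return Database.queryWithBinds(
            'SELECT Id, Name FROM Account WHERE Name LIKE :pattern',
            binds,
            AccessLevel.USER_MODE);
    }

    // FALLBACK: when a value really must be spliced into the query string,
    // escape it first. This neutralises quote characters only: it does not
    // neutralise LIKE wildcards (% and _), and it is no defence when the
    // untrusted value is a field or object name, which should instead be
    // checked against an allow-list of known names before use.
    public static List<Account> searchEscaped(String userInput) {
        String safe = String.escapeSingleQuotes(userInput);
        return Database.query('SELECT Id, Name FROM Account WHERE Name LIKE \'%' + safe + '%\'');
    }
}
```

For the stored XSS bullet the fix lives in the view layer rather than in Apex: Visualforce `{!...}` expressions and LWC template bindings HTML-encode output by default, and the scanner findings are typically the places where that encoding was switched off (`escape="false"` on Visualforce output tags, `aura:unescapedHtml` in Aura, or `lwc:dom="manual"` with `innerHTML` in LWC) for data that came from the database.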
  • 10. Secure your Data
    • Remove permissions that are not needed (View All Data, API Access, …)
    • Use Event Monitoring’s Transaction Security policies to minimise data exfiltration
    • Use data masking in sandboxes to lower the attack surface
      • Data Mask by Salesforce, DataMasker by Cloud Compliance, or Data Masking by backup tools
    • Use archiving/deletion to remove data you no longer need
    • Don’t have too many System Admins
    • Back up your data
    • Look at Privacy and Consent
      • Embedded PII and other information
      • Look at David Norris’ Medium posts – https://dave-norris.medium.com – or Blackthorn.io
  • 11. Security is never “finished”: Assess Your Org Health → Secure Your Application → Secure Your Data → Improve Security Awareness
  • 12. Improve Security Awareness
    • Educate users on cybersecurity for home and work
    • Educate developers and admins on security best practices
    • Look at using new techniques in your development cycles
    • Have a playbook for what to do in cyber events
    • Look at frameworks – e.g. the NIST Cybersecurity Framework
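The Transaction Security bullet above is where Event Monitoring moves from detection to prevention. As an added illustration (not code from the deck or from Platinum7's own policy product), the condition class below is the kind of Apex an Enhanced Transaction Security policy on Report Events calls. `TxnSecurity.EventCondition`, `ReportEvent`, and its `RowsProcessed` and `QueriedEntities` fields are platform types; the 2000-row threshold, the object list, and the class name are assumptions for the example. Whether a match blocks the export, requires MFA, or only notifies is configured on the policy itself, not in the class.

```apex
// Added example (not from the deck): an Enhanced Transaction Security
// condition for a Report Event policy. The threshold and the list of
// sensitive objects are constructed values for illustration.
global class LargeReportExportCondition implements TxnSecurity.EventCondition {

    // Constructed policy parameters (assumptions, tune to your org)
    private static final Integer MAX_ROWS = 2000;
    private static final Set<String> SENSITIVE_OBJECTS = new Set<String>{ 'Contact', 'Lead' };

    // Called by the platform for every event the policy is attached to.
    // Returning true means the policy's configured action fires.
    public Boolean evaluate(SObject event) {
        switch on event {
            when ReportEvent reportEvent {
                return isLargeSensitiveExport(reportEvent);
            }
            when null {
                return false;
            }
            when else {
                // Not a report event: never trigger from here
                return false;
            }
        }
    }

    // Match only when the report is both large and reads a sensitive object,
    // so routine small reports and large reports on harmless data pass through.
    private Boolean isLargeSensitiveExport(ReportEvent evt) {
        if (evt.RowsProcessed == null || evt.RowsProcessed < MAX_ROWS) {
            return false;
        }
        // QueriedEntities is a comma-separated list of the objects the report reads
        if (String.isBlank(evt.QueriedEntities)) {
            return false;
        }
        for (String entity : evt.QueriedEntities.split(',')) {
            if (SENSITIVE_OBJECTS.contains(entity.trim())) {
                return true;
            }
        }
        return false;
    }
}
```

Keep the condition narrow: a policy that fires on every large report will be switched off by the first admin it inconveniences, whereas one keyed on row count plus the objects involved is the kind of rule that survives contact with real users.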
  • 13. Q&A
    Please reach out if you have any questions – I do not bite! And I am happy to have a chat about anything security related…
    Contact Details
    • doug@platinum7.com.au
    • +61 404 005 435
    • https://www.platinum7.com.au
    • https://doug-merrett.medium.com
  • 14. Interesting information
    Salesforce Security Information
    • Architecture: https://architect.salesforce.com/well-architected/trusted/overview
    • Security: https://developer.salesforce.com/developer-centers/security
    • Code Scanner from Salesforce blog post: https://www.linkedin.com/feed/update/urn:li:activity:6986508274858696704/
    NIST Framework
    • https://www.nist.gov/cyberframework
    Platinum7 Salesforce Security Assessments
    • https://www.platinum7.com.au/assessments : NFPs get a 10% discount
  • 15. Companies to investigate
    Backup
    • OwnData (fka OwnBackup) and Odaseva are the top tier
    • Salesforce has re-released its backup tool
    Event Monitoring tools
    • Imprivata’s FairWarning – prebuilt alerts and dashboards for Salesforce
    • Platinum7 Event Storage – keep your logs “forever”
    • Platinum7 Transaction Security Policies – complex and capable policies to block data exfiltration
    Let me know if you would like an introduction