I T E010 Jasik 091907



  1. Security Best Practices
     Benji Jasik, IT Executive: Chief Innovation Officer
  2. Safe Harbor Statement
     - “Safe harbor” statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements including but not limited to statements concerning the potential market for our existing service offerings and future offerings. All of our forward-looking statements involve risks, uncertainties and assumptions. If any such risks or uncertainties materialize or if any of the assumptions proves incorrect, our results could differ materially from the results expressed or implied by the forward-looking statements we make.
     - The risks and uncertainties referred to above include, but are not limited to, risks associated with possible fluctuations in our operating results and cash flows, rate of growth and anticipated revenue run rate, errors, interruptions or delays in our service or our Web hosting, our new business model, our history of operating losses, the possibility that we will not remain profitable, breach of our security measures, the emerging market in which we operate, our relatively limited operating history, our ability to hire, retain and motivate our employees and manage our growth, competition, our ability to continue to release and gain customer acceptance of new and improved versions of our service, customer and partner acceptance of the AppExchange, successful customer deployment and utilization of our services, unanticipated changes in our effective tax rate, fluctuations in the number of shares outstanding, the price of such shares, foreign currency exchange rates and interest rates.
     - Further information on these and other factors that could affect our financial results is included in the reports on Forms 10-K, 10-Q and 8-K and in other filings we make with the Securities and Exchange Commission from time to time. These documents are available on the SEC Filings section of the Investor Information section of our website at /investor ., inc. assumes no obligation and does not intend to update these forward-looking statements, except as required by law.
  3. Agenda
     - Security risks on the internet
     - Security trade-offs
     - Salesforce security features
     - Future directions
     - Anatomy of a phishing attack
     - User education
     - Questions
  4. Risks in today’s world
     - System is hacked
     - Internal user steals data
     - Individual user connection is hacked
     - User password is stolen
       - Phishing
       - Easy to guess
       - User doesn’t manage password well
  5. Large companies trust (customer logo slide; each logo was captioned with an approximate subscriber count, ranging from ~1,000 to ~25,000 subscribers)
  6. Security
     - Dedicated Security Organization
       - Mitigate risks while complying with legal, statutory, contractual, and internally developed requirements
       - Develop and enforce policies and procedures
         - Develop and integrate security architecture into business processes (CobiT, ISO27001)
       - Conduct employee security awareness training classes
       - Perform regular vulnerability assessments and audits
     - Addresses all layers
       - Physical Security
       - Logical Network Security
       - Host Security
       - Transmission Level Security
       - Database Security
  7. Security Highlights
     - Separation of Duties (roles & responsibilities)
     - Server Hardening
     - 2-Factor Authentication (internal network)
     - Single Sign-On (Delegated Authority)
     - Intrusion Detection
     - Minimum Ports Open (80 & 443)
     - SSL 128-bit minimum
     - Ongoing Vulnerability Testing & Logging
     - Security Monitoring
     - SAS 70 Type II (Semi-Annually)
     - 3rd-party Vulnerability Assessments
  8. Security Trade-Offs
     - Every business makes security trade-offs
     - People usually choose convenience over security
     - The most secure system is inaccessible.
       - Security is something we must all actively manage
     - Salesforce gives you many options to lock down security
  9. Salesforce Security Features
     - 128-bit SSL for all connections to Salesforce
     - Network restrictions
       - IP Restrictions
         - Idea: Require IP restrictions for admin users
         - Enable IP restrictions for integration users
         - Realities
  10. Salesforce Security Features (continued)
       - Require https
       - Session timeouts
  11. Password Management
     - Password complexity and previous passwords
  12. Single Sign-On and LDAP Integration
     - LDAP / Active Directory Integration
     - Single Sign-On
     - SSO Benefits
       - One-time use tokens
       - Fewer passwords to remember for the end user
       - Faster login
       - Greater adoption
  14. Data Restrictions
     - Sharing and Field-Level Security
       - Provide users with the right amount of data necessary to do their jobs
       - Sharing: choose private when possible
       - Field-Level Security
         - Hide fields users should not see
     - Report Security
       - Profile options to disable export and running of reports
  15. Desktop Security
     - Practice good desktop security
       - Anti-Virus
         - Consider offering solutions for home computers
       - Spam filters and phishing detection
       - Anti-malware (to prevent programs such as keyloggers)
  16. Future Directions
     - Security Assertion Markup Language (SAML)
     - API Client Whitelisting
     - IP Geolocation
       - Restrict login by location
       - Ask for a second factor of authentication when logging in from untrusted network(s)
     - Fraud detection notifications
     - Apex triggers on login, setpassword, resetpassword
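The network-restriction controls from slides 9, 10 and 16 (IP restrictions for admin and integration users, require https, a second factor from untrusted networks) can be expressed as one login-policy check. This is an added example written for this page, not Salesforce's own implementation; the profile model, the CIDR ranges and the rule that privileged profiles without IP restrictions are denied are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed values: the deck names the controls but gives no real ranges or profiles.
CORPORATE_NETWORKS = ["203.0.113.0/24", "198.51.100.0/24"]  # trusted office egress ranges


@dataclass
class Profile:
    name: str
    is_admin: bool = False         # slide 9: "Require IP restrictions for admin users"
    is_integration: bool = False   # slide 9: "Enable IP restrictions for integration users"
    login_ip_ranges: list = field(default_factory=list)  # CIDR strings; empty = unrestricted


def in_any(ip, cidrs):
    """True when ip (an ipaddress object) falls inside any of the CIDR strings."""
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def login_decision(profile, source_ip, https):
    """Evaluate one login attempt against the deck's controls.

    Returns 'deny', 'allow', or 'allow_with_second_factor'.
    """
    if not https:                              # slide 10: require https
        return "deny"
    ip = ipaddress.ip_address(source_ip)
    # Assumption of this example: privileged profiles must carry an IP restriction,
    # turning the slide's "idea" for admin users into an enforced rule.
    if (profile.is_admin or profile.is_integration) and not profile.login_ip_ranges:
        return "deny"
    if profile.login_ip_ranges and not in_any(ip, profile.login_ip_ranges):
        return "deny"                          # outside the profile's allowed ranges
    if in_any(ip, CORPORATE_NETWORKS):
        return "allow"
    # slide 16: ask for a second factor when logging in from an untrusted network
    return "allow_with_second_factor"
```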
  17. Anatomy of a phishing attack (annotated screenshot of a phishing email; the callouts read:)
     - Forged email address
     - Forged image
     - "Verify your account!"
     - Link goes to forged site
     - Not addressed by name
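The callouts on the phishing slide can be turned into a small mail-filter heuristic: a sender display name that claims the brand while the address lives elsewhere, the "verify your account" hook, a generic greeting, and link text that shows the real site while the href goes to a forged one. This is an added example for this page, not code from the deck; the sample message is constructed, and the anchor regex is a deliberate simplification of real HTML parsing.

```python
import email
import email.utils
import re
from email import policy

# Constructed sample message (not from the deck) carrying the indicators called out on the slide.
SAMPLE_PHISH = """From: "Salesforce Support" <alerts@mailer.example-notreal.test>
Subject: Verify your account!
Content-Type: text/html

<html><body><p>Dear Customer,</p>
<p>Please visit <a href="http://login.example-notreal.test/verify">www.salesforce.com</a>
to verify your account!</p></body></html>
"""

# Simple anchor matcher, enough for this demo; a real filter should use an HTML parser.
ANCHOR_RE = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def host_of(url_or_text):
    """Hostname of a URL, or of bare link text such as 'www.example.test/path'."""
    m = re.match(r"(?:https?://)?([^/\s]+)", url_or_text.strip())
    return m.group(1).lower() if m else ""


def phishing_indicators(raw, trusted_domain="salesforce.com"):
    """Return the slide's indicators found in a raw RFC 5322 message, by name."""
    msg = email.message_from_string(raw, policy=policy.default)
    brand, found = trusted_domain.split(".")[0], []
    # Forged email address: display name claims the brand, the address is somewhere else.
    name, addr = email.utils.parseaddr(str(msg["From"] or ""))
    if brand in name.lower() and not addr.lower().endswith("@" + trusted_domain):
        found.append("forged_sender")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    # "Verify your account!" urgency hook in subject or body.
    if re.search(r"verify your account", str(msg["Subject"] or "") + body, re.I):
        found.append("urgent_verify")
    # Generic greeting instead of the recipient's name.
    if re.search(r"dear (customer|user|member|client)", body, re.I):
        found.append("not_addressed_by_name")
    # Link text shows the real brand while the href leads to a forged site.
    for href, text in ANCHOR_RE.findall(body):
        if brand in host_of(text) and not host_of(href).endswith(trusted_domain):
            found.append("forged_link")
    return found
```

The forged-image callout is not covered, since it needs the rendered content rather than the message text.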
  18. End user training
     - The boss has to care
     - Clear policy on what is allowable
     - Phishing awareness
     - Social engineering awareness
     - Password complexity
     - Do not use public PCs
     - Know who to contact when something is suspicious
  19. What can you do today?
     - Analyze your security risks
     - Decide if you should enable optional security features
     - Set up security training for end users
     - Submit ideas for security feature enhancements to the IdeaExchange
  20. Session Feedback: Let us know how we’re doing!
     - Please score the session from 5 to 1 (5 = excellent, 1 = needs improvement) in the following categories:
       - Overall rating of the session
       - Quality of content
       - Strength of presentation delivery
       - Relevance of the session to your organization
     - Additionally, please score each individual speaker on:
       - Overall delivery of session
     We strive to improve; thank you for filling out our survey.
  21. Questions