
What’s new in summer’15 release - Security & Compliance


The Salesforce Summer'15 release is going live in mid-June.

Find out 'What's new in Summer'15 Release' in the Security and Compliance areas.

  1. What’s new in Summer ’15 Release: Security and Compliance
     Shesh Kondi, Director, Security and Compliance - Customer Success
  2. Safe Harbor
     Safe harbor statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of, inc. is included in our annual report on Form 10-K for the fiscal year ended January 31, 2009 and our other filings. These documents are available on the SEC Filings section of the Investor Information section of our Web site.
     Any unreleased services or features referenced in this or other press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available., inc. assumes no obligation and does not intend to update these forward-looking statements.
  3. Agenda
     ❏ Platform Encryption
     ❏ Identity and Authentication
     ❏ Event Monitoring - Transaction Security & Data Leakage
     ❏ Security Best Practices
     ❏ Compliance
     ❏ SHA-256 Upgrade
     ❏ Q & A
  4. Platform Encryption
     Eric Leach, Sr. Director, Product Management
     Encrypt Sensitive Data At Rest While Preserving Business Functionality
  5. The Problem: Sensitive, Confidential, Private, Regulated Data
     “I want to store new, more sensitive data on Salesforce… so that I can build new kinds of apps and deliver more value to my customers and business users.”
  6. Introducing: Salesforce1 Platform Encryption
     The fastest, easiest and most robust way to apply encryption to your sensitive data.
     ● Seamlessly protect your data at rest: encrypt standard & custom fields, files & attachments
     ● Easy to set up: point-and-click setup in minutes
     ● Manage your encryption keys: customer-driven encryption key lifecycle management
     ● Preserve important platform functionality: features like Validation and Workflow Rules are made ‘encryption aware’
  7. Key GA Features
     ● Turn encryption on for custom field types, declaratively or via the Metadata API (MDAPI); while data is strongly encrypted at rest, field length is not affected
     ● Turn encryption on for standard fields, declaratively or via the MDAPI
     ● Files and Attachments can be encrypted at rest with just one click
     ● Manage organization encryption keys declaratively via the Setup UI or API, including Generate/Rotate, Export, Re-Import and Destroy Keys
  8. Authorized User vs. Non-Authorized User
     Authorized users are granted the “View Encrypted Data” user permission and can read encrypted field values in plain text.
  9. Identity and Authentication
     Chuck Mortimore, Vice President, Product Management
  10. Identity Feature Overview
     ● Automated User Provisioning: with the Summer ’15 release, administrators can automate the task of creating, updating, and disabling user account information across all applications using Salesforce as an Identity Provider.
     ● My Domain Enhancements: with the Summer ’15 release, administrators can now test the My Domain login page without having to deploy My Domain to all users. The initial check to verify DNS propagation has also been reduced from 10 mins to 30 secs.
     ● Session timeout for OAuth connected apps: administrators can set a specific session timeout (aka access token timeout) for OAuth connected apps that overrides the session timeout set at the profile or org level.
  11. Key Capabilities: User Provisioning Setup Wizard
  12. Key Capabilities: User Provisioning Accounts (list of user accounts in Google Apps)
  13. Key Capabilities: Connected Apps Session Timeout
  14. Authentication Feature Overview
     ● Continuous IP Restriction: enforce Login IP Ranges on every request (rather than during login only)
     ● Add Geographic Info to Login Events: track the approximate geographic location of the IP address of user login attempts
     ● Export Control: block access from embargoed countries
     ● Create SAML Settings from a File or URL: create SAML SSO settings by importing a metadata file or URL
     ● SAML IdP Metadata Discovery Endpoint: expose Salesforce and Community Identity Provider metadata via a public URL
     ● Custom Logout URL: direct users to a specific logout destination after they log out of Salesforce
     ● Custom Auth Provider Endpoints: edit the authorization, token, and user info endpoints for Google and LinkedIn auth providers
     ● Track Auth Service ID with Login History: associate the authentication service ID with a user’s login history
  15. Continuous IP Restriction
     Org-level setting that allows admins to enforce the IP restriction check on every access, not just during login. Disabled by default.
  16. Custom Logout URL
     Direct users to a specific web page after they log out of Salesforce. From Setup, go to Security Controls > Session Settings.
  17. Add Geographic Info to Login Events
     Approximate geographic location of the IP address of a user’s login. More fields can be shown in a custom view, such as Postal Code and Lat/Long. Geolocation info is also available in Session Management and the new LoginGeo object.
  18. Export Control
     STOP: Important Information. In June 2015, we will turn on Export Control to block IPs from embargoed countries from accessing the Salesforce service. The purpose is to ensure compliance with U.S. law related to embargoed territories. Users who attempt to access Salesforce from one of these restricted IP ranges will receive the error below and can’t log in. For more information go to
     A user accessing Salesforce from an IP located in an embargoed country* will be blocked and get this error message with a link to
     *Syria, Iran, Cuba, Sudan, North Korea or Crimea
  19. Create SAML Settings from a File or URL
     Configure single sign-on by importing the settings from an XML file or public URL containing SAML 2.0 metadata.
  20. SAML IdP Metadata Discovery Endpoint
     Share the SAML configuration metadata for your Salesforce or Community identity provider with service providers via public URLs. Available on the Identity Provider page and under Manage Apps > Connected Apps detail (for SAML).
     Example of the metadata XML content retrieved from the endpoint
  21. Custom Auth. Provider Endpoints
     You can edit the authorization, token and user info endpoints and customize the OAuth flows. Admins who want to use custom endpoints must create an external third-party application and update the consumer key and secret in the Auth. Provider configuration.
  22. Track Auth Service ID with Login History
     You can use the AuthenticationServiceId field in the Login History to verify which authentication service or configuration a user logged in with.
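As an added example (not Salesforce code), here is a review of an exported Login History that uses the AuthenticationServiceId and geolocation fields described on slides 17 and 22 to spot SSO bypasses and logins from unexpected countries. The rows, IDs, user list and the assumption that a password login carries no AuthenticationServiceId are constructed for the example.

```python
# Added example, not Salesforce code: reviewing exported Login History rows.
# Field names follow the ones the deck mentions (AuthenticationServiceId and the
# LoginGeo country / postal code data); the rows and IDs below are constructed.
# Assumption: a password login has an empty AuthenticationServiceId, so an empty
# value for a user who must use SSO means the SSO requirement was bypassed.

SAML_CORP = "0LE_CORP_SAML_PLACEHOLDER"   # constructed placeholder for the org's SAML config ID

# Users who must come in through SSO, and the service ID their logins should carry.
SSO_REQUIRED = {"alice@example.com": SAML_CORP, "bob@example.com": SAML_CORP}

# Countries from which this (constructed) org expects its staff to log in.
EXPECTED_COUNTRIES = {"United States", "Canada"}

LOGIN_HISTORY = [  # constructed export, oldest first
    {"Username": "alice@example.com", "Status": "Success", "SourceIp": "203.0.113.10",
     "AuthenticationServiceId": SAML_CORP, "Country": "United States", "PostalCode": "94105"},
    {"Username": "alice@example.com", "Status": "Success", "SourceIp": "198.51.100.7",
     "AuthenticationServiceId": "", "Country": "United States", "PostalCode": "94105"},
    {"Username": "bob@example.com", "Status": "Success", "SourceIp": "192.0.2.44",
     "AuthenticationServiceId": SAML_CORP, "Country": "Brazil", "PostalCode": ""},
    {"Username": "carol@example.com", "Status": "Invalid Password", "SourceIp": "192.0.2.9",
     "AuthenticationServiceId": "", "Country": "Romania", "PostalCode": ""},
]

def review_logins(rows, sso_required=SSO_REQUIRED, countries=EXPECTED_COUNTRIES):
    """Return (finding, username, detail) tuples that deserve an analyst's attention."""
    findings = []
    for r in rows:
        user = r["Username"]
        if r["Status"] != "Success":
            continue                       # failed attempts belong to a separate review
        expected = sso_required.get(user)
        if expected and r["AuthenticationServiceId"] != expected:
            findings.append(("sso-bypass", user,
                             r["AuthenticationServiceId"] or "password login"))
        if r["Country"] and r["Country"] not in countries:
            findings.append(("unexpected-country", user, r["Country"]))
    return findings
```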
  23. Event Monitoring: Transaction Security and Data Leakage
     Eric Leach, Sr. Director, Product Management; Adam Torman, Director, Product Management
     Real-time security actions; historic data leakage detection
  24. Gain Visibility Into User Actions with Event Monitoring
     ● Monitor User Activity: know who is accessing data from where
     ● Optimize Performance: troubleshoot application performance to improve end user experience
     ● Track Application Usage: understand application usage to increase adoption
  25. Real Time Security Actions For User Activity Monitoring (PILOT)
     ● Customizable Apex Policies: framework auto-generates policies
     ● Define Real Time Actions: Notify, Block, Force 2FA, Session Chooser
     ● Enforce Session Constraints: control the number of active user sessions
  26. Transaction Security Policy Framework: Concurrent Sessions (PILOT)
     ● Pre-generated policy to control the number of concurrent user sessions
     ● Control access based on profile, IP address or other common user info
     ● New session chooser page allows users to select sessions to terminate
  27. Event Monitoring Wave App Pilot (PILOT)
     ● 5 Dashboards: Audit, Fix, Optimize, Adopt, Overview
     ● Roadmap: name denormalization, automated ETL, integrated dashboards
  28. Data Leakage Detection Pilot (PILOT)
     ● Spring ’15: Login Forensics - API only
     ● Summer ’15: API Query Events - API only; Session Correlation - API only
     ● Roadmap: Report, List View, and Click Events; Wave App integration
  29. Security Best Practices
     Masha Sedova, Sr. Director, Trust Engagement
  30. Security is a partnership with our customers. Setting and reviewing Security Controls will improve your org’s health. Users are on the front line.
  31. Password security
     Passwords are the first line of defense.
     ● Security Risk: loss of access control. Compromise will be blamed on the account owner.
     ● Teach your users about password ownership: no password/credential sharing. No exceptions. Discourage password reuse. Effective insider threat technique. Address internally or report to
  32. Phishing
     ● What is phishing? One of the most effective and pervasive attack techniques: luring a user to click on a link that carries a malicious payload
     ● Educate your Salesforce users!
     ● If your users get a “Salesforce” e-mail, have them reach out to you or your security team to double check that it is legitimate
     ● If you are not sure about a “Salesforce” e-mail, ask us by forwarding it to
     ● Resources: ○ ○
  33. Phishing: Real World Example
     ● Hover over links to validate.
     ● Does the e-mail context make sense?
     ● Does the e-mail sender make sense?
     ● Does Salesforce send receipts in this manner? Are you normally a recipient?
     ● Look for typos/grammatical errors.
     ● Beware Clickbait!
  34. Legitimate Salesforce Emails
     Look for:
     ● Legitimate or address
     ● Current Salesforce logo
     ● Links go to or App Stores (hover with your mouse)
     ● Call to action not overly aggressive
  35. How Two Factor Authentication Works
  36. Salesforce Authenticator
     Protects account access even if the user’s password is compromised. Significantly reduces vulnerability. Great resource:
  37. Login IP Ranges
     Available to all customers. Only access Salesforce from a designated set of IP Ranges.
     Two levels:
     ● Org-level Trusted IP Ranges (permissive)
     ● Profile-level Login IP Ranges (restrictive)
     Where to configure them:
     ● Enterprise, Unlimited, Performance, Developer: Manage Users | Profiles
     ● Contact Mgr, Group, Professional: Security Controls | Session Settings
  38. Recommendation
     ✓ Org-wide Trusted IP Ranges → all users in your organization
     ✓ Profile-based login IP range restrictions → employees with access to lots of data or sensitive materials (Admins, Developers)
     ✓ Profile-based login IP range restrictions → users connecting from the same locations
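As an added illustration of the two IP-restriction levels and the Summer ’15 Continuous IP Restriction setting (slides 15, 37 and 38), here is a small Python model. It is example code, not Salesforce’s implementation; the deny/verify semantics, the OrgSettings class, the profile names and the sample ranges are assumptions made for the example.

```python
# Added example, not Salesforce code. It models the org-wide Trusted IP Ranges
# (permissive), the profile-level Login IP Ranges (restrictive) and the Summer '15
# Continuous IP Restriction setting. Assumed semantics: outside a profile's ranges a
# login is denied; outside the org's trusted ranges it needs identity verification.
import ipaddress

def in_ranges(ip, ranges):
    """True if ip falls inside any inclusive (start, end) range, as entered in Setup."""
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in ranges)

class OrgSettings:
    def __init__(self, trusted_ranges, profile_ranges, continuous=False):
        self.trusted_ranges = trusted_ranges    # org-level, permissive
        self.profile_ranges = profile_ranges    # {profile: [(start, end), ...]}, restrictive
        self.continuous = continuous            # disabled by default, as in the release

def login(settings, profile, ip):
    """Decision at login time: 'deny', 'verify' or 'allow'."""
    ranges = settings.profile_ranges.get(profile)
    if ranges and not in_ranges(ip, ranges):
        return "deny"
    if settings.trusted_ranges and not in_ranges(ip, settings.trusted_ranges):
        return "verify"        # identity verification challenge before access
    return "allow"

def request(settings, profile, request_ip):
    """Decision for a request on a session that already passed login()."""
    ranges = settings.profile_ranges.get(profile)
    if settings.continuous and ranges and not in_ranges(request_ip, ranges):
        return "deny"          # the session's source IP left the profile's ranges
    return "allow"             # login-only enforcement never re-checks

# Constructed sample org: admins restricted to the office range, everyone trusted there.
OFFICE = [("203.0.113.0", "203.0.113.255")]
PROFILES = {"System Administrator": OFFICE}

def demo():
    legacy = OrgSettings(OFFICE, PROFILES)                   # default: login-only check
    strict = OrgSettings(OFFICE, PROFILES, continuous=True)  # Summer '15 setting enabled
    outside, inside = "198.51.100.7", "203.0.113.10"
    return {
        "admin_login_outside": login(legacy, "System Administrator", outside),  # deny
        "user_login_outside": login(legacy, "Standard User", outside),          # verify
        "admin_login_inside": login(legacy, "System Administrator", inside),    # allow
        # the admin's valid session later used from outside the office:
        "legacy_request_outside": request(legacy, "System Administrator", outside),  # allow
        "strict_request_outside": request(strict, "System Administrator", outside),  # deny
    }
```

The last two entries are the point of the new setting: with login-only enforcement a session keeps working after its source address leaves the permitted range, with continuous enforcement it does not.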
  39. User Deactivation
     ● Deactivate users as soon as possible
     ● Deactivation removes login access while preserving historical activity and records
     ● Sometimes users cannot be deactivated: assign a new user or reassign approval responsibility first
     ● Know your IT department’s termination process
     Best practice: Freeze users first! From Setup, click Manage Users | Users. Click Edit next to a user’s name. Deselect the Active checkbox and then click Save.
  40. Compliance
     Shesh Kondi, Director, Security and Compliance
  41. Update on Certifications
     ❏ ISO 27001
       ❏ Updated to 2013 Standard
       ❏ Certification Document available
     ❏ PCI-DSS v3
       ❏ Pre-Assessment complete
       ❏ Audit in progress
     ❏ SOC2 Type 2 for Marketing Cloud
       ❏ Certification Document available
  42. SHA-256 Upgrade
  43. SHA-256 Upgrade
     What’s Changing? Salesforce will be moving from certificates signed with the SHA-1 hash algorithm to new certificates signed with the SHA-256 hash algorithm. This change maintains alignment with industry-wide security best practices. Core production instances will start being updated in August 2015.
     What do I need to do to be prepared?
     ● Operating Systems (OS) & Browsers: must meet minimum version requirements
     ● Users: must use OSs and browsers compatible with SHA-256
     ● Middleware / Integrations*: should be tested to ensure continuous access
     *Customers who locally cache certificates in their middleware should join the Success Community group “Official: Certificate Changes” in order to receive the necessary updates and information required in order to
     TEST SITE:
     More Information: HTTPS Security Certificate Change from SHA-1 to SHA-256 hash algorithms
  44. Questions?
     Please email questions/feedback to:
  45. Thank you