Join us for this interactive session with Dell Fellow Tim Brown to discuss how Dell manages security for one of the largest Salesforce implementations in the world. Tim will discuss the ways Dell and Deloitte identify and mitigate security threats in a very large enterprise - starting with the Salesforce Trust platform and extending into policies and processes - from user and admin management to integration security to insider threat detection. Watch the video now: https://www.youtube.com/watch?v=Mhzm6Q6QSyQ
Dell and Deloitte: Managing Risk in the Cloud with Salesforce
1. Dell and Deloitte: Managing Risk in the
Cloud with Salesforce.com
Erica Bell
Enterprise Architect Sr Consultant
Erica_Bell@dell.com
Timothy Brown
Dell Fellow and Executive Director for Security
Timothy_g_brown@dell.com
2. “May you live in interesting times.” – Chinese Curse
I always thought it was a blessing!
3. Salesforce.com at Dell
Dell’s Salesforce.com implementation is one of the largest
• 28 production orgs and 44 full copy sandboxes
• Over 500,000 total consumed licenses (520,310)
• 55 integration points (variety of methods used)
4. Our Salesforce.com Evolution
1. Process & Governance
▪ Strong change management and governance processes
▪ Aligned globally and across all business units
2. People
▪ Best in class in-house Salesforce knowledge
▪ Training and certification programs
3. Strategy & Architecture
▪ Align business strategy with architecture to deliver end-to-end scalable solutions
▪ Customizations to “fit” business needs/processes
4. Acquisitions
▪ Significant acquisition strategy (8-10 year)
▪ “Do no harm” approach
5. Managing Security in Salesforce.com
How does Dell manage security and risk in the cloud?
• Established clear roles and responsibilities for business and IT resources: IT Administrator, Business Administrator, Data Administrator
• Defined security protocols for development and governance: Profile Management, Integration Management, Data Governance
• Developed clear segregation of duties: IT processes (development, testing, and migration); user review and approval
• Recognized the need to change our view and processes when deploying to the cloud: procurement process, RFP questions, Enterprise Architect review criteria
6. Inconsistent and unmanageable org strategy
Partnering with Deloitte: Deloitte assisted Dell in developing an org strategy
• Why? What happened?
  • “All you can eat” contract proliferated Dell’s org growth
  • Aggressive acquisition strategy further increased Dell’s org count
• How was ‘the’ strategy developed?
  • Engaged Deloitte for assessment and best practices
  • Conducted discovery sessions (interviews, review of documentation, etc.)
  • Evaluated each org and documented capabilities
  • Provided org consolidation recommendation (based on evaluation)
• What are the results?
  • Certified org strategy and consolidation plan
  • 14 orgs decommissioned, 10 orgs outstanding, removed 19 full copy sandboxes
7. Broader Security Considerations
Not just the cloud provider’s responsibility; it’s the customer’s as well
• Understand the crown jewels
• Manage the administrators, their access, and their usage
• Know who users are, what their access is, and what their access should be
• Understand the system entirely, not just the individual components
  • Deloitte/Dell CloudMix 2.0 example
• Audit and report appropriately per industry
• Architect for containment of threats and minimized exposure
• Take responsibility for your users, including the potential for the insider threat
8. What is an Insider Threat?
The insider threat is also a concern to Dell
• Someone who is going to do harm to themselves or others
• The company’s responsibility, not SFDC’s
• An insider threat program is mandated by the US government for all Federal employees doing cleared work
• Three types: Traitor, Masquerader, Naïve User
  • Masqueraders: impersonators, infected machines
  • Traitors have gained access but are working for you as well as for someone else
  • Naïve users are trying to do the right thing but making costly mistakes
• Insider threat will increase as malware becomes less effective and more costly to produce
• Determine the intent of access, and detect data moving outside its intent/mission
• A program implemented by Dell and Deloitte that affects access to all internal and cloud resources
9. Risk Scoring Framework
A Framework for Understanding Risk
Risk Scoring Criteria (Dell BAP Pilot Domains)
Insider threats are influenced by a combination of virtual, non-virtual, and organizational factors (e.g., access and clearance level). In order to quantify risk, an individual’s behavior across each landscape must be evaluated and weighted, based on the drivers of risk. The following eight domain areas have been identified for the pilot.
I. Financial Policy Violations
• Business Expenses Paid by Credit Card or Cash Alert
• Business or First Class Travel Alert
• Group Meals Alert
• Recurring Expenses Alert
• Tips Alert
II. Separation Status
• Termination Date (i.e., Date Employee is Separating From Dell)
III. Foreign Travel
• Destination Country
• Pre-Travel Brief (Yes/No)
• Post-Travel Brief (Yes/No)
IV. Physical Security Alerts
• Access Granted Anomalies
• Access Denied Anomalies
• Invalid Access Level
• Invalid Card Format
• Invalid Pin #
• Invalid Facility Code
V. Specialized Access Levels
• Security Clearance Level
• Special Access Level
• Classification
• Knowledge of Safe Combination
• Physical Access Privilege Profile Data
VI. Security Incidents
• Issue Summary
• Report Type
• Primary and Secondary Allegation Classification
• Primary and Secondary Allegation Type
• Primary and Secondary Priority (Severity)
VII. Ethics Incidents
• Issue Summary
• Report Type
• Primary and Secondary Allegation Classification
• Primary and Secondary Allegation Type
• Primary and Secondary Priority (Severity)
VIII. Performance History
• Performance Rating
• Employee Review – Dimension Comments (Parts 1-4) – Manager
• Performance Improvement Plan
IX. Additional Risk Indicators*
* As Dell decides to expand the pilot to all Federal business segments, additional data sources and PRIs will be critical to the success of the detection capability.
Data Sources (Initial Pilot Data Sources)
An analysis of historical insider threat cases and interviews with Dell data owners identified seven target systems that could supply the PRIs outlined above.
• Concur: Financial Compliance & Analysis System
• PeopleSoft: Human Resources System of Record
• Access Commander: Personnel Management System of Record
• Lenel OnGuard: Physical Security System of Record
• IntegriLink: Ethics and Security Case Tracking System
• Taleo: Human Resources Performance Rating Appraisal System
• HR Analytics: Performance Improvement Plan Data
Additional data sources (see *): Security Information and Event Management (SIEM) System; Data Loss Prevention (DLP) System
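The evaluate-and-weight step the framework slide describes, as an added example (not Dell’s or Deloitte’s code): a small Python scorer that groups per-employee PRIs by the eight pilot domains, caps each domain’s contribution so one noisy feed cannot dominate the total, and flags the highest weighted totals for analyst review. The domain weights, the review threshold and the sample records are constructed assumptions; the deck gives no weights.

```python
"""Toy weighted insider-risk scorer over the eight pilot domains.
Added example, not Dell's or Deloitte's code. Domain weights, the review
threshold and the sample records are constructed assumptions."""
from collections import defaultdict

# Domains I-VIII from the deck; the weights are assumed, not from the deck.
DOMAIN_WEIGHTS = {
    "financial_policy": 1.0,     # I.   Concur expense alerts
    "separation_status": 3.0,    # II.  PeopleSoft termination date set
    "foreign_travel": 1.5,       # III. Destination country, travel briefs
    "physical_security": 2.0,    # IV.  Lenel OnGuard access anomalies
    "specialized_access": 2.5,   # V.   Clearance / special access level
    "security_incidents": 3.0,   # VI.  IntegriLink security cases
    "ethics_incidents": 2.0,     # VII. IntegriLink ethics cases
    "performance_history": 1.5,  # VIII. Taleo rating / HR Analytics PIP
}
MAX_PER_DOMAIN = 3  # cap so one noisy feed cannot dominate the total

# Constructed sample PRIs: (employee_id, domain, indicator)
SAMPLE_PRIS = [
    ("E100", "financial_policy", "group_meals_alert"),
    ("E100", "financial_policy", "tips_alert"),
    ("E100", "financial_policy", "recurring_expenses_alert"),
    ("E100", "financial_policy", "first_class_travel_alert"),
    ("E100", "separation_status", "termination_date_set"),
    ("E100", "physical_security", "access_denied_anomaly"),
    ("E200", "foreign_travel", "post_travel_brief_missing"),
    ("E300", "performance_history", "performance_improvement_plan"),
    ("E300", "ethics_incidents", "open_case"),
]

def score_employees(pris, weights=DOMAIN_WEIGHTS, cap=MAX_PER_DOMAIN):
    """Return {employee: (weighted_total, {domain: capped_count})}."""
    counts = defaultdict(lambda: defaultdict(int))
    for emp, domain, _indicator in pris:
        if domain not in weights:
            raise ValueError(f"unknown domain: {domain}")
        counts[emp][domain] += 1
    scores = {}
    for emp, per_domain in counts.items():
        # Cap per-domain counts before weighting, then sum across domains.
        capped = {d: min(n, cap) for d, n in per_domain.items()}
        scores[emp] = (sum(weights[d] * n for d, n in capped.items()), capped)
    return scores

def flag_for_review(scores, threshold=6.0):
    """Employees at or above the review threshold, highest score first."""
    hits = [e for e, (total, _) in scores.items() if total >= threshold]
    return sorted(hits, key=lambda e: -scores[e][0])
```

E100 reaches the threshold only because indicators corroborate across three domains; four expense alerts alone are capped to a contribution of 3.0.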
10. Conclusion and Discussion
• At Dell, maintaining a secure Salesforce.com ecosystem is a high priority and an ongoing process
• Success at Dell is driven by a strong partnership between Salesforce.com, Deloitte, and Dell
• A broad view of security, with shared responsibilities, is essential to keeping one of the largest Salesforce.com implementations secure