Let’s discuss Salesforce Security
Doug Merrett – Platinum7
Wellington Salesforce User Group Meetup
October 2023
What is Zero Trust? (Besides a buzzword)
• Zero Trust describes an approach to the strategy, design and implementation of IT systems.
• The main concept is "never trust, always verify."
• Applied to data, this means every request to access the data is authenticated and authorised dynamically, granting only the least privilege needed for that resource.
• Whether access is granted is decided by policies evaluated against attributes of the data, the identity of the user and the type of environment the request comes from (Attribute-Based Access Control).
• This zero-trust data security approach protects access to the data itself, rather than relying on being "inside" the network.
Source: https://en.wikipedia.org/wiki/Zero_trust_security_model
Hmmm… Not all hacks are complicated
Shared Responsibility Model
Salesforce does not do all of it for you…
Copyright © 2023 Platinum7
• Foundational infrastructure (Salesforce): international infrastructure, hardware, compute, storage, scalability, availability, datacentre security
• Foundational security (Salesforce): network (inc. encryption), server (inc. encryption), administrative, capacity, high availability, disaster recovery, operational management, audits, site reliability, CSIRT, secure SDLC
• Org level (Customer): persona-level, record-level and field-level access; performance; monitoring / audit; backup / archive; secure SDLC; privacy / data governance
Security is never “finished”
• A continuous cycle: Assess your org health → Secure your application → Secure your data → Improve security awareness → back to assessing
Assessments
• Health Check
• Portal Health Check
• Optimizer
• Code Scan with Checkmarx/DigitSec S4/AutoRabit/Salesforce’s own Code Scanner
• Third parties (shameless plug)
Secure your Application
• Reconfigure broad sharing access: org-wide defaults left at Public Read/Write or Public Read Only on objects that should be Private
• Ensure Aura based communities are protected: https://links.platinum7.com.au/Aura-Issue
• Reconfigure API users that run as System Administrators
• Especially now that the Integration User license exists: give each integration its own user with a permission set scoped to what it actually touches
• Restrict access to Connected Apps with API Access Control
• Raise a case with Salesforce Support to get it enabled
• Use Lightning Login to go passwordless
• Fix the code issues found by the Code Scanner
• SOQL injection: data from the UI/API is concatenated into a SOQL query without protection (use bind variables, or escape the input if concatenation is unavoidable)
• Stored XSS: data read from the database is rendered in the UI without escaping
Use Least Privilege principles
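The two code-scanner findings above, SOQL injection and stored XSS, side by side with their hardened forms, as an added example that is not code from the slides or from Platinum7. The class name `ContactSearch`, the method names and the search input are hypothetical; `Database.queryWithBinds`, `WITH USER_MODE`, `String.escapeSingleQuotes` and `String.escapeHtml4` are standard Apex.

```apex
// Added example (not from the slides): SOQL injection and stored XSS in an
// Apex controller, each beside a hardened version. Names are hypothetical.
public with sharing class ContactSearch {

    // VULNERABLE: the caller's value is concatenated into the query text.
    // An input such as   x' OR Name LIKE '%   turns a search for one surname
    // into a dump of every Contact the running user can read, and anything
    // else the attacker can express in the WHERE clause.
    public static List<Contact> findByLastNameUnsafe(String lastName) {
        String soql = 'SELECT Id, Name, Email FROM Contact WHERE LastName = \''
                    + lastName + '\'';
        return Database.query(soql);
    }

    // HARDENED (preferred): a static query with a bind variable. The value is
    // passed as a parameter, never parsed as query text, so quotes in it have
    // no special meaning. WITH USER_MODE additionally enforces the running
    // user's object, field and sharing permissions inside the query.
    public static List<Contact> findByLastName(String lastName) {
        return [SELECT Id, Name, Email FROM Contact
                WHERE LastName = :lastName
                WITH USER_MODE];
    }

    // HARDENED (dynamic SOQL): when the object is chosen at run time it cannot
    // be bound, so it is checked against an allow-list; the user value is still
    // bound, and the query runs in user mode rather than system context.
    public static List<SObject> findByLastNameDynamic(String objectName, String lastName) {
        Set<String> allowedObjects = new Set<String>{ 'Contact', 'Lead' };
        if (!allowedObjects.contains(objectName)) {
            throw new IllegalArgumentException('Unsupported object: ' + objectName);
        }
        String soql = 'SELECT Id, Name FROM ' + objectName + ' WHERE LastName = :lastName';
        Map<String, Object> binds = new Map<String, Object>{ 'lastName' => lastName };
        return Database.queryWithBinds(soql, binds, AccessLevel.USER_MODE);
    }

    // Last resort when a value really must be concatenated (e.g. inside a
    // LIKE pattern built by hand): escape it, and still run in user mode.
    public static List<Contact> findByLastNamePrefix(String prefix) {
        String pattern = String.escapeSingleQuotes(prefix) + '%';
        String soql = 'SELECT Id, Name FROM Contact WHERE LastName LIKE \'' + pattern + '\'';
        return Database.queryWithBinds(soql, new Map<String, Object>(), AccessLevel.USER_MODE);
    }

    // STORED XSS is the output-side twin: a value another user wrote earlier
    // (here Contact.Description) is rendered with escaping switched off, for
    // example <apex:outputText escape="false"> or innerHTML in a component.
    // If markup must be assembled, HTML-escape the untrusted part first.
    public static String descriptionAsHtml(Contact c) {
        return '<p>' + String.escapeHtml4(c.Description) + '</p>';
    }
}
```

The scanner finding for `findByLastNameUnsafe` is the pattern to search for across the org: any `Database.query` or `[...]` whose text is built from a parameter. The fix that removes the whole class of bug is the bind variable; escaping is for the rare case where the value cannot be bound, and it does nothing for object or field names, which need an allow-list as shown.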
Secure your Data
• Remove permissions that are not needed (View All Data, API Access, …)
• Use Event Monitoring’s Transaction Security policies to detect and block bulk data exfiltration (large report exports, large API queries)
• Use data masking in sandboxes so a sandbox compromise does not expose production data
• Data Mask by Salesforce, DataMasker by Cloud Compliance or the data masking built into backup tools
• Use archiving/deletion to remove data you no longer need
• Don’t have too many System Admins
• Backup your data
• Look at Privacy and Consent
• PII embedded in free-text fields and other records that nobody is tracking
• Look at David Norris’ Medium posts – https://dave-norris.medium.com or Blackthorn.io
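An added least-privilege audit for the bullets on "API users that are System Admins", "permissions not needed (View All Data, API Access)" and "don't have too many System Admins". This is example code, not from the slides or Platinum7; the class and method names are hypothetical, and it only reads setup objects (`User`, `Profile`, `PermissionSet`, `PermissionSetAssignment`), whose field names are the standard ones.

```apex
// Added example (not from the slides): read-only audit of who holds broad
// permissions in the org. Save as an Apex class and call
// LeastPrivilegeAudit.run() from anonymous Apex; output goes to the debug log.
public class LeastPrivilegeAudit {

    // Active users on the System Administrator profile, least recently used
    // first, so stale and never-logged-in admins surface at the top. An
    // integration user has no business being here: it should be on the
    // Integration User licence with a permission set scoped to its objects.
    public static List<User> systemAdmins() {
        return [SELECT Id, Username, LastLoginDate, Profile.UserLicense.Name
                FROM User
                WHERE IsActive = true AND Profile.Name = 'System Administrator'
                ORDER BY LastLoginDate NULLS FIRST];
    }

    // Profiles that grant View All Data, Modify All Data or API Enabled.
    // API Enabled on a profile means every user on it can pull data with any
    // API client, not just through the UI, which is what makes an exfiltration
    // script or a leaked session token dangerous.
    public static List<Profile> broadProfiles() {
        return [SELECT Id, Name, UserLicense.Name,
                       PermissionsViewAllData, PermissionsModifyAllData, PermissionsApiEnabled
                FROM Profile
                WHERE PermissionsViewAllData = true
                   OR PermissionsModifyAllData = true
                   OR PermissionsApiEnabled = true];
    }

    // The same grants made through permission sets, with the active users
    // holding them. Profile-owned permission sets are excluded because the
    // profile query above already covers them.
    public static List<PermissionSetAssignment> broadPermissionSetAssignments() {
        return [SELECT PermissionSet.Label, Assignee.Username
                FROM PermissionSetAssignment
                WHERE Assignee.IsActive = true
                  AND PermissionSet.IsOwnedByProfile = false
                  AND (PermissionSet.PermissionsViewAllData = true
                       OR PermissionSet.PermissionsModifyAllData = true
                       OR PermissionSet.PermissionsApiEnabled = true)];
    }

    public static void run() {
        List<User> admins = systemAdmins();
        System.debug('Active System Administrators: ' + admins.size());
        for (User u : admins) {
            System.debug('  ' + u.Username + ' (' + u.Profile.UserLicense.Name
                         + ', last login ' + u.LastLoginDate + ')');
        }
        for (Profile p : broadProfiles()) {
            System.debug('Profile ' + p.Name + ' [' + p.UserLicense.Name + ']'
                         + ' ViewAll=' + p.PermissionsViewAllData
                         + ' ModifyAll=' + p.PermissionsModifyAllData
                         + ' API=' + p.PermissionsApiEnabled);
        }
        for (PermissionSetAssignment a : broadPermissionSetAssignments()) {
            System.debug('Permission set ' + a.PermissionSet.Label
                         + ' -> ' + a.Assignee.Username);
        }
    }
}
```

Run it before and after a clean-up: every username that appears under an admin profile or a View All Data / API Enabled grant should be one you can justify, and integration accounts should have moved off the System Administrator profile entirely.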
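A worked Transaction Security policy for the "minimise data exfiltration" bullet, as an added example that is not code from the slides or from Platinum7. Enhanced Transaction Security lets the condition be an Apex class implementing `TxnSecurity.EventCondition`; the policy built on it under Setup chooses the action (block, require MFA, notify). The class name, the row thresholds, the sensitive-object list and the exempt-user set are hypothetical and need tuning per org; `ReportEvent` and `ApiEvent` and their `Operation`, `RowsProcessed`, `QueriedEntities` and `UserId` fields are the standard Event Monitoring objects.

```apex
// Added example (not from the slides): an Enhanced Transaction Security
// condition that flags exfiltration-sized data pulls, i.e. large report
// exports and large API queries against sensitive objects. Requires Event
// Monitoring; attach the class to a policy for ReportEvent and one for
// ApiEvent under Setup > Transaction Security Policies.
global class BulkExportCondition implements TxnSecurity.EventCondition {

    // Hypothetical thresholds: above these a single pull is treated as bulk.
    private static final Integer REPORT_ROW_LIMIT = 2000;
    private static final Integer API_ROW_LIMIT = 10000;

    // Objects whose bulk extraction we care about (hypothetical list).
    private static final Set<String> SENSITIVE_OBJECTS =
        new Set<String>{ 'Contact', 'Lead', 'Account' };

    // Known integrations (e.g. the backup tool) that legitimately pull
    // everything; populate with their user Ids rather than giving them a pass
    // via profile. Empty here because the Ids are org-specific.
    private static final Set<Id> EXEMPT_USERS = new Set<Id>();

    // Called once per event; returning true fires the policy's action.
    public Boolean evaluate(SObject event) {
        Id actor = (Id) event.get('UserId');
        if (actor != null && EXEMPT_USERS.contains(actor)) {
            return false;
        }
        if (event.getSObjectType() == ReportEvent.SObjectType) {
            return isLargeReportExport((ReportEvent) event);
        }
        if (event.getSObjectType() == ApiEvent.SObjectType) {
            return isLargeApiQuery((ApiEvent) event);
        }
        return false;
    }

    // Only exports leave the org; a large on-screen report run is a different
    // (smaller) risk and is left to monitoring.
    private Boolean isLargeReportExport(ReportEvent e) {
        return e.Operation == 'ReportExported'
            && e.RowsProcessed != null
            && e.RowsProcessed > REPORT_ROW_LIMIT;
    }

    // QueriedEntities lists the objects named in the SOQL, comma separated.
    private Boolean isLargeApiQuery(ApiEvent e) {
        if (e.RowsProcessed == null || e.RowsProcessed <= API_ROW_LIMIT) {
            return false;
        }
        if (String.isBlank(e.QueriedEntities)) {
            return false;
        }
        for (String entity : e.QueriedEntities.split(',')) {
            if (SENSITIVE_OBJECTS.contains(entity.trim())) {
                return true;
            }
        }
        return false;
    }
}
```

Start with the policy action set to notify only and run it in a sandbox with Event Monitoring for a few weeks: a threshold that is too low blocks legitimate integrations and nightly backups, which is why the exempt set exists, while one that is too high lets an attacker page through the data in chunks just under the limit.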
Improve Security Awareness
• Educate users on Cybersecurity for home and work
• Educate Developers and Admins on security best practices
• Look at using new techniques in your development cycles
• Have a playbook for what to do in cyber events
• Look at frameworks – eg NIST Cybersecurity Framework
Q&A
Please reach out if you have any questions –
I do not bite! And I am happy to have a chat
about anything security related…
Contact Details
• doug@platinum7.com.au
• +61 404 005 435
• https://www.platinum7.com.au
• https://doug-merrett.medium.com
Interesting information
Salesforce Security Information
• Architecture: https://architect.salesforce.com/well-architected/trusted/overview
• Security: https://developer.salesforce.com/developer-centers/security
• Code Scanner from Salesforce blog post:
https://www.linkedin.com/feed/update/urn:li:activity:6986508274858696704/
NIST Framework
• https://www.nist.gov/cyberframework
Platinum7 Salesforce Security Assessments
• https://www.platinum7.com.au/assessments : NFP get 10% discount
Companies to investigate
Backup
• OwnData (fka OwnBackup) and Odaseva are the top tier
• Salesforce has re-released their backup tool
Event Monitoring tools
• Imprivata’s FairWarning – prebuilt alerts and dashboards for Salesforce
• Platinum7 Event Storage – keep your logs “forever”
• Platinum7 Transaction Security Policies – complex and capable policies to block
data exfiltration
Let me know if you would like an introduction

 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 

Let's Discuss Security with SFWelly

1. Let’s discuss Salesforce Security
Doug Merrett – Platinum7
Wellington Salesforce User Group Meetup, October 2023

2. What is Zero Trust? (Besides a buzzword)
• Zero Trust describes an approach to the strategy, design and implementation of IT systems.
• The main concept is "never trust, always verify."
• This brings about zero trust data security, where every request to access the data needs to be authenticated dynamically, ensuring least-privileged access to resources.
• In order to determine whether access can be granted, policies can be applied based on the attributes of the data, who the user is, and the type of environment, using Attribute-Based Access Control.
• This zero-trust data security approach can protect access to the data.
Source: https://en.wikipedia.org/wiki/Zero_trust_security_model

3. Hmmm… Not all hacks are complicated

4. Shared Responsibility Model
Salesforce does not do all of it for you…
Copyright © 2023 Platinum7
(Diagram: Foundational and Security rows across three layers)
• Infrastructure layer: International Infrastructure, Hardware, Compute, Storage, Scalability, Availability, Datacentre Security
• Platform layer: Network (inc encryption), Server (inc encryption), Administrative, Capacity, High Availability, Disaster Recovery, Operational Management, Audits, Site Reliability, CSIRT, Secure SDLC
• Customer layer: Persona Level, Record Level, Field Level, Org Level, Performance, Monitor / Audit, Backup / Archive, Secure SDLC, Privacy / Data Gov

5. Security is never “finished”
Assess Your Org Health → Secure Your Application → Secure Your Data → Improve Security Awareness (and repeat)

6. Assessments
• Health Check
• Portal Health Check
• Optimizer
• Code Scan with Checkmarx/DigitSec S4/AutoRabit/Salesforce’s own Code Scanner
• Third parties (shameless plug)

7. Security is never “finished”

8. Secure your Application
• Reconfigure broad sharing access (Public R/W, Public Read, …)
• Ensure Aura-based communities are protected: https://links.platinum7.com.au/Aura-Issue
• Reconfigure API Users that are System Admins
  • Especially with the new Integration User license
• Restrict access to Connected Apps with API Access Control
  • Raise a case with Salesforce Support to get it enabled
• Use Lightning Login to go passwordless
• Fix the code issues found by the Code Scanner
  • SOQL injections – where data from the UI/API is put into a SOQL query without protection
  • Stored XSS – where data from the database is shown in the UI without protection
Use Least Privilege principles
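To make the SOQL injection bullet concrete, here is an added Apex example (not code from the deck or from Platinum7): the string-concatenated dynamic query the Code Scanner flags, beside the bind-variable form and the escaped form for cases where the query must stay dynamic. The class and method names are hypothetical.

```apex
// Added example, not from the presentation. Class and method names are hypothetical.
public with sharing class AccountSearch {

    // VULNERABLE: the search term from the UI/API is concatenated straight into
    // dynamic SOQL. A value containing a single quote changes the query structure,
    // which is the "SOQL injection" finding the Code Scanner reports.
    public static List<Account> findByNameUnsafe(String term) {
        String soql = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%' + term + '%\'';
        return Database.query(soql);
    }

    // SAFE (preferred): a bind variable in static SOQL. The value reaches the
    // query engine as data and is never parsed as query text, so quotes are harmless.
    // "with sharing" keeps record-level sharing in force for the running user.
    public static List<Account> findByName(String term) {
        String pattern = '%' + term + '%';
        return [SELECT Id, Name FROM Account WHERE Name LIKE :pattern];
    }

    // SAFE when the query must be dynamic (e.g. a caller-chosen field list):
    // escape the untrusted value before concatenating it. Field and object names
    // must still be checked against an allow-list; escapeSingleQuotes does not
    // protect those positions.
    public static List<Account> findByNameDynamic(String term) {
        String safeTerm = String.escapeSingleQuotes(term);
        String soql = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%' + safeTerm + '%\'';
        return Database.query(soql);
    }

    // SAFE and dynamic: Database.queryWithBinds (API 57.0 and later) accepts bind
    // values for a dynamic query string, so no escaping is needed, and
    // AccessLevel.USER_MODE enforces the running user's object and field permissions.
    public static List<Account> findByNameWithBinds(String term) {
        Map<String, Object> binds = new Map<String, Object>{ 'pattern' => '%' + term + '%' };
        return Database.queryWithBinds(
            'SELECT Id, Name FROM Account WHERE Name LIKE :pattern',
            binds,
            AccessLevel.USER_MODE);
    }
}
```

The stored XSS bullet is the mirror image on the rendering side: Visualforce and LWC escape output by default, so the scanner findings come from the places that turn escaping off (for example `escape="false"` on an `apex:outputText`, or writing database values into `innerHTML` under `lwc:dom="manual"`).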
9. Security is never “finished”

10. Secure your Data
• Remove permissions that are not needed (View All Data, API Access, …)
• Use Event Monitoring’s Transaction Security policies to minimise data exfiltration
• Use data masking in sandboxes to lower the attack surface
  • Data Mask by Salesforce, DataMasker by Cloud Compliance, or the data masking in backup tools
• Use archiving/deletion to remove data you no longer need
• Don’t have too many System Admins
• Back up your data
• Look at Privacy and Consent
  • Embedded PII and other information
  • Look at David Norris’ Medium posts – https://dave-norris.medium.com – or Blackthorn.io

11. Security is never “finished”

12. Improve Security Awareness
• Educate users on cybersecurity for home and work
• Educate developers and admins on security best practices
• Look at using new techniques in your development cycles
• Have a playbook for what to do in cyber events
• Look at frameworks – e.g. the NIST Cybersecurity Framework

13. Q&A
Please reach out if you have any questions – I do not bite! And I am happy to have a chat about anything security related…
Contact Details
• doug@platinum7.com.au
• +61 404 005 435
• https://www.platinum7.com.au
• https://doug-merrett.medium.com

14. Interesting information
Salesforce Security Information
• Architecture: https://architect.salesforce.com/well-architected/trusted/overview
• Security: https://developer.salesforce.com/developer-centers/security
• Code Scanner from Salesforce blog post: https://www.linkedin.com/feed/update/urn:li:activity:6986508274858696704/
NIST Framework
• https://www.nist.gov/cyberframework
Platinum7 Salesforce Security Assessments
• https://www.platinum7.com.au/assessments (NFPs get a 10% discount)

15. Companies to investigate
Backup
• OwnData (fka OwnBackup) and Odaseva are the top tier
• Salesforce has re-released their backup tool
Event Monitoring tools
• Imprivata’s FairWarning – prebuilt alerts and dashboards for Salesforce
• Platinum7 Event Storage – keep your logs “forever”
• Platinum7 Transaction Security Policies – complex and capable policies to block data exfiltration
Let me know if you would like an introduction