2. Andrey Bosak
• 8 years experience in IT
• .NET, Java, ABAP, C++ hands-on development, >2 years each
• SAP NetWeaver trainer at SAP CIS partner academy
• 4 years experience in project management and solutions architecture design
• Now inspired by Salesforce.com
• Head of VRP Cloud Minsk
3. PaaS security challenges
• Is the IT infrastructure reliable?
• Is the data channel secured?
• Who can access my data?
• What data is accessible?
• Is a 3rd-party application from AppExchange secure?
• Is my custom code secure?
• …
• What are the long term costs?
4. Force.com PaaS solution overview
• Shared database and middleware
• Proprietary programming and markup languages (Apex & Visualforce)
• Governor limits
• Standard objects from Sales and Service cloud
• APIs: REST, SOAP, Bulk, Metadata
• Configurable layouts, views, workflows and approvals
• Reports & Dashboards
5. Force.com pros & CONS
Pros:
• Easy to start (free environment, workbooks, examples, declarative approach)
• Standard business objects and functionality
• Declarative point & click tools
• Proven scalability
• Transparent security
• AppExchange
• Governor limits
• Powerful API
6. Force.com pros & CONS
Cons:
• Proprietary language
• Governor limits
• Less powerful development tools than mainstream technologies provide
7. Force.com: PaaS security vision of Salesforce
• Infrastructure and network
• Users and security
• API security
• Platform security
• Limits
• Custom applications security
8. trust.salesforce.com
Infrastructure security
• Success is built on trust. And trust starts with transparency.
• Trust.salesforce.com is the salesforce.com community’s home for real-time information on system performance and security. On this site you'll find:
• Live and historical data on system performance
• Up-to-the-minute information on planned maintenance
• Phishing, malicious software, and social engineering threats
• Best security practices for your organization
• Information on how we safeguard your data
Information is taken from the trust.salesforce.com site
9. Users and security
Users are managed centrally by an administrator
User Authentication
• Delegated Authentication
• Federated Authentication (based on SAML)
Network-based Security
Session Security
System Auditing
Data Auditing
10. Platform security: User Profile
• System Permissions
• Administrative Permissions
• Reports
• Data
• Component Permissions
• Applications
• Tabs
• Record types
• Apex classes
• Visualforce pages
• Record-based Sharing
12. Governor limits as a security mechanism
• Heap size
• Attachment size
• Page size
• Number of code lines
• Outbound calls
• Page requests
• API calls
• Database queries
• …
and other capabilities of your application are limited, thus limiting security vulnerabilities
14. Summary
• Force.com uses industry standards and best practices to provide a centralized, powerful and flexible security architecture for cloud solutions
• Reliable and distributed IT infrastructure, energy efficiency and transparency are now considered a MUST for PaaS providers
• Security in all its aspects is now among the most important reasons why customers choose the cloud. Taking into account emerging information security threats, it might soon become the most important. So build your cloud right or choose the right PaaS provider