Full session information and video available on successforce.com.
Security Best Practices
Benji Jasik, salesforce.com
IT Executive: Chief Innovation Officer
Safe Harbor Statement
“Safe harbor” statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements including but not limited to statements concerning the potential market for our existing service offerings and future offerings. All of our forward looking statements involve risks, uncertainties and assumptions. If any such risks or uncertainties materialize or if any of the assumptions proves incorrect, our results could differ materially from the results expressed or implied by the forward-looking statements we make.
The risks and uncertainties referred to above include - but are not limited to - risks associated with possible fluctuations in our operating results and cash flows, rate of growth and anticipated revenue run rate, errors, interruptions or delays in our service or our Web hosting, our new business model, our history of operating losses, the possibility that we will not remain profitable, breach of our security measures, the emerging market in which we operate, our relatively limited operating history, our ability to hire, retain and motivate our employees and manage our growth, competition, our ability to continue to release and gain customer acceptance of new and improved versions of our service, customer and partner acceptance of the AppExchange, successful customer deployment and utilization of our services, unanticipated changes in our effective tax rate, fluctuations in the number of shares outstanding, the price of such shares, foreign currency exchange rates and interest rates.
Further information on these and other factors that could affect our financial results is included in the reports on Forms 10-K, 10-Q and 8-K and in other filings we make with the Securities and Exchange Commission from time to time. These documents are available on the SEC Filings section of the Investor Information section of our website at www.salesforce.com/investor. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements, except as required by law.
Agenda
Security risks on the internet
Security trade-offs
Salesforce security features
Future Directions
Anatomy of a phishing attack
User Education
Questions
Risks in today’s world
System is hacked
Internal user steals data
Individual user connection is hacked
User password is stolen
Phishing
Easy to guess
User doesn’t manage password well
Large companies trust salesforce.com
[Slide shows customer logos, each labelled with an approximate subscriber count ranging from ~1,000 to ~25,000 subscribers]
Salesforce.com Security
Dedicated Security Organization
Mitigate risks while complying with legal, statutory, contractual, and internally developed requirements
Develop and enforce policies and procedures
Develop and integrate security architecture into business processes (CobiT, ISO27001)
Conduct employee security awareness training classes
Perform regular vulnerability assessments and audits
Addresses all layers
Physical Security
Logical Network Security
Host Security
Transmission Level Security
Database Security
Salesforce.com Security Highlights
Separation of Duties (roles & responsibilities)
Server Hardening
2-Factor Authentication (internal network)
Single Sign-On (Delegated Authority)
Intrusion Detection
Minimum Ports Open (80 & 443)
SSL 128-bit minimum
Ongoing Vulnerability Testing & Logging
Security Monitoring
SAS 70 Type II (Semi-Annually)
3rd party Vulnerability Assessments
Security Trade-Offs
Every business makes security trade-offs
People usually choose convenience over security
The most secure system is inaccessible.
Security is something we must all actively manage
Salesforce gives you many options to lock down security
Salesforce Security Features
128-bit SSL for all connections to Salesforce
Network restrictions
IP Restrictions
Idea: Require IP restrictions for admin users
Enable IP restrictions for integration users
Realities
Salesforce Security Features
Require https
Session timeouts
Password Management
Password complexity and previous passwords
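The lock-down options listed on these two slides (IP restrictions per profile, require https, session timeouts, password complexity and previous-password checks) can be expressed as a small policy model. The code below is an added example, not from the presentation or from Salesforce; the profile names, CIDR ranges, timeout value, history depth and complexity rules are constructed for illustration, and PBKDF2 stands in for whatever hash the platform actually uses.

```python
"""Added example (not from the slides): a model of the login-policy checks the
deck lists -- per-profile IP restrictions, require HTTPS, idle session timeout,
and password complexity with a previous-password rule. All policy values below
are constructed for illustration."""
import hashlib
import hmac
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed policy: admin and integration users are pinned to corporate
# address ranges (the "Idea" on the slide); other profiles stay unrestricted,
# which is the convenience trade-off most organisations actually make.
LOGIN_IP_RANGES = {
    "System Administrator": ["203.0.113.0/24", "198.51.100.0/24"],
    "Integration User": ["198.51.100.42/32"],
}
REQUIRE_HTTPS = True
SESSION_TIMEOUT_SECONDS = 2 * 60 * 60   # idle sessions expire after 2 hours
PASSWORD_HISTORY = 3                    # reject reuse of the last 3 passwords
COMPLEXITY_RULES = [
    (r".{8,}", "at least 8 characters"),
    (r"[A-Za-z]", "a letter"),
    (r"\d", "a digit"),
    (r"[^A-Za-z0-9]", "a symbol"),
]


def ip_allowed(profile: str, client_ip: str) -> bool:
    """A profile with no ranges is unrestricted; otherwise the client must fall inside one."""
    ranges = LOGIN_IP_RANGES.get(profile)
    if not ranges:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def login_decision(profile: str, client_ip: str, scheme: str) -> str:
    """Network-level checks applied before credentials are even considered."""
    if REQUIRE_HTTPS and scheme != "https":
        return "denied: https required"
    if not ip_allowed(profile, client_ip):
        return "denied: IP address not in the ranges allowed for this profile"
    return "allowed"


def session_expired(last_activity: float, now: float) -> bool:
    """Idle timeout: any gap longer than the limit forces a fresh login."""
    return now - last_activity > SESSION_TIMEOUT_SECONDS


def complexity_failures(password: str) -> list:
    """Return the human-readable rules the candidate password fails."""
    return [why for pattern, why in COMPLEXITY_RULES if not re.search(pattern, password)]


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for the real password hash; the point is that history
    # is compared hash-to-hash, never against stored plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    profile: str
    salt: bytes
    history: list = field(default_factory=list)   # newest hash first


def set_password(user: User, new_password: str) -> list:
    """Return the list of policy violations; an empty list means the change was accepted."""
    problems = complexity_failures(new_password)
    new_hash = hash_password(new_password, user.salt)
    if any(hmac.compare_digest(new_hash, old) for old in user.history[:PASSWORD_HISTORY]):
        problems.append(f"matches one of the last {PASSWORD_HISTORY} passwords")
    if problems:
        return problems
    user.history.insert(0, new_hash)
    return []


if __name__ == "__main__":
    print(login_decision("System Administrator", "203.0.113.7", "https"))   # allowed
    print(login_decision("System Administrator", "192.0.2.1", "https"))     # denied: IP address ...
    alice = User("Standard User", salt=b"constructed-salt")
    print(set_password(alice, "Tr0ub4dor&3"))   # []
    print(set_password(alice, "Tr0ub4dor&3"))   # ['matches one of the last 3 passwords']
```

The "Realities" bullet on the slide is visible in the policy table: only the two high-value profiles carry ranges, so the rule costs nothing for the bulk of users while still fencing off the accounts whose compromise would matter most.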
Single Sign On and LDAP Integration
LDAP / Active Directory Integration
Single Sign On
SSO Benefits
One-time use tokens
Less passwords to remember for end user
Faster login
Greater adoption
Data Restrictions
Sharing and Field Level Security
Provide users with the right amount of data necessary to do their jobs
Sharing – Choose private when possible
Field Level Security
Hide fields users should not see
Report Security
Profile options to disable export and running of reports
Desktop Security
Practice good desktop security
Anti-Virus
Consider offering solutions for home computers
Spam filters and phishing detection
Anti-malware (to prevent programs such as keyloggers)
Future Directions
Security Assertion Markup Language (SAML)
API Client Whitelisting
IP Geolocation: Restrict login by location
Ask for a second factor of authentication when logging in from untrusted network(s)
Fraud detection notifications
Apex triggers on login, setpassword, resetpassword
Anatomy of a phishing attack
Forged email address
Forged image
Verify your account!
Link goes to forged site
Not addressed by name
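The five tell-tales on this slide (forged sender address, off-brand image, "verify your account" lure, link to a forged site, no personal greeting) are exactly what a mail-filtering rule or a user-awareness demo looks for. The code below is an added example, not from the presentation; the two e-mails are constructed samples, the trusted domain set and the indicator wording are assumptions, and the domain check is deliberately simple (last two labels only), which a production filter would replace with a public-suffix list.

```python
"""Added example (not from the slides): flag the phishing indicators the deck
lists over a constructed e-mail. TRUSTED_DOMAINS and the sample messages are
constructed for illustration."""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"salesforce.com"}   # constructed: the brand the mail claims to be from
URGENCY = re.compile(r"verify your account|will be suspended|within 24 hours", re.I)
GENERIC_GREETING = re.compile(r"\bdear\s+(customer|user|member|valued)\b", re.I)
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class TagCollector(HTMLParser):
    """Collect (href, visible text) for every anchor and src for every image."""
    def __init__(self):
        super().__init__()
        self.links, self.images = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href, self._text = attrs.get("href", ""), []
        elif tag == "img" and attrs.get("src"):
            self.images.append(attrs["src"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    parts = host.lower().split(".")          # simplification: last two labels
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(url: str) -> str:
    return urlparse(url if "://" in url else "http://" + url).hostname or ""


def trusted(host: str) -> bool:
    return registered_domain(host) in TRUSTED_DOMAINS


def body_html(msg) -> str:
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() in ("text/html", "text/plain"):
            return part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def phishing_indicators(raw: str) -> list:
    msg = email.message_from_string(raw)
    found = []
    name, addr = parseaddr(msg.get("From", ""))
    from_host = addr.rpartition("@")[2]
    # Forged sender: display name drops the brand name, address domain is not the brand
    claims_brand = any(d.split(".")[0] in name.lower() for d in TRUSTED_DOMAINS)
    if claims_brand and not trusted(from_host):
        found.append("forged sender domain")
    reply_host = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    if reply_host and reply_host.lower() != from_host.lower():
        found.append("reply-to domain differs from sender")
    html = body_html(msg)
    tags = TagCollector()
    tags.feed(html)
    if any(not trusted(host_of(src)) for src in tags.images):   # forged image
        found.append("brand image hosted on untrusted domain")
    for href, text in tags.links:
        target = host_of(href)
        if not trusted(target):                                   # link to forged site
            found.append(f"link to untrusted domain: {target}")
        if LOOKS_LIKE_URL.match(text) and host_of(text) != target:
            found.append(f"link text shows {host_of(text)} but points elsewhere")
    text = msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", html)
    if GENERIC_GREETING.search(text):
        found.append("generic greeting (not addressed by name)")
    if URGENCY.search(text):
        found.append("urgency / verify-your-account lure")
    return found


# Constructed sample mails (not real messages).
SAMPLE_PHISH = """From: "Salesforce Support" <support@salesforce-verify.example>
Reply-To: collect@mailer.example
To: user@example.com
Subject: Verify your account!
Content-Type: text/html; charset=utf-8

<html><body><img src="http://salesforce-verify.example/logo.png" alt="salesforce">
<p>Dear Customer,</p>
<p>Your account will be suspended. Please <a href="http://login.salesforce-verify.example/">Verify your account</a> within 24 hours.</p>
<p><a href="http://203.0.113.9/login">https://login.salesforce.com/</a></p></body></html>
"""
SAMPLE_LEGIT = """From: "Salesforce Support" <support@salesforce.com>
To: user@example.com
Subject: Your monthly report is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Hello Alice,</p><p>Your report is at <a href="https://login.salesforce.com/reports">login.salesforce.com</a>.</p></body></html>
"""

if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE_PHISH):
        print("-", line)
    print("legitimate mail:", phishing_indicators(SAMPLE_LEGIT))
```

Run stand-alone, the constructed phishing sample trips every indicator on the slide while the legitimate sample trips none; the per-indicator strings are what a training exercise can show users side by side with the original mail.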
End user training
The boss has to care
Clear policy on what is allowable
Phishing awareness
Social engineering awareness
Password complexity
Do not use public PCs
Know who to contact when something is suspicious
What can you do today?
Analyze your security risks
Decide if you should enable optional security features
Setup security training for end users
Submit ideas for security feature enhancements to the IdeaExchange
Session Feedback
Let us know how we’re doing!
Please score the session from 5 to 1 (5=excellent, 1=needs improvement) in the following categories:
Overall rating of the session
Quality of content
Strength of presentation delivery
Relevance of the session to your organization
We strive to improve, thank you for filling out our survey.
Additionally, please score each individual speaker on: Overall delivery of session
Questions