Full session information and video available on successforce.com.


Page 1: I T E010  Jasik 091907

Security Best Practices

Benji Jasik, salesforce.com

IT Executive: Chief Innovation Officer

Page 2

Safe Harbor Statement

“Safe harbor” statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements including but not limited to statements concerning the potential market for our existing service offerings and future offerings. All of our forward looking statements involve risks, uncertainties and assumptions. If any such risks or uncertainties materialize or if any of the assumptions proves incorrect, our results could differ materially from the results expressed or implied by the forward-looking statements we make.

The risks and uncertainties referred to above include - but are not limited to - risks associated with possible fluctuations in our operating results and cash flows, rate of growth and anticipated revenue run rate, errors, interruptions or delays in our service or our Web hosting, our new business model, our history of operating losses, the possibility that we will not remain profitable, breach of our security measures, the emerging market in which we operate, our relatively limited operating history, our ability to hire, retain and motivate our employees and manage our growth, competition, our ability to continue to release and gain customer acceptance of new and improved versions of our service, customer and partner acceptance of the AppExchange, successful customer deployment and utilization of our services, unanticipated changes in our effective tax rate, fluctuations in the number of shares outstanding, the price of such shares, foreign currency exchange rates and interest rates.

Further information on these and other factors that could affect our financial results is included in the reports on Forms 10-K, 10-Q and 8-K and in other filings we make with the Securities and Exchange Commission from time to time. These documents are available on the SEC Filings section of the Investor Information section of our website at www.salesforce.com/investor. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements, except as required by law.

Page 3

Agenda

Security risks on the internet

Security trade-offs

Salesforce security features

Future Directions

Anatomy of a phishing attack

User Education

Questions

Page 4

Risks in today’s world

System is hacked

Internal user steals data

Individual user connection is hacked

User password is stolen

Phishing

Easy to guess

User doesn’t manage password well

Page 5

Large companies trust salesforce.com

[Customer logo slide: 20 customer logos shown, each with an approximate subscriber count ranging from ~1,000 to ~25,000 subscribers]

Page 6

Salesforce.com Security

Dedicated Security Organization

• Mitigate risks while complying with legal, statutory, contractual, and internally developed requirements

• Develop and enforce policies and procedures

• Develop and integrate security architecture into business processes (CobiT, ISO27001)

• Conduct employee security awareness training classes

• Perform regular vulnerability assessments and audits

Addresses all layers

• Physical Security

• Logical Network Security

• Host Security

• Transmission Level Security

• Database Security

Page 7

Salesforce.com Security Highlights

Separation of Duties (roles & responsibilities)

Server Hardening

2 Factor Authentication (internal network)

Single Sign on (Delegated Authority)

Intrusion Detection

Minimum Ports Open (80 & 443)

SSL 128-bit minimum

Ongoing Vulnerability Testing & Logging

Security Monitoring

SAS 70 Type II (Semi-Annually)

3rd party Vulnerability Assessments

Page 8

Security Trade-Offs

Every business makes security trade-offs

People usually choose convenience over security

The most secure system is inaccessible.

Security is something we must all actively manage

Salesforce gives you many options to lock down security

Page 9

Salesforce Security Features

128-bit SSL for all connections to Salesforce

Network restrictions

IP Restrictions

• Idea: Require IP restrictions for admin users

• Enable IP restrictions for integration users

• Realities

Page 10

Salesforce Security Features

Require https

Session timeouts

Page 11

Password Management

Password complexity and previous passwords

Page 12

Single Sign On and LDAP Integration

LDAP / Active Directory Integration

Single Sign On

SSO Benefits

One-time use tokens

Fewer passwords to remember for the end user

Faster login

Greater adoption

Page 13

Page 14

Data Restrictions

Sharing and Field Level Security

Provide users with the right amount of data necessary to do their jobs

Sharing – Choose private when possible

Field Level Security

• Hide fields users should not see

Report Security

Profile options to disable export and running of reports

Page 15

Desktop Security

Practice good desktop security

Anti-Virus

• Consider offering solutions for home computers

Spam filters and phishing detection

Anti-malware (to prevent programs such as keyloggers)

Page 16

Future Directions

Security Assertion Markup Language (SAML)

API Client Whitelisting

IP Geolocation: restrict login by location

Ask for a second factor of authentication when logging in from untrusted network(s)

Fraud detection notifications

Apex triggers on login, setpassword, resetpassword
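The IP restriction options on the Security Features slide and the location / untrusted-network items above describe one login policy. Added here as an illustration (not code from the deck or from Salesforce): a small evaluator that applies that policy to a login attempt. Profile names, trusted ranges and the sample addresses are constructed for the example.

```python
"""Added example: evaluate a login attempt against the policy sketched in the deck.
Profiles, trusted CIDR ranges and the allowed-country list are constructed here."""
import ipaddress

# Constructed policy. Admin and integration profiles are restricted to known
# networks (the slide's recommendation); standard users get a step-up instead.
TRUSTED_NETWORKS = {
    "admin": ["10.0.0.0/8"],                      # corporate network only
    "integration": ["203.0.113.10/32"],           # one middleware host (TEST-NET-3)
    "standard": ["10.0.0.0/8", "192.0.2.0/24"],   # office plus VPN pool (TEST-NET-1)
}
# What happens outside the trusted ranges: hard deny, or ask for a second factor
RESTRICT_MODE = {"admin": "deny", "integration": "deny", "standard": "step_up"}
ALLOWED_COUNTRIES = ("US",)                       # constructed geolocation allow-list


def _in_trusted(profile, source_ip):
    """True when source_ip falls inside any trusted network of the profile."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in TRUSTED_NETWORKS[profile])


def evaluate_login(profile, source_ip, https=True, country="US"):
    """Return (decision, reason); decision is 'allow', 'deny' or 'require_second_factor'."""
    if not https:                                 # "Require https" slide
        return "deny", "plain HTTP login rejected"
    if profile not in TRUSTED_NETWORKS:
        return "deny", f"unknown profile {profile!r}"
    if country not in ALLOWED_COUNTRIES:          # IP geolocation restriction
        return "deny", f"login from disallowed location {country}"
    if _in_trusted(profile, source_ip):
        return "allow", "source IP within trusted network"
    if RESTRICT_MODE[profile] == "deny":          # admin / integration IP restriction
        return "deny", f"{profile} profile restricted to trusted IPs"
    return "require_second_factor", "standard user on an untrusted network"
```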

Page 17

Anatomy of a phishing attack

Forged email address

Forged image

Verify your account!

Link goes to forged site

Not addressed by name
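The five indicators on this slide can be checked mechanically. Added here as an example (not from the deck): a scorer that looks for each indicator in a raw e-mail message. The impersonated brand, its domain and the sample message are constructed for the example.

```python
"""Added example: flag the phishing indicators from the 'Anatomy of a phishing
attack' slide in a raw RFC 822 message. Brand, domain and sample are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND, LEGIT_DOMAIN = "example crm", "example-crm.com"   # constructed brand being impersonated
URGENCY = re.compile(r"verify your account|suspended|immediately|within 24 hours", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IMG_SRC = re.compile(r'<img\s[^>]*src="([^"]+)"', re.I)
GENERIC_GREETING = re.compile(r"\bdear\s+(valued\s+)?(customer|user|member)\b", re.I)


def _is_brand_host(url):
    """True when the URL's host is the brand's domain or one of its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)


def phishing_indicators(raw):
    """Return the slide's indicators present in the message, in slide order."""
    msg = message_from_string(raw)
    html = msg.get_payload(decode=True).decode("utf-8", "replace")
    text = re.sub(r"<[^>]+>", " ", html)          # tag-stripped body for text checks
    found = []
    # Forged email address: display name claims the brand, address domain does not
    name, addr = parseaddr(msg.get("From", ""))
    if BRAND in name.lower() and not _is_brand_host("http://" + addr.rpartition("@")[2]):
        found.append("forged email address")
    # Forged image: logo served from a host that is not the brand's
    if any(not _is_brand_host(src) for src in IMG_SRC.findall(html)):
        found.append("forged image")
    # "Verify your account!" style urgency in subject or body
    if URGENCY.search(msg.get("Subject", "") + " " + text):
        found.append("verify your account! (urgency)")
    # Link text names the brand while the href goes to another site
    if any(LEGIT_DOMAIN in t.lower() and not _is_brand_host(h) for h, t in ANCHOR.findall(html)):
        found.append("link goes to forged site")
    if GENERIC_GREETING.search(text):             # generic salutation instead of a name
        found.append("not addressed by name")
    return found


SAMPLE = """From: "Example CRM Support" <security@example-crm-login.net>
To: victim@corp.example
Subject: Verify your account!
Content-Type: text/html

<html><body><img src="http://example-crm-login.net/logo.png">
<p>Dear valued customer,</p><p>Verify your account! Click
<a href="http://example-crm-login.net/verify">www.example-crm.com</a> now.</p></body></html>
"""
```

`phishing_indicators(SAMPLE)` returns all five indicators for the constructed message; a genuine notice addressed by name and linking to the brand's own domain returns an empty list.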

Page 18

End user training

The boss has to care

Clear policy on what is allowable

Phishing awareness

Social engineering awareness

Password complexity

Do not use public PCs

Know who to contact when something is suspicious

Page 19

What can you do today?

Analyze your security risks

Decide if you should enable optional security features

Setup security training for end users

Submit ideas for security feature enhancements to the IdeaExchange

Page 20

Session Feedback

Let us know how we’re doing!

Please score the session from 5 to 1 (5=excellent,1=needs improvement) in the following categories:

• Overall rating of the session

• Quality of content

• Strength of presentation delivery

• Relevance of the session to your organization

We strive to improve, thank you for filling out our survey.

Additionally, please score each individual speaker on: Overall delivery of session

Page 21

Questions