dreamforce
Dell and Deloitte: Managing Risk in the Cloud with Salesforce.com
Erica Bell, Enterprise Architect Sr, [email protected]
Timothy Brown, Dell Fellow and Executive Director for [email protected]
“May you live in interesting times.”
–Chinese Curse
I always thought it was a blessing!
Salesforce.com at Dell
Dell's Salesforce.com implementation is one of the largest:
• 28 production orgs and 44 full copy sandboxes
• Over 500,000 total consumed licenses
• 55 integration points (variety of methods used)
44 Full Copy Sandboxes
28 Orgs
520,310 Total Licenses
55 Integration Points
Our Salesforce.com Evolution
1. Process & Governance
▪ Strong change management and governance processes
▪ Aligned globally and across all business units
2. People
▪ Best in class in-house Salesforce knowledge
▪ Training and certification programs
3. Strategy & Architecture
▪ Align business strategy with architecture to deliver end-to-end scalable solutions
▪ Customizations to “fit” business needs/processes
4. Acquisitions
▪ Significant acquisition strategy (8-10 year)
▪ “Do no harm” approach
Managing Security in Salesforce.com
Established clear roles and responsibilities for business and IT resources: IT Administrator, Business Administrator, Data Administrator
Defined security protocols for development and governance: Profile Management, Integration Management, Data Governance
Developed clear segregation of duties: IT processes (development, testing, and migration), user review and approval
Recognized the need to change our view and processes when deploying to the cloud: procurement process, RFP questions, Enterprise Architect review criteria
How does Dell manage security and risk in the cloud?
Partnering with Deloitte
Deloitte assisted Dell in developing an org strategy
• Why? What happened?
  • Inconsistent and unmanageable org strategy
  • “All you can eat” contract proliferated Dell’s org growth
  • Aggressive acquisition strategy further increased Dell’s org count
• How was ‘the’ strategy developed?
  • Engaged Deloitte for assessment and best practices
  • Conducted discovery sessions (interviews, review documentation, etc.)
  • Evaluated each org and documented capabilities
  • Provided org consolidation recommendation (based on evaluation)
• What are the results?
  • Certified org strategy and consolidation plan
  • 14 orgs decommissioned, 10 orgs outstanding, removed 19 full copy sandboxes
Broader Security Considerations
Not just the cloud provider’s responsibility – it’s the customer’s as well
• Understand the crown jewels
• Manage the administrators, their access, and their usage
• Who users are, what their access is, and what their access should be
• Understand the system entirely, not just the individual components
• Deloitte/Dell CloudMix 2.0 example
• Audit and report appropriately per industry
• Architect for containment of threats and minimized exposure
• Take responsibility for your users, including the potential for the insider threat
What is an Insider Threat
The insider threat is also a concern to Dell
• Someone who is going to do harm to themselves or others
• The company’s responsibility, not SFDC’s
• Insider threat program mandated by US government for all Federal employees doing cleared work
• Traitor, Masquerader, Naïve User
• Masqueraders: impersonators, infected machines
• Traitors have gained access but are working for you as well as someone else
• Naïve users are trying to do the right thing but making costly mistakes
• Insider threat will increase as malware becomes less effective and more costly to produce
• Determine intent of access and data moving outside its intent/mission
• A program implemented by Dell and Deloitte that affects access to all internal and cloud resources
Risk Scoring Framework
A Framework for Understanding Risk: Risk Scoring Criteria and Data Sources

Dell BAP Pilot Domains
Insider threats are influenced by a combination of virtual, non-virtual, and organizational factors (e.g., access and clearance level). In order to quantify risk, an individual’s behavior across each landscape must be evaluated and weighted, based on the drivers of risk. The following eight domain areas have been identified for the pilot.

Risk Scoring Criteria
I. Financial Policy Violations
• Business Expenses Paid by Credit Card or Cash Alert
• Business or First Class Travel Alert
• Group Meals Alert
• Recurring Expenses Alert
• Tips Alert
II. Separation Status
• Termination Date (i.e., Date Employee is Separating From Dell)
III. Foreign Travel
• Destination Country
• Pre-Travel Brief (Yes/No)
• Post-Travel Brief (Yes/No)
IV. Physical Security Alerts
• Access Granted Anomalies
• Access Denied Anomalies
• Invalid Access Level
• Invalid Card Format
• Invalid Pin #
• Invalid Facility Code
V. Specialized Access Levels
• Security Clearance Level
• Special Access Level
• Classification
• Knowledge of Safe Combination
• Physical Access Privilege Profile Data
VI. Security Incidents
• Issue Summary
• Report Type
• Primary and Secondary Allegation Classification
• Primary and Secondary Allegation Type
• Primary and Secondary Priority (Severity)
VII. Ethics Incidents
• Issue Summary
• Report Type
• Primary and Secondary Allegation Classification
• Primary and Secondary Allegation Type
• Primary and Secondary Priority (Severity)
VIII. Performance History
• Performance Rating
• Employee Review – Dimension Comments (Parts 1-4) – Manager
• Performance Improvement Plan
IX. Additional Risk Indicators*
• Security Information and Event Management (SIEM) System
• Data Loss Prevention (DLP) System
* As Dell decides to expand the pilot to all Federal business segments, additional data sources and PRIs will be critical to the success of the detection capability.

Initial Pilot Data Sources
An analysis of historical insider threat cases and interviews with Dell data owners identified seven target systems that could supply the PRIs outlined above.
• Concur: Financial Compliance & Analysis System
• PeopleSoft: Human Resources System of Record
• Access Commander: Personnel Management System of Record
• Lenel OnGuard: Physical Security System of Record
• IntegriLink: Ethics and Security Case Tracking System
• Taleo: Human Resources Performance Rating Appraisal System
• HR Analytics: Performance Improvement Plan Data
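As an added example, not code from the deck or from Dell/Deloitte's program, here is a minimal weighted scorer in the spirit of "evaluated and weighted, based on the drivers of risk": indicators are mapped to the eight pilot domains, raw points are capped per domain so one noisy feed cannot dominate, domain weights are applied, and unknown indicators are surfaced rather than dropped. The indicator and source-system names follow the criteria and systems listed above; every weight, cap, point value and sample event is a constructed assumption for illustration only.

```python
"""Added example (not from the Dell/Deloitte deck): a minimal weighted
insider-risk scorer over the eight pilot domains. All weights, caps, point
values and sample events are constructed assumptions for illustration."""
from collections import defaultdict

# Domain weights: assumed drivers of risk, not values from the presentation.
DOMAIN_WEIGHTS = {
    "financial_policy": 1.0, "separation_status": 2.0, "foreign_travel": 1.5,
    "physical_security": 1.5, "specialized_access": 2.0,
    "security_incidents": 2.5, "ethics_incidents": 2.0, "performance_history": 1.0,
}
# Indicator -> (domain, points). Names follow the deck's criteria; points are assumed.
INDICATORS = {
    "recurring_expenses_alert": ("financial_policy", 2),
    "tips_alert": ("financial_policy", 1),
    "termination_date_set": ("separation_status", 5),
    "post_travel_brief_missing": ("foreign_travel", 3),
    "access_denied_anomaly": ("physical_security", 2),
    "invalid_pin": ("physical_security", 1),
    "knowledge_of_safe_combination": ("specialized_access", 3),
    "security_incident_open": ("security_incidents", 4),
    "ethics_incident_open": ("ethics_incidents", 3),
    "performance_improvement_plan": ("performance_history", 3),
}
DOMAIN_CAP = 6  # assumed cap on raw points per domain

def score_person(events):
    """events: iterable of (source_system, indicator) tuples for one person.
    Returns (total_score, per_domain_scores, unknown_indicators)."""
    raw = defaultdict(int)
    unknown = []
    for source, indicator in events:
        if indicator not in INDICATORS:
            unknown.append((source, indicator))  # surface for review, never drop silently
            continue
        domain, pts = INDICATORS[indicator]
        raw[domain] += pts
    per_domain = {d: min(p, DOMAIN_CAP) * DOMAIN_WEIGHTS[d] for d, p in raw.items()}
    return round(sum(per_domain.values()), 2), per_domain, unknown

def rank(people):
    """people: {person_id: events}. Returns ids ordered by descending score."""
    return sorted(people, key=lambda n: score_person(people[n])[0], reverse=True)

# Constructed sample events keyed by the deck's source systems (plus a SIEM feed).
SAMPLE = {
    "emp_a": [("Concur", "recurring_expenses_alert"), ("Concur", "tips_alert"),
              ("PeopleSoft", "termination_date_set"),
              ("Lenel OnGuard", "access_denied_anomaly")],
    "emp_b": [("HR Analytics", "performance_improvement_plan"), ("SIEM", "dlp_egress")],
}
```

The returned per-domain breakdown and the unknown-indicator list are what an analyst needs to review a score rather than trust a single number.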
Conclusion and Discussion
• At Dell, maintaining a secure Salesforce.com ecosystem is a high priority and an ongoing process
• Success at Dell is driven by a strong partnership between Salesforce.com, Deloitte, and Dell
• A broad view of security, with shared responsibilities, is essential to keeping one of the largest Salesforce.com implementations secure
Thank you