
Page 1: Dell and Deloitte: Managing Risk in the Cloud with Salesforce

Dell and Deloitte: Managing Risk in the Cloud with Salesforce.com

Erica Bell, Enterprise Architect Sr Consultant, [email protected]

Timothy Brown, Dell Fellow and Executive Director for Security, [email protected]

Page 2: Dell and Deloitte: Managing Risk in the Cloud with Salesforce

“May you live in interesting times.”

–Chinese Curse

I always thought it was a blessing!

Page 3: Dell and Deloitte: Managing Risk in the Cloud with Salesforce

Salesforce.com at Dell

Dell's Salesforce.com implementation is one of the largest:

• 28 production orgs and 44 full copy sandboxes
• Over 500,000 total consumed licenses (520,310 total licenses)
• 55 integration points (a variety of methods used)

Page 4: Dell and Deloitte: Managing Risk in the Cloud with Salesforce

Our Salesforce.com Evolution

1. Process & Governance
▪ Strong change management and governance processes
▪ Aligned globally and across all business units

2. People
▪ Best in class in-house Salesforce knowledge
▪ Training and certification programs

3. Strategy & Architecture
▪ Align business strategy with architecture to deliver end-to-end scalable solutions
▪ Customizations to "fit" business needs/processes

4. Acquisitions
▪ Significant acquisition strategy (8-10 year)
▪ "Do no harm" approach

Page 5: Dell and Deloitte: Managing Risk in the Cloud with Salesforce

Managing Security in Salesforce.com

How does Dell manage security and risk in the cloud?

• Established clear roles and responsibilities for business and IT resources: IT Administrator, Business Administrator, Data Administrator
• Defined security protocols for development and governance: Profile Management, Integration Management, Data Governance
• Developed clear segregation of duties: IT processes (development, testing, and migration) separated from user review and approval
• Recognized the need to change our view and processes when deploying to the cloud: procurement process, RFP questions, Enterprise Architect review criteria

Page 6: Dell and Deloitte: Managing Risk in the Cloud with Salesforce

Partnering with Deloitte: Deloitte assisted Dell in developing an org strategy

Inconsistent and unmanageable org strategy

• Why? What happened?
  • An "all you can eat" contract drove Dell's org growth
  • An aggressive acquisition strategy further increased Dell's org count
• How was 'the' strategy developed?
  • Engaged Deloitte for assessment and best practices
  • Conducted discovery sessions (interviews, documentation review, etc.)
  • Evaluated each org and documented its capabilities
  • Provided an org consolidation recommendation (based on the evaluation)
• What are the results?
  • Certified org strategy and consolidation plan
  • 14 orgs decommissioned, 10 orgs outstanding, 19 full copy sandboxes removed

Page 7: Dell and Deloitte: Managing Risk in the Cloud with Salesforce

Broader Security Considerations

Not just the cloud provider's responsibility; it's the customer's as well

• Understand the crown jewels
• Manage the administrators, their access, and their usage
• Know who the users are, what their access is, and what their access should be
• Understand the system entirely, not just the individual components (Deloitte/Dell CloudMix 2.0 example)
• Audit and report appropriately per industry
• Architect for containment of threats and minimized exposure
• Take responsibility for your users, including the potential for the insider threat

Page 8: Dell and Deloitte: Managing Risk in the Cloud with Salesforce

What is an Insider Threat

• Someone who is going to do harm to themselves or others
• The company's responsibility, not SFDC's
• An insider threat program is mandated by the US government for all Federal employees doing cleared work
• Three types: Traitor, Masquerader, Naïve User
  • Masqueraders: impersonators, infected machines
  • Traitors have gained access and are working for you as well as for someone else
  • Naïve users are trying to do the right thing but make costly mistakes
• Insider threat will increase as malware becomes less effective and more costly to produce
• Determine the intent of access, and detect data moving outside its intent/mission
• A program implemented by Dell and Deloitte that affects access to all internal and cloud resources

The insider threat is also a concern to Dell

Page 9: Dell and Deloitte: Managing Risk in the Cloud with Salesforce

Risk Scoring Framework

A Framework for Understanding Risk

Dell BAP Pilot Domains: Insider threats are influenced by a combination of virtual, non-virtual, and organizational factors (e.g., access and clearance level). In order to quantify risk, an individual's behavior across each landscape must be evaluated and weighted, based on the drivers of risk. The following eight domain areas have been identified for the pilot.

Risk Scoring Criteria (PRIs by domain)

I. Financial Policy Violations
• Business Expenses Paid by Credit Card or Cash Alert
• Business or First Class Travel Alert
• Group Meals Alert
• Recurring Expenses Alert
• Tips Alert

II. Separation Status
• Termination Date (i.e., Date Employee is Separating From Dell)

III. Foreign Travel
• Destination Country
• Pre-Travel Brief (Yes/No)
• Post-Travel Brief (Yes/No)

IV. Physical Security Alerts
• Access Granted Anomalies
• Access Denied Anomalies
• Invalid Access Level
• Invalid Card Format
• Invalid PIN #
• Invalid Facility Code

V. Specialized Access Levels
• Security Clearance Level
• Special Access Level
• Classification
• Knowledge of Safe Combination
• Physical Access Privilege Profile Data

VI. Security Incidents
• Issue Summary
• Report Type
• Primary and Secondary Allegation Classification
• Primary and Secondary Allegation Type
• Primary and Secondary Priority (Severity)

VII. Ethics Incidents
• Issue Summary
• Report Type
• Primary and Secondary Allegation Classification
• Primary and Secondary Allegation Type
• Primary and Secondary Priority (Severity)

VIII. Performance History
• Performance Rating
• Employee Review – Dimension Comments (Parts 1-4) – Manager
• Performance Improvement Plan

IX. Additional Risk Indicators*
• Security Information and Event Management (SIEM) System
• Data Loss Prevention (DLP) System

* As Dell decides to expand the pilot to all Federal business segments, additional data sources and PRIs will be critical to the success of the detection capability.

Initial Pilot Data Sources: An analysis of historical insider threat cases and interviews with Dell data owners identified seven target systems that could supply the PRIs outlined above.

• Concur: Financial Compliance & Analysis System
• PeopleSoft: Human Resources System of Record
• Access Commander: Personnel Management System of Record
• Lenel OnGuard: Physical Security System of Record
• IntegriLink: Ethics and Security Case Tracking System
• Taleo: Human Resources Performance Rating Appraisal System
• HR Analytics: Performance Improvement Plan Data
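As an added illustration of "evaluated and weighted, based on the drivers of risk" (this is example code written for this page, not Dell's or Deloitte's scoring engine): a minimal weighted risk-score calculation in Python over PRI records from the eight pilot domains. The domain weights, the per-indicator point rules, the per-domain cap, the exposure multiplier and the sample records are all assumptions made up for the example; the only thing taken from the slide is the list of domains and source systems.

```python
"""Weighted insider-risk scoring over PRI records (illustrative only).

Domain weights, point rules, the per-domain cap and the sample records
below are assumptions made for this example; none come from the deck.
"""
from dataclasses import dataclass
from datetime import date
from typing import Any, Dict, List, Tuple

# Hypothetical weights for the eight pilot domains; a real program would
# derive these from the historical case analysis the slide mentions.
DOMAIN_WEIGHTS: Dict[str, float] = {
    "financial_policy": 1.0,
    "separation_status": 2.0,
    "foreign_travel": 1.0,
    "physical_security": 1.5,
    "specialized_access": 1.5,
    "security_incidents": 2.0,
    "ethics_incidents": 2.0,
    "performance_history": 1.0,
}

@dataclass
class Indicator:
    """One PRI record normalised out of a system of record."""
    employee: str
    domain: str            # key of DOMAIN_WEIGHTS
    name: str              # e.g. "invalid_pin", "termination_date"
    value: Any = None      # raw attribute, e.g. a date or a severity
    source: str = ""       # e.g. "Lenel OnGuard", kept for the audit trail

def indicator_points(ind: Indicator, today: date) -> float:
    """Map one raw indicator to points. Rules are hypothetical."""
    if ind.domain == "separation_status" and ind.name == "termination_date":
        days_left = (ind.value - today).days        # imminent exit scores higher
        if days_left < 0:
            return 0.0
        return 5.0 if days_left <= 14 else 2.0 if days_left <= 60 else 0.5
    if ind.domain == "physical_security":
        return 2.0 if ind.name in ("invalid_pin", "invalid_facility_code") else 1.0
    if ind.domain == "foreign_travel":
        # a skipped pre/post-travel brief is the signal; travel itself is not
        if ind.name in ("pre_travel_brief", "post_travel_brief") and ind.value is False:
            return 2.0
        return 0.5
    if ind.domain in ("security_incidents", "ethics_incidents"):
        return {"high": 4.0, "medium": 2.0, "low": 1.0}.get(str(ind.value).lower(), 1.0)
    if ind.domain == "performance_history":
        return 3.0 if ind.name == "performance_improvement_plan" else 0.5
    return 1.0  # financial_policy alerts, specialized_access attributes, anything else

def domain_scores(inds: List[Indicator], today: date, cap: float = 10.0) -> Dict[str, float]:
    """Sum points per domain, capping each so a flood of low-value alerts
    (e.g. dozens of tip alerts) cannot outweigh one serious incident."""
    totals: Dict[str, float] = {}
    for ind in inds:
        if ind.domain not in DOMAIN_WEIGHTS:
            raise ValueError(f"unknown domain {ind.domain!r} for {ind.employee}")
        totals[ind.domain] = totals.get(ind.domain, 0.0) + indicator_points(ind, today)
    return {d: min(v, cap) for d, v in totals.items()}

def risk_score(inds: List[Indicator], today: date) -> float:
    """Weighted sum of capped domain scores, scaled by an exposure multiplier:
    each specialized-access attribute (clearance, safe combination, ...) raises
    the impact of whatever else the person does."""
    base = sum(DOMAIN_WEIGHTS[d] * v for d, v in domain_scores(inds, today).items())
    exposure = 1.0 + 0.25 * sum(1 for i in inds if i.domain == "specialized_access")
    return round(base * exposure, 2)

def rank_employees(records: List[Indicator], today: date) -> List[Tuple[str, float]]:
    """Group records by employee and return (employee, score), highest first."""
    by_emp: Dict[str, List[Indicator]] = {}
    for r in records:
        by_emp.setdefault(r.employee, []).append(r)
    return sorted(((e, risk_score(i, today)) for e, i in by_emp.items()),
                  key=lambda es: es[1], reverse=True)

# Constructed sample feed: records as they might be normalised from the seven
# systems named on the slide. Employees, dates and values are made up.
TODAY = date(2013, 9, 1)
SAMPLE_RECORDS = [
    Indicator("alice", "financial_policy", "tips_alert", source="Concur"),
    Indicator("alice", "financial_policy", "group_meals_alert", source="Concur"),
    Indicator("bob", "separation_status", "termination_date", date(2013, 9, 10), "PeopleSoft"),
    Indicator("bob", "physical_security", "invalid_pin", source="Lenel OnGuard"),
    Indicator("bob", "physical_security", "invalid_pin", source="Lenel OnGuard"),
    Indicator("bob", "physical_security", "access_denied_anomaly", source="Lenel OnGuard"),
    Indicator("bob", "specialized_access", "security_clearance_level", "secret", "Access Commander"),
    Indicator("carol", "foreign_travel", "destination_country", "watchlist", "Access Commander"),
    Indicator("carol", "foreign_travel", "pre_travel_brief", False, "Access Commander"),
    Indicator("carol", "ethics_incidents", "primary_priority", "medium", "IntegriLink"),
]

if __name__ == "__main__":
    for emp, score in rank_employees(SAMPLE_RECORDS, TODAY):
        mine = [r for r in SAMPLE_RECORDS if r.employee == emp]
        print(f"{emp:<8}{score:>8.2f}  {domain_scores(mine, TODAY)}")
```

With the constructed records, the departing employee with repeated badge PIN failures and a clearance ranks first, the skipped travel brief plus an ethics case ranks second, and two expense alerts rank last; the per-domain cap is what keeps twenty-five tip alerts from outscoring any of them.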

Page 10: Dell and Deloitte: Managing Risk in the Cloud with Salesforce

Conclusion and Discussion

• At Dell, maintaining a secure Salesforce.com ecosystem is high priority, and an ongoing process

• Success at Dell is driven by a strong partnership between Salesforce.com, Deloitte, and Dell

• A broad view of security, with shared responsibilities is essential to keeping one of the largest Salesforce.com implementations secure

Page 11: Dell and Deloitte: Managing Risk in the Cloud with Salesforce

Thank you