(COS) (DF16Circles) Circles of Success - Security and Compliance On Salesforce - What You Need To Know
Forward-Looking Statements
Statement under the Private Securities Litigation Reform Act of 1995:
This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
Game Plan
• Share your successes.
Data Residency
• Comply with country-specific data regulations which may prohibit the retention/processing of data in another country
Data Privacy
• Restrict access to intended users based on business and regulatory parameters (Least Privilege – need-to-know access only)
Data Protection
• Conform with data handling standards for how PII needs to be secured in transit, at-rest, and while in-use
• Balance business critical functionality against security and risk measures
Apps Are Generating More Customer Data Than Ever Before
90% of the World’s Data Created in the Last 12 Months
[Figure: data-handling actions shown around Apps and Health Data: Delete, Modify, Recall / Distribute, Audit, Archive, Prevent]
Data Security Principles
[Figure: Visibility, Deletion, Detection, Monitoring, Control, Protection, Prevention]
Security Lifecycle Paradigms
Unwarranted or Unintended Access to Data, Devices, Resources and Systems
Salesforce Multi-Tenancy Architecture
How does Salesforce securely store and process customer data?
What’s a Metadata-Driven Multi-Tenancy?
How does it work?
• The underlying Force.com platform supports multiple Cloud-based Applications (Salesforce CRM, Service, WAVE Analytics, Marketing Cloud, etc.)
• The Platform uses metadata in real time to instantiate the requested application AND to retrieve the required data field elements to populate the user-defined (and permissioned) page layouts, dashboards, and reports.
• Consistent granular access controls determine Who can see What data field elements, When, and from Where
Salesforce Metadata-Driven Multi-Tenant Architecture
Salesforce Inherent Security Controls
Supporting the Least Privilege Access Model
• Data is stored in a unique Multi-Tenant Environment which separates data components into disparate and de-identifiable tables
• Customer-specific metadata is then used to re-cast the record, which is displayed in the customer-defined page layout(s) and represented in our API
• Database Column headings contain a simple VALUE reference (from Value 1 to Value 800)
• Organizational Access Controls establish user baseline access to specific data within a Salesforce ORG
• Roles, Profiles, and Permission Sets establish user entitlement rights to specific Objects, Records, and Fields.
• Field-level security and Platform Encryption techniques can be used at the individual field level to deny access to specific data elements.
• Field Level Security – Users are prevented from accessing specific fields within a Record/Object and cannot search or create reports or dashboards based on the specific field
• Platform Encryption – ONLY removes the user’s ability to read the data in plain text. The user is still aware that the data exists but will see ****** in the field value on page layouts, reports, and dashboards.
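The storage model and the two field-level controls just described, as a toy Python model added here (not Salesforce code): raw VALUE columns partitioned by OrgID, per-org metadata that re-casts them into named fields, Field Level Security that omits a field entirely, and Platform Encryption that only masks the plaintext. All org IDs, field names and records are constructed.

```python
"""Toy model of metadata-driven multi-tenant storage with FLS and Platform
Encryption. Added example, not Salesforce code; all values are constructed."""

MASK = "******"  # shown in place of an encrypted field the user may not decrypt

# Generic storage: (OrgID, object, raw VALUE columns); headings carry no meaning.
RAW_ROWS = [
    ("00D000000000001", "Contact",
     {"Value1": "Ada", "Value2": "123-45-6789", "Value3": "ada@example.test"}),
    ("00D000000000002", "Contact", {"Value1": "Grace", "Value2": "+1-555-0100"}),
]

# Per-org metadata re-casts VALUE columns into named fields and marks encrypted
# ones. Org 1 keeps an SSN in Value2; org 2 uses that column for a phone number.
METADATA = {
    ("00D000000000001", "Contact"): {
        "fields": {"Name": "Value1", "SSN": "Value2", "Email": "Value3"},
        "encrypted": {"SSN"},
    },
    ("00D000000000002", "Contact"): {
        "fields": {"Name": "Value1", "Phone": "Value2"},
        "encrypted": set(),
    },
}

def recast(org_id, obj, raw):
    """Turn one raw VALUE row into the org's named record via its metadata."""
    meta = METADATA[(org_id, obj)]
    return {name: raw[col] for name, col in meta["fields"].items() if col in raw}

def render(org_id, obj, fls_readable, can_view_encrypted):
    """Records a user sees: fls_readable = fields the profile/permission set may
    read; can_view_encrypted = whether encrypted fields are shown in plaintext."""
    encrypted = METADATA[(org_id, obj)]["encrypted"]
    out = []
    for row_org, row_obj, raw in RAW_ROWS:
        if row_org != org_id or row_obj != obj:
            continue  # partitioned by OrgID: other tenants' rows are never touched
        record = {}
        for name, value in recast(org_id, obj, raw).items():
            if name not in fls_readable:
                continue  # FLS: field is omitted entirely, its existence not shown
            if name in encrypted and not can_view_encrypted:
                value = MASK  # encryption: field exists, only the plaintext is hidden
            record[name] = value
        out.append(record)
    return out
```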
Multi-Tenant Architecture and Security Controls
[Figure: the Salesforce Application RunTime Engine sits over the Common Salesforce Metadata and the Database; the Leads and Contacts tables each carry their own Metadata. Captions: Data Table is Stored as Raw Collection of Fields; Metadata Maintains Relational Integrity; Data Table is Partitioned by OrgID]
Salesforce Platform Security Services
Defense in Depth
• Identity, Authentication & SSO
• Profiles/Permissions
• Field History Tracking
• Event Monitoring
• Encryption
Data Security Principle/Control Matrix
Data Handling Control: Visibility – Salesforce Security Technique: Field Audit Trails, Set-up Audit Trails, User Login History
[Figure: layered security services]
• Salesforce Shield: Event Monitoring, Field Audit Trail, Platform Encryption
• Application Services: Identity & Single Sign On, Password Policies, Two Factor Authentication, User Roles & Permissions, Field & Row Level Security
• Network Services: HTTPS Encryption, Penetration Testing, Advanced Threat Detection, Secure Firewalls, IP Login Restrictions
• Infrastructure Services: Secure Data Centers, Backup and Disaster Recovery, Real-time replication, Third Party Certifications, Customer Audits
Companies Are Running Their Business on Salesforce1
Provide insight into how users are consuming data
• Who is accessing my data?
• What changes did they make to my data?
• Who made the changes?
• Who is downloading data?
• What data fields were included in the report?
• Who is entitled to see what data?
• From where? What Device? What location?
Track illicit behavior
• Integration with Forensic Tools to discover and alert on illicit behavior
Ability to protect data from malicious compromise
• In transit
• At-rest
[Screenshot: Admin Analytics Wave app (“ELF Exploring”) with 29 datasets, including REPORT, APEX, SOAP, LOGIN AS and WORKFLOW]
• Identity forensics
Salesforce Platform
[Screenshot: Admin Analytics Wave app (“ELF Exploring”) with 9 lenses, including Audit Login-As and Lightning Sync]
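The questions above (who is downloading data, from where, who used Login-As) answered over constructed Event Log File style rows of the kinds the ELF datasets hold, as an added Python example that is not Salesforce code. The column names (EVENT_TYPE, TIMESTAMP, USER_ID, CLIENT_IP, URI), the event type names and the trusted IP range follow the general ELF layout but are assumptions here; every user ID, IP and report ID is constructed.

```python
"""Triage of constructed ELF-style CSV rows. Added example, not Salesforce
code: column names and event types are assumed, all values are constructed."""
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample; several event types concatenated into one CSV for brevity.
SAMPLE_ELF = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_IP,URI
Login,20161005100000.000,005000000000AAA,203.0.113.10,/
ReportExport,20161005100500.000,005000000000AAA,203.0.113.10,/00O000000000001
ReportExport,20161005100700.000,005000000000AAA,203.0.113.10,/00O000000000002
ReportExport,20161005101000.000,005000000000AAA,203.0.113.10,/00O000000000003
LoginAs,20161005110000.000,005000000000BBB,198.51.100.7,/
ReportExport,20161005110300.000,005000000000CCC,198.51.100.7,/00O000000000004
"""

# Corporate egress range the admin knows (constructed, assumed).
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def parse_elf(text):
    """Rows as dicts keyed by the CSV header."""
    return list(csv.DictReader(io.StringIO(text)))

def report_exports_by_user(rows):
    """Who is downloading data, and how many reports each?"""
    return Counter(r["USER_ID"] for r in rows if r["EVENT_TYPE"] == "ReportExport")

def exports_from_untrusted_ips(rows):
    """From where? Exports whose client IP is outside the trusted range."""
    def trusted(ip):
        return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)
    return [(r["USER_ID"], r["CLIENT_IP"], r["URI"]) for r in rows
            if r["EVENT_TYPE"] == "ReportExport" and not trusted(r["CLIENT_IP"])]

def login_as_sessions(rows):
    """Identity forensics: which users performed a Login-As, and from where."""
    return [(r["USER_ID"], r["CLIENT_IP"]) for r in rows if r["EVENT_TYPE"] == "LoginAs"]

def flag_bulk_exporters(rows, threshold=3):
    """Alert rule: users with at least `threshold` report exports, for review."""
    return sorted(u for u, n in report_exports_by_user(rows).items() if n >= threshold)
```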
Planned Key Features (Forward-Looking Statements)
The ROI is based on a customer survey conducted by independent, third-party Market Tools.
All other metrics are based on Premier customer metadata.
Gartner
Security concerns remain the most common reason for avoiding the use of public cloud services. However, only a small percentage of the security incidents impacting enterprises using the cloud have been due to vulnerabilities that were the provider's fault. This does not mean that organizations should assume that using a cloud means that whatever they do within that cloud will necessarily be secure. The characteristics of the parts of the cloud stack under customer control can make cloud computing a highly efficient way for naive users to leverage poor practices, which can easily result in widespread security or compliance failures.
The growing recognition of the enterprise's responsibility for the appropriate use of the public cloud is reflected in the growing market for cloud control tools. By 2018, 50 percent of enterprises with more than 1,000 users will use cloud access security broker products to monitor and manage their use of SaaS and other forms of public cloud, reflecting the growing recognition that although clouds are usually secure, the secure use of public clouds requires explicit effort on the part of the cloud customer.
Source: http://www.gartner.com/newsroom/id/3143718