Security: There Is No Finish Line on Security - PowerPoint PPT Presentation

Description: Phishing and Malware Response. The Most Trusted Infrastructure. Multi-tenancy improves security ... is our most effective tool against phishing and we're making ...

Slides: 45
Provided by: bodi52

Transcript and Presenter's Notes

1
Security: There Is No Finish Line on Security
Track: IT Executives
  • Peter Dapkus, salesforce.com
  • John Maxey, salesforce.com
  • Susan Perdew, salesforce.com

2
Safe Harbor Statement
Safe harbor statement under the Private
Securities Litigation Reform Act of 1995 This
presentation may contain forward-looking
statements including but not limited to
statements concerning the potential market for
our existing service offerings and future
offerings. All of our forward looking statements
involve risks, uncertainties and assumptions. If
any such risks or uncertainties materialize or if
any of the assumptions proves incorrect, our
results could differ materially from the results
expressed or implied by the forward-looking
statements we make. The risks and uncertainties
referred to above include - but are not limited
to - risks associated with possible fluctuations
in our operating results and cash flows, rate of
growth and anticipated revenue run rate, errors,
interruptions or delays in our service or our Web
hosting, our new business model, our history of
operating losses, the possibility that we will
not remain profitable, breach of our security
measures, the emerging market in which we
operate, our relatively limited operating
history, our ability to hire, retain and motivate
our employees and manage our growth, competition,
our ability to continue to release and gain
customer acceptance of new and improved versions
of our service, customer and partner acceptance
of the AppExchange, successful customer
deployment and utilization of our services,
unanticipated changes in our effective tax rate,
fluctuations in the number of shares outstanding,
the price of such shares, foreign currency
exchange rates and interest rates. Further
information on these and other factors that could
affect our financial results is included in the
reports on Forms 10-K, 10-Q and 8-K and in other
filings we make with the Securities and Exchange
Commission from time to time. These documents are
available on the SEC Filings section of the
Investor Information section of our website at
www.salesforce.com/investor. Salesforce.com, inc.
assumes no obligation and does not intend to
update these forward-looking statements, except
as required by law.
3
Our Mission
  • Lead the industry in on-demand security by
    partnering with our customers to deliver
    best-in-class security practices to protect
    customer data and trust. Employ proven, secure
    practices through world-class awareness,
    education, and technology.

4
Large companies trust salesforce.com
[Chart: Number of Subscribers at large customers: 30,000; 9,000; 5,000]
5
Agenda
  • Salesforce.com security fundamentals
  • Secure information sharing within your company
  • Preventing unauthorized outside access
  • Common End User Security Questions and Answers
  • Our Security Roadmap
  • Q&A

6
Peter Dapkus, Product Manager, Platform Security
7
The Most Trusted Infrastructure
  • Security
  • Visibility
  • SAS 70 Type II / SysTrust Certified
  • Network and Physical Security
  • Separation of Roles & Responsibilities
  • Regular Code Reviews and Audits
  • Exhaustive Automated Test Suites
  • Phishing and Malware Response
8
Multi-tenancy improves security
  • Comprehensive Set of Security Features
    • Reflects sum total of security requirements of
      all customers
    • Ability to tune security controls to meet needs
      of your business
  • Economies of Scale & Speed
    • Patching headaches
  • Penetration Testing
    • Customers
    • Vendors
    • Internal

9
Security is core to our platform
Manage any information, share any data, and build
any app more efficiently in the cloud.
10
Secure the weakest link
12
The enemy within: studies show the largest risks
come from employees
  • Data theft
  • Data vandalism
  • Abuse of privileges
  • Lost or stolen hardware
    • From computers to memory sticks
  • Mismanaged IDs and passwords
  • Poor User Management

13
Managing Internal Risks
  • Limit Employee Access to Data
  • Minimize convenience compromises
  • Manage Security Settings Carefully
  • Automate User Management

15
Available Security Options
  • Profile security settings
  • Folder access rights
  • Delegated admin rights
  • UE and EE

16
Decrease Session Timeout
  • Prevent unauthorized computer access after user
    leaves computer
  • Expire sessions after no activity
  • Requires login to access service

Timeout Application Sessions Faster
Decrease Time Before Session Timeout in Salesforce:
Setup > Security Controls > Session Settings
17
Configure a strict password policy
  • Complexity and Length
    • Make passwords difficult to guess
  • Expiration and History
    • Limit impact of stolen credentials
  • Invalid Login Attempts
    • Prevent brute force attacks

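The three controls on this slide, carried through as working policy logic. This is an added illustration, not Salesforce's implementation: the slide names the controls but not the numbers, so the minimum length, history depth, 90-day expiry, five-attempt lockout and 15-minute lock are assumed values, and the account store is an in-memory dataclass.

```python
"""Password policy with complexity, history, expiry and lockout checks.
Added illustration; not Salesforce code. Numeric limits are assumptions."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 12                      # assumed
HISTORY_DEPTH = 5                    # assumed: current + previous 4 cannot be reused
MAX_AGE = timedelta(days=90)         # assumed expiration period
MAX_FAILED_ATTEMPTS = 5              # assumed lockout threshold
LOCKOUT = timedelta(minutes=15)      # assumed lockout duration
PBKDF2_ROUNDS = 100_000


def meets_complexity(pw: str) -> bool:
    """Length floor plus at least three of four character classes."""
    if len(pw) < MIN_LENGTH:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return sum(1 for c in classes if re.search(c, pw)) >= 3


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. A fresh random salt unless one is supplied;
    re-hashing with an old salt is how the history comparison works."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    changed_at: datetime
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # previous (salt, digest)
    failed: int = 0
    locked_until: Optional[datetime] = None


def _matches(pw: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(pw, salt)[1], digest)


def create_account(username: str, pw: str, now: datetime) -> Account:
    if not meets_complexity(pw):
        raise ValueError("password does not meet complexity policy")
    salt, digest = hash_password(pw)
    return Account(username, salt, digest, now)


def change_password(acct: Account, new_pw: str, now: datetime) -> str:
    if not meets_complexity(new_pw):
        return "rejected: complexity"
    # History: the new password may equal neither the current one nor any kept previous one.
    for salt, digest in [(acct.salt, acct.digest)] + acct.history:
        if _matches(new_pw, salt, digest):
            return "rejected: reuse"
    acct.history = ([(acct.salt, acct.digest)] + acct.history)[:HISTORY_DEPTH - 1]
    acct.salt, acct.digest = hash_password(new_pw)
    acct.changed_at = now
    return "ok"


def login(acct: Account, pw: str, now: datetime) -> str:
    """Returns 'ok', 'expired' (correct password, must be changed), 'invalid' or 'locked'."""
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"                        # refuse even a correct password while locked
    if not _matches(pw, acct.salt, acct.digest):
        acct.failed += 1
        if acct.failed >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT   # brute-force limit reached
            acct.failed = 0
        return "invalid"
    acct.failed = 0
    acct.locked_until = None
    if now - acct.changed_at > MAX_AGE:
        return "expired"
    return "ok"
```

The lockout check runs before the password is evaluated, so a correct password stolen by a phisher is also refused during the lock window; expiry is reported only after a correct password, so the "expired" response does not leak whether the password was right to an attacker who never had it.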
18
Enable History Tracking
19
Implement Change Control Process
20
Automate User Management
  • Integrate with internal user management software
    • E.g. Active Directory
    • Single source of user information / status
  • Integration Options
    • Build your own using the Force.com API (Users,
      Profiles)
    • Use a Partner Offering (e.g. Ping)

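The "build your own" option, reduced to its core: reconciling a directory export against the Salesforce user list and computing the changes to apply. This is an added example, not Force.com API or partner code; it produces the list of actions (create, deactivate, reactivate, set profile) that a sync job would then carry out through the API, and it includes the safety check a practitioner wants before letting such a job deactivate anyone. The directory records and Salesforce rows are constructed, and the username-to-Username match and AD-group-to-profile mapping are assumptions.

```python
"""Plan the user changes that keep Salesforce in step with the corporate
directory. Added example; not Force.com API or partner code. Inputs are
constructed records, not real directory data."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DirUser:          # one record from the directory export (e.g. Active Directory)
    username: str       # assumed to equal the Salesforce Username
    enabled: bool       # account enabled in the directory
    profile: str        # Salesforce profile derived from group membership (assumed mapping)


@dataclass(frozen=True)
class SfUser:           # one row from a query of the Salesforce User object
    username: str
    is_active: bool
    profile: str


Action = Tuple[str, str, Optional[str]]   # (verb, username, profile or None)


def reconcile(directory: List[DirUser], salesforce: List[SfUser]) -> List[Action]:
    """The directory is the single source of truth for who exists and whether
    they are active. Salesforce users are deactivated, never deleted, so
    record ownership and audit history survive."""
    dir_by_name = {u.username.lower(): u for u in directory}
    sf_by_name = {u.username.lower(): u for u in salesforce}
    actions: List[Action] = []
    for name, d in sorted(dir_by_name.items()):
        s = sf_by_name.get(name)
        if s is None:
            if d.enabled:
                actions.append(("create", name, d.profile))
            continue
        if d.enabled and not s.is_active:
            actions.append(("reactivate", name, None))
        elif not d.enabled and s.is_active:
            actions.append(("deactivate", name, None))
        if d.enabled and s.profile != d.profile:
            actions.append(("set_profile", name, d.profile))
    for name, s in sorted(sf_by_name.items()):
        if name not in dir_by_name and s.is_active:
            actions.append(("deactivate", name, None))   # orphan: no directory record
    return actions


def guard(actions: List[Action], active_count: int, max_ratio: float = 0.2) -> List[Action]:
    """Refuse a batch that would deactivate more than max_ratio of the active
    users: a truncated or empty directory export must not lock everyone out."""
    deact = sum(1 for verb, _, _ in actions if verb == "deactivate")
    if active_count and deact / active_count > max_ratio:
        raise RuntimeError(f"refusing batch: {deact} of {active_count} active users would be deactivated")
    return actions


# Constructed sample data.
DIRECTORY = [
    DirUser("alice@example.com", True, "Sales"),
    DirUser("bob@example.com", False, "Sales"),      # left the company: disabled in the directory
    DirUser("carol@example.com", True, "Admin"),     # back from leave, and now an admin
    DirUser("dave@example.com", True, "Sales"),      # new hire, not yet in Salesforce
]
SALESFORCE = [
    SfUser("alice@example.com", True, "Sales"),
    SfUser("bob@example.com", True, "Sales"),
    SfUser("carol@example.com", False, "Sales"),
    SfUser("eve@example.com", True, "Sales"),        # no directory record at all
]


def plan() -> List[Action]:
    return reconcile(DIRECTORY, SALESFORCE)


if __name__ == "__main__":
    for verb, user, profile in plan():
        print(verb, user, profile or "")
```

With the sample data the planned batch deactivates two of the three active users, so guard() refuses it at the default 20% ratio; an operator raising the ratio is an explicit decision rather than an accident of a bad export.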
22
Phishing Targets Your Confidential Information
Primary tactic: tricks users into revealing
information at bogus websites
1. User Receives Bogus Email from Phisher
2. User Enters Credentials on Bogus Website
3. Phisher Uses Credentials & Steals Confidential
Information
23
Malware Takes Over Your PC and Steals Data
1. User Receives Email
2. Malicious Software Installs Itself on PC
3. Malware Tracks User and Steals Data
24
Managing External Risks
  • Secure Employee Systems
  • Manage Network Access
  • Challenge Unusual / Suspicious Activity
  • Implement Single Sign-On

25
Secure Employee Systems

Update to Latest Browser Version
  • Helps user identify bogus sites
  • More secure than previous versions

Deploy Email Filtering Technology
  • Stop phish and spam from reaching users
  • White list salesforce.com IP Addresses

Install and Maintain Desktop Protection
  • Virus and malware detection and removal
  • Keep application and definitions up-to-date
26
Managing Network Access
Restrict login completely
Or, specify networks you trust
27
Computer Activation
  • The ability for an end-user to activate
    additional IP addresses for accessing
    salesforce.com
  • Only necessary if IP address is unknown and
    browser cookie does not exist
  • Simple activation procedures

Web Clients
  • Any computer that will be used to access
    Salesforce CRM through the Web interface
28
Enable CAPTCHA on Reports and Export
  • Requires users to complete a CAPTCHA
  • Covers report export, printable list views, and
    weekly export
  • Challenges once per Session
  • Protects against some types of malware
  • Contact Support to have it enabled

29
Implement Web Single Sign-On with SAML
  • SAML is an industry standard for Single Sign-on
  • A secure mechanism for passing authentication
    decisions
  • Salesforce supports SAML 1.1 (Browser POST
    profile)
    • SAML 2.0 is available as a pilot
    • API in Spring 09
  • Benefits
    • Better User Adoption
    • Fewer passwords, stronger policy
    • Perform authentication within your enterprise
    • Integrate with existing user management via
      off-the-shelf products

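What "a secure mechanism for passing authentication decisions" requires of the receiving side. The Browser/POST profile has the identity provider post a signed SAML 1.1 Response to the service provider; verifying the XML signature is necessary but not sufficient. This added example (not Salesforce's SAML implementation) shows the checks that are commonly skipped even when the signature is right: recipient, validity window with clock skew, audience, bearer confirmation, and one-time use of the assertion. XML-DSig verification is assumed to have been done by a signature library and is not shown; the caller asserts it and the function refuses otherwise. The endpoint URLs, the sample Response and the 60-second skew are assumptions.

```python
"""Service-provider side checks on a SAML 1.1 Browser/POST Response.
Added example, not Salesforce code. Signature verification is a
precondition supplied by an XML-DSig library (not shown here)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Set

NS = {"samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
CLOCK_SKEW = timedelta(seconds=60)      # assumed tolerance between IdP and SP clocks


class SamlError(Exception):
    pass


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text: str, now: datetime, expected_recipient: str,
                      expected_audience: str, seen_ids: Set[str],
                      signature_verified: bool) -> str:
    """Return the asserted user name or raise SamlError. seen_ids is the
    replay cache of assertion IDs already accepted within their validity window."""
    if not signature_verified:
        raise SamlError("signature not verified")      # precondition; never skip
    root = ET.fromstring(xml_text)                       # use defusedxml for untrusted input in production
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlError("not a samlp:Response")
    if root.get("Recipient") != expected_recipient:
        raise SamlError("Recipient does not match this endpoint")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != "samlp:Success":
        raise SamlError("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlError("expected exactly one Assertion")
    a = assertions[0]
    aid = a.get("AssertionID")
    if not aid or aid in seen_ids:
        raise SamlError("missing or replayed AssertionID")
    cond = a.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise SamlError("Conditions must carry NotBefore and NotOnOrAfter")
    if now + CLOCK_SKEW < _ts(cond.get("NotBefore")) or now - CLOCK_SKEW >= _ts(cond.get("NotOnOrAfter")):
        raise SamlError("assertion is not valid at this time")
    audiences = [e.text for e in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise SamlError("assertion was issued for a different audience")
    subject = a.find("saml:AuthenticationStatement/saml:Subject", NS)
    if subject is None:
        raise SamlError("no AuthenticationStatement/Subject")
    method = subject.find("saml:SubjectConfirmation/saml:ConfirmationMethod", NS)
    if method is None or method.text != BEARER:
        raise SamlError("expected bearer subject confirmation")
    name_id = subject.find("saml:NameIdentifier", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise SamlError("no NameIdentifier")
    seen_ids.add(aid)
    return name_id.text.strip()


# Constructed sample Response (what the IdP would POST to the SP); its
# ds:Signature element is omitted because signing is not shown here.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" ResponseID="_resp1"
    MajorVersion="1" MinorVersion="1" IssueInstant="2009-02-10T12:00:00Z"
    Recipient="https://sp.example.com/saml/acs">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion AssertionID="_a1" Issuer="https://idp.example.com" MajorVersion="1"
      MinorVersion="1" IssueInstant="2009-02-10T12:00:00Z">
    <saml:Conditions NotBefore="2009-02-10T11:59:00Z" NotOnOrAfter="2009-02-10T12:05:00Z">
      <saml:AudienceRestrictionCondition>
        <saml:Audience>https://sp.example.com</saml:Audience>
      </saml:AudienceRestrictionCondition>
    </saml:Conditions>
    <saml:AuthenticationStatement AuthenticationInstant="2009-02-10T12:00:00Z"
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
      <saml:Subject>
        <saml:NameIdentifier>alice@example.com</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>"""
```

The replay cache only needs to hold an ID until its NotOnOrAfter passes, since anything presented later fails the time check anyway; the audience check is what stops an assertion issued for one service provider from being replayed at another.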
31
John Maxey, Premier Support Analyst, Security
Subject Matter Expert
32
Most Common Security Questions To Our Support
  • Sharing model
  • ID Confirmation
  • Trusted IP ranges Vs. Network Access
  • Additional Security Documentation

33
Sharing Model
  • How do we troubleshoot questions about sharing
    when a private sharing model has been
    implemented?

34
ID Confirmation
  • Why am I not getting the activation email?
  • Why am I being asked to activate the same
    computer again?
  • What are Security tokens and when are they used?

35
Trusted IP Ranges vs. Network Access
  • What is the difference between trusted IP ranges
    and Network Access?
  • Trusted IP ranges are set on the profile; once
    set, users with that profile can only log in from
    those IP ranges
  • Network Access is set for the whole organization
    as part of the ID Confirmation feature; users can
    still log in from other addresses by completing
    activation

36
Additional Security Documentation
  • SAS 70
  • Security Assessment
  • Application Load Testing

37
Where can I learn more?
  • Dreamforce campground
  • trust.salesforce.com
  • salesforce.com/community
  • Help & Training
  • System administrator training & certification
  • www.salesforce.com/developer
  • Contact your support representative

39
Roadmap Security Themes for 2009
40
Enhanced Network Access Controls
  • Login IP Range Restrictions is our most effective
    tool against phishing and we're making it easier
    to use
    • Customers have too many profiles to update
    • Admins don't always know their network IP Ranges
    • Customers want to manage by site, not by profile
  • Features
    • Global IP Range Restrictions
    • One-click Configuration based on login history
    • Manage Restrictions by Site
    • Geography-based Login Restrictions

41
Open Security for Integration & Extension
  • Open up our Security via APIs and Apex to allow
    customers and partners to enhance security
  • Planned Features
    • Apex Handlers for Security Events
      • E.g., Login, Logout, changePassword,
        resetPassword
      • Replace default behaviors with custom logic and
        callouts
    • APIs for IP Ranges, Password Policies, etc.
    • Monitoring API for Security Events
      • Allow customers to integrate with existing
        security monitoring

42
Federated Single Sign-on with SAML
  • Customers want Single Sign-On but want standards
    instead of proprietary Delegated Authentication
  • Customers are converging on SAML as the standard
  • Features
    • General Availability for SAML 2.0
    • SAML for Portals and Sites
    • API Authentication via Browser (OAuth)

43
Harden Phishing Defense
  • Know our users and their behavior better and
    challenge suspicious and high-risk actions
  • Planned Features
    • Message Center for Secure Communication in the
      Application
    • Challenge Abnormal User Activity
    • Offer More Challenge types, e.g. SMS, CAPTCHA

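The network-access controls from the earlier slides (Managing Network Access, Computer Activation, and the Trusted IP Ranges vs. Network Access answer), the roadmap's "one-click configuration based on login history", and the "challenge abnormal user activity" item above, modelled together as one piece of working logic. This is an added example, not Salesforce code: the decision rules are a simplified model of what the slides describe (profile login IP ranges as a hard restriction, org-wide trusted networks and activated computers logging in directly, everything else challenged), the /24 grouping and the three-login threshold are assumptions, and the login history is constructed from documentation address ranges.

```python
"""Login IP range checks, activation (ID confirmation), deriving ranges
from login history, and flagging logins from networks a user has never
used. Added example modelling the slides; not Salesforce code."""
import ipaddress
from collections import Counter
from typing import Iterable, List, Set, Tuple

LoginRecord = Tuple[str, str, str]   # (username, source IP, "Success" | "Failed")


def in_ranges(ip: str, ranges: Iterable[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def login_decision(ip: str, profile_ranges: List[str], org_trusted_ranges: List[str],
                   activated_ips: Set[str], has_activation_cookie: bool) -> str:
    """Modelled rules (assumed): profile login IP ranges are a hard restriction
    with no activation path; otherwise an org-wide trusted network, an activated
    computer (cookie) or a previously activated IP logs in directly, and anything
    else gets an activation challenge."""
    if profile_ranges:
        return "allow" if in_ranges(ip, profile_ranges) else "deny"
    if in_ranges(ip, org_trusted_ranges) or has_activation_cookie or ip in activated_ips:
        return "allow"
    return "challenge"     # send the activation e-mail; on success add ip to activated_ips


def _block(ip: str) -> str:
    """Collapse an address to its /24 (IPv4) or /64 (IPv6) block (assumed granularity)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def suggest_ranges(history: Iterable[LoginRecord], min_logins: int = 3) -> List[str]:
    """'One-click configuration from login history': propose the blocks seen in
    at least min_logins successful logins. Failed logins are ignored so that an
    attacker's guessing attempts cannot talk their own network onto the list."""
    counts = Counter(_block(ip) for _, ip, status in history if status == "Success")
    return sorted(block for block, n in counts.items() if n >= min_logins)


def abnormal_for_user(user: str, ip: str, history: Iterable[LoginRecord]) -> bool:
    """Flag a login from a block this user has never succeeded from: the kind of
    event that should get a challenge rather than a silent allow. A user with
    no successful history cannot be judged and is not flagged."""
    seen = {_block(h_ip) for u, h_ip, status in history if u == user and status == "Success"}
    return bool(seen) and _block(ip) not in seen


# Constructed login history (documentation prefixes, not real addresses).
LOGIN_HISTORY: List[LoginRecord] = [
    ("alice", "203.0.113.10", "Success"), ("alice", "203.0.113.11", "Success"),
    ("bob", "203.0.113.12", "Success"),                     # office block: 3 successes
    ("carol", "198.51.100.7", "Success"), ("carol", "198.51.100.7", "Success"),
    ("carol", "198.51.100.8", "Success"),                   # VPN block: 3 successes
    ("dave", "192.0.2.55", "Success"),                      # one home login: below threshold
    ("bob", "198.18.0.9", "Failed"), ("bob", "198.18.0.9", "Failed"),
    ("bob", "198.18.0.9", "Failed"),                        # password guessing: never trusted
]

if __name__ == "__main__":
    ranges = suggest_ranges(LOGIN_HISTORY)
    print("suggested trusted ranges:", ranges)
    print("dave from home, org ranges only:", login_decision("192.0.2.55", [], ranges, set(), False))
    print("alice from dave's network looks abnormal:", abnormal_for_user("alice", "192.0.2.55", LOGIN_HISTORY))
```

Two points the slides make are visible in the code: with profile ranges set there is no activation fallback, which is why a phished password used from the attacker's network is simply denied; and the suggested ranges come only from successful logins, so the history an attacker generates while guessing never widens the trusted set.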
44
Apply what you've learned
  • Identify sources of risk for your organization
    • Internal
    • External
  • Make educated security decisions
  • Capitalize on Security features available in
    Salesforce CRM
  • Be Aware of Common issues and impact on end-users

46
Session Feedback: Let us know how we're doing and
enter to win an iPod nano!
  • Please score the session from 5 to 1
    (5 = excellent, 1 = needs improvement) in the
    following categories:
  • Overall rating of the session
  • Quality of content
  • Strength of presentation delivery
  • Relevance of the session to your organization

Additionally, please fill in the name of each
speaker & score them on overall delivery.
We strive to improve; thank you for filling out
our survey.
47
QUESTION & ANSWER SESSION
PETER DAPKUS, salesforce.com, PRODUCT MANAGER
JOHN MAXEY, salesforce.com, PREMIER SUPPORT ANALYST
SUSAN PERDEW, salesforce.com, CUSTOMER SUCCESS MANAGER