Introducing salesforce shield - Paris Salesforce Developer Group - Oct 15
-
Upload
paris-salesforce-developer-group -
Category
Technology
-
view
950 -
download
2
Transcript of Introducing salesforce shield - Paris Salesforce Developer Group - Oct 15
Introducing: Salesforce Shield The fastest way to build trusted apps
Safe harbor statement under the Private Securities Litigation Reform Act of 1995:
This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
Safe Harbor
SNA
Terminal
Mainframe LAN / WAN
Client
Server
LAN / WAN
Client
Server
Cloud
Mobile
Social
Data Science
Thousands customer interactions
connected things Billions Trillions Millions
The app revolution is opening up a world of innovation for businesses
Apps are generating more customer data than ever before
Apps
Financial Data
Health Data
Location Data
90% of the world’s data created in the last 12 months
World’s Most Trusted Enterprise Cloud Trust is our #1 value
Five Elements of Trust
Transparency
Always on availability
Performance at scale
Global data centers
Enterprise compliance
Q1 Transactions 211B+
Customers 150k
Apps 2M+
Salesforce Trust Services
Infrastructure Services
Analytics Community Marketing Service Sales Apps
Network Services
Application Services
Secure Data Centers
Backup and Disaster Recovery
47 Major Releases
HTTPS Encryption
Penetration Testing
Advanced Threat Detection
Identity & Single Sign On
Two Factor Authentication
User Roles & Permissions
Field & Row Level Security
Secure Firewalls
Real-time replication
Password Policies
Third Party Certifications
IP Login Restrictions
Customer Audits
150,000+ customers 2,000,000+ apps
Sixteen years of innovation on the world’s most trusted cloud
Introducing: Salesforce Shield
Infrastructure Services
Network Services
Application Services
Secure Data Centers
Backup and Disaster Recovery
HTTPS Encryption
Penetration Testing
Advanced Threat Detection
Identity & Single Sign On
Two Factor Authentication
User Roles & Permissions
Field & Row Level Security
Secure Firewalls
Real-time replication
Password Policies
Third Party Certifications
IP Login Restrictions
Customer Audits
Salesforce Shield Platform Encryption
Event Monitoring
Field Audit Trail
New services to help you build trusted apps fast
Monitor User Activity Know who is accessing data from where
Optimize Performance Troubleshoot application performance to improve end user experience
Track Application Usage Understand application usage to increase adoption
Gain Visibility Into User Actions with Event Monitoring
Retain Field History for Up to 10 Years with Field Audit Trail
Establish Data Retention Policies Know the state and value of data at any time Access Retained Data at Scale Normalize on big data back-end for performance
Comply with Industry Regulations Secure data archive with the highest trust standards
Encrypt Sensitive Data While Preserving Business Functionality
Seamlessly protect data at rest Encrypt standard & custom fields, files & attachments Natively integrated with key Salesforce features E.g., Search, Chatter, Lookups work with encrypted data
Customer managed keys Customer-driven encryption key lifecycle management
Salesforce Shield New services to help you build trusted apps fast
Encrypt Audit Monitor
Platform Encryption Field Audit Trail Event Monitoring
Salesforce Shield The Event Monitoring Story
Auditing, Analytics and Actions at a Glance Audit Fields Login History Setup Audit Trail Field History
Tracking Field Audit Trail Event Monitoring
Purpose Track who created or last modified a record user and time
Track end-user logins and login attempts (e.g. failures)
Track Administrative changes in setup like escalation of privileges or creation of new fields
Track state changes at the field level Analysis: Track a variety of server interactions including report exports, page views, and document downloads
Action: Automate actionable security policies such as limiting data export or notifying on concurrent login sessions
Example Adam Torman modified the Acme account earlier today
Adam Torman logged in using Chrome v 42.0 on Mac OSX
Permission set Modify All Data assigned to user Adam Torman
Adam Torman changed the Case status from Open to Closed
Adam Torman clicked on Marc Benioff’s patient record and downloaded the customer list
Jari Salomaa was prevented from logging into his iPad until he removed a previous login session
Interface Record Detail UI and API
Setup UI and API Setup UI and API Setup / Related List UI and API API (CSV download) + Wave Integration
Setup UI
[Profile or Sharing] Permissions Required
*Read/Query requires sharing access to parent record
Manage User permission
*View Setup and Configuration permission
Configure requires Customize Application permission *Read/Query requires sharing access to parent record
*View Event Log Files permission AND * View Login Forensics
Author Apex AND Customize Application
Data Retention Policy
Life of the record / 18 Months depending on org inception date
6 months FIFO 6 months FIFO 20 fields for 18 months
60 fields for 10 years
Up to 30 days for Event Log Files and 10 years for Login Forensics
N/A
Pricing $0 $0 $0 $0
** $add-on $0 - Login/Logout Event Log Files for 1 day ** $add-on - 29 log files for 30 days + Login Forensics + Transaction Security
Online Docs
Audit Fields Login History Setup Audit Field History Field Audit Event Monitoring Transaction Security
What we are hearing from CISOs
1. Visibility to user activity Report on what users are doing and where policies are needed
2. Generate security policies Generate real-time actions such as notifications and proactive prevention
3. Automate actions from policies Fine-tune your application portfolio and business process
4. Analyze, monitor results and audit Fine-tune your security policies and provide audit trails for auditors
Two halves of the same solution
Analytics
Actions
Policy Generation
Event Capture
Historical Analytics
Real Time Actions
Cycle of Security Historical
Logs
User Segmentation
Real-time Analytics
Audit
Event Generation
Policy Deployment
Policy Design
Policy Customization
Analytics Actions
Policy Design
Policy Enforcement Data Capture and Management
Reporting and Audit
Analytics For Event Monitoring
Support Provide better, data-driven support for your end users
Audit Track your user’s activities
Optimize Fine-tune your application portfolio and business process
Actions For Event Monitoring
Customizable Apex Policies Framework auto-generated policies
Define Real Time Actions Notify, Block, Force 2FA, Session Chooser
Enforce Session Constraints Control the number of active user sessions
An Example Concurrent Log Sessions
Problem set: Concurrent Login Sessions ● Users should not be logged in to
more than ‘n’ sessions ● Limit the number of concurrent
sessions to reduce risk with malicious activities ○ FedRamp requirement
● Security policy should understand who will be impacted and prompt the user to remove previous sessions that no longer apply
Policy Generation
Event Capture
Historical Analytics
Real Time Actions
Cycle of Security Historical
Logs
User Segmentation
Real-time Analytics
Audit
Event Generation
Policy Deployment
Policy Design
Policy Customization
Analytics Actions
Policy Design
Policy Enforcement Data Capture and Management
Reporting and Audit
Analyze current login behaviors using analytics
Track login trends and ask questions: ● Who will be impacted if you create a policy based
on Profile, Role, User, etc…? ● What integrations may break? ● How are user’s logging in - S1 Mobile, Web
Browser, integrations?
Policy Generation
Event Capture
Historical Analytics
Real Time Actions
Cycle of Security
Historical Logs
User Segmentatio
n
Real-time Analytics
Audit
Event Generation
Policy Deployme
nt
Policy Design
Policy Customizatio
n
Determine criteria for policy
By Profile: ● System Admin Profile >= 2
By Role: ● East Coast Exec Role >=5
By User: ● Adam Torman OR Jari Salomaa
>=1 By Time: ● Saturday OR Sundays >=1
Policy Generation
Event Capture
Historical Analytics
Real Time Actions
Cycle of Security
Historical Logs
User Segmentatio
n
Real-time Analytics
Audit
Event Generation
Policy Deployme
nt
Policy Design
Policy Customizatio
n
Decide which actions to take Policy Generation
Event Capture
Historical Analytics
Real Time Actions
Cycle of Security
Historical Logs
User Segmentatio
n
Real-time Analytics
Audit
Event Generation
Policy Deployme
nt
Policy Design
Policy Customizatio
n
Determine actions to take: ● None ● Block ● 2FA ● Session Chooser
Customize Apex policy and add criteria
Customize the policy ● Apply custom criteria such as
Profiles, Roles, Users, etc… ● Work closely with your developers to
customize it for your design
Policy Generation
Event Capture
Historical Analytics
Real Time Actions
Cycle of Security
Historical Logs
User Segmentatio
n
Real-time Analytics
Audit
Event Generation
Policy Deployme
nt
Policy Design
Policy Customizatio
n
Deploy policy
Deployment is as easy as selecting a checkbox on the policy
Policy Generation
Event Capture
Historical Analytics
Real Time Actions
Cycle of Security
Historical Logs
User Segmentatio
n
Real-time Analytics
Audit
Event Generation
Policy Deployme
nt
Policy Design
Policy Customizatio
n
Real-time action policy enforcement
In real-time, users will be forced to take an action based on the criteria you created
Policy Generation
Event Capture
Historical Analytics
Real Time Actions
Cycle of Security
Historical Logs
User Segmentatio
n
Real-time Analytics
Audit
Event Generation
Policy Deployme
nt
Policy Design
Policy Customizatio
n
Analyze policy enforcement and Audit
Track how many 2FA or session chooser screens were selected.
Policy Generation
Event Capture
Historical Analytics
Real Time Actions
Cycle of Security
Historical Logs
User Segmentatio
n
Real-time Analytics
Audit
Event Generation
Policy Deployme
nt
Policy Design
Policy Customizatio
n
Salesforce Platform Encryption Strongly encrypt data at rest while preserving critical business functionality
Encrypt data at rest when it is stored on the App Cloud
Encrypt Standard & Custom Fields, Files, & Attachments
Customers manage their encryption keys on the App Cloud platform
What Problems We Solve
Why It’s Unique Salesforce Platform Encryption
Quickly and seamlessly protect sensitive data
Setup takes minutes – no extra hardware or software
Makes the App Cloud ‘encryption aware’
Salesforce1 Mobile-ready, natively
Salesforce Platform Encryption
Encryption Services Standards based encryption built natively into the App Cloud Platform AES encryption using 256bit keys Layers seamlessly with other App Cloud security features
Key Management Customer driven key lifecycle management
Uses secure derived keys that are never persisted in the App Cloud Hardware Security Module based key management infrastructure FIPS 140-2 compliant
Policy Management Customer control over policy configuration
Select fields, files, and attachments to be encrypted Encryption controlled with metadata to take complexity out of deployments
App Cloud Integration Preserve important functionality like search and business rules Built-in capabilities to iteratively add additional feature support
Features and Functionality Overview
Architecture Overview
Encrypted Fields Encrypted Files
AES 256
DATA
Database File Storage FFX
Database File Storage FFX
Database File Storage FFX
Database File Storage FFX
Key Derivation Server
Embedded HSM
Key Derivation Server
Embedded HSM
Key Derivation Server
Embedded HSM
Key Derivation Server
Embedded HSM
Keys and Secrets Master Secret Master Wrapping Key
Master Salt Tenant Wrapping Key
Keys and Secrets Key Derivation Server RSA Key Pair
Hardware Security Modules Key Management Components
Master HSM Key Derivation Server
Embedded HSM
Functions
Generates Per-Release Secrets and Keys
Encrypts Secrets and Keys for Secure Distribution
Air-gapped from Production Network
Functions
Unwraps Per-Release Secrets and Keys
Generates and Encrypts Tenant Secret
Performs Key Derivation
Generated once per release by Salesforce Security Officer using air-gapped Master HSM Encrypted with the Master Wrapping Key and stored in Key Derivation Servers Decryptable only by Key Derivation Server’s Private Key and the Master Wrapping Key
Org-specific secret generated, managed, and rotated by customers Manage via Setup or SOAP API Encrypted using the per-release Tenant Wrapping Key and stored in the database Decryptable only by Key Derivation Server’s Private Key and Tenant Wrapping Key
Created by Key Derivation Servers via Password Based Key Derivation Function Decrypts and combines Master and Tenant Secrets and Master Salt as input to PBKDF2 function Output of KDF is an Org-specific Data Encryption Key used to encrypt customer field values and files Derived keys are cached on the App Cloud platform
Master Secret / Master Salt Tenant Secret Data Encryption Key
Key Derivation Creating Org-specific Data Encryption Keys
Deriving Data Encryption Keys Standards Based Key Derivation Function: PBDKF2 HMAC with SHA256 Runs 15,000 Iterations Outputs 256 bit length Data Encryption Key
Tenant Secret 1
Password Based Key Derivation Function
Data Encryption Key 1
Data Encryption Key 1
Cache
Master Secret Summer
‘15
Summer ‘15
Master Salt
Key Derivation Server
Embedded HSM
Key Derivation Server
Embedded HSM
Key Derivation Server
Embedded HSM
Key Derivation Server
Embedded HSM
Customer Driven Key Lifecycle Derived Encryption Keys Are Never Persisted Create, Manage, and Rotate Keys Declarative & API Based Key Management Import and Export Tenant Secrets on Demand
Field Encryption Policies Customer Driven Encryption Policies Declarative or API Policy Configuration Supports Both Standard and Custom Fields Natively Integrated with the App Cloud Features
Standard Field Encryption and Search
Standard Field Encryption • Account Name • Contact First/Middle/Last Name • Email • Phone • Home/Other Phone • Mobile • Fax • Mailing Street & City • Person Account fields • Case Subject, Description • Case Comments’ Body
Search Fields and Files (via Desktop, Salesforce1 Mobile and SOSL)
Custom Field Encryption
Custom Field Types • Email • Phone • Text • Text Area • Text Area (Long) • URL
Enable with Metadata Encrypt Existing Fields
Chatter Files and Attachments Encryption
Encrypt Content of Chatter Files Preview Encrypted Files File Content Search Encrypt Attachments
Thank you