What’s new in summer’15 release - Security & Compliance
1. What’s new in Summer’15 Release
Security and Compliance
Shesh Kondi
Director, Security and Compliance - Customer Success
2. Safe Harbor
Safe harbor statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-
looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the
assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or
implied by the forward-looking statements we make. All statements other than statements of historical fact could be
deemed forward-looking, including any projections of subscriber growth, earnings, revenues, or other financial items and
any statements regarding strategies or plans of management for future operations, statements of belief, any statements
concerning new, planned, or upgraded services or technology developments and customer contracts or use of our
services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and
delivering new functionality for our service, our new business model, our past operating losses, possible fluctuations in
our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the
immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate
our employees and manage our growth, new releases of our service and successful customer deployment, our limited
history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further
information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual
report on Form 10-K for the fiscal year ended January 31, 2009 and our other filings. These documents are available on
the SEC Filings section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other press releases or public statements are not currently
available and may not be delivered on time or at all. Customers who purchase our services should make the purchase
decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not
intend to update these forward-looking statements.
3. Agenda
❏ Platform Encryption
❏ Identity and Authentication
❏ Event Monitoring - Transaction Security & Data Leakage
❏ Security Best Practices
❏ Compliance
❏ SHA-256 Upgrade
❏ Q & A
5. The Problem: Sensitive, Confidential, Private, Regulated Data
… so that I can build new kinds of
apps and deliver more value to my
customers and business users
I want to store new, more
sensitive data on Salesforce…
6. The fastest, easiest and robust way to apply encryption on your sensitive data
Introducing: Salesforce1 Platform Encryption
Seamlessly protect your data at rest
Encrypt standard & custom fields, files & attachments
Easy to set up
Point and click setup in minutes
Manage your encryption keys
Customer-driven encryption key lifecycle management
Preserve important platform functionality
Features, like Validation and Workflow Rules,
made ‘encryption aware’
7. Key GA Features
Turn encryption on custom field types,
declaratively or via the MDAPI
While data is strongly encrypted at
rest, field length is not affected
Turn encryption on standard fields,
declaratively or via the MDAPI
Files and Attachments can be encrypted
while at rest in just one-click
Manage organization encryption keys declaratively
via the Setup UI or API, including Generate/Rotate,
Export, re-Import and Destroy Keys
8. Authorized User vs. Non-Authorized User
Authorized users are granted with the “View Encrypted Data” user perm to read
encrypted field values in plain text.
10. Automated User
Provisioning
With the Summer ‘15 release,
administrators can automate the
task of creating, updating, and
disabling user account
information across all
applications using Salesforce as
an Identity Provider.
Identity Feature Overview
My Domain Enhancements
With the Summer ‘15 release,
administrators can now test the
My Domain login page without
having to deploy My Domain to
all users.
The initial check to verify DNS
propagation has also been
reduced from 10 mins to 30
secs.
Session timeout for OAuth
connected apps
Administrators can set specific
session timeout (aka access
token timeout) for OAuth
connected apps that overrides
the session timeout set at the
profile or org level.
14. Continuous IP
Restriction
Enforce Login IP range on
every request (rather than
during login only)
Add Geographic Info to
Login Events
Track the approximate
geographic location of the
IP address of user login
attempts
Export Control
Block access from
embargoed countries
Create SAML Settings
from a File or URL
Create SAML SSO
settings by importing a
metadata file or URL
SAML IdP Metadata
Discovery Endpoint
Expose Salesforce and
Community Identity
Provider metadata via a
public URL
Authentication Feature Overview
Custom Logout URL
Direct users to a specific
logout destination after
they log out of Salesforce
Custom Auth Provider
Endpoints
Edit the authorization,
token, and user info
endpoints for Google and
LinkedIn auth providers
Track Auth Service ID
with Login History
Associate the
authentication service ID
with a user’s login history
15. Continuous IP Restriction
Org level setting that
allows admins to
enforce the IP restriction
check on every access,
not just during login.
Disabled by default.
16. Custom Logout URL
Direct users to a specific web page
after they log out of Salesforce.
From Setup, go to Security
Controls > Session Settings.
17. Add Geographic Info to Login Events
Approximate geographic location
of the IP address of a user’s login.
More fields can be shown in a
custom view, such as Postal Code
and Lat/Long.
Geolocation info is also available
in Session Management and the
new LoginGeo object.
18. Export Control
STOP: Important Information
In June 2015, we will turn on Export Control to block IPs from embargoed countries from accessing the Salesforce service. The
purpose is to ensure compliance with U.S. law related to embargoed territories. If you attempt to access Salesforce from one of
these restricted IP ranges, they will receive the error below and can’t log in.
For more information go to http://trust.salesforce.com/trust/blocked
A user accessing Salesforce with an
IP located in an embargoed country*
will be blocked and get this error
message with a link to
http://trust.salesforce.com/trust/blocked
[*Syria, Iran, Cuba, Sudan, North Korea or Crimea]
19. Create SAML Settings from a File or URL
Configure single sign-on
by importing the settings
from an XML file or public
URL containing SAML 2.0
metadata.
20. SAML IdP Metadata Discovery Endpoint
Share the SAML configuration metadata for your
Salesforce or Community identity provider with
service providers via public URLs.
Available on the Identity Provider page and
Manage Apps > Connected Apps detail (for
SAML)
Example of the metadata XML
content retrieved from the endpoint
21. Custom Auth. Provider Endpoints
You can edit the authorization, token
and user info endpoints and customize
the Oauth flows.
Admins that want to use custom
endpoints must create an external
third-party application and update
the consumer key and secret in the
Auth. Provider configuration.
22. Track Auth Service ID with Login History
You can use the AuthenticationServiceId in
the Login History to verify which
authentication service or configuration a user
logged in with.
23. Event Monitoring: Transaction
Security and Data Leakage
Eric Leach
Sr. Director, Product Management
Adam Torman,
Director, Product Management
Real time security actions
Historic data leakage detection
24. Monitor User Activity
Know who is accessing data from where
Optimize Performance
Troubleshoot application performance to improve
end user experience
Track Application Usage
Understand application usage to increase adoption
Gain Visibility Into User Actions with Event Monitoring
25. Real Time Security Actions For User Activity Monitoring
Customizable Apex Policies
Framework auto-generates policies
Define Real Time Actions
Notify, Block, Force 2FA, Session Chooser
Enforce Session Constraints
Control the number of active user sessions
PILOT
26. Transaction Security Policy Framework: Concurrent Sessions
Pre-generated policy to control the
number of concurrent user sessions
Control access based on profile, IP
address or other common user info
New session chooser page allows
users to select sessions to terminate
PILOT
28. Spring ‘15
Login Forensics - API Only
Summer ‘15
API Query Events - API Only
Session Correlation - API Only
Roadmap
Report, List View, and Click Events
Wave App Integration
Data Leakage Detection Pilot
PILOT
30. Security
is
a
partnership
with
our
customers.
Se3ng
and
reviewing
Security
Controls
will
improve
your
org’s
health.
Users
are
on
the
front
line.
31. Password security
Passwords are the first line of defense.
Security Risk
Loss of access control.
Compromise will be blamed on the account owner.
Teach your users about password ownership
No password/credential sharing. No exceptions.
Discourage password reuse.
Effective insider threat technique.
Address internally or report to security@salesforce.com.
32. Phishing
● Educate your Salesforce users!
● If your users get a “Salesforce” e-mail, have them reach out to you or your
security team to double check that it is legitimate
● If you are not sure about a ”Salesforce" e-mail, ask us, by forwarding to
security@salesforce.com
● What is phishing?
● One of the most effective and pervasive attack techniques
● Luring a user to click on a link that carries a malicious payload
● Resources:
○ trust.salesforce.com
○ staysafeonline.org
33. Phishing: Real World Example
● Hover over links to validate.
● Does the e-mail context make
sense?
● Does the e-mail sender make
sense?
● Does Salesforce send
receipts in this manner? Are
you normally a recipient?
● Look for typos/grammatical
errors.
● Beware Clickbait!
34. Look for:
● Legitimate @salesforce.com or
@exacttarget.com address
● Current Salesforce logo
● Links go to www.salesforce.com or App Stores
(hover with your mouse)
● Call to action not overly aggressive
Legitimate Salesforce Emails
36. Salesforce Authenticator
Protects account access
even if the user’s password
is compromised
Significantly reduces
vulnerability
Great resource:
www.twofactorauth.org
37. Login IP Ranges
Available to all customers
Only access Salesforce from a designated set of IP Ranges. Two levels:
Org-level Trusted IP Ranges (permissive)
Profile-level Login IP Ranges (restrictive)
Enterprise, Unlimited, Performance, Developer:
Manage Users | Profiles
Contact Mgr, Group, Professional:
Security Controls | Session Settings
38. Recommendation
✓ Org-wide Trusted IP Ranges → all users in your organization
✓ Profile- based login IP range restrictions → employees with
access to lots of data or sensitive materials (Admins,
Developers)
✓ Profile- based login IP range restrictions --> users connecting
from the same locations.
39. ● Deactivate users as soon as
possible
● Deactivation removes login access
while preserving historical activity
and records
● Sometimes users cannot be
deactivated: assign new user or
reassign approval responsibility first
● Know your IT department’s
termination process
User Deactivation
Best practice:
Freeze users first!
From Setup, click Manage Users | Users.
Click Edit next to a user’s name.
Deselect the Active checkbox and then click Save.
41. Update on Certifications
❏ ISO 27001
❏ Updated to 2013 Standard
❏ Certification Document available
❏ PCI-DSS v3
❏ Pre-Assessment complete
❏ Audit in progress.
❏ SOC2 Type 2 for Marketing Cloud
❏ Certification Document available
43. SHA-256 Upgrade
What’s Changing?
Salesforce will be moving from utilizing certificates with a SHA-1 hash algorithm to new certificates with a SHA-256 hash
algorithm. This change is to maintain alignment with the industry-wide security best practices.
Core production instances will start being updated in August 2015.
Operating Systems
(OS) & Browsers
Must meet minimum
version requirements
TEST SITE: https://sha2test.salesforce.com/s/
More Information: HTTPS Security Certificate Change from SHA -1 to SHA-256 hash algorithms
What do I need to do to be prepared?
Users
Must use OS’s and
browsers compatible
with SHA-256
Middleware /
Integrations*
Should be tested to
ensure continuous
access
*Customers who locally cache certificates in their middleware should join the Success Community group:
“Official: Certificate Changes” in order to receive the necessary updates and information required in order to