Security and Your Salesforce Org
•Transferir como PPT, PDF•
1 gostou•2,259 visualizações
Presented in the Admin Theatre at London World Tour on 19 May 2016.
Recomendados
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Semelhante a Security and Your Salesforce Org
Semelhante a Security and Your Salesforce Org (20)
Mais de Salesforce Admins
Mais de Salesforce Admins (20)
Último
Último (20)
Security and Your Salesforce Org
- 1. Security and your Salesforce Org CyberSecurity techniques to harden your org. Francis Pindar Technical Architect francis@netstronghold.com @radnip
- 2. Security and your Salesforce org CyberSecurity techniques to harden your org. Francis Pindar Technical Architect francis@netstronghold.com @radnip www.radnip.com LinkedIn.com/in/francisuk
- 4. I think of security as…
- 5. Salesforce Security Applicable to the Sales Cloud, Service Cloud, Communities, Chatter, database.com, site.com and Force.com. For audits, certification and security information or other services, please see the Trust & Compliance section of help.salesforce.com. Infrastructure-level SecurityApplication-level Security Firewall SSL Accelerators Web/App Servers Load Balancers Database Servers Trusted Networks Authentication Options Field Level Security Object Level Security (CRUD) Audit Trail Object History Tracking
- 6. Where are these cyber attacks coming from?
- 7. Where are these cyber attacks coming from?
- 9. Rogue Devices - Keyboard Logger
- 10. Two Factor Authentication (2FA) • Provides an extra layer of security beyond a password • If a user’s credentials are compromised, much harder to exploit • Require a numeric token on login • Can be received via app, SMS, email, hardware (YubiKey)
- 11. Health Check
- 12. My Top Risky System Permissions “System Admin” Permission Set Standard Profile Export Report* Yes Yes No Data Export No No No Modify All Data No? No No Manage Profile Permission Sets Yes No No View Setup Yes Yes No View All Data Yes? No No View Encrypted Data No No No Manage Remote Access Yes No No Password Never Expires No No No Bulk API Hard Delete No No No Permissions you need to have * Enable reCapture -> Send case to Salesforce
- 13. My Top Risky System Permissions “System Admin” Permission Set Standard Profile API Enabled No Yes No Manage Interactions Yes No No Manage Two Factor Authentication No No No Permissions you need to have Source: placeholder
- 14. Permission Comparator By @_johnbrock https://perm-comparator.herokuapp.com/
- 15. Auditing your Salesforce org
- 16. Salesforce Toolkit by @benedwards44 http://sftoolkit.co/
- 17. Salesforce Toolkit by @benedwards44 http://sftoolkit.co/
- 18. Salesforce Toolkit by @benedwards44 http://sftoolkit.co/
- 19. Salesforce Toolkit by @benedwards44 http://sftoolkit.co/
- 20. CyberSecurity by FutureLearn/Open University https://www.futurelearn.com/courses/introduction-to-cyber-security • FREE online course • Duration: 8 weeks • 3 hours a week • Certificates available Next Start dates: • 4th July 2016 • 3rd October 2016
- 21. Key Principles – The Human Factor • Limit the number of users with admin rights • Provide users with minimum access to do their job • Create rigorous process for user termination/deactivation • Basic security training for all users on credential/password security, phishing, and social engineering • Trailhead for ongoing, role-focused education • Effective security requires cross-org communication https://developer.salesforce.com/trailhead
- 22. thank y u Francis Pindar francis@netstronghold.com @radnip www.radnip.com LinkedIn.com/in/francisuk
Notas do Editor
- BBC Good Food Show tomorrow.
- Experts are saying British businesses are not doing enough to protect themselves. Cyber attacks are exacting a heavy toll on british businesses. Research company Cebr last year reported £34bn of increase IT expenditure and lost revenue. [CLICK] The UK Government found boards of half of FTSE 350 companies only hear about cyber incidents only on an occasional basis or when something goes wrong. But Damage can sometimes harm a companies reputation more than the actual attack. UK Governments Public Policy Exchange is saying the threat from cyber attacks to the UK’s national security is “Real and Growing”. Such attacks have been called a “Tier One” threat to the UK. [CLICK] A recent report of UK companies showed that nearly half (46%) of small business owners have no employee responsible for data security and more alarming 27% have no process or policy at all. But its not just isolated to small companies. Last year saw an conservative estimate 487,731,758 records (based on public information) of data leaks from companies like Hyatt, Hilton Hhonors, Costa Coffee, Mumsnet, 56 Deans Street clinic leaks 780 HIV patients (NHS Trust fined £180k), JD Wetherspoon nearly 700,000 personal details were stolen and TalkTalk 156,000.
- Secure Your Salesforce Org Some administrators are surprised when they learn that security is part of their job. Salesforce is built with security as the foundation for the entire service. This foundation includes both protection for your data and applications, as well as the ability to implement your own security scheme to reflect the needs of your organization. However, protecting your data is a joint responsibility between you and Salesforce but it ultimately your responsibility under EU Data Protection Laws. The security features in Salesforce enable you to help your users to do their jobs efficiently, while also limiting exposure of data to users that need to act upon it. Implement security controls that you think are appropriate for the sensitivity of your data. Your data is protected from unauthorized access from outside your company, and you should also safeguard it from inappropriate usage by your own users. There are features built into the platform that you have the opportunity to activate to make the experience as secure as possible for your company. Today we will focus on two of the key features that Salesforce highly recommends that customers enable – Two Factor Authentication and Login IP Ranges. We will also talk at a high level about protecting data by “who sees what”, or setting up roles and profiles. No security strategy or feature is bullet-proof, but shoring up your implementation with these capabilities will decrease the likelihood that your org is compromised and may reduce the amount of data that can be stolen by attackers.
- For any organization, its people present the biggest security threat and the greatest opportunity for hackers. Cyber criminals have shifted their tactics from technological attacks to targeted assaults on employees by manipulating basic human behaviors. Now more than ever, every person has an impact on security regardless of their function or title. According to the PWC Global State of Information Security Survey, 2015, employees remain the most cited source of security compromise (over 55%), and incidents attributed to business partners also climbed 22 percent. Only 17% of firms have given staff Cyber Security Training. Open University warned last week that businesses believe upgrading their systems will keep them safe. It takes only one employee to set off a chain of events that can compromise your company’s data. In this way, security is a job expectation critical to your company’s success. There are basic behaviors that every employee can do to make the company more secure. Potential steps your users can take in the spirit of protecting data are:checking links in emails by hovering over them with their mouse, stop letting people in their office without checking for a badge, and continue to update logins using stronger passwords. We will talk about specifics later on.
- For any organization, its people present the biggest security threat and the greatest opportunity for hackers. Cyber criminals have shifted their tactics from technological attacks to targeted assaults on employees by manipulating basic human behaviors. Now more than ever, every person has an impact on security regardless of their function or title. According to the PWC Global State of Information Security Survey, 2015, employees remain the most cited source of security compromise (over 55%), and incidents attributed to business partners also climbed 22 percent. Only 17% of firms have given staff Cyber Security Training. Open University warned last week that businesses believe upgrading their systems will keep them safe. It takes only one employee to set off a chain of events that can compromise your company’s data. In this way, security is a job expectation critical to your company’s success. There are basic behaviors that every employee can do to make the company more secure. Potential steps your users can take in the spirit of protecting data are:checking links in emails by hovering over them with their mouse, stop letting people in their office without checking for a badge, and continue to update logins using stronger passwords. We will talk about specifics later on.
- Setting the Stage: The Human Factor These entry point methods represent common techniques that cyber criminals use to prey on our humanity and get what they want. 1. Phishing/Malware – An attempt to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity. This can be used to trick users into downloading software intended to damage a computer, mobile device, computer system, or computer network, or to gain access to its operation. 2. Social Engineering - In the context of security, it is understood to mean the art of manipulating people into taking action or revealing confidential information. 3. Exploiting Public Info - Using publicly available information to help design a social engineering attack, crack a password login, or create a targeted phishing email. 4. Badge Surfing - A method of gaining unauthorized entry into a secured area. Typically, an intruder simply follows behind a legitimate badge holder as they pass through to the secured area or somehow convince that individual to hold the door open for them and knowingly give them access. 5. Eavesdropping - Secretly listening in on private conversations. 6. Rubbish Collection - Collecting sensitive information from the recycling or rubbish that was not appropriately destroyed. 7. Installing Rogue Devices - Malicious wireless routers or USB thumb drives installed on premise to allow a hacker access to a secure network.
- Software Engineer for Salesforce.com
- Secure Behavior There are a few more key principles that can help augment the layers of security at your company. First, limit the number of users with admin rights, and check periodically to make sure that, the same individuals need to have admin permissions. This can change over time. A key principle of security in general is to provide users with the minimum access they need to do their job. There is no need, for example, for a business analyst to see billing information for customers. For those of you who haven’t checked out Trailhead yet, we highly encourage you to check out this fun and engaging educational tool available for self-paced training. There is a Data Security module that will give you hands-on for some of the things we reviewed today. And last, cross-org communication is critical to security, not only between org admins, but also with your IT and security departments. Some key things you can talk about with IT: How can you partner to improve security awareness of Salesforce users How can you better understand company security policies and integrate into your administration of Salesforce, including password policies Creating a process for notifying you when a user should be deactivated What are the most common IP addresses that employees log in from As foreign as it may seem to some, there is a lot to gain from building a relationship with your IT and Security departments.