Best Practices in Securing Your Customer Data in Salesforce, Force.com & Chatter

Transcription

1 White Paper Best Practices in Securing Your Customer Data in Salesforce, Force.com & Chatter Overcoming Security, Privacy & Compliance Concerns 333 W. San Carlos Street San Jose, CA 95110

2 Table of Contents Abstract... 1 Introduction to Security & Privacy in the Cloud... 2 Data Classification A First Step to Cloud Data Migration... 2 Compliance and Risk Management... 2 Identity & Access Management... 3 Advanced User Sign-On... 4 Authorization Controls... 5 Data Protection Controls... 6 Encryption... 7 Key Management... 8 Malware Detection... 9 Continuous Auditing & Monitoring Conclusion About CipherCloud i

3 Abstract The technology industry has changed dramatically over the last 10 years. In economic times like these, leading companies are looking to cloud computing platforms to deliver business functions ranging from packaged business applications to custom application development at a fraction of the time and cost of traditional on-premises platforms. With this growth in the use of cloud computing comes a corresponding increase in responsibility to protect sensitive data in the cloud. For many businesses, the essential questions about security, privacy, compliance, and control of corporate data remain unanswered. According to the KPMG 2010 Cloud Computing Survey, security is the biggest obstacle to cloud adoption, followed closely by legal, compliance, and privacy issues. Salesforce.com is the leader in enterprise cloud computing, with more than 12 years of experience in all aspects of service delivery, from infrastructure scalability to availability, policies, and procedures. A growing number of enterprises trust the Force.com cloud computing platform to deliver critical business applications, in large part because of a combination of native Force.com security features and partner solutions that allow enterprises to extend their internal security controls to Force.com data. This paper first explains the terms security, privacy, and trust, and then explores the basic requirements for secure cloud computing. Subsequent sections of this paper provide a comprehensive introduction to the inherent security and privacy features of the Force.com enterprise cloud computing platform. Finally, it highlights the additional controls needed to overcome emerging cloud threats and secure applications and customer data. 1

4 Introduction to Security & Privacy in the Cloud In the context of computing, the terms security, privacy, and trust are related, but have different meanings. Security refers to a computing system s level of resistance to threats. Privacy is a key concern that most often relates to the digital collection, storage, and sharing of information and data, including the transparency of such practices. Can you be sure that salesforce.com s controls over data access would match your own? Data Classification A First Step to Cloud Data Migration The sensitivity of data involved in the use of a service is critical to determining whether the service can be managed by salesforce.com and, if so, which security and privacy controls should be used to ensure that compliance obligations are met throughout the process. Defining and systematically adhering to a sound data classification policy for instance, specifying which types of data are considered confidential and which are not is critical to determining the control mechanisms that will protect each data type. While this principle also applies to on-premises systems, risks derived from having no data classification policy, or one that is incorrect, are greater in the cloud because data might not be afforded the appropriate protective measures. There is little that salesforce.com or any third-party can do in this area; the responsibility mostly lies with the enterprise that is moving data to the cloud. Compliance and Risk Management With an on-premises computing system, organizations have primary control over how the environment is built and run. In the cloud scenario, some of the related tasks and decisions are delegated to salesforce.com. This can present new challenges, such as the need to entrust parts of the organization s fundamental compliance and risk management processes to salesforce.com. Delegation does not discharge the enterprise from managing risk and compliance, or from having to prove compliance to the appropriate authorities. In fact, cloud providers generally exclude themselves from 2

5 compliance responsibility in their service agreements. Nevertheless, salesforce.com s 3 rd party certification efforts, including ISO27001, SAS70 and vulnerability assessments, might contribute to the enterprise s compliance efforts. Enterprises should request salesforce.com for a copy of such reports. Identity & Access Management By default, web access to Force.com is granted by requiring users to provide a username and password that match values stored within Salesforce tables. Users are directed to a single form-based sign-in page to enter their credentials. Once users sign in, they can access any Force.com property that is authorized by their profile, including their own applications, Salesforce CRM, Portals, Sites, Ideas or VisualForce pages without re-authenticating. Administrators are able to force a reset of single or bulk user passwords, as well as setting password policy around password expiration (forcing the user to reset their password after a certain time), password lockout (refusing access to an account if an incorrect password is used too many times), and requirements for length and complexity of new passwords. Password Policies are managed at Setup Security Controls Password Policies. Force.com includes the ability to restrict the hours during which users can connect and the range of IP addresses from which they can connect. When an organization imposes IP address restrictions and a connection request originates from an unknown address, 3

6 Force.com denies the connection request, thus helping to protect data from unauthorized access and phishing attacks. To protect established sessions, Force.com monitors and terminates idle sessions after a configurable period of time. Force.com s session security limits help defend system access when a user leaves his/her computer unattended without first disconnecting. Advanced User Sign-On Many organizations use single sign-on mechanisms to simplify and standardize user authentication across a portfolio of applications. Force.com supports two single sign-on options: Federated Authentication: Uses industry standard protocols to communicate between the organization and the Force.com platform for authentication purposes. The organization configures the platform to trust "assertions" about users made using SAML (Security Assertion Markup Language). The Force.com platform is able to natively validate these assertions and create a session for the user when appropriate. Compared to delegated authentication, which requires the organization to host a service that makes proprietary web services API calls, SAML is an industry standard protocol that can securely communicate information between multiple Internet sites without proprietary coding. To use federated authentication, your Enterprise must have a SAML Identity Provider (or IdP). This Identity Provider can use either version 1.1 or version 2.0 of SAML. Delegated Authentication: Enables an organization to integrate Force.com cloud applications with an authentication method of choice, such as an LDAP (Lightweight Directory Access Protocol) service or authentication using a token instead of a password. The delegated authority can be set up to validate users in three different combinations: o Password Validation: The Salesforce login page is used to collect a username and password, but the username and password are validated against the delegated authority instead of the internal Salesforce password store. o Token Validation: The Salesforce login page no longer works for sign-in. Users must first authenticate to their Enterprise, and the Enterprise must then create a Salesforce session by sending (via HTTP POST) the username and a token to Salesforce for validation by the delegated authority. Once this has occurred, the user may travel between Salesforce and the Enterprise without re-authentication. 4

7 o Hybrid Model: Users are required to use token validation when accessing the Salesforce website directly, but are allowed to authenticate using password validation when using a client application. Authorization Controls Two primary mechanisms control user access to resources on the Force.com platform: user profiles and sharing rules. User profiles: An organization can control the access its users have to objects by customizing profiles. Within objects, organizations can then control the access users have to fields using field-level security. Sharing settings allow for further data access control at the record level. Sharing settings: Organization-wide default sharing settings provide a baseline level of access for each object and let the organization extend that level of access using hierarchies or sharing rules. For example, an organization can set the default access for an object to Private when users should only be able to view and edit the records they own, and then create sharing rules to extend access of the object to particular users or groups. 5

8 Sharing rules: Sharing rules allow for exceptions to organization-wide default settings that give additional users access to records they don t own. Sharing rules can be based on the record owner or on field values in the record. Manual sharing: When individual users have specific access requirements, owners can manually share records. Although manual sharing is not automatic like organizationwide defaults, role hierarchies, or sharing rules, it lets record owners share particular records with particular users, as necessary. Data Protection Controls Organizations migrating to the Force.com platform imminently run into data security challenges, primarily because the cloud computing model has introduced a unique set of threats that are not addressed by legacy security technologies: Encrypting data 'at rest' or in storage has a performance impact data must be decrypted when accessed, and encrypted again when written to storage. Added to the inherent latency of the cloud, this can affect endpoint performance. As a result, salesforce.com does not uniformly encrypt data at rest. Who controls encryption keys? If encryption keys reside within salesforce.com s infrastructure, then once again the status of the encrypted data is in question. According to the SANS Institute, a security research and education organization, attacks against web applications constitute 60% of the total attack attempts observed on the internet. Encryption applied on the cloud database fails to protect against such attacks, as data is decrypted prior to being presented to the web application. 6

9 According to Osterman Research, 78% of organizations experienced malware attacks in the last 12 months. As a result of the cloud s multi-tenant architecture and ease of sharing (across customers and partners), exposure to untrusted (malicious) data is elevated. Encryption Salesforce.com does not encrypt customer data stored within its databases. While some rudimentary encryption options are provided out-of-the-box, these are inadequate to provide enterprise level security. CipherCloud TM Encryption Gateway uses flexible, configurable policies to identify sensitive data and automatically encrypt/decrypt data between your business users and the Force.com platform, using encryption keys that remain under your control at all times. You can identify which data you consider sensitive (such as proprietary information, personally-identifiable information, or other regulated data). When that data is posted or updated into the cloud, CipherCloud applies the selected encryption method to protect that data before it leaves the enterprise network. CipherCloud's highly secure encryption preserves both the format and function of the data, so that the cloud application remains operational, but its real content remains locked within the enterprise. CipherCloud reverses the process when employees access the cloud application through the appliance, decrypting data in real time so the users see the actual data rather than the encrypted version that resides within the cloud. This is best illustrated with an example. The following screens compare what the user sees when accessing an account through CipherCloud, and what someone would see when accessing the same account directly in the cloud: 7

10 Key Management While data encryption is important to a secure cloud strategy, it s even more critical to protect your encryption keys. The native encryption provided by salesforce.com requires them to have access to your keys in order to encrypt, decrypt and process data appropriately. On the other hand, CipherCloud s ability to encrypt and decrypt data within the enterprise s control ensures that enterprises retain possession of their encryption keys at all times. It s recommended that customers rotate their encryption keys at a frequency determined by their regulatory or internal security requirements. CipherCloud s advanced key management user-interface makes this process seamless and does not impact legacy data. The following chart compares the Force.com platform s native encryption and key management functions to those provided by the CipherCloud Encryption Gateway. 8

11 Salesforce Encrypted Fields CipherCloud Encryption Gateway Native Solution Yes No, Appliance which can be installed at customer site Standard Fields No Yes Field Limits 1MB - Initial No Field Length Yes (175 chars) No Restrictions Field Type Special encrypted field type Text, Text Area, Phone, (more coming soon) Search No Yes Search Results Yes Yes Reports No Near Full Functionality Workflow No Yes Validation Rules/Apex Yes Yes Scripts Encryption Options AES 256 Multi-Region N/A Deployment Incremental Latency Key Ownership Salesforce.com Customer Key Rotation No Yes Partial Encryption No Yes Encryption over Wire Attachment Encryption AES-256, Function Preserving Encryption, Length Restricting Encryption, etc. Ability to select on a field-by-field basis Yes 0 + 3% (compensated by static content caching) No No Yes Yes Malware Detection As a result of the salesforce.com s multi-tenant architecture and ability to share data with 3 rd parties via Customer Portal and Partner Portal, exposure to untrusted (malicious) data is elevated. However, salesforce.com does not scan any customer data for malware and/or viruses. With built-in cloud malware detection, CipherCloud provides real time protection against viruses, spyware, trojans, bots, rootkits, and more. The CipherCloud Gateway scans all in-bound and out-bound content (files & attachments) for malicious code and cleans and/or quarantines infected content on-the-fly. Signatures are updated several times a day to provide zero-day malware protection with easy access to all protection status information and settings. 9

12 The controls discussed in this section ensure that your data is protected from the following threats: Malicious insiders at salesforce.com Account, service and traffic hijacking Insecure APIs & shared technology vulnerabilities Unknown risk profile of internet-based applications Continuous Auditing & Monitoring Auditing and monitoring features do not secure your organization by themselves, but these features provide information about usage of the system, which can be critical in diagnosing potential or real security issues. To satisfy compliance and forensics requirements, it s critical to monitor all user interactions across all clouds and transparently capture data to generate an automatic audit trail of all user activity. Administrators have access to login history logs natively in Force.com. In addition, modifications to standard and custom fields (write access) can be tracked in a decentralized manner, as long as such fields have Field History Tracking enabled. CipherCloud supplements the limited logs provided by salesforce.com by centrally logging all read and write actions. User activity logs can then be fed into existing log management solutions. For specific cloud interactions, CipherCloud records the user involved in the activity, a timestamp capturing the date and time, what actions users performed, and what records they accessed. In addition, CipherCloud records both the source and destination IP addresses of user activity. Conclusion As with most other enterprises challenges, there is no silver bullet for addressing cloud security threats. Delegation of responsibility to cloud providers like salesforce.com does not discharge the enterprise from managing risk and compliance, or from having to prove compliance to the appropriate authorities. Regardless of the protections put forth in legal contracts, the ultimate impact (financial and reputational) of any cloud data breach will be borne by the enterprise whose data is breached. Enterprises must compliment the native security capabilities offered by cloud providers, by implementing additional layers of security controls that provide adequate assurance for data protection. 10

13 About CipherCloud CipherCloud provides a unified cloud encryption gateway with award-winning technology to encrypt sensitive data in real time before it's sent to the cloud. CipherCloud protects enterprise data using format and operations-preserving encryption and tokenization in any private or public cloud environment without impacting functionality, usability, or performance. CipherCloud eliminates data privacy, data residency, security, and regulatory compliance concerns, and accelerates cloud adoption. CipherCloud has been recognized by Gartner as a Cool Vendor in Cloud Security for Visit CipherCloud at 11