Securing Your Salesforce Org: The Human Factor. February 2016 User Group Meeting


Safe Harbor Safe harbor statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. The risks and uncertainties referred to above include but are not limited to risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. 
These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.

Agenda
1. Setting the Stage: The Human Factor (15 mins)
2. Attack Card exercise and discussion (30 mins)
3. Secure Behavior (15 mins)
4. Secure Your Salesforce Org (15 mins)
5. Next Steps (15 mins)

Setting the Stage: The Human Factor

Why are we here? Estimated annual cost of global cybercrime

Today's Target: The User

Bugs in Human Hardware
- Everybody else does it, why shouldn't I?
- I'd be wrong not to!
- If I don't do this, I'll get in trouble!
- Hmmmm. I wonder what will happen if I...
- I'll get something if I do this!
- People are inherently good and I want to be helpful

Entry Point Methods

Attack Card Exercise (30 mins)

Attack Card Instructions
Step 1: Have one person in your group read an attack card aloud.
Step 2: For each attack card, discuss the following:
- What Bugs in Human Hardware and Entry Point Methods were used in this attack?
- What's the earliest point that the victim should have known this was an attack?
- What could the individual have done to prevent it?
- Do you think you would have identified the attack in time? If not, how would you have defended yourself?

Attack Card Exercise #1: Linked-Into the Network (10 minutes)
- What Bugs in Human Hardware and Entry Point Methods were used in this attack?
- What's the earliest point that the victim should have known this was an attack?
- What could the individual have done to prevent it?
- Do you think you would have identified the attack in time? If not, how would you have defended yourself?

Attack Card Exercise #2: Download on the Road (10 minutes)
- What Bugs in Human Hardware and Entry Point Methods were used in this attack?
- What's the earliest point that the victim should have known this was an attack?
- What could the individual have done to prevent it?
- Do you think you would have identified the attack in time? If not, how would you have defended yourself?

Group Discussion (10 minutes)
- What Bugs in Human Hardware and Entry Point Methods were used in this attack?
- What's the earliest point that the victim should have known this was an attack?
- What could the individual have done to prevent it?
- Do you think you would have identified the attack in time? If not, how would you have defended yourself?

Secure Behavior: Educate Employees

Password Security
Activate password complexity and rotation rules:
- Password expiration/reset every 90 days
- Password length at least 8-10 characters
- Password complexity: mix alpha and numeric characters
User education:
- No password/credential sharing
- Discourage password reuse across services
- Utilization of a strong password manager (example: LastPass)
Utilize two-factor authentication (2FA) and single sign-on (SSO)

Phishing Education
- Pervasive and effective attack vector for installing malware
- Education is key to prevention
- https://trust.salesforce.com lists recent threats
- If unsure about a Salesforce email, ask us via security@salesforce.com
- Don't open attachments that are unexpected or from unknown senders

Security Awareness for Users
Small changes in behavior can have a major impact:
- 14,000 Salesforce employees
- 50% less likely to click on a phishing link
- 82% more likely to report threats to security@salesforce.com

Key Principles: The Human Factor
- Limit the number of users with admin rights
- Provide users with minimum access to do their job
- Create a rigorous process for user termination/deactivation
- Basic security training for all users on credential/password security, phishing, and social engineering
- Trailhead for ongoing, role-focused education: https://developer.salesforce.com/trailhead
- Effective security requires cross-org communication

Secure Your Salesforce Org

Trust: Security at Every Level
Application-level Security:
- Trusted Networks
- Authentication Options
- Object Level Security (CRUD)
- Field Level Security
- Audit Trail
- Object History Tracking
Infrastructure-level Security:
- Firewall
- SSL Accelerators
- Load Balancers
- Web/App Servers
- Database Servers
Applicable to the Sales Cloud, Service Cloud, Communities, Chatter, database.com, site.com and Force.com. For audits, certification and security information or other services, please see the Trust & Compliance section of help.salesforce.com.

Salesforce Org Security

What is Two-Factor Authentication?

Two-Factor Authentication (2FA)
- Provides an extra layer of security beyond a password
- If a user's credentials are compromised, they are much harder to exploit
- Requires a numeric token on login
- Token can be received via app, SMS, email, or hardware (YubiKey)

Step-by-Step Guidance for Admins
- Try the 2FA Walkthrough created by the Salesforce Docs team
- Title: Walk Through It: Secure Logins with a Two Factor Authentication
- Shows you how to set up 2FA in an org
- Only in Classic, but if configured, applies to users assigned the permission in Classic or Lightning Experience

Login IP Ranges
- Limit the IP addresses that users can log into Salesforce from (by profile)
- Can restrict at login or on every request
- Lock sessions to the IP address they started on
- These features ensure that if a malicious actor steals credentials, they cannot use them away from your corporate networks
- Working from home or on the road: VPN login

Login IP Ranges
- Recommended and available for all customers
- Only access Salesforce from a designated set of IP ranges
- Two levels:
  - Org-level Trusted IP Ranges (permissive)
  - Profile-level Login IP Ranges (restrictive)
- Enterprise, Unlimited, Performance, Developer: Manage Users > Profiles
- Contact Mgr, Group, Professional: Security Controls > Session Settings
- For more info, search Help & Training
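The two levels on these slides interact differently with a stolen credential: a profile-level Login IP Range blocks the login outright, while an org-level Trusted IP Range only decides whether identity confirmation is skipped. The following is an added example, not Salesforce's code, that models that decision for a batch of login events. The CIDR ranges, profile names, usernames and events are all constructed; the behaviour (profile range = deny outside it, trusted range = skip verification, everything else = verify) is my reading of how the two settings combine and should be confirmed against Help & Training for your edition.

```python
"""Added example: model of org-level Trusted IP Ranges (permissive) versus
profile-level Login IP Ranges (restrictive) at login time. All ranges,
profiles and events below are constructed sample data."""
import ipaddress
from dataclasses import dataclass

# Constructed org-level Trusted IP Ranges: logins from here skip identity
# verification (assumed behaviour, see lead-in).
TRUSTED_IP_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),   # constructed: corporate office
    ipaddress.ip_network("198.51.100.0/24"),  # constructed: VPN egress
]

# Constructed profile-level Login IP Ranges. A profile with no entry is
# unrestricted; a profile with an entry may only log in from those ranges.
PROFILE_LOGIN_IP_RANGES = {
    "System Administrator": [ipaddress.ip_network("203.0.113.0/24"),
                             ipaddress.ip_network("198.51.100.0/24")],
    "Finance User": [ipaddress.ip_network("203.0.113.0/24")],  # office only
}


@dataclass
class LoginEvent:
    username: str
    profile: str
    source_ip: str


def _in_any(ip, ranges):
    return any(ip in net for net in ranges)


def evaluate_login(event: LoginEvent) -> str:
    """Return "DENY", "ALLOW", or "VERIFY" (allow only after identity
    confirmation, e.g. an emailed code or a 2FA token)."""
    ip = ipaddress.ip_address(event.source_ip)
    restricted = PROFILE_LOGIN_IP_RANGES.get(event.profile)
    if restricted is not None and not _in_any(ip, restricted):
        return "DENY"     # restrictive: stolen credentials are useless off-network
    if _in_any(ip, TRUSTED_IP_RANGES):
        return "ALLOW"    # permissive: known network, no extra challenge
    return "VERIFY"       # unknown network: credentials alone are not enough


def session_request_allowed(session_ip: str, request_ip: str, lock_to_ip: bool) -> bool:
    """'Lock sessions to the IP address they started on': with the lock on,
    a session cookie replayed from another address is rejected."""
    return (not lock_to_ip) or session_ip == request_ip


def evaluate_all(events):
    """Decision per event, in input order: (username, source_ip, decision)."""
    return [(e.username, e.source_ip, evaluate_login(e)) for e in events]


SAMPLE_EVENTS = [  # constructed
    LoginEvent("admin@example.com", "System Administrator", "203.0.113.42"),
    LoginEvent("admin@example.com", "System Administrator", "192.0.2.77"),
    LoginEvent("rep@example.com", "Standard User", "192.0.2.77"),
    LoginEvent("rep@example.com", "Standard User", "198.51.100.9"),
    LoginEvent("fin@example.com", "Finance User", "198.51.100.9"),
]

if __name__ == "__main__":
    for user, ip, decision in evaluate_all(SAMPLE_EVENTS):
        print(f"{user:20} {ip:15} {decision}")
```

Note the last sample event: the finance user on the VPN is denied because their profile range lists only the office network. That is the "working from home or on the road" case from the previous slide; the VPN egress range has to appear in the profile-level range as well as the org-level one.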

User Deactivation
- Deactivate users as soon as possible
- Removes login access while preserving historical activity and records
- Sometimes users cannot be deactivated: assign a new user or reassign approval responsibility first
- Know your IT department's termination process
- From Setup, click Manage Users > Users. Click Edit next to a user's name. Deselect the Active checkbox and then click Save.
- Best practice: Freeze users first!
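As an added example, not Salesforce's code, the script below turns the ordering on this slide (freeze first, clear whatever blocks deactivation, then deactivate) into a checklist for a termination list, and separately lists terminated accounts that can still log in, which is the condition a quarterly access review should catch. User records, the blocking responsibilities and the termination list are constructed sample data; `blocking_roles` is a hypothetical stand-in for things like being the assigned approver in an approval process.

```python
"""Added example: offboarding checklist and 'still active' check built from
constructed user records. Nothing here calls a Salesforce API."""
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    is_active: bool
    is_frozen: bool = False
    # Hypothetical: responsibilities that must be reassigned before the
    # user can be deactivated (e.g. assigned approver).
    blocking_roles: list = field(default_factory=list)


def offboarding_plan(users, terminated, reassign_to):
    """Ordered admin actions for every username on the termination list."""
    by_name = {u.username: u for u in users}
    actions = []
    for name in terminated:
        u = by_name.get(name)
        if u is None:
            actions.append(f"{name}: not found in org, confirm with IT")
            continue
        if not u.is_active:
            actions.append(f"{name}: already deactivated")
            continue
        if not u.is_frozen:
            actions.append(f"{name}: freeze user")          # immediate: blocks login
        for role in u.blocking_roles:
            actions.append(f"{name}: reassign {role} to {reassign_to}")
        actions.append(f"{name}: deactivate user")          # last, once unblocked
    return actions


def still_active_after_termination(users, terminated):
    """Terminated usernames that are neither frozen nor deactivated."""
    wanted = set(terminated)
    return sorted(u.username for u in users
                  if u.username in wanted and u.is_active and not u.is_frozen)


SAMPLE_USERS = [  # constructed
    User("alice@example.com", is_active=True),
    User("bob@example.com", is_active=True, is_frozen=True,
         blocking_roles=["Discount Approval approver"]),
    User("carol@example.com", is_active=False),
]
SAMPLE_TERMINATED = ["alice@example.com", "bob@example.com",
                     "carol@example.com", "dave@example.com"]  # constructed

if __name__ == "__main__":
    for line in offboarding_plan(SAMPLE_USERS, SAMPLE_TERMINATED, "manager@example.com"):
        print(line)
    print("can still log in:", still_active_after_termination(SAMPLE_USERS, SAMPLE_TERMINATED))
```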

Next Steps

Key Takeaways
- Check your Security Settings!
- Activate and use turnkey security features:
  - Enable two-factor authentication
  - Implement identity confirmation
  - Activate Login IP Ranges
  - Deactivate users in a timely manner (freeze them first!)
- Consider the human factor when training Salesforce users:
  - Password security
  - Emails / phishing

Resources
- Security for Admins Quick Reference Guide (available today!)
- Security & Compliance Release Webinars: What's New in Security & Compliance, Spring '16 (Feb. 25, 8am PST)
- Trailhead: Data Security module (more coming soon!)
- Who Sees What video series (YouTube)
- Dreamforce session recordings (www.dreamforce.com):
  - Secure Salesforce series
  - Create a Salesforce Force Field for Your Users
- Security Implementation Guide
- ButtonClickAdmin.com

Thank you

2FA Setup Step 1: Create a permission set titled Two Factor Authentication. Setup > Manage Users > Permission Sets > New

2FA Setup Step 2: Select the Two-Factor Authentication for User Interface Logins permission and save this permission set. Now assign this permission set to the required users by clicking: Manage Assignments > Add Assignments > Select users > Assign

2FA Setup Step 3: Upon their next login, users will see the following prompt: