Securing Your Salesforce Org:
The Human Factor
February 2016 User Group Meeting
Safe Harbor
Safe harbor statement under the Private Securities Litigation Reform Act of 1995:
This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such
uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially
from the results expressed or implied by the forward-looking statements we make. All statements other than statements of
historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth,
earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations,
statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer
contracts or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new
functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in
our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome
of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we
operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth,
new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and
utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results
of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on
Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the
SEC Filings section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently
available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions
based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these
forward-looking statements.
Agenda
①  Setting the Stage: The Human Factor (15 mins)
②  Attack Card exercise and discussion (30 mins)
③  Secure Behavior (15 mins)
④  Secure Your Salesforce Org (15 mins)
⑤  Next Steps (15 mins)
Setting the Stage:
The Human Factor
Why are we here?
Estimated annual cost of global cybercrime (figure shown on slide)
Today’s Target: The User
Bugs in Human Hardware
“Everybody else does it, why shouldn’t I?”
“People are inherently good and I want to be helpful”
“Hmmmm…. I wonder what will happen if I…”
“I’d be wrong not to!”
“If I don’t do this, I’ll get in trouble!”
“I’ll get something if I do this!”
Entry Point Methods
Attack Card Exercise
30 mins
Attack Card Instructions
Step 1
Have one person in your group read an attack card aloud.
Step 2
For each attack card discuss the following:
•  What “Bugs in Human Hardware” and “Entry Point Methods” were used in this attack?
•  What's the earliest point that the victim should have known this was an attack?
•  What could the individual have done to prevent it?
•  Do you think you would have identified the attack in time? If not, how would you have defended yourself?
Attack Card Exercise #1: Linked-Into the Network
10 minutes. Discuss the Step 2 questions for this card.
Attack Card Exercise #2: Download on the Road
10 minutes. Discuss the Step 2 questions for this card.
Group Discussion
10 minutes. Discuss the Step 2 questions across groups.
Secure Behavior
Educate Employees
Password Security
•  Activate password complexity and rotation rules (Setup | Security Controls | Password Policies)
✓  Password expiration/reset every 90 days
✓  Password length at least 8-10 characters
✓  Password complexity: mix of alphabetic and numeric characters
•  User education
✓  No password/credential sharing
✓  Discourage password reuse across services
✓  Use a strong password manager (example: LastPass)
•  Use two-factor authentication (2FA) and single sign-on (SSO)
Note: forced 90-day rotation was standard advice when this deck was written; NIST SP 800-63B (2017) recommends against periodic rotation, favouring longer passwords, screening against breached-password lists, and 2FA.
Phishing Education
•  Pervasive and effective attack vector for installing malware
•  Education is key to prevention
•  https://trust.salesforce.com lists recent threats
•  If unsure about a Salesforce email, ask us via security@salesforce.com
•  Don’t open attachments that are unexpected or from unknown senders
Security Awareness for Users
Small changes in behavior can have a major impact
Across 14,000 Salesforce employees: 50% less likely to click on a phishing link, 82% more likely to report threats to security@salesforce.com
Key Principles – The Human Factor
•  Limit the number of users with admin rights
•  Provide users with minimum access to do their job
•  Create rigorous process for user termination/deactivation
•  Basic security training for all users on credential/password security, phishing, and social engineering
•  Trailhead for ongoing, role-focused education
•  Effective security requires cross-org communication
https://developer.salesforce.com/trailhead
Secure Your Salesforce Org
Trust: Security at Every Level
Applicable to the Sales Cloud, Service Cloud, Communities, Chatter, database.com, site.com and Force.com. For audits, certification and security information or other services,
please see the Trust & Compliance section of help.salesforce.com.
Infrastructure-level Security: Firewall, SSL Accelerators, Web/App Servers, Load Balancers, Database Servers
Application-level Security: Trusted Networks, Authentication Options, Field Level Security, Object Level Security (CRUD), Audit Trail, Object History Tracking
Salesforce Org Security
What is Two-Factor Authentication?
Two-Factor Authentication (2FA)
•  Provides an extra layer of security beyond a password
•  If a user’s credentials are compromised, they are much harder to exploit
•  Requires a numeric token on login
•  The token can be received via app, SMS, email, or hardware (YubiKey)
Step-by-Step Guidance for Admins
•  Try the 2FA Walkthrough created by the Salesforce Docs team
•  Title: “Walk Through It: Secure Logins with Two-Factor Authentication”
•  Shows you how to set up 2FA in an org
•  The walkthrough runs only in Salesforce Classic, but once configured the permission applies to assigned users in both Classic and Lightning Experience
Login IP Ranges
•  Limit the IP addresses users can log in to Salesforce from (set per profile)
•  Can be enforced at login only, or on every request (Session Settings)
•  Lock sessions to the IP address they started on (Session Settings)
•  With profile ranges in place, stolen credentials cannot be used from outside your corporate networks; the attacker would also need to be on an allowed network
•  Working from home/on the road: log in over the corporate VPN so the source address is in range
Login IP Ranges
•  Recommended and available for all customers
•  Only access Salesforce from a designated set of IP ranges
•  Two levels:
•  Org-level Trusted IP Ranges (permissive): logins from inside skip identity verification; logins from outside are still allowed once the user verifies their identity
•  Profile-level Login IP Ranges (restrictive): logins from outside the ranges are refused
Enterprise, Unlimited, Performance, Developer:
Manage Users | Profiles
Contact Mgr, Group, Professional:
Security Controls | Session Settings
For more info, search Help & Training
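How the two range levels combine at login, as an added Python example (not Salesforce code): the decision rules model the documented behaviour of profile Login IP Ranges (deny outside), org Trusted IP Ranges (no identity challenge inside, challenge outside) and the locked-session setting (a session used from a second address is invalidated). The ranges, profiles, addresses and LoginHistory-style rows are constructed. Replaying an exported LoginHistory through it before switching a profile to restrictive ranges shows which users (or attackers) the change would lock out.

```python
import ipaddress

# Constructed settings: the office range is trusted; the Sales profile may
# also log in over the VPN range, but VPN logins get an identity challenge
# because the VPN is not in the trusted list. Admins have no restriction.
OFFICE = "203.0.113.0-203.0.113.255"
VPN = "198.51.100.10-198.51.100.20"


def parse_ranges(ranges):
    """Salesforce ranges are entered as a start and an end address; accept
    'start-end' pairs and, for convenience, CIDR. Returns IPv4/IPv6 networks."""
    nets = []
    for text in ranges:
        if "-" in text:
            start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(start, end))
        else:
            nets.append(ipaddress.ip_network(text.strip(), strict=False))
    return nets


def in_ranges(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)   # False across IP versions


def login_decision(ip, profile_ranges, trusted_ranges):
    """DENY (outside the profile's restrictive ranges), ALLOW (inside a
    trusted range, no challenge) or ALLOW_WITH_VERIFICATION (permitted,
    but the user must verify identity first)."""
    if profile_ranges and not in_ranges(ip, profile_ranges):
        return "DENY"
    if in_ranges(ip, trusted_ranges):
        return "ALLOW"
    return "ALLOW_WITH_VERIFICATION"


def replay_login_history(rows, profile_ranges, trusted_ranges):
    """rows: dicts with Username, Profile, SourceIp (LoginHistory columns an
    admin exports). profile_ranges: profile name -> networks. Returns the
    most restrictive outcome seen per user."""
    order = {"ALLOW": 0, "ALLOW_WITH_VERIFICATION": 1, "DENY": 2}
    worst = {}
    for row in rows:
        d = login_decision(row["SourceIp"], profile_ranges.get(row["Profile"], []), trusted_ranges)
        prev = worst.get(row["Username"])
        if prev is None or order[d] > order[prev]:
            worst[row["Username"]] = d
    return worst


def sessions_used_from_multiple_ips(requests):
    """requests: (session_id, source_ip) in time order. Returns the sessions
    a 'lock sessions to originating IP' policy would have invalidated."""
    first_ip, flagged = {}, set()
    for sid, ip in requests:
        if ip != first_ip.setdefault(sid, ip):
            flagged.add(sid)
    return sorted(flagged)


TRUSTED = parse_ranges([OFFICE])
PROFILE_RANGES = {
    "Sales": parse_ranges([OFFICE, VPN]),
    "System Administrator": [],
}

# Constructed LoginHistory rows.
LOGIN_HISTORY = [
    {"Username": "alice@example.com", "Profile": "Sales", "SourceIp": "203.0.113.42"},
    {"Username": "bob@example.com", "Profile": "Sales", "SourceIp": "198.51.100.15"},
    {"Username": "bob@example.com", "Profile": "Sales", "SourceIp": "192.0.2.77"},
    {"Username": "carol@example.com", "Profile": "System Administrator", "SourceIp": "192.0.2.8"},
]

if __name__ == "__main__":
    for user, decision in replay_login_history(LOGIN_HISTORY, PROFILE_RANGES, TRUSTED).items():
        print(f"{user:20} {decision}")
    print("sessions to invalidate:", sessions_used_from_multiple_ips(
        [("s1", "203.0.113.42"), ("s1", "203.0.113.42"),
         ("s2", "198.51.100.15"), ("s2", "192.0.2.77")]))
```

Note what the replay says about bob: his VPN login is fine, but a login from an unknown address means that either he works somewhere the profile does not allow or his credentials are being used elsewhere; both are worth a conversation before the restriction goes live.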
For more info, search Help & Training
User Deactivation
•  Deactivate users as soon as possible
•  Removes login access while preserving historical activity and records
•  Sometimes users cannot be deactivated (for example, still assigned as an approver): assign a new user or reassign approval responsibility first
•  Know your IT department’s termination process
Best practice: Freeze users first!
Freezing blocks login immediately and is reversible; use it while the reassignments needed for deactivation are worked out.
To freeze: from Setup, click Manage Users | Users, open the user, and click Freeze.
To deactivate:
From Setup, click Manage Users | Users.
Click Edit next to a user’s name.
Deselect the Active checkbox and then click Save.
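An offboarding check in the order the slide recommends, as an added Python example (not Salesforce code): it reconciles a constructed HR leavers list with constructed User and UserLogin exports and emits the REST calls that freeze (UserLogin.IsFrozen) and then deactivate (User.IsActive) each leaver, reports users that must be reassigned before deactivation can succeed, and flags leavers still active beyond an agreed lag. The API version, record IDs, the list of blocking references and all data are assumptions; the object and field names are the real ones.

```python
import csv
import io
from datetime import date, timedelta

API = "/services/data/v36.0"  # assumed: Spring '16 API version; use your org's

# Constructed HR export: who left and when.
HR_LEAVERS_CSV = """username,last_day
bob@example.com,2016-02-10
dave@example.com,2016-02-24
"""

# Constructed exports of SELECT Id, Username, IsActive FROM User and
# SELECT Id, UserId, IsFrozen FROM UserLogin.
USERS_CSV = """Id,Username,IsActive
005000000000001,alice@example.com,true
005000000000002,bob@example.com,true
005000000000003,dave@example.com,true
"""
USER_LOGINS_CSV = """Id,UserId,IsFrozen
0Yw000000000001,005000000000001,false
0Yw000000000002,005000000000002,false
0Yw000000000003,005000000000003,true
"""

# Constructed: users Salesforce will refuse to deactivate until the
# responsibility is moved (the slide's "reassign approval responsibility").
BLOCKED_BY_REFERENCE = {"005000000000003": "approver on 'Discount Approval' step 2"}


def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def plan_offboarding(hr_csv, users_csv, logins_csv, blocked, today_iso, max_lag_days=1):
    """Returns (calls, reassign, overdue):
    calls    ordered (method, path, body) REST requests to send;
    reassign leavers needing a new approver/owner before deactivation;
    overdue  leavers still active more than max_lag_days after their last day."""
    users = {u["Username"]: u for u in load(users_csv)}
    logins = {row["UserId"]: row for row in load(logins_csv)}
    today = date.fromisoformat(today_iso)
    calls, reassign, overdue = [], [], []
    for leaver in load(hr_csv):
        user = users.get(leaver["username"])
        if user is None or user["IsActive"] != "true":
            continue  # unknown to Salesforce or already deactivated
        uid = user["Id"]
        if today - date.fromisoformat(leaver["last_day"]) > timedelta(days=max_lag_days):
            overdue.append(leaver["username"])
        login = logins[uid]
        if login["IsFrozen"] != "true":
            # Step 1: freeze. Blocks login at once, reversible, no side effects.
            calls.append(("PATCH", f"{API}/sobjects/UserLogin/{login['Id']}", {"IsFrozen": True}))
        if uid in blocked:
            reassign.append((leaver["username"], blocked[uid]))
            continue  # frozen, but deactivation would be rejected until reassigned
        # Step 2: deactivate. The user's records and history stay in place.
        calls.append(("PATCH", f"{API}/sobjects/User/{uid}", {"IsActive": False}))
    return calls, reassign, overdue


if __name__ == "__main__":
    calls, reassign, overdue = plan_offboarding(
        HR_LEAVERS_CSV, USERS_CSV, USER_LOGINS_CSV, BLOCKED_BY_REFERENCE, "2016-02-25")
    for call in calls:
        print(*call)
    print("reassign first:", reassign)
    print("overdue:", overdue)
```

Running the plan daily against the HR feed is what turns "deactivate as soon as possible" into something measurable: the `overdue` list is the gap between the termination process and the org.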
Next Steps
Key Takeaways
Check your Security Settings!
Activate and use turnkey security features:
•  Enable two-factor authentication
•  Implement identity confirmation
•  Activate Login IP Ranges
•  Deactivate users in a timely manner (freeze them first!)
Consider the human factor when training Salesforce users:
•  Password security
•  Emails / phishing
Resources
•  Security for Admins Quick Reference Guide (available today!)
•  Security & Compliance Release Webinars – What’s New in Security & Compliance, Spring ‘16 (Feb. 25, 8am PST)
•  Trailhead: Data Security module (more coming soon!)
•  Who Sees What video series (YouTube)
•  Dreamforce session recordings (www.dreamforce.com)
•  Secure Salesforce series
•  Create a Salesforce Force Field for Your Users
•  Security Implementation Guide
•  ButtonClickAdmin.com
thank you
2FA Setup
Step 1
Create a permission set titled “Two Factor Authentication”:
Name | Setup | Manage Users | Permission Sets | New
Step 2
Select the “Two-Factor Authentication for User Interface Logins” permission and save the permission set.
Assign it to the required users: Manage Assignments | Add Assignments | Select users | Assign
Step 3
On their next login, users see the following prompt (screenshot on slide):

Contenu connexe

Tendances

Managing the Role Hierarchy at Enterprise Scale
Managing the Role Hierarchy at Enterprise ScaleManaging the Role Hierarchy at Enterprise Scale
Managing the Role Hierarchy at Enterprise Scale
Salesforce Developers
 
Symplified datasheet
Symplified datasheetSymplified datasheet
Symplified datasheet
Symplified
 

Tendances (20)

Secure Salesforce: Code Scanning with Checkmarx
Secure Salesforce: Code Scanning with CheckmarxSecure Salesforce: Code Scanning with Checkmarx
Secure Salesforce: Code Scanning with Checkmarx
 
Security and Your Salesforce Org
Security and Your Salesforce OrgSecurity and Your Salesforce Org
Security and Your Salesforce Org
 
Secure Salesforce: Org Access Controls
Secure Salesforce: Org Access ControlsSecure Salesforce: Org Access Controls
Secure Salesforce: Org Access Controls
 
Salesforce Security Best Practices for Every Admin
Salesforce Security Best Practices for Every AdminSalesforce Security Best Practices for Every Admin
Salesforce Security Best Practices for Every Admin
 
What’s new in summer’15 release - Security & Compliance
What’s new in summer’15 release - Security & ComplianceWhat’s new in summer’15 release - Security & Compliance
What’s new in summer’15 release - Security & Compliance
 
Salesforce Security: Fully Automated
Salesforce Security: Fully AutomatedSalesforce Security: Fully Automated
Salesforce Security: Fully Automated
 
Introduction to the Salesforce Security Model
Introduction to the Salesforce Security ModelIntroduction to the Salesforce Security Model
Introduction to the Salesforce Security Model
 
Managing the Role Hierarchy at Enterprise Scale
Managing the Role Hierarchy at Enterprise ScaleManaging the Role Hierarchy at Enterprise Scale
Managing the Role Hierarchy at Enterprise Scale
 
Salesforce Security Review Tips and Tricks
Salesforce Security Review Tips and TricksSalesforce Security Review Tips and Tricks
Salesforce Security Review Tips and Tricks
 
Single Sign-On and User Provisioning with Salesforce Identity
Single Sign-On and User Provisioning with Salesforce IdentitySingle Sign-On and User Provisioning with Salesforce Identity
Single Sign-On and User Provisioning with Salesforce Identity
 
Navi Mumbai Salesforce DUG meetup on integration
Navi Mumbai Salesforce DUG meetup on integrationNavi Mumbai Salesforce DUG meetup on integration
Navi Mumbai Salesforce DUG meetup on integration
 
Introducing Salesforce Identity
Introducing Salesforce IdentityIntroducing Salesforce Identity
Introducing Salesforce Identity
 
Symplified datasheet
Symplified datasheetSymplified datasheet
Symplified datasheet
 
Integrating Active Directory With Salesforce Using Identity Connect
Integrating Active Directory With Salesforce Using Identity ConnectIntegrating Active Directory With Salesforce Using Identity Connect
Integrating Active Directory With Salesforce Using Identity Connect
 
Using Custom Permissions to Simplify Security
Using Custom Permissions to Simplify SecurityUsing Custom Permissions to Simplify Security
Using Custom Permissions to Simplify Security
 
Setting up Security in Your Salesforce Instance
Setting up Security in Your Salesforce InstanceSetting up Security in Your Salesforce Instance
Setting up Security in Your Salesforce Instance
 
Salesforce Identity: Don't Treat Your Customers Like Your Employees
Salesforce Identity: Don't Treat Your Customers Like Your EmployeesSalesforce Identity: Don't Treat Your Customers Like Your Employees
Salesforce Identity: Don't Treat Your Customers Like Your Employees
 
SAP Identity Management Overview
SAP Identity Management OverviewSAP Identity Management Overview
SAP Identity Management Overview
 
Integrating Active Directory with Salesforce
Integrating Active Directory with SalesforceIntegrating Active Directory with Salesforce
Integrating Active Directory with Salesforce
 
Summer '15: User Provisioning for Connected Apps
Summer '15: User Provisioning for Connected AppsSummer '15: User Provisioning for Connected Apps
Summer '15: User Provisioning for Connected Apps
 

Similaire à Sensibilisation à la Sécurité Salesforce

Best Practices for the Service Cloud
Best Practices for the Service CloudBest Practices for the Service Cloud
Best Practices for the Service Cloud
Ross Bauer
 

Similaire à Sensibilisation à la Sécurité Salesforce (20)

Securing Your Salesforce Org: The Human Factor
Securing Your Salesforce Org: The Human FactorSecuring Your Salesforce Org: The Human Factor
Securing Your Salesforce Org: The Human Factor
 
Salesforce New Jersey User Group - Security Awareness
Salesforce New Jersey User Group - Security Awareness Salesforce New Jersey User Group - Security Awareness
Salesforce New Jersey User Group - Security Awareness
 
Secure Your Salesforce Org with Two-Factor Authentication
Secure Your Salesforce Org with Two-Factor AuthenticationSecure Your Salesforce Org with Two-Factor Authentication
Secure Your Salesforce Org with Two-Factor Authentication
 
How to Become a Security-Minded Admin
How to Become a Security-Minded AdminHow to Become a Security-Minded Admin
How to Become a Security-Minded Admin
 
Event Monitoring: Use Powerful Insights to Improve Performance and Security
Event Monitoring: Use Powerful Insights to Improve Performance and SecurityEvent Monitoring: Use Powerful Insights to Improve Performance and Security
Event Monitoring: Use Powerful Insights to Improve Performance and Security
 
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
 
Dreamforce 2015 How to Create an Amazing Experience
Dreamforce 2015 How to Create an Amazing ExperienceDreamforce 2015 How to Create an Amazing Experience
Dreamforce 2015 How to Create an Amazing Experience
 
Secure Iowa Oct 2016
Secure Iowa Oct 2016Secure Iowa Oct 2016
Secure Iowa Oct 2016
 
What’s new in summer’15 release - Security & Compliance
What’s new in summer’15 release - Security & ComplianceWhat’s new in summer’15 release - Security & Compliance
What’s new in summer’15 release - Security & Compliance
 
Salesforce shield & summer 20 release
Salesforce shield & summer 20 releaseSalesforce shield & summer 20 release
Salesforce shield & summer 20 release
 
Planning Your Migration to the Lightning Experience
Planning Your Migration to the Lightning ExperiencePlanning Your Migration to the Lightning Experience
Planning Your Migration to the Lightning Experience
 
ISV Tech Enablement Webinar April 2017
ISV Tech Enablement Webinar April 2017ISV Tech Enablement Webinar April 2017
ISV Tech Enablement Webinar April 2017
 
Credit Union Cyber Security
Credit Union Cyber SecurityCredit Union Cyber Security
Credit Union Cyber Security
 
Best Practices for the Service Cloud
Best Practices for the Service CloudBest Practices for the Service Cloud
Best Practices for the Service Cloud
 
Cmgt 400 Entire Course NEW
Cmgt 400 Entire Course NEWCmgt 400 Entire Course NEW
Cmgt 400 Entire Course NEW
 
CMGT 400 Entire Course NEW
CMGT 400 Entire Course NEWCMGT 400 Entire Course NEW
CMGT 400 Entire Course NEW
 
10 Easy Steps to Mastering Org Security
10 Easy Steps to Mastering Org Security10 Easy Steps to Mastering Org Security
10 Easy Steps to Mastering Org Security
 
OSB140: Want a Safer Network? You Can Remove Local Admin Rights with Ivanti A...
OSB140: Want a Safer Network? You Can Remove Local Admin Rights with Ivanti A...OSB140: Want a Safer Network? You Can Remove Local Admin Rights with Ivanti A...
OSB140: Want a Safer Network? You Can Remove Local Admin Rights with Ivanti A...
 
Threat from within
Threat from withinThreat from within
Threat from within
 
How to Create an Amazing User Experience - Dreamforce '15
How to Create an Amazing User Experience - Dreamforce '15How to Create an Amazing User Experience - Dreamforce '15
How to Create an Amazing User Experience - Dreamforce '15
 

Plus de Paris Salesforce Developer Group

Plus de Paris Salesforce Developer Group (17)

Pour Noël, devenez chrome extensioniste!
Pour Noël, devenez chrome extensioniste!Pour Noël, devenez chrome extensioniste!
Pour Noël, devenez chrome extensioniste!
 
GraphQL (la nouvelle API de référence de Salesforce ?!)
GraphQL (la nouvelle API de référence de Salesforce ?!)GraphQL (la nouvelle API de référence de Salesforce ?!)
GraphQL (la nouvelle API de référence de Salesforce ?!)
 
La Tooling API, est-ce pour moi ? Bien sûr, viens voir pourquoi !
La Tooling API, est-ce pour moi ? Bien sûr, viens voir pourquoi !La Tooling API, est-ce pour moi ? Bien sûr, viens voir pourquoi !
La Tooling API, est-ce pour moi ? Bien sûr, viens voir pourquoi !
 
Introduction à la plateforme Anypoint de MuleSoft
Introduction à la plateforme Anypoint de MuleSoftIntroduction à la plateforme Anypoint de MuleSoft
Introduction à la plateforme Anypoint de MuleSoft
 
Release spring '22 - Community Groups français
Release spring '22 - Community Groups françaisRelease spring '22 - Community Groups français
Release spring '22 - Community Groups français
 
Scratch orgs...vous pensiez en avoir terminé avec les sandboxes ?
Scratch orgs...vous pensiez en avoir terminé avec les sandboxes ?Scratch orgs...vous pensiez en avoir terminé avec les sandboxes ?
Scratch orgs...vous pensiez en avoir terminé avec les sandboxes ?
 
Mon Expérience avec le Certified Technical Architect Review Board
 Mon Expérience avec le Certified Technical Architect Review Board Mon Expérience avec le Certified Technical Architect Review Board
Mon Expérience avec le Certified Technical Architect Review Board
 
Mieux acheminer les emails avec salesforce
Mieux acheminer les emails avec salesforceMieux acheminer les emails avec salesforce
Mieux acheminer les emails avec salesforce
 
DX@Scale: Optimizing Salesforce Development and Deployment for large scale pr...
DX@Scale: Optimizing Salesforce Development and Deployment for large scale pr...DX@Scale: Optimizing Salesforce Development and Deployment for large scale pr...
DX@Scale: Optimizing Salesforce Development and Deployment for large scale pr...
 
Dreamforce Global Gathering
Dreamforce Global GatheringDreamforce Global Gathering
Dreamforce Global Gathering
 
Getting started with Salesforce DX
Getting started with Salesforce DXGetting started with Salesforce DX
Getting started with Salesforce DX
 
Pratiques administration avancées et techniques de développement
Pratiques administration avancées et techniques de développementPratiques administration avancées et techniques de développement
Pratiques administration avancées et techniques de développement
 
Salesforce Performance hacks - Client Side
Salesforce Performance hacks - Client SideSalesforce Performance hacks - Client Side
Salesforce Performance hacks - Client Side
 
Meetup 06/2015 - @testsetup
Meetup 06/2015 - @testsetupMeetup 06/2015 - @testsetup
Meetup 06/2015 - @testsetup
 
Meetup Custom Metadata - 1st Part
Meetup Custom Metadata - 1st PartMeetup Custom Metadata - 1st Part
Meetup Custom Metadata - 1st Part
 
Lightning week - Paris DUG
Lightning week - Paris DUGLightning week - Paris DUG
Lightning week - Paris DUG
 
Versionning et travail en équipe avec Salesforce - 27/11/2014
Versionning et travail en équipe avec Salesforce - 27/11/2014Versionning et travail en équipe avec Salesforce - 27/11/2014
Versionning et travail en équipe avec Salesforce - 27/11/2014
 

Dernier

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 

Dernier (20)

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

Sensibilisation à la Sécurité Salesforce

  • 1. Securing Your Salesforce Org: The Human Factor February 2016 User Group Meeting
  • 2. Safe Harbor Safe harbor statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. 
These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
  • 3. Agenda ①  Setting the Stage: The Human Factor (15 mins) ②  Attack Card exercise and discussion (30 mins) ③  Secure Behavior (15 mins) ④  Secure Your Salesforce Org (15 mins) ⑤  Next Steps (15 mins)
  • 4. Setting the Stage: The Human Factor
  • 5. Why are we here? Estimated annual cost of global cybercrime
  • 7. Bugs in Human Hardware “Everybody else does it, why shouldn´t I?” “People are inherently good and I want to be helpful” “Hmmmm…. I wonder what will happen if I…” “I´d be wrong not to!” “If I don´t do this, I´ll get in trouble!” “I´ll get something if I do this!”
  • 10. Attack Card Instructions Step 1 Have one person in your group read an attack card aloud. •  What “Bugs in Human hardware” and “Entry point methods” were used in this attack? •  What's the earliest point that the victim should have known this was an attack? •  What could the individual have done to prevent it? •  Do you think you would have identified the attack in time? If not, how would you have defended yourself? Step 2 For each attack card discuss the following:
  • 11. Attack Card Exercise #1: Linked-Into the Network 10 minutes •  What Bugs in Human Hardware and Entry Point Methods were used in this attack? •  What's the earliest point that the victim should have known this was an attack? •  What could the individual have done to prevent it? •  Do you think you would have identified the attack in time? If not, how would you have defended yourself?
  • 12. Attack Card Exercise #2: Download on the Road 10 minutes •  What Bugs in Human Hardware and Entry Point Methods were used in this attack? •  What's the earliest point that the victim should have known this was an attack? •  What could the individual have done to prevent it? •  Do you think you would have identified the attack in time? If not, how would you have defended yourself?
  • 13. Group Discussion 10 minutes •  What Bugs in Human Hardware and Entry Point Methods were used in this attack? •  What's the earliest point that the victim should have known this was an attack? •  What could the individual have done to prevent it? •  Do you think you would have identified the attack in time? If not, how would you have defended yourself?
  • 15. Password Security •  Activate password complexity and rotation rules ü  Password expiration/reset every 90 days ü  Password length at least 8-10 characters ü  Password complexity – mix alpha and numeric characters •  User education ü  No password/credential sharing ü  Discourage password reuse across services ü  Utilization of a strong password manager (example: LastPass) •  Utilize two-factor authentication (2FA) and single sign-on (SSO)
  • 16. Phishing Education •  Pervasive and effective attack vector for installing malware •  Education is key to prevention •  https://trust.salesforce.com - recent threats •  If unsure about a Salesforce email, ask us via security@salesforce.com •  Don’t open attachments that are unexpected or from unknown senders
  • 17. Security Awareness for Users Small changes in behavior can have a major impact. Across 14,000 Salesforce employees: 50% less likely to click on a phishing link; 82% more likely to report threats to security@salesforce.com
  • 18. Key Principles – The Human Factor •  Limit the number of users with admin rights •  Provide users with minimum access to do their job •  Create rigorous process for user termination/ deactivation •  Basic security training for all users on credential/ password security, phishing, and social engineering •  Trailhead for ongoing, role-focused education •  Effective security requires cross-org communication https://developer.salesforce.com/trailhead
  • 20. Trust: Security at Every Level Applicable to the Sales Cloud, Service Cloud, Communities, Chatter, database.com, site.com and Force.com. For audits, certification and security information or other services, please see the Trust & Compliance section of help.salesforce.com. Infrastructure-level Security: Firewall, SSL Accelerators, Web/App Servers, Load Balancers, Database Servers. Application-level Security: Trusted Networks, Authentication Options, Field Level Security, Object Level Security (CRUD), Audit Trail, Object History Tracking.
  • 22. What is Two-Factor Authentication?
  • 23. Two-Factor Authentication (2FA) •  Provides an extra layer of security beyond a password •  If a user’s credentials are compromised, much harder to exploit •  Require a numeric token on login •  Can be received via app, SMS, email, hardware (YubiKey)
  • 24. Step-by-Step Guidance for Admins •  Try the 2FA Walkthrough created by the Salesforce Docs team •  Title: “Walk Through It: Secure Logins with a Two Factor Authentication” •  Shows you how to set up 2FA in an org •  Only in “Classic”, but if configured, applies to users assigned the permission in Classic or Lightning Experience
  • 25. Login IP Ranges •  Limit the IP addresses that users can log into Salesforce from (by profile) •  Can be enforced at login only or on every request •  Lock sessions to the IP address they started on •  Together these features mean that a malicious actor who steals credentials cannot use them from outside your corporate networks •  Working from home or on the road: log in through the corporate VPN so the session originates from a permitted range
  • 26. Login IP Ranges •  Recommended and available for all customers •  Only access Salesforce from a designated set of IP ranges •  Two levels: •  Org-level Trusted IP Ranges (permissive: logins from these addresses skip identity verification; logins from elsewhere are still allowed after verification) •  Profile-level Login IP Ranges (restrictive: logins from outside the profile's ranges are refused) Enterprise, Unlimited, Performance, Developer: Manage Users | Profiles Contact Mgr, Group, Professional: Security Controls | Session Settings For more info, search Help & Training
  • 27. User Deactivation •  Deactivate users as soon as possible •  Removes login access while preserving historical activity and records •  Sometimes users cannot be deactivated (for example, they still own records or approval responsibilities): assign a new user or reassign approval responsibility first •  Know your IT department's termination process •  Best practice: freeze users first! Freezing blocks login immediately while you complete the reassignments that deactivation requires. To deactivate: from Setup, click Manage Users | Users. Click Edit next to the user's name. Deselect the Active checkbox and then click Save.
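  The Login IP Ranges slides and the deactivation slide both come down to the same question: who logged in, from where, and when. The following script is an added example, not code from the original presentation or from Salesforce. It runs offline over a constructed LoginHistory export (column names mirror the LoginHistory fields UserId, LoginTime, SourceIp and Status, joined to the user's Username, ProfileName and IsActive). It flags successful logins that a profile's Login IP Ranges would refuse, which is worth running before you enforce ranges (to see who would be locked out) and afterwards as a detector, and it lists active users with no successful login in 90 days as freeze-then-deactivate candidates. The profile names, IP ranges, user IDs, usernames and CSV rows are all placeholders constructed for the example.

```python
"""Audit a Salesforce LoginHistory export (constructed sample) against
profile-level Login IP Ranges and find dormant active users.

Added example; not part of the original slides. Ranges, profiles and
rows below are hypothetical placeholders.
"""
import csv
import io
import ipaddress
from datetime import datetime, timedelta, timezone

# Profile-level Login IP Ranges (the restrictive kind): a login from outside
# the profile's ranges is refused. Setup takes a start and an end address per
# range, so they are modelled the same way here. Hypothetical values.
PROFILE_LOGIN_IP_RANGES = {
    "Standard User": [("203.0.113.0", "203.0.113.255"),      # office egress
                      ("198.51.100.10", "198.51.100.20")],   # VPN pool
    "System Administrator": [("203.0.113.0", "203.0.113.255")],
    # A profile with no entry is unrestricted: any source IP may log in.
}

# Date the audit is run "as of" (fixed so the sample stays meaningful).
AS_OF = datetime(2016, 2, 15, tzinfo=timezone.utc)

# Constructed sample export: LoginHistory rows joined to User fields.
LOGIN_HISTORY_CSV = """\
UserId,Username,ProfileName,IsActive,LoginTime,SourceIp,Status
005000000000001,alice@example.com,Standard User,true,2016-02-10T09:12:00Z,203.0.113.45,Success
005000000000001,alice@example.com,Standard User,true,2016-02-11T22:40:00Z,192.0.2.77,Success
005000000000002,bob@example.com,System Administrator,true,2016-02-09T08:00:00Z,203.0.113.8,Success
005000000000002,bob@example.com,System Administrator,true,2016-02-12T03:15:00Z,192.0.2.99,Invalid Password
005000000000003,carol@example.com,Standard User,true,2015-10-01T10:00:00Z,198.51.100.12,Success
005000000000004,dave@example.com,Chatter Free User,true,2016-02-12T12:00:00Z,192.0.2.5,Success
"""


def parse_login_history(text):
    """Parse the CSV export into dicts; LoginTime becomes an aware datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["LoginTime"] = datetime.strptime(
            row["LoginTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        row["IsActive"] = row["IsActive"].lower() == "true"
        rows.append(row)
    return rows


def in_ranges(ip, ranges):
    """True if ip lies inside any inclusive (start, end) range of the same IP version."""
    addr = ipaddress.ip_address(ip)
    for start, end in ranges:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo.version == addr.version and lo <= addr <= hi:
            return True
    return False


def out_of_range_logins(rows, profile_ranges):
    """Successful logins that the user's profile-level ranges would refuse.

    Failed attempts are skipped: the point is to see which real sessions
    came from outside the ranges (lockout preview, or something to investigate).
    """
    flagged = []
    for row in rows:
        ranges = profile_ranges.get(row["ProfileName"])
        if not ranges or row["Status"] != "Success":
            continue
        if not in_ranges(row["SourceIp"], ranges):
            flagged.append(row)
    return flagged


def dormant_users(rows, now, days=90):
    """Active users with no successful login in the last `days` days.

    Users present in the export with no successful login at all are included.
    These are candidates to freeze now and deactivate once ownership and
    approval responsibilities have been reassigned.
    """
    last_success, active = {}, {}
    for row in rows:
        active[row["Username"]] = row["IsActive"]
        if row["Status"] == "Success":
            prev = last_success.get(row["Username"])
            if prev is None or row["LoginTime"] > prev:
                last_success[row["Username"]] = row["LoginTime"]
    cutoff = now - timedelta(days=days)
    return sorted(u for u, is_active in active.items()
                  if is_active and last_success.get(u, cutoff) <= cutoff)


if __name__ == "__main__":
    rows = parse_login_history(LOGIN_HISTORY_CSV)
    for row in out_of_range_logins(rows, PROFILE_LOGIN_IP_RANGES):
        print(f"OUT OF RANGE  {row['Username']:20} "
              f"{row['LoginTime']:%Y-%m-%d %H:%M}  {row['SourceIp']}")
    for user in dormant_users(rows, AS_OF):
        print(f"DORMANT       {user:20} -> freeze, reassign, then deactivate")
```

  Only profile-level Login IP Ranges are modelled, because org-level Trusted IP Ranges do not refuse logins; they only decide whether identity verification is required. Note also that a brand-new user who has never logged in is reported as dormant, which is usually what you want for a joiner whose start date has passed without a login.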
  • 29. Key Takeaways Check your Security Settings! Activate and use turnkey security features: •  Enable two-factor authentication •  Implement identity confirmation •  Activate Login IP Ranges •  Deactivate users in a timely manner (freeze them first!) Consider the human factor when training Salesforce users: •  Password security •  Emails / phishing
  • 30. Resources •  Security for Admins Quick Reference Guide (available today!) •  Security & Compliance Release Webinars – What’s New in Security & Compliance, Spring ‘16 (Feb. 25, 8am PST) •  Trailhead: Data Security module (more coming soon!) •  Who Sees What video series (YouTube) •  Dreamforce session recordings (www.dreamforce.com) •  Secure Salesforce series •  Create a Salesforce Force Field for Your Users •  Security Implementation Guide •  ButtonClickAdmin.com
  • 32. 2FA Setup Step 1: Create a permission set titled “Two Factor Authentication”: Name | Setup | Manage Users | Permission Sets | New
  • 33. 2FA Setup Step 2: Select the “Two-Factor Authentication for User Interface Logins” permission and save this permission set. Now assign this permission set to the required users by clicking: Manage Assignment | Add Assignments | Select users | Assign
  • 34. 2FA Setup Step 3: Upon their next login, users will see the following prompt: