2. Safe harbor statement under the Private Securities Litigation Reform Act of 1995:
This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties
materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or
implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking,
including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements
regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded
services or technology developments and customer contracts or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality
for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and
rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with
completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our
ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer
deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further
information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for
the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing
important disclosures are available on the SEC Filings section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and
may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are
currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
Safe Harbor
3. The app revolution is opening up a world of innovation for businesses
[Diagram: computing eras labelled SNA / Terminal / Mainframe; LAN / WAN / Client / Server; Cloud, Mobile, Social, Data Science. Scale labels: Thousands, Millions, Billions, Trillions; customer interactions, connected things]
4. Apps are generating more customer data than ever before
Apps
Financial Data
Health Data
Location Data
90% of the world’s data created in the last 12 months
5. World’s Most Trusted Enterprise Cloud
Trust is our #1 value
Five Elements of Trust
Transparency
Always on availability
Performance at scale
Global data centers
Enterprise compliance
Q1 Transactions: 211B+
Customers: 150k
Apps: 2M+
6. Salesforce Trust Services
Apps: Sales, Service, Marketing, Community, Analytics
Layers: Infrastructure Services, Network Services, Application Services
47 Major Releases
● Secure Data Centers
● Backup and Disaster Recovery
● HTTPS Encryption
● Penetration Testing
● Advanced Threat Detection
● Identity & Single Sign On
● Two Factor Authentication
● User Roles & Permissions
● Field & Row Level Security
● Secure Firewalls
● Real-time replication
● Password Policies
● Third Party Certifications
● IP Login Restrictions
● Customer Audits
150,000+ customers 2,000,000+ apps
Sixteen years of innovation on the world’s most trusted cloud
7. Introducing: Salesforce Shield
Salesforce Shield: Platform Encryption, Event Monitoring, Field Audit Trail
New services to help you build trusted apps fast
8. Monitor User Activity
Know who is accessing data from where
Optimize Performance
Troubleshoot application performance to improve
end user experience
Track Application Usage
Understand application usage to increase adoption
Gain Visibility Into User Actions with Event Monitoring
9. Retain Field History for Up to 10 Years with Field Audit Trail
Establish Data Retention Policies
Know the state and value of data at any time
Access Retained Data at Scale
Normalize on big data back-end for performance
Comply with Industry Regulations
Secure data archive with the highest trust standards
10. Encrypt Sensitive Data While Preserving Business Functionality
Seamlessly protect data at rest
Encrypt standard & custom fields, files & attachments
Natively integrated with key Salesforce features
E.g., Search, Chatter, Lookups work with encrypted data
Customer managed keys
Customer-driven encryption key lifecycle management
11. Salesforce Shield
New services to help you build trusted apps fast
Monitor: Event Monitoring
Audit: Field Audit Trail
Encrypt: Platform Encryption
13. Auditing, Analytics and Actions at a Glance
Audit Fields
  Purpose: Track who created or last modified a record user and time
  Example: Adam Torman modified the Acme account earlier today
  Interface: Record Detail UI and API
  [Profile or Sharing] Permissions Required: *Read/Query requires sharing access to parent record
  Data Retention Policy: Life of the record / 18 Months depending on org inception date
  Pricing: $0

Login History
  Purpose: Track end-user logins and login attempts (e.g. failures)
  Example: Adam Torman logged in using Chrome v 42.0 on Mac OSX
  Interface: Setup UI and API
  [Profile or Sharing] Permissions Required: Manage User permission
  Data Retention Policy: 6 months FIFO
  Pricing: $0

Setup Audit Trail
  Purpose: Track Administrative changes in setup like escalation of privileges or creation of new fields
  Example: Permission set Modify All Data assigned to user Adam Torman
  Interface: Setup UI and API
  [Profile or Sharing] Permissions Required: *View Setup and Configuration permission
  Data Retention Policy: 6 months FIFO
  Pricing: $0

Field History Tracking / Field Audit Trail
  Purpose: Track state changes at the field level
  Example: Adam Torman changed the Case status from Open to Closed
  Interface: Setup / Related List UI and API
  [Profile or Sharing] Permissions Required: Configure requires Customize Application permission; *Read/Query requires sharing access to parent record
  Data Retention Policy: Field History Tracking: 20 fields for 18 months; Field Audit Trail: 60 fields for 10 years
  Pricing: Field History Tracking: $0; Field Audit Trail: ** $add-on

Event Monitoring (Analysis)
  Purpose: Track a variety of server interactions including report exports, page views, and document downloads
  Example: Adam Torman clicked on Marc Benioff’s patient record and downloaded the customer list
  Interface: API (CSV download) + Wave Integration
  [Profile or Sharing] Permissions Required: *View Event Log Files permission AND * View Login Forensics
  Data Retention Policy: Up to 30 days for Event Log Files and 10 years for Login Forensics

Event Monitoring (Action)
  Purpose: Automate actionable security policies such as limiting data export or notifying on concurrent login sessions
  Example: Jari Salomaa was prevented from logging into his iPad until he removed a previous login session
  Interface: Setup UI
  [Profile or Sharing] Permissions Required: Author Apex AND Customize Application
  Data Retention Policy: N/A

Pricing (Event Monitoring): $0 - Login/Logout Event Log Files for 1 day; ** $add-on - 29 log files for 30 days + Login Forensics + Transaction Security

Online: Audit Fields, Login History, Setup Audit, Field History, Field Audit, Event Monitoring, Transaction Security
14. What we are hearing from CISOs
1. Visibility to user activity
Report on what users are doing and where policies are
needed
2. Generate security policies
Generate real-time actions such as notifications and proactive
prevention
3. Automate actions from policies
Fine-tune your application portfolio and business process
4. Analyze, monitor results and audit
Fine-tune your security policies and provide audit trails for
auditors
15. Two halves of the same solution
Analytics
Actions
17. Analytics For Event Monitoring
Support
Provide better, data-driven support for your end users
Audit
Track your users’ activities
Optimize
Fine-tune your application portfolio and business process
18. Actions For Event Monitoring
Customizable Apex Policies
Framework auto-generated policies
Define Real Time Actions
Notify, Block, Force 2FA, Session Chooser
Enforce Session Constraints
Control the number of active user sessions
20. Problem set: Concurrent Login Sessions
● Users should not be logged in to more than ‘n’ sessions
● Limit the number of concurrent sessions to reduce risk with malicious activities
○ FedRAMP requirement
● Security policy should understand who will be impacted and prompt the user to remove previous sessions that no longer apply
22. Analyze current login behaviors using analytics
Track login trends and ask questions:
● Who will be impacted if you create a policy based
on Profile, Role, User, etc…?
● What integrations may break?
● How are users logging in - S1 Mobile, Web Browser, integrations?
[Diagram: Cycle of Security. Quadrants: Event Capture, Historical Analytics, Policy Generation, Real Time Actions. Steps: Event Generation, Historical Logs, User Segmentation, Policy Design, Policy Customization, Policy Deployment, Real-time Analytics, Audit]
23. Determine criteria for policy
By Profile:
● System Admin Profile >= 2
By Role:
● East Coast Exec Role >=5
By User:
● Adam Torman OR Jari Salomaa
>=1
By Time:
● Saturday OR Sundays >=1
24. Decide which actions to take
Determine actions to take:
● None
● Block
● 2FA
● Session Chooser
25. Customize Apex policy and add criteria
Customize the policy
● Apply custom criteria such as
Profiles, Roles, Users, etc…
● Work closely with your developers to
customize it for your design
26. Deploy policy
Deployment is as easy as selecting a
checkbox on the policy
27. Real-time action policy enforcement
In real-time, users will be forced to take an action based on
the criteria you created
28. Analyze policy enforcement and Audit
Track how many 2FA or session chooser screens were
selected.
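The dry run that slides 22 to 24 call for (who would a concurrent-session policy hit, and through which login types) can be sketched as follows. This is an added example, not Salesforce code or an Apex policy: the thresholds come from slide 23, while the record field names, the reading of ">= n" and the sample sessions are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Criteria from the "Determine criteria for policy" slide.
# ASSUMPTION: ">= n" means a rule fires once one user holds n or more
# matching concurrent sessions. Field names are hypothetical.
RULES = [
    ("profile", lambda s: s["profile"] == "System Admin", 2),
    ("role", lambda s: s["role"] == "East Coast Exec", 5),
    ("user", lambda s: s["user"] in {"Adam Torman", "Jari Salomaa"}, 1),
    ("time", lambda s: s["login"].weekday() >= 5, 1),  # Saturday or Sunday
]


def dry_run(sessions):
    """Map each user the policy would affect to the rules that fire and
    the login types in use, without enforcing anything."""
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s["user"]].append(s)
    impacted = {}
    for user, rows in by_user.items():
        fired = [name for name, match, limit in RULES
                 if sum(1 for r in rows if match(r)) >= limit]
        if fired:
            impacted[user] = {
                "rules": fired,
                "login_types": Counter(r["login_type"] for r in rows),
            }
    return impacted


def session(user, profile, role, login_type, when):
    return {"user": user, "profile": profile, "role": role,
            "login_type": login_type, "login": datetime.fromisoformat(when)}


# Constructed sample of currently active sessions (not real log data).
SESSIONS = [
    session("Adam Torman", "System Admin", "IT", "Web Browser", "2015-06-01T09:00"),
    session("Adam Torman", "System Admin", "IT", "S1 Mobile", "2015-06-01T09:30"),
    session("ETL Integration", "Integration", "None", "API", "2015-06-06T02:00"),
    session("Pat Example", "Standard User", "East Coast Exec", "Web Browser", "2015-06-01T08:00"),
    session("Pat Example", "Standard User", "East Coast Exec", "S1 Mobile", "2015-06-01T08:05"),
]

if __name__ == "__main__":
    for user, hit in dry_run(SESSIONS).items():
        print(user, hit["rules"], dict(hit["login_types"]))
```

The weekend rule catching an API-only account is the "what integrations may break?" case: such accounts are candidates for an exemption or the None action before the policy is switched on.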
30. Encrypt data at rest when it is stored on the App Cloud
Encrypt Standard & Custom Fields, Files, & Attachments
Customers manage their encryption keys on the App Cloud platform
What Problems We Solve
31. Why It’s Unique
Salesforce Platform Encryption
Quickly and seamlessly protect sensitive data
Setup takes minutes – no extra hardware or software
Makes the App Cloud ‘encryption aware’
Salesforce1 Mobile-ready, natively
32. Salesforce Platform Encryption
Features and Functionality Overview
Encryption Services
• Standards based encryption built natively into the App Cloud Platform
• AES encryption using 256-bit keys
• Layers seamlessly with other App Cloud security features
Key Management
• Customer driven key lifecycle management
• Uses secure derived keys that are never persisted in the App Cloud
• Hardware Security Module based key management infrastructure
• FIPS 140-2 compliant
Policy Management
• Customer control over policy configuration
• Select fields, files, and attachments to be encrypted
• Encryption controlled with metadata to take complexity out of deployments
App Cloud Integration
• Preserve important functionality like search and business rules
• Built-in capabilities to iteratively add additional feature support
33. Architecture Overview
[Diagram: Encrypted Fields and Encrypted Files; labels AES 256, DATA, FFX; Database and File Storage; Key Derivation Servers, each with an Embedded HSM]
34. Keys and Secrets
Key Management Components
Keys and Secrets
• Master Secret
• Master Salt
• Master Wrapping Key
• Tenant Wrapping Key
• Key Derivation Server RSA Key Pair
Hardware Security Modules
Master HSM: Functions
• Generates Per-Release Secrets and Keys
• Encrypts Secrets and Keys for Secure Distribution
• Air-gapped from Production Network
Key Derivation Server Embedded HSM: Functions
• Unwraps Per-Release Secrets and Keys
• Generates and Encrypts Tenant Secret
• Performs Key Derivation
35. Key Derivation: Creating Org-specific Data Encryption Keys
Master Secret / Master Salt
• Generated once per release by Salesforce Security Officer using air-gapped Master HSM
• Encrypted with the Master Wrapping Key and stored in Key Derivation Servers
• Decryptable only by Key Derivation Server’s Private Key and the Master Wrapping Key
Tenant Secret
• Org-specific secret generated, managed, and rotated by customers
• Manage via Setup or SOAP API
• Encrypted using the per-release Tenant Wrapping Key and stored in the database
• Decryptable only by Key Derivation Server’s Private Key and Tenant Wrapping Key
Data Encryption Key
• Created by Key Derivation Servers via Password Based Key Derivation Function
• Decrypts and combines Master and Tenant Secrets and Master Salt as input to PBKDF2 function
• Output of KDF is an Org-specific Data Encryption Key used to encrypt customer field values and files
• Derived keys are cached on the App Cloud platform
36. Deriving Data Encryption Keys
• Standards Based Key Derivation Function: PBKDF2 HMAC with SHA256
• Runs 15,000 Iterations
• Outputs 256 bit length Data Encryption Key
[Diagram: Master Secret (Summer ‘15), Master Salt (Summer ‘15) and Tenant Secret 1 enter the Password Based Key Derivation Function on a Key Derivation Server (Embedded HSM); the output, Data Encryption Key 1, is placed in the Cache]
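The derivation on slides 35 and 36, as an added example that is not Salesforce's code: PBKDF2-HMAC-SHA256 with 15,000 iterations and a 256-bit output, fed by a master secret, a tenant secret and a master salt. How the two secrets are combined is not stated on the slides, so the length-prefixed concatenation, the `DekCache` class and all sample values are assumptions.

```python
import hashlib

ITERATIONS = 15_000   # iteration count stated on the slide
DEK_BYTES = 32        # 256-bit Data Encryption Key, as stated on the slide


def derive_dek(master_secret: bytes, tenant_secret: bytes, master_salt: bytes) -> bytes:
    """Derive an org-specific key with PBKDF2-HMAC-SHA256.

    ASSUMPTION: the slides do not say how the secrets are combined. Each
    secret is length-prefixed before concatenation so that two different
    (master, tenant) pairs can never produce the same PBKDF2 input.
    """
    password = b"".join(len(s).to_bytes(4, "big") + s
                        for s in (master_secret, tenant_secret))
    return hashlib.pbkdf2_hmac("sha256", password, master_salt,
                               ITERATIONS, DEK_BYTES)


class DekCache:
    """Hypothetical in-memory cache: derived keys live only in this dict."""

    def __init__(self, master_secret: bytes, master_salt: bytes):
        self._master_secret = master_secret
        self._master_salt = master_salt
        self._keys = {}
        self.derivations = 0   # counts how often the KDF actually runs

    def get(self, org_id: str, version: int, tenant_secret: bytes) -> bytes:
        slot = (org_id, version)
        if slot not in self._keys:
            self._keys[slot] = derive_dek(self._master_secret, tenant_secret,
                                          self._master_salt)
            self.derivations += 1
        return self._keys[slot]

    def evict(self, org_id: str) -> None:
        self._keys = {k: v for k, v in self._keys.items() if k[0] != org_id}


# Constructed sample values; real secrets come from an HSM, not from code.
MASTER_SECRET = bytes(range(32))
MASTER_SALT = bytes(range(32, 64))
TENANT_V1 = b"\x11" * 32
TENANT_V2 = b"\x22" * 32   # the same org after the customer rotates its secret

if __name__ == "__main__":
    cache = DekCache(MASTER_SECRET, MASTER_SALT)
    k1 = cache.get("org-A", 1, TENANT_V1)
    cache.evict("org-A")                            # key material dropped
    assert cache.get("org-A", 1, TENANT_V1) == k1   # re-derived, never stored
    assert cache.get("org-A", 2, TENANT_V2) != k1   # rotation yields a new key
    print("derivations:", cache.derivations)
```

Because the key is a deterministic function of its inputs, only the wrapped secrets need to be stored, and data encrypted under an earlier tenant secret stays readable only while that secret version is still available for re-derivation.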
37. Customer Driven Key Lifecycle
• Derived Encryption Keys Are Never Persisted
• Create, Manage, and Rotate Keys
• Declarative & API Based Key Management
• Import and Export Tenant Secrets on Demand
38. Field Encryption Policies
• Customer Driven Encryption Policies
• Declarative or API Policy Configuration
• Supports Both Standard and Custom Fields
• Natively Integrated with the App Cloud Features
39. Standard Field Encryption and Search
Standard Field Encryption
• Account Name
• Contact First/Middle/Last Name
• Email
• Phone
• Home/Other Phone
• Mobile
• Fax
• Mailing Street & City
• Person Account fields
• Case Subject, Description
• Case Comments’ Body
Search Fields and Files
(via Desktop, Salesforce1 Mobile and SOSL)
40. Custom Field Encryption
Custom Field Types
• Email
• Phone
• Text
• Text Area
• Text Area (Long)
• URL
Enable with Metadata
Encrypt Existing Fields
41. Chatter Files and Attachments Encryption
Encrypt Content of Chatter Files
Preview Encrypted Files
File Content Search
Encrypt Attachments