Security risk is often considered one of the major factors determining whether organizations adopt cloud solutions. For most large companies, data is one of the most valuable assets and its safety cannot be compromised. Naturally, therefore, the biggest challenge faced by cloud providers is gaining the trust of enterprises.
As the biggest player in the CRM domain and a major cloud solutions provider, Salesforce has invested tremendously in security, which makes its cloud solutions at least as secure as any legacy on-premises system, if not more so.
(Have concerns about cloud CRM? We have debunked common myths in this post: Cloud CRM a Myth or Reality?)
The certified data centers responsible for physical safety are highly fortified and comparable to the best data centers in the world. Closed-circuit television (CCTV) coverage, alarm systems, bulletproof buildings and biometric scans are only some of their features. On the software side, Salesforce has extensively hardened the metadata-driven, multi-tenant architecture of its platform.
Let’s look into the various components of Salesforce Cloud Security.
Information Security Governance
Salesforce’s security governance encompasses the involvement of dedicated staff as well as the design and upkeep of a secure architecture. It also includes the privacy program policies and security practices that are incorporated into all stages of the development process. Some of these are listed below.
- Security staff, including a Chief Trust Officer and security experts
- Privacy counsel, including lawyers who ensure the company’s compliance with global privacy laws
- Information security and privacy training for all employees
- Regular assessments to detect and eradicate vulnerabilities to internal and external threats
- Privacy policies that cover how the company detects and responds to security incidents
- A design phase in which experts make design decisions based on security principles
- A coding phase in which secure coding patterns and anti-patterns are used to tackle standard vulnerability types, and security issues are identified through static code analysis
- A testing phase in which external security consultants and internal staff use professional tools to identify security flaws
Users are created in a Salesforce Organization before they can log in, and a user has to be logged in to access most parts of the Force.com platform. Users can be authenticated in several ways, including traditional username/password authentication, federated single sign-on (e.g. SAML), delegated authentication (e.g. LDAP), or OAuth2.
Network security controls where users can log in from and at what times they can log in. This limits the damage that credentials stolen through phishing can do: a valid password alone is not enough if the login comes from an unexpected location or outside permitted hours. Administrators can add trusted IP ranges; users logging in from outside these ranges are either sent a verification email or denied access completely, depending on the organization’s configuration. Login hours can also be set so that access is limited to specific hours.
Digging deeper into the technical details, Force.com implements this network security with SSL/TLS cryptographic protocols that encrypt data in transit, stateful packet inspection (SPI) firewalls that check network packets and block untrusted connection attempts, and two-factor authentication that verifies the identity behind each access request.
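To make the login-restriction logic concrete, here is an added example (not Salesforce’s own code and not taken from the original post) that models how trusted IP ranges, login hours and the "verify or deny" choice combine into a decision for each login attempt. The policy values, user names and IP addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are constructed, and the order in which the checks are applied is an assumption of this model rather than a statement about Salesforce’s internal implementation.

```python
from dataclasses import dataclass, replace
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass
class LoginPolicy:
    """Org-level login restrictions (simplified model, not Salesforce's implementation)."""
    trusted_networks: List[str]                 # CIDR ranges, as entered under trusted IP ranges
    login_hours: Dict[int, Tuple[time, time]]   # weekday (0 = Monday) -> (start, end)
    deny_untrusted: bool = False                # True: deny outside ranges; False: challenge instead


def in_trusted_range(policy: LoginPolicy, source_ip: str) -> bool:
    """True when the source address falls inside any trusted range."""
    try:
        addr = ip_address(source_ip)
    except ValueError:
        return False  # an unparsable address is never trusted
    return any(addr in ip_network(net) for net in policy.trusted_networks)


def within_login_hours(policy: LoginPolicy, when: datetime) -> bool:
    """True when the attempt falls inside the window configured for that weekday."""
    window = policy.login_hours.get(when.weekday())
    if window is None:
        return False  # no window configured for that day means no logins that day
    start, end = window
    return start <= when.time() < end


def evaluate_login(policy: LoginPolicy, source_ip: str, when: datetime) -> str:
    """Return "allow", "verify" (identity verification challenge) or "deny".

    Assumed evaluation order for this model: login hours first, then network trust.
    """
    if not within_login_hours(policy, when):
        return "deny"
    if in_trusted_range(policy, source_ip):
        return "allow"
    return "deny" if policy.deny_untrusted else "verify"


def review_attempts(policy: LoginPolicy, attempts) -> List[Tuple[str, str, str]]:
    """Apply the policy to a batch of (user, ip, timestamp) attempts; returns decisions."""
    return [(user, ip, evaluate_login(policy, ip, when)) for user, ip, when in attempts]


# Constructed sample policy: office range trusted, logins Monday-Friday 08:00-18:00.
LENIENT_POLICY = LoginPolicy(
    trusted_networks=["203.0.113.0/24"],
    login_hours={day: (time(8, 0), time(18, 0)) for day in range(5)},
    deny_untrusted=False,
)
STRICT_POLICY = replace(LENIENT_POLICY, deny_untrusted=True)

# Constructed attempts: 2024-05-14 is a Tuesday, 2024-05-18 a Saturday.
SAMPLE_ATTEMPTS = [
    ("alice", "203.0.113.10", datetime(2024, 5, 14, 10, 0)),  # trusted range, in hours
    ("bob",   "198.51.100.7", datetime(2024, 5, 14, 10, 0)),  # outside range, in hours
    ("alice", "203.0.113.10", datetime(2024, 5, 14, 19, 0)),  # trusted range, after hours
    ("carol", "203.0.113.20", datetime(2024, 5, 18, 10, 0)),  # weekend, no window
    ("bob",   "not-an-ip",    datetime(2024, 5, 14, 10, 0)),  # garbage address
]

if __name__ == "__main__":
    for label, policy in (("lenient", LENIENT_POLICY), ("strict", STRICT_POLICY)):
        for user, ip, decision in review_attempts(policy, SAMPLE_ATTEMPTS):
            print(f"{label:8} {user:6} {ip:15} -> {decision}")
```

The difference between the two policies shows up only for the out-of-range attempt: under the lenient setting the user is challenged, under the strict one the attempt is refused outright. Either way the after-hours and weekend attempts are refused even from a trusted address, which is the property that makes login hours useful against a stolen password.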
Salesforce provides a flexible design that lets customers control the level of data access granted to users. Features such as Profiles, Permission Sets, Organization-Wide Settings, Sharing models and Hierarchies can be used to limit access to objects, fields, folders or individual records at different levels.
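The features listed above work as two gates: object-level permissions (profile plus permission sets) decide which operations a user may perform on an object at all, and record-level sharing (ownership, the role hierarchy, organization-wide defaults and shares) decides which records those operations reach. The following added example, which is a simplified model written for this post and not Salesforce’s own code, evaluates both gates for a constructed org with two profiles, a three-level role hierarchy and one manual share. Object, user, role and record identifiers are constructed; the assumption that a manager above the owner in the hierarchy gets owner-equivalent access, and that deletion needs that level, is part of the model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Organization-wide default (OWD) sharing settings, named as in Salesforce Setup.
OWD_PRIVATE = "Private"
OWD_READ_ONLY = "Public Read Only"
OWD_READ_WRITE = "Public Read/Write"

# Record-level access levels, ordered from none to full (owner-equivalent).
RANK = {None: 0, "read": 1, "edit": 2, "full": 3}
# Minimum record-level access each action needs once object-level CRUD allows it (model assumption).
NEEDED = {"read": "read", "edit": "edit", "delete": "full"}


@dataclass
class User:
    name: str
    profile: str
    permission_sets: List[str] = field(default_factory=list)
    role: Optional[str] = None


@dataclass
class Record:
    sobject: str
    record_id: str
    owner: str  # user name


@dataclass
class Org:
    profiles: Dict[str, Dict[str, Set[str]]]         # profile -> sobject -> CRUD perms
    permission_sets: Dict[str, Dict[str, Set[str]]]  # permission set -> sobject -> CRUD perms
    owd: Dict[str, str]                              # sobject -> OWD
    role_parent: Dict[str, Optional[str]]            # role -> parent role (None at the top)
    shares: List[Tuple[str, str, str]]               # (record_id, grantee user, "read"|"edit")
    users: Dict[str, User]


def object_permissions(org: Org, user: User, sobject: str) -> Set[str]:
    """Object-level gate: the profile is the baseline and permission sets only add to it."""
    perms = set(org.profiles.get(user.profile, {}).get(sobject, set()))
    for ps in user.permission_sets:
        perms |= org.permission_sets.get(ps, {}).get(sobject, set())
    return perms


def is_above_in_hierarchy(org: Org, role: Optional[str], other: Optional[str]) -> bool:
    """True when `role` is a strict ancestor of `other` in the role hierarchy."""
    if role is None or other is None:
        return False
    parent = org.role_parent.get(other)
    while parent is not None:
        if parent == role:
            return True
        parent = org.role_parent.get(parent)
    return False


def record_access(org: Org, user: User, record: Record) -> Optional[str]:
    """Record-level gate: owner or hierarchy, otherwise OWD widened by any shares."""
    owner = org.users[record.owner]
    if record.owner == user.name or is_above_in_hierarchy(org, user.role, owner.role):
        return "full"
    owd = org.owd.get(record.sobject, OWD_PRIVATE)
    level = {OWD_READ_WRITE: "edit", OWD_READ_ONLY: "read"}.get(owd)
    for record_id, grantee, share_level in org.shares:
        if record_id == record.record_id and grantee == user.name:
            if RANK[share_level] > RANK[level]:
                level = share_level  # sharing can only widen access, never narrow it
    return level


def can(org: Org, user: User, record: Record, action: str) -> bool:
    """Both gates must pass: object-level CRUD first, then record-level access."""
    if action not in object_permissions(org, user, record.sobject):
        return False
    return RANK[record_access(org, user, record)] >= RANK[NEEDED[action]]


def build_sample_org() -> Org:
    """Constructed sample org: two profiles, three roles, one manual share."""
    crud = {"read", "create", "edit", "delete"}
    return Org(
        profiles={"Sales": {"Account": set(crud), "Lead": set(crud)},
                  "Support": {"Account": {"read"}, "Lead": {"read", "edit"}}},
        permission_sets={"Account_Edit": {"Account": {"read", "edit"}}},
        owd={"Account": OWD_PRIVATE, "Lead": OWD_READ_ONLY},
        role_parent={"CEO": None, "VP_Sales": "CEO", "Rep": "VP_Sales"},
        shares=[("001A", "bob", "read")],  # account 001A shared read-only to bob
        users={"alice": User("alice", "Sales", role="Rep"),
               "bob": User("bob", "Sales", role="Rep"),
               "carol": User("carol", "Sales", role="VP_Sales"),
               "dave": User("dave", "Support", permission_sets=["Account_Edit"])},
    )


ACCOUNT = Record("Account", "001A", owner="alice")  # constructed record ids
LEAD = Record("Lead", "00QB", owner="bob")

if __name__ == "__main__":
    org = build_sample_org()
    for who in org.users:
        for rec in (ACCOUNT, LEAD):
            print(who, rec.sobject, {a: can(org, org.users[who], rec, a) for a in NEEDED})
```

The instructive case is dave: his permission set grants edit on Account at the object level, yet he cannot even read alice’s account, because the Private organization-wide default gives him no record-level access and nothing has been shared with him. Conversely, bob can read that account through the manual share but cannot edit it, and carol reaches it only because her role sits above alice’s in the hierarchy. When reviewing an org’s access model, checking both gates for a few representative users in this way is far more reliable than reading the profile settings alone.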
Salesforce also protects data against hardware faults and catastrophic failures through regular backups, so that data can be recovered whenever needed.
Salesforce Health Check, a free application on AppExchange, can be installed by customers to review their security-related settings and receive recommendations for improvement.