Salesforce Cloud Security
By Amer Wilson
Security is often considered the biggest risk in adopting cloud solutions. For most large companies, data is one of the most valuable assets, and its safety cannot be compromised, whether in terms of data privacy or resistance to external threats. Naturally, the biggest challenge faced by cloud providers is gaining the trust of enterprises.
Salesforce, the biggest player in the CRM domain and a cloud solutions provider, has invested tremendously in security, which makes its cloud solutions at least as secure as any legacy system, or even more so.
The certified data centers responsible for physical safeguards are highly fortified and comparable to the best data centers in the world. Closed-circuit television coverage, alarm systems, bulletproof buildings and biometric scans are only some of the features. On the software side, Salesforce has heavily secured the metadata-driven, multi-tenant architecture of its platform.
Let’s look into the various components of Salesforce cloud security.
Information Security Governance
Salesforce’s security governance encompasses the involvement of its major resources as well as the design and upkeep of a secure architecture. It also includes the privacy program policies and security practices that are incorporated into every stage of the development process. Some of these are listed below.
- Security Staff including Chief Trust Officer and security experts
- Privacy Counsel including lawyers who ensure the company’s compliance with global privacy laws
- Employees receive information security and privacy training
- Assessments that are regularly conducted to detect and eradicate any vulnerability to internal and external threats
- Privacy Policies that include how the company detects and responds to security incidents
- Design Phase where experts make design decisions based on security principles
- Coding Phase in which they use secure coding patterns and anti-patterns to tackle standard vulnerability types and identify security issues through static code analysis
- Testing Phase where external security consultants and internal staff use professional tools to identify security flaws
Users must be created in a Salesforce organization before they can log in. A user has to be logged in to access most parts of the Force.com platform. Users can be authenticated in multiple ways, including traditional username/password authentication, federated authentication single sign-on (e.g. SAML), delegated authentication (e.g. LDAP), or OAuth2.
Network Security controls where users can log in from and at what times they can log in. This limits the chances of phishing attacks through stolen credentials. Administrators can add trusted IP ranges; users outside these ranges are either sent verification emails or denied access completely, depending on the organisation's configuration. Login hours can also be set to restrict access to specific hours.
Digging deeper into the technical details, Force.com implements this network security using SSL/TLS cryptographic protocols that encrypt data transmissions, stateful packet inspection (SPI) firewalls that check network packets and prevent untrusted login attempts, and two-factor authentication to verify the identity of access requests.
Salesforce provides a flexible design that lets its customers control the level of data access given to users. Several features, such as Profiles, Permission Sets, Organization Wide Settings, Sharing models and Hierarchies, can be used to limit access to objects, fields, folders or certain records at different levels.
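The trusted-IP-range and login-hours checks described above can be modelled as a small audit over login records. This is an added example, not Salesforce's code or API: `LoginPolicy`, `evaluate_login`, `audit` and the sample records are all constructed for illustration, times are assumed to be in the organization's local time, and checking login hours before the IP range is an assumption of the model.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

@dataclass
class LoginPolicy:
    """Hypothetical model of the settings described above (not a Salesforce API)."""
    trusted_ranges: list        # CIDR strings the administrator trusts
    outside_range_action: str   # "verify" (send verification email) or "deny"
    hours_start: time           # login hours, in the organization's local time
    hours_end: time

def evaluate_login(policy, source_ip, when):
    """Return 'allow', 'verify' or 'deny' for a single login attempt."""
    t = when.time()
    if policy.hours_start <= policy.hours_end:
        in_hours = policy.hours_start <= t < policy.hours_end
    else:  # window wraps past midnight, e.g. 22:00 to 06:00
        in_hours = t >= policy.hours_start or t < policy.hours_end
    if not in_hours:
        return "deny"
    addr = ip_address(source_ip)
    # An IPv6 address never matches an IPv4 range (and vice versa).
    if any(addr in ip_network(cidr) for cidr in policy.trusted_ranges):
        return "allow"
    return policy.outside_range_action

def audit(policy, records):
    """Return (user, ip, decision) for every login that would not be allowed."""
    flagged = []
    for user, ip, ts in records:
        decision = evaluate_login(policy, ip, datetime.fromisoformat(ts))
        if decision != "allow":
            flagged.append((user, ip, decision))
    return flagged

# Constructed sample data: documentation-reserved addresses, invented users.
POLICY = LoginPolicy(["203.0.113.0/24"], "verify", time(8, 0), time(18, 0))
SAMPLE_LOGINS = [
    ("alice", "203.0.113.10", "2024-03-04T09:15:00"),  # trusted range, in hours
    ("bob",   "198.51.100.7", "2024-03-04T10:00:00"),  # outside trusted range
    ("alice", "203.0.113.10", "2024-03-04T23:30:00"),  # trusted range, after hours
    ("carol", "2001:db8::5",  "2024-03-04T11:00:00"),  # IPv6, no trusted v6 range
]

if __name__ == "__main__":
    for row in audit(POLICY, SAMPLE_LOGINS):
        print(row)
```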
Salesforce also secures data in case of device flaws or catastrophic failures through regular backups in order to allow data recovery whenever needed.
Salesforce Health Check, a free application on the AppExchange, can be installed by customers to review their security-related settings and get recommendations for security improvement.