Data Security, The cloud, and Salesforce.com
Cloud computing blazed into the IT world as the red-caped, catchall savior from challenges faced by organizations both large and small. Limited budget, ease of access, user-friendly interfaces, flexible solutions for complex projects – cloud computing met the needs of just about every department. But with the highly televised security breaches in the last few years (Home Depot, Target, WikiLeaks), the superhero seems to have revealed its kryptonite. The unfortunate repercussion of these security breaches is that consumers have become wary of using cloud technologies even though they are, in fact, less vulnerable than other data storage options. Still, no matter what storage option you are using, you should be aware of cyber threats and the ways to fight them off. For example, running a simulated phishing test can show whether you are familiar with this threat and know how to act under the circumstances.
As the leader in cloud technology, Salesforce.com (SFDC) preemptively developed its products and services with data security in mind at all times, thus enhancing the strategy for ecommerce. With the number of cloud services increasing along with concerns about them, consumers should feel comfortable knowing that SFDC continually adapts to trends in security. At Pracedo, we see the perceived vs. actual risk of cloud security as an important topic that we want to address with our clients.
Like all data storage options, cloud computing is not exempt from vulnerabilities, whether malicious or accidental. But cloud-based storage is actually less at risk of security breaches than traditional storage, such as databases or fileservers. It is the perceived vulnerability that has so greatly affected the adoption of cloud-based storage solutions.
Vormetric recently conducted and released its 2015 Insider Threat Report by Atlanta Metro, revealing surprising and important insights about trends in data security. The report surveyed 818 IT professionals in the US, UK, Germany, Japan, and ASEAN.
According to the report, the actual risk of breaches to cloud storage is significantly less than that of traditional storage (36% compared to 47% respectively). And yet consumers perceive the traditional databases to be more secure. We believe this gap between perceived and actual risks is due to a lack of understanding about cloud technology in general, as well as a lack of understanding about security measures built into the cloud.
Cloud professionals, both designers and consultants, are responsible for bolstering consumers’ confidence in the cloud. As innovators, it is vital that we properly educate our clients to widen and strengthen the adoption of our technologies.
Other key findings from the Vormetric report:
• Perceived vulnerability and actual vulnerability did not align
• The top three locations by volume where company-sensitive data is stored and must be protected are: databases (49%), file servers (39%), and cloud service environments (36%).
• When asked about who posed the biggest internal threat to corporate data, a massive 55% of respondents said privileged users (system administrators, senior level management, etc.)
• The global survey results show that 56% of respondents will be looking to increase their security spend to deal with insider threats next year and the remaining 37% will be spending at least as much as they are now.
Pracedo consultants help both non-profit and for-profit clients develop and integrate a Salesforce.com (SFDC) solution that fits their unique operations. Like the companies and organizations surveyed in the two studies above, our clients also need the assurance that their data is secure.
As the cloud leader, Salesforce.com recognizes the rising concerns of data security. SFDC’s data security consists of three pillars: awareness, server and network security, and platform security.
Salesforce.com has a dedicated website to educate users on security: http://trust.salesforce.com. Here you can find best practices for setting up your SFDC platform, a list of the latest email and phishing scams, a data security webinar, and the list of privacy certifications and policies with which SFDC complies.
Server and Network Security
Salesforce.com physically secures data centers in the following ways:
• 24-hour manned security, including foot patrols and perimeter inspections
• Biometric scanning for access
• Dedicated concrete-walled Data Center rooms
• Computing equipment in access-controlled steel cages
• Video surveillance throughout facility and perimeter
• Building engineered for local seismic, storm, and flood risks
• Tracking of asset removal
Salesforce.com ensures network security in the following ways:
• Perimeter firewalls and edge routers block unused protocols
• Internal firewalls segregate traffic between the application and database tiers
• Intrusion detection sensors throughout the internal network report events to a security event management system for logging, alerts, and reports
• A third-party service provider continuously scans the network externally and alerts on changes in baseline configuration
Within the Salesforce.com platform itself there are several levels of security and data access that are customizable to the needs of the business or organization.
The Vormetric report recommends that “all user groups with internal access to business systems should be monitored and the access to corporate data they have should be appropriate and no more than they need to fulfill their specific roles.” IBM encourages the same practices when dealing with cloud technology. Salesforce.com has a multitude of ways to achieve this security objective.
Organization-wide defaults set the baseline level of data access across the entire Salesforce.com instance, or in other words the most restrictive data access settings. From there you can open up data access as needed using several options including profiles, permission sets, field-level security, role hierarchies, and sharing rules.
Salesforce.com also addresses one of the concerns found in the Vormetric report: 55% of respondents said privileged users represent the largest threat to security. This means that the people with the most data access are perceived to be the most likely to exploit that data access. In the case of SFDC, the system administrator has access to all data within the organization. Restricting the system administrator is counter-intuitive to the development and management of an SFDC organization, so to address this concern SFDC has integrated the Audit Trail to monitor all activities executed by the system administrator.
Also within a Salesforce.com organization, activities executed by all other users can be monitored in several ways: field history tracking, debug logs, event monitoring, and through customized tools and integrations that don’t come with the standard SFDC editions.
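The Audit Trail review described above, as an added example (not Salesforce's or Pracedo's code): it reads a constructed CSV export and flags administrator changes in access-related setup areas, changes that widen access beyond the restrictive baseline, and actions taken through a delegate user. The column names, section labels and action wording are assumptions for illustration and need to be matched to a real export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample shaped like a Setup Audit Trail CSV download. Column names,
# section labels and action wording are assumptions; match them to your export.
SAMPLE_EXPORT = """Date,User,Action,Section,Delegate User
2015-03-02T09:14:00Z,admin@example.com,Changed organization-wide default for Account from Private to Public Read/Write,Sharing Defaults,
2015-03-02T09:20:00Z,admin@example.com,Created permission set Export Reports,Manage Users,
2015-03-02T23:41:00Z,admin@example.com,Changed profile for user j.doe from Standard User to System Administrator,Manage Users,
2015-03-03T10:02:00Z,j.doe@example.com,Changed email template Welcome,Communication Templates,
2015-03-03T11:30:00Z,j.doe@example.com,Changed password policy minimum length,Security Controls,support@example.com
"""

# Setup areas where a change alters who can see or do what (assumed labels).
SENSITIVE_SECTIONS = {"Manage Users", "Sharing Defaults", "Security Controls"}
# Phrases suggesting access was opened up beyond the restrictive baseline.
WIDENING_HINTS = ("system administrator", "public read/write", "modify all", "view all")

def review_audit_trail(csv_text):
    """Return the audit rows a reviewer should look at, with the reasons why."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        if row["Section"] in SENSITIVE_SECTIONS:
            reasons.append("sensitive-section")
        if any(hint in row["Action"].lower() for hint in WIDENING_HINTS):
            reasons.append("widens-access")
        if (row["Delegate User"] or "").strip():
            reasons.append("delegated")  # someone acted on behalf of this user
        if reasons:
            findings.append({"when": row["Date"], "user": row["User"],
                             "action": row["Action"], "reasons": reasons})
    return findings

def summarize_by_user(findings):
    """Count flagged reasons per user so heavy privileged activity stands out."""
    counts = defaultdict(lambda: defaultdict(int))
    for finding in findings:
        for reason in finding["reasons"]:
            counts[finding["user"]][reason] += 1
    return {user: dict(reasons) for user, reasons in counts.items()}

if __name__ == "__main__":
    flagged = review_audit_trail(SAMPLE_EXPORT)
    for f in flagged:
        print(f["when"], f["user"], ",".join(f["reasons"]), "|", f["action"])
    print(summarize_by_user(flagged))
```
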
You can learn more about Salesforce.com data security here.
What makes Salesforce.com the industry leader in cloud computing technology is that it anticipates customer needs ahead of time. The very structure of the SFDC platform lends itself to data security.
– The Pracedo Team