Secure Salesforce:
Organization Access Controls
Mikel Otaegi
Principal Security Engineer
Jorge L Cáceres
Senior Platform Security Engineer
Safe Harbor
Safe harbor statement under the Private Securities Litigation Reform Act of 1995:
This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such
uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from
the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact
could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues,
or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief,
any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our
services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new
functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in
our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of
any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate,
our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new
releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization
and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of
salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form
10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings
section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently
available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based
upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
Access Controls To Your Organization
• We will be covering high level administrator-oriented topics on
securing access to your Salesforce Organization
Access Controls To Your Organization
Specific features that we will cover include:
–  Locking The Gates With Strong Authentication
• Password Policies
• Two Factor Authentication
• IP Restrictions
• Single Sign-On
–  Keeping The Bad Guys Out With Secure Sessions
• Session Settings
• Activations
• Session Information
• Expire All Passwords
–  Connected Apps
• OAuth Policies
• Session Policies
• Remote Site Settings
–  Protecting Assets With Egress Control
• File Upload and Download Security
• CORS (Cross-Origin Resource Sharing)
Locking The Gates With Strong Authentication
PHOTO: Ryan Green
Who knows what the most common cause of data
breaches is?
Locking The Gates: Password Policies
1. Weak And Stolen Credentials, a.k.a. Passwords
Hacking remains the single biggest cause of breaches, but attacks don't depend on finding vulnerabilities in
the application or network protocol to tunnel through. For years, experts have warned about
the risks of relying on weak credentials to restrict who has access to the data, and this is still
a problem.
About 76% of network intrusions involved weak credentials, according to Verizon's data
breach report. Authentication-based attacks, which include guessing passwords, cracking
using specific tools or trying out passwords from other sites on the target system, factored
into about four of every five breaches that were classified as hacking incidents in 2012,
Verizon says.
(http://twimgs.com/darkreading/attacks-breaches/S6980513breachcauses.pdf)
Who knows what the most commonly used password is in
America?
Locking The Gates: Two Factor Authentication
Stolen passwords played a role in 48% of the data breaches that involved hacking, Verizon
found. This could have been accomplished by using stolen password lists from previous data
breaches, keylogging malware or phishing attacks.
If that number isn't eye-popping enough, Verizon estimated that 80% of data breaches would
have been stopped or forced to change tactics if a "suitable replacement" (such as multifactor
authentication) to passwords had been used.
Locking The Gates: Two Factor Authentication
What is Two Factor Authentication?
Two-factor authentication is using more than one of the following to log in or process a
transaction:
•  Something you know (account details or passwords)
•  Something you have (tokens or mobile phones)
•  Something you are (biometrics)
Locking The Gates: Two Factor Authentication
Two Factor Authentication With Salesforce
•  Two Factor Authentication introduces the ability to use an App to generate OTPs
•  Policies may be set to force two-factor authentication on login
•  Session Level policies allow you to block specific actions, or “step-up” authentication
Locking The Gates: IP Restrictions
Trusted Login IP Ranges
The Salesforce platform allows administrators to define IP ranges that are trusted. Users who
log in from defined IP ranges are trusted and the login operation proceeds normally. It is
important to understand that this only covers login operations: if a user already has a valid
session ID, they could make requests from IPs not in the trusted range unless you have
enabled the option to lock sessions to the originating IP, which we will cover later.
There are two ways Trusted IP ranges can be defined, and each has unique security features:
–  Organization level Trusted Login IP ranges
–  Profile level Trusted Login IP ranges
Locking The Gates: IP Restrictions
Organization Level Trusted Login IP Ranges
Administrators define a list of IP addresses from which users can log in without receiving a
login challenge for verification of their identity, such as a code sent to their mobile phone.
The main security behavior here is that login is not completely blocked: if the user
successfully completes the login challenge, they can proceed.
The requirements and behavior differ based on the entry point of the login: UI/browser or API.
UI/browser login: As defined above, the user must go through a login challenge if coming
from an IP outside the Organization Trusted range. After a successful challenge, the user's
browser is trusted and can log in from any IP address without being challenged.
This is accomplished with a unique cookie set in the client's browser. If that
cookie is cleared, a login challenge will again be required on login from an IP outside the Trusted
range. This in effect turns the Trusted Login IP range into a type of trusted-client feature.
Locking The Gates: IP Restrictions
Organization Level Trusted Login IP Ranges
API login: To log in from an IP outside the Organization Trusted range, the user must
provide a security token appended to their password. Users can obtain their security token
by changing their password or resetting their security token via the Salesforce user interface.
Unlike the UI login, API login always requires the security token.
Locking The Gates: IP Restrictions
Profile Level Trusted Login IP Ranges
•  Administrators define a list of IP addresses from which users can log in.
•  This list is defined per profile.
•  The main security feature is that login is completely blocked if coming from an untrusted
IP.
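To make the difference between the two levels concrete, the following is an added Python model of the login decision described in the organization-level and profile-level sections above; it is not Salesforce code. The ranges, profile names and the `LoginAttempt` fields are constructed assumptions, and the ordering (profile range as a hard gate, organization range only deciding whether a challenge or security token is needed) follows the slide text.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample policy: hypothetical documentation-prefix ranges, not a real org's settings.
ORG_TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
PROFILE_TRUSTED_RANGES = {
    "Finance": [ipaddress.ip_network("198.51.100.0/25")],
    # A profile with no entry here has no profile-level login IP restriction.
}


@dataclass
class LoginAttempt:
    username: str
    profile: str
    source_ip: str
    channel: str                      # "ui" or "api"
    trusted_browser: bool = False     # UI: cookie set after an earlier successful challenge
    has_security_token: bool = False  # API: security token appended to the password


def _in_ranges(ip, ranges) -> bool:
    return any(ip in net for net in ranges)


def evaluate_login(attempt: LoginAttempt) -> str:
    """Return 'allow', 'challenge' or 'block'.

    Profile-level ranges are evaluated first and block outright (assumed to apply to every
    channel). Organization-level ranges never block; outside them the user must re-prove
    identity: a UI challenge (unless the browser already holds the trust cookie) or, for
    the API, the security token."""
    ip = ipaddress.ip_address(attempt.source_ip)

    profile_ranges = PROFILE_TRUSTED_RANGES.get(attempt.profile)
    if profile_ranges is not None and not _in_ranges(ip, profile_ranges):
        return "block"

    if _in_ranges(ip, ORG_TRUSTED_RANGES):
        return "allow"

    if attempt.channel == "api":
        return "allow" if attempt.has_security_token else "block"
    if attempt.trusted_browser:
        return "allow"
    return "challenge"


if __name__ == "__main__":
    # Constructed attempts showing each outcome.
    for a in (
        LoginAttempt("alice", "Sales", "203.0.113.10", "ui"),
        LoginAttempt("alice", "Sales", "192.0.2.10", "ui"),
        LoginAttempt("alice", "Sales", "192.0.2.10", "api"),
        LoginAttempt("bob", "Finance", "198.51.100.200", "ui"),
    ):
        print(a.username, a.profile, a.source_ip, a.channel, "->", evaluate_login(a))
```

Note the asymmetry the slides point out: the profile-level list is the only one that actually denies a login, and the organization-level list stops mattering for a browser once the trust cookie exists, so it should be thought of as a trusted-device control rather than a network perimeter.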
Locking The Gates: Single Sign-On
Single Sign-On Options With Salesforce
•  Delegated Authentication (not available by default, must submit a support case)
•  SAML Federated Authentication
Locking The Gates: Single Sign-On
SAML Federated Authentication
●  Federated authentication is a form of authentication (commonly referred to as single
sign-on or SSO) that allows the portability of identity information to multiple services
without the need for redundant identity management in each service.
●  This type of authentication is advantageous for the user because they can remember one
password and gain access to many resources.
●  This type of authentication is also advantageous from a management perspective
because it centralizes identity information and can provide a single location to disable
access.
Locking The Gates: Single Sign-On
Understanding SAML
●  In Salesforce, federated authentication employs SAML (Security Assertion Markup Language) which
provides a secure, XML-based solution for exchanging user security information between two parties.
o  There are 2 versions of SAML supported by Salesforce, 1.1 and 2.0. Version 2.0 is the default because it
includes many more features and allows for multiple configurations within Salesforce.
●  The SAML assertion is the message sent by the identity service that the recipient uses for
authentication. It provides several strong security features:
o  All the details of the authentication request are contained in the SAML assertion.
Keeping The Bad Guys Out With Secured Sessions
Picture licensed under a Creative Commons Attribution Share-Alike 3.0 License
Keeping The Bad Guys Out: Introduction
Introduction
Administrator functions to maintain secure sessions
●  Session Settings: Set the session security and session expiration timeout for your
organization.
●  Activations: Maintain the list of IP addresses representing the device IP addresses that
have been activated by a user.
●  Session Management: View information about or delete active user sessions.
●  Expire All Passwords: Use to expire the passwords for all of the users in your
Keeping The Bad Guys Out: Session Settings
Keeping The Bad Guys Out: Activations
Keeping The Bad Guys Out: Session Management
Keeping The Bad Guys Out: Expire All Passwords
Connected Apps: Introduction
•  A connected app integrates an application with Salesforce using APIs.
•  Administrators can set various security policies and have explicit control over who may use the
connected app.
•  Two deployment modes:
–  The app is created and used in the same organization.
–  The app is created in one organization and installed on other organizations.
Connected Apps: Basic Information
•  Administrators can set various security policies and have explicit control over who may use the
connected app:
•  Via the connected app configuration, administrators can install the connected app, enable SAML, use
profiles, permission sets, and IP range restrictions to control which users can access the application
•  Connected apps use SAML and OAuth to authenticate, provide Single Sign-On, and provide tokens
for use with Salesforce APIs.
•  Connected apps can be added to managed packages only.
Connected Apps: OAuth Basics
Supported OAuth flows:
●  Web Server flow
●  User-Agent flow
●  JWT Bearer Token Flow
●  SAML Bearer Assertion Flow
●  SAML Assertion Flow
●  Username and Password
OAuth Policies
Make sure to always follow the principle of least privilege while defining this scope. Only provide the minimum
access required for the application use case.
OAuth Policies
OAuth Permissions
Connected Apps: Session Policies
Remote Site Settings
Secure Salesforce at Dreamforce 2015
​  10 DevZone Talks and 2 Lighting Zone Talks covering all aspects of
Security on the Salesforce Platform
​  Visit our booth in the DevZone with any security questions
​  Check out the schedule and details at http://bit.ly/DF15Sec
​  Admin-related security questions?
​  Join us for coffee in the Admin Zone Security Cafe
Secure Salesforce – Thursday Morning
​  Org Access Controls
​  Jorge Caceres and Mikel Otaegi
​  9:30am in Moscone West 2007
​  Secret Storage in your Salesforce Instance
​  Kyle Tobener and Ian Goldsmith
​  9:30am in Moscone West 2011
​  External App Integration
​  Astha Singhal and Chris Vinecombe
​  12:00pm in Moscone West 2010
Secure Salesforce – Thursday Afternoon
​  Hardened Apps with the Mobile SDK
​  Martin Vigo and Maxwell Feldman
​  2:30pm in Moscone West 2008
​  Code Scanning with Checkmarx
​  Robert Sussland and Gideon Kreiner
​  3:30pm in Moscone West 2011
​  Lightning Components Best Practices
​  Robert Sussland and Sergey Gorbaty
​  4:45pm in Moscone West 2007
​  Common Secure Coding Mistakes
​  Rachel Black and Alejandro Raigon Munoz
​  5:00pm in Moscone West 2006
Secure Salesforce – Friday
​  Chimera: External Integration Security
​  Tim Bach and Travis Safford
​  10:00am in Moscone West 2009
Q&A
Additional Resources
•  Secure Coding Guidelines -
https://developer.salesforce.com/page/Secure_Coding_Storing_Secrets
•  Intro to Managed Packages - https://developer.salesforce.com/page/An_Introduction_to_Packaging
•  Salesforce StackExchange - http://salesforce.stackexchange.com/questions/tagged/security
•  Developer.Salesforce.com Security Forum - https://developer.salesforce.com/forums (full link hidden)
•  Security Office Hours (Partners) - http://security.force.com/security/contact/ohours
•  Security Implementation Guide - https://developer.salesforce.com/././securityImplGuide/ (full link hidden)
Additional Security Features For Access Control
Locking The Gates: Single Sign-On
Delegated Authentication
Delegated authentication is a form of authentication that forwards the username and
password from Salesforce via a web-service callout to an admin-specified endpoint that can
verify and authenticate the user.
●  To build the external web service, a WSDL is available in the Salesforce setup menu. Navigate to Setup -
> Build -> Develop -> API and click “Delegated Authentication WSDL”.
●  Users are enabled for delegated authentication via the “Single Sign-On Enabled” profile permission.
Connected Apps: Session Policies
Features that use session level security:
–  Reports and dashboards in Salesforce1 Reporting
–  Connected apps
You can specify an action to take if the session used to access the resource is not High Assurance.
•  Block — Blocks access to the resource by showing an insufficient privileges error.
•  Raise session level — Redirects the user to log in based on the login method associated with
High Assurance security level. When the user completes the login flow successfully, the user
can access the resource. For reports and dashboards, you can apply this action when users
access reports or dashboards, or just when they export and print reports.
Remote Site Settings
Before any Visualforce page, Apex callout, or JavaScript code using XmlHttpRequest in an s-control or
custom button can call an external site, that site must be registered in the Remote Site Settings page, or
the call will fail.
For security reasons, Salesforce restricts the outbound ports:
●  80: This port only accepts HTTP connections.
●  443: This port only accepts HTTPS connections.
●  1024–65535 (inclusive): These ports accept HTTP or HTTPS connections.
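An added example, not from the slides or from Salesforce, of how the two checks above can be expressed together: a callout URL is permitted only if its host is registered as a remote site and its port satisfies the scheme rules listed. `REMOTE_SITES` is a constructed sample list and `callout_permitted` is this example's own name.

```python
from typing import Tuple
from urllib.parse import urlsplit

# Constructed sample of registered remote sites (hypothetical hosts, not a real org's settings).
REMOTE_SITES = {"api.example.com", "partner.example.org"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def port_allowed(scheme: str, port: int) -> bool:
    """Outbound port rules as stated on the slide:
    80 is HTTP only, 443 is HTTPS only, 1024-65535 accept either."""
    if port == 80:
        return scheme == "http"
    if port == 443:
        return scheme == "https"
    return 1024 <= port <= 65535 and scheme in DEFAULT_PORTS


def callout_permitted(url: str) -> Tuple[bool, str]:
    """Decide whether a callout to `url` would be allowed, with a reason for the decision."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return False, f"unsupported scheme {scheme!r}"

    host = (parts.hostname or "").lower()   # hostname is normalised to lower case
    if host not in REMOTE_SITES:
        return False, f"host {host!r} is not registered in Remote Site Settings"

    try:
        port = parts.port or DEFAULT_PORTS[scheme]   # .port raises ValueError if out of range
    except ValueError:
        return False, "malformed port"
    if not port_allowed(scheme, port):
        return False, f"port {port} is not permitted for {scheme}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed URLs covering the allowed and rejected cases.
    for u in ("https://api.example.com/v1", "http://api.example.com:443/",
              "http://api.example.com:8080/", "https://other.example.com/"):
        print(u, "->", callout_permitted(u))
```

Matching on the parsed host rather than on a string prefix matters: a naive `url.startswith("https://api.example.com")` would also accept `https://api.example.com.evil.net/`.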
File Upload and Download Security
•  Helps you control how various file types are handled during upload and download.
•  Specify what happens when users attempt to download specific file types.
•  Download (Recommended): The file is always downloaded.
•  Execute in Browser: The file is displayed and executed automatically when accessed in a browser or
through an HTTP request.
•  Hybrid: Attachment and document records execute in the browser. Salesforce CRM and Chatter files
are downloaded.
Egress Controls: CORS
•  To allow code (such as JavaScript) running in a Web browser to communicate with Salesforce from a
specific origin, whitelist the origin.
•  If a browser that supports CORS makes a request to an origin in the Salesforce CORS whitelist,
Salesforce returns the origin in the Access-Control-Allow-Origin HTTP header.
•  For example, https://*.example.com adds all the subdomains of example.com to the whitelist.
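An added Python example (not Salesforce's implementation) of the whitelist matching described above: the request `Origin` is compared against exact entries and `https://*.example.com`-style wildcards, and the matched origin, never the raw request value, is what goes into `Access-Control-Allow-Origin`. The whitelist entries are constructed; treating the wildcard as covering any depth of subdomain while excluding the bare `example.com` is this example's reading of the slide.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample whitelist (hypothetical origins, not a real org's configuration).
CORS_WHITELIST = ["https://app.example.com", "https://*.example.com"]

# One or more DNS labels, so the wildcard covers a.example.com and a.b.example.com.
_LABELS = r"[a-z0-9-]+(?:\.[a-z0-9-]+)*"


def _pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    # Escape everything literally, then let the single '*' stand for the subdomain labels.
    escaped = re.escape(pattern.lower()).replace(r"\*", _LABELS)
    return re.compile(r"\A" + escaped + r"\Z")


_COMPILED = [_pattern_to_regex(p) for p in CORS_WHITELIST]


def allowed_origin_header(origin: Optional[str]) -> Optional[str]:
    """Return the value to send in Access-Control-Allow-Origin, or None if the origin
    is not whitelisted (in which case the header is simply omitted)."""
    if not origin:
        return None
    parts = urlsplit(origin)
    # An Origin is scheme://host[:port] only; anything with a path or query is malformed.
    if parts.scheme not in ("http", "https") or not parts.netloc or parts.path or parts.query:
        return None
    normalized = f"{parts.scheme.lower()}://{parts.netloc.lower()}"
    for rx in _COMPILED:
        if rx.match(normalized):
            return normalized
    return None


if __name__ == "__main__":
    # Constructed Origin values: two that match, three that must not.
    for o in ("https://app.example.com", "https://Sales.Example.com",
              "https://example.com", "https://evil-example.com", "http://app.example.com"):
        print(o, "->", allowed_origin_header(o))
```

Returning the matched origin rather than `*` keeps credentialed requests working only for the whitelisted origins, and never reflecting an unmatched `Origin` is what stops the whitelist from degrading into "allow everything".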

CodeLive: Converting Aura Components to Lightning Web ComponentsSalesforce Developers
 
Enterprise-grade UI with open source Lightning Web Components
Enterprise-grade UI with open source Lightning Web ComponentsEnterprise-grade UI with open source Lightning Web Components
Enterprise-grade UI with open source Lightning Web ComponentsSalesforce Developers
 
TrailheaDX and Summer '19: Developer Highlights
TrailheaDX and Summer '19: Developer HighlightsTrailheaDX and Summer '19: Developer Highlights
TrailheaDX and Summer '19: Developer HighlightsSalesforce Developers
 
Lightning web components - Episode 4 : Security and Testing
Lightning web components  - Episode 4 : Security and TestingLightning web components  - Episode 4 : Security and Testing
Lightning web components - Episode 4 : Security and TestingSalesforce Developers
 
LWC Episode 3- Component Communication and Aura Interoperability
LWC Episode 3- Component Communication and Aura InteroperabilityLWC Episode 3- Component Communication and Aura Interoperability
LWC Episode 3- Component Communication and Aura InteroperabilitySalesforce Developers
 
Lightning web components episode 2- work with salesforce data
Lightning web components   episode 2- work with salesforce dataLightning web components   episode 2- work with salesforce data
Lightning web components episode 2- work with salesforce dataSalesforce Developers
 
Lightning web components - Episode 1 - An Introduction
Lightning web components - Episode 1 - An IntroductionLightning web components - Episode 1 - An Introduction
Lightning web components - Episode 1 - An IntroductionSalesforce Developers
 
Migrating CPQ to Advanced Calculator and JSQCP
Migrating CPQ to Advanced Calculator and JSQCPMigrating CPQ to Advanced Calculator and JSQCP
Migrating CPQ to Advanced Calculator and JSQCPSalesforce Developers
 
Scale with Large Data Volumes and Big Objects in Salesforce
Scale with Large Data Volumes and Big Objects in SalesforceScale with Large Data Volumes and Big Objects in Salesforce
Scale with Large Data Volumes and Big Objects in SalesforceSalesforce Developers
 
Replicate Salesforce Data in Real Time with Change Data Capture
Replicate Salesforce Data in Real Time with Change Data CaptureReplicate Salesforce Data in Real Time with Change Data Capture
Replicate Salesforce Data in Real Time with Change Data CaptureSalesforce Developers
 
Modern Development with Salesforce DX
Modern Development with Salesforce DXModern Development with Salesforce DX
Modern Development with Salesforce DXSalesforce Developers
 
Get Into Lightning Flow Development
Get Into Lightning Flow DevelopmentGet Into Lightning Flow Development
Get Into Lightning Flow DevelopmentSalesforce Developers
 
Integrate CMS Content Into Lightning Communities with CMS Connect
Integrate CMS Content Into Lightning Communities with CMS ConnectIntegrate CMS Content Into Lightning Communities with CMS Connect
Integrate CMS Content Into Lightning Communities with CMS ConnectSalesforce Developers
 

Mehr von Salesforce Developers (20)

Sample Gallery: Reference Code and Best Practices for Salesforce Developers
Sample Gallery: Reference Code and Best Practices for Salesforce DevelopersSample Gallery: Reference Code and Best Practices for Salesforce Developers
Sample Gallery: Reference Code and Best Practices for Salesforce Developers
 
Maximizing Salesforce Lightning Experience and Lightning Component Performance
Maximizing Salesforce Lightning Experience and Lightning Component PerformanceMaximizing Salesforce Lightning Experience and Lightning Component Performance
Maximizing Salesforce Lightning Experience and Lightning Component Performance
 
Local development with Open Source Base Components
Local development with Open Source Base ComponentsLocal development with Open Source Base Components
Local development with Open Source Base Components
 
TrailheaDX India : Developer Highlights
TrailheaDX India : Developer HighlightsTrailheaDX India : Developer Highlights
TrailheaDX India : Developer Highlights
 
Why developers shouldn’t miss TrailheaDX India
Why developers shouldn’t miss TrailheaDX IndiaWhy developers shouldn’t miss TrailheaDX India
Why developers shouldn’t miss TrailheaDX India
 
CodeLive: Build Lightning Web Components faster with Local Development
CodeLive: Build Lightning Web Components faster with Local DevelopmentCodeLive: Build Lightning Web Components faster with Local Development
CodeLive: Build Lightning Web Components faster with Local Development
 
CodeLive: Converting Aura Components to Lightning Web Components
CodeLive: Converting Aura Components to Lightning Web ComponentsCodeLive: Converting Aura Components to Lightning Web Components
CodeLive: Converting Aura Components to Lightning Web Components
 
Enterprise-grade UI with open source Lightning Web Components
Enterprise-grade UI with open source Lightning Web ComponentsEnterprise-grade UI with open source Lightning Web Components
Enterprise-grade UI with open source Lightning Web Components
 
TrailheaDX and Summer '19: Developer Highlights
TrailheaDX and Summer '19: Developer HighlightsTrailheaDX and Summer '19: Developer Highlights
TrailheaDX and Summer '19: Developer Highlights
 
Live coding with LWC
Live coding with LWCLive coding with LWC
Live coding with LWC
 
Lightning web components - Episode 4 : Security and Testing
Lightning web components  - Episode 4 : Security and TestingLightning web components  - Episode 4 : Security and Testing
Lightning web components - Episode 4 : Security and Testing
 
LWC Episode 3- Component Communication and Aura Interoperability
LWC Episode 3- Component Communication and Aura InteroperabilityLWC Episode 3- Component Communication and Aura Interoperability
LWC Episode 3- Component Communication and Aura Interoperability
 
Lightning web components episode 2- work with salesforce data
Lightning web components   episode 2- work with salesforce dataLightning web components   episode 2- work with salesforce data
Lightning web components episode 2- work with salesforce data
 
Lightning web components - Episode 1 - An Introduction
Lightning web components - Episode 1 - An IntroductionLightning web components - Episode 1 - An Introduction
Lightning web components - Episode 1 - An Introduction
 
Migrating CPQ to Advanced Calculator and JSQCP
Migrating CPQ to Advanced Calculator and JSQCPMigrating CPQ to Advanced Calculator and JSQCP
Migrating CPQ to Advanced Calculator and JSQCP
 
Scale with Large Data Volumes and Big Objects in Salesforce
Scale with Large Data Volumes and Big Objects in SalesforceScale with Large Data Volumes and Big Objects in Salesforce
Scale with Large Data Volumes and Big Objects in Salesforce
 
Replicate Salesforce Data in Real Time with Change Data Capture
Replicate Salesforce Data in Real Time with Change Data CaptureReplicate Salesforce Data in Real Time with Change Data Capture
Replicate Salesforce Data in Real Time with Change Data Capture
 
Modern Development with Salesforce DX
Modern Development with Salesforce DXModern Development with Salesforce DX
Modern Development with Salesforce DX
 
Get Into Lightning Flow Development
Get Into Lightning Flow DevelopmentGet Into Lightning Flow Development
Get Into Lightning Flow Development
 
Integrate CMS Content Into Lightning Communities with CMS Connect
Integrate CMS Content Into Lightning Communities with CMS ConnectIntegrate CMS Content Into Lightning Communities with CMS Connect
Integrate CMS Content Into Lightning Communities with CMS Connect
 

KĂźrzlich hochgeladen

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel AraĂşjo
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 

KĂźrzlich hochgeladen (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 

Secure Salesforce: Org Access Controls

  • 1. Secure Salesforce: Organization Access Controls Mikel Otaegi Principal Security Engineer Jorge L CĂĄceres Senior Platform Security Engineer
  • 3. Access Controls To Your Organization • We will be covering high level administrator-oriented topics on securing access to your Salesforce Organization
  • 4. Access Controls To Your Organization
    Specific features that we will cover include:
    –  Locking The Gates With Strong Authentication
       • Password Policies
       • Two Factor Authentication
       • IP Restrictions
       • Single Sign-On
    –  Keeping The Bad Guys Out With Secure Sessions
       • Session Settings
       • Activations
       • Session Information
       • Expire All Passwords
    –  Connected Apps
       • OAuth Policies
       • Session Policies
       • Remote Site Settings
    –  Protecting Assets With Egress Control
       • File Upload and Download Security
       • CORS (Cross-Origin Resource Sharing)
  • 5. Locking The Gates With Strong Authentication PHOTO: Ryan Green
  • 6. Who knows what the most common cause of data breaches is?
  • 7. Locking The Gates: Password Policies
  • 8. Locking The Gates: Password Policies
    1. Weak And Stolen Credentials, a.k.a. Passwords
    Hacking remains the single biggest cause of breaches, and most such attacks don't depend on finding vulnerabilities in the application or network protocol to tunnel through. For years, experts have warned about the risks of relying on weak credentials to restrict who has access to the data, and this is still a problem. About 76% of network intrusions involved weak credentials, according to Verizon's data breach report. Authentication-based attacks, which include guessing passwords, cracking using specific tools or trying out passwords from other sites on the target system, factored into about four of every five breaches that were classified as a hacking incident in 2012, Verizon says. (http://twimgs.com/darkreading/attacks-breaches/S6980513breachcauses.pdf)
  • 9. Who knows what the most common used password is in America?
  • 10. Locking The Gates: Password Policies
  • 11. Locking The Gates: Two Factor Authentication Stolen passwords played a role in 48% of the data breaches that involved hacking, Verizon found. This could have been accomplished by using stolen password lists from previous data breaches, keylogging malware or phishing attacks. If that number isn't eye-popping enough, Verizon estimated that 80% of data breaches would have been stopped or forced to change tactics if a "suitable replacement" (such as multifactor authentication) to passwords had been used.
  • 12. Locking The Gates: Two Factor Authentication
    What is Two Factor Authentication?
    Two factor authentication is using more than one of the following to log in or process a transaction:
    •  Something you know (account details or passwords)
    •  Something you have (tokens or mobile phones)
    •  Something you are (biometrics)
  • 13. Locking The Gates: Two Factor Authentication
    Two Factor Authentication With Salesforce
    •  Two Factor Authentication introduces the ability to use an app to generate OTPs
    •  Policies may be set to force two-factor authentication on login
    •  Session-level policies allow you to block specific actions, or “step up” authentication
  • 14. Locking The Gates: Two Factor Authentication
  • 15. Locking The Gates: Two Factor Authentication
  • 16. Locking The Gates: Two Factor Authentication
  • 17. Locking The Gates: Two Factor Authentication
  • 18. Locking The Gates: Two Factor Authentication
  • 19. Locking The Gates: Two Factor Authentication
  • 20. Locking The Gates: IP Restrictions
    Trusted Login IP Ranges
    The Salesforce platform allows administrators to define IP ranges that are trusted. Users who log in from defined IP ranges are trusted and the login operation proceeds normally. It is important to understand that this only covers login operations. If a user already has a valid session ID, they can make requests from IPs not in the trusted range unless you have enabled the option to lock sessions to the originating IP, which we will cover later. There are two ways Trusted IP ranges can be defined, and each has unique security behavior:
    –  Organization-level Trusted Login IP ranges
    –  Profile-level Trusted Login IP ranges
  • 21. Locking The Gates: IP Restrictions
    Organization Level Trusted Login IP Ranges
    Administrators define a list of IP addresses from which users can log in without receiving a login challenge for verification of their identity, such as a code sent to their mobile phone. The main security behavior here is that login is not completely blocked: if the user successfully completes the login challenge, they can proceed. The requirements and behavior differ based on the entry point of the login: UI/browser, or API.
    UI/browser login: As defined above, the user must go through a login challenge if coming from an IP outside the Organization Trusted range. After a successful challenge, the user's client browser is trusted and can log in from any IP address without being challenged. This is accomplished with a unique cookie set in the client's browser. If the client's browser cookie is cleared, a login challenge will again be required on login from an IP outside the Trusted range. This in effect turns the Trusted Login IP range into a type of trusted-client feature.
  • 22. Locking The Gates: IP Restrictions
    Organization Level Trusted Login IP Ranges
    API login: In order to log in from an IP outside the Organization Trusted range, the user must provide a security token appended to their password. Users can obtain their security token by changing their password or resetting their security token via the Salesforce user interface. Unlike the UI login, there is no challenge-and-remember step: an API login from outside the Trusted range always requires the security token.
  • 23. Locking The Gates: IP Restrictions
  • 24. Locking The Gates: IP Restrictions
    Profile Level Trusted Login IP Ranges
    •  Administrators define a list of IP addresses from which users can log in.
    •  This list is defined per profile.
    •  The main security feature is that login is completely blocked if coming from an untrusted IP.
  • 25. Locking The Gates: IP Restrictions
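Slides 20 to 24 describe three different outcomes for a login from an address outside the trusted ranges: a challenge for browser logins, a mandatory security token for API logins, and an outright block when the user's profile carries its own ranges. The following is an added example, not Salesforce's code and not the platform's actual evaluation order, that puts those rules into one decision function so the differences can be exercised side by side. The ranges are constructed from RFC 5737 documentation networks, and one point the slides leave open (whether an address inside a profile's own ranges also skips the identity challenge) is marked as an assumption in the code.

```python
import ipaddress
from typing import Iterable, Sequence, Tuple

ALLOW, CHALLENGE, BLOCK = "allow", "challenge", "block"
IpRange = Tuple[str, str]  # inclusive (first address, last address), as entered in Setup


def in_ranges(ip: str, ranges: Iterable[IpRange]) -> bool:
    """True when ip lies inside any inclusive first..last pair of the same address family."""
    addr = ipaddress.ip_address(ip)
    for first, last in ranges:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo.version == addr.version == hi.version and lo <= addr <= hi:
            return True
    return False


def evaluate_login(ip: str, channel: str, org_ranges: Sequence[IpRange],
                   profile_ranges: Sequence[IpRange] = (),
                   device_activated: bool = False, security_token_ok: bool = False) -> str:
    """Outcome of one login attempt under the two kinds of trusted ranges the slides describe.

    channel: "ui" (browser) or "api". device_activated: the browser already carries the
    cookie set after an earlier successful challenge. security_token_ok: the API password
    had a valid security token appended.
    """
    # Profile-level Login IP Ranges are a hard gate with no challenge path (slide 24).
    if profile_ranges:
        if not in_ranges(ip, profile_ranges):
            return BLOCK
        # Assumption, not stated on the slides: an address inside the profile's own
        # ranges is also treated as trusted, so no identity verification follows.
        return ALLOW
    # Org-level trusted ranges: inside them the login proceeds normally (slide 20).
    if in_ranges(ip, org_ranges):
        return ALLOW
    # Outside every trusted range the entry point decides (slides 21 and 22).
    if channel == "ui":
        return ALLOW if device_activated else CHALLENGE
    if channel == "api":
        return ALLOW if security_token_ok else BLOCK
    raise ValueError(f"unknown channel {channel!r}")


def request_allowed(session_ip: str, request_ip: str, lock_sessions_to_ip: bool) -> bool:
    """Per-request check after login. Trusted ranges are consulted only at login time; an
    established session works from anywhere unless it is locked to its originating IP."""
    return (not lock_sessions_to_ip) or session_ip == request_ip


# Constructed configuration using documentation test networks (RFC 5737).
ORG_TRUSTED = [("203.0.113.0", "203.0.113.255")]        # Setup -> Network Access
FINANCE_PROFILE = [("198.51.100.10", "198.51.100.20")]  # Login IP Ranges on one profile

if __name__ == "__main__":
    cases = [
        ("203.0.113.5", "ui", (), False, False),
        ("192.0.2.1", "ui", (), False, False),
        ("192.0.2.1", "ui", (), True, False),
        ("192.0.2.1", "api", (), False, False),
        ("192.0.2.1", "api", (), False, True),
        ("203.0.113.5", "ui", FINANCE_PROFILE, False, False),
    ]
    for ip, channel, profile, activated, token in cases:
        outcome = evaluate_login(ip, channel, ORG_TRUSTED, profile, activated, token)
        print(f"{ip:>14} {channel:<3} activated={activated!s:<5} token={token!s:<5} -> {outcome}")
```

The last case is the one that surprises people: an address inside the org-wide trusted range is still blocked when the user's profile has its own ranges that do not include it. `request_allowed` is the per-request counterpart to slide 20's warning: a valid session ID presented from an address outside every range keeps working unless sessions are locked to the originating IP.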
  • 26. Locking The Gates: Single Sign-On
    Single Sign-On Options With Salesforce
    •  Delegated Authentication (not available by default; must submit a support case)
    •  SAML Federated Authentication
  • 27. Locking The Gates: Single Sign-On
    SAML Federated Authentication
    ●  Federated authentication is a form of authentication (commonly referred to as single sign-on or SSO) that allows the portability of identity information to multiple services without the need for redundant identity management in each service.
    ●  This type of authentication is advantageous for the user because they can remember one password and gain access to many resources.
    ●  This type of authentication is also advantageous from a management perspective because it centralizes identity information and can provide a single location to disable access.
  • 28. Locking The Gates: Single Sign-On
    Understanding SAML
    ●  In Salesforce, federated authentication employs SAML (Security Assertion Markup Language), which provides a secure, XML-based solution for exchanging user security information between two parties.
       o  There are two versions of SAML supported by Salesforce, 1.1 and 2.0. Version 2.0 is the default because it includes many more features and allows for multiple configurations within Salesforce.
    ●  The SAML assertion is the message sent by the identity service that the recipient uses for authentication. It provides several strong security features:
       o  All the details of the authentication request are contained in the SAML assertion.
  • 29. Locking The Gates: Single Sign-On
  • 30. Locking The Gates: Single Sign-On
  • 31. Keeping The Bad Guys Out With Secured Sessions Picture licensed under a Creative Commons Attribution Share-Alike 3.0 License
  • 32. Keeping The Bad Guys Out: Introduction
    Introduction
    Administrator functions to maintain secure sessions:
    ●  Session Settings: Set the session security and session expiration timeout for your organization.
    ●  Activations: Maintain the list of IP addresses representing the device IP addresses that have been activated by a user.
    ●  Session Management: View information about or delete active user sessions.
    ●  Expire All Passwords: Use to expire the passwords for all of the users in your
  • 33. Keeping The Bad Guys Out: Session Settings
  • 34. Keeping The Bad Guys Out: Activations
  • 35. Keeping The Bad Guys Out: Session Management
  • 36. Keeping The Bad Guys Out: Expire All Passwords
  • 37. Connected Apps: Introduction
    •  A connected app integrates an application with Salesforce using APIs.
    •  Administrators can set various security policies and have explicit control over who may use the connected app.
    •  Two deployment modes:
       –  The app is created and used in the same organization.
       –  The app is created in one organization and installed on other organizations.
  • 38. Connected Apps: Basic Information
    •  Administrators can set various security policies and have explicit control over who may use the connected app:
    •  Via the connected app configuration, administrators can install the connected app, enable SAML, and use profiles, permission sets, and IP range restrictions to control which users can access the application.
    •  Connected apps use SAML and OAuth to authenticate, provide Single Sign-On, and provide tokens for use with Salesforce APIs.
    •  Connected apps can be added to managed packages only.
  • 39. Connected Apps: OAuth Basics
    Supported OAuth flows:
    ●  Web Server flow
    ●  User-Agent flow
    ●  JWT Bearer Token flow
    ●  SAML Bearer Assertion flow
    ●  SAML Assertion flow
    ●  Username and Password flow
  • 40. OAuth Policies
    Make sure to always follow the principle of least privilege when defining the OAuth scopes a connected app may request. Only grant the minimum access required for the application's use case.
  • 45. Secure Salesforce at Dreamforce 2015 ​  10 DevZone Talks and 2 Lighting Zone Talks covering all aspects of Security on the Salesforce Platform ​  Visit our booth in the DevZone with any security questions ​  Check out the schedule and details at http://bit.ly/DF15Sec ​  Admin-related security questions? ​  Join us for coffee in the Admin Zone Security Cafe
• 46. Secure Salesforce – Thursday Morning ●  Org Access Controls (Jorge Caceres and Mikel Otaegi), 9:30am in Moscone West 2007 ●  Secret Storage in your Salesforce Instance (Kyle Tobener and Ian Goldsmith), 9:30am in Moscone West 2011 ●  External App Integration (Astha Singhal and Chris Vinecombe), 12:00pm in Moscone West 2010
• 47. Secure Salesforce – Thursday Afternoon ●  Hardened Apps with the Mobile SDK (Martin Vigo and Maxwell Feldman), 2:30pm in Moscone West 2008 ●  Code Scanning with Checkmarx (Robert Sussland and Gideon Kreiner), 3:30pm in Moscone West 2011 ●  Lightning Components Best Practices (Robert Sussland and Sergey Gorbaty), 4:45pm in Moscone West 2007 ●  Common Secure Coding Mistakes (Rachel Black and Alejandro Raigon Munoz), 5:00pm in Moscone West 2006
• 48. Secure Salesforce – Friday ●  Chimera: External Integration Security (Tim Bach and Travis Safford), 10:00am in Moscone West 2009
  • 49. Q&A
  • 51. Additional Resources •  Secure Coding Guidelines - https://developer.salesforce.com/page/Secure_Coding_Storing_Secrets •  Intro to Managed Packages - https://developer.salesforce.com/page/An_Introduction_to_Packaging •  Salesforce StackExchange - http://salesforce.stackexchange.com/questions/tagged/security •  Developer.Salesforce.com Security Forum - https://developer.salesforce.com/forums (full link hidden) •  Security Office Hours (Partners) - http://security.force.com/security/contact/ohours •  Security Implementation Guide - https://developer.salesforce.com/././securityImplGuide/ (full link hidden)
  • 52. Additional Security Features For Access Control
• 53. Locking The Gates: Single Sign-On Delegated Authentication Delegated authentication is a form of authentication in which Salesforce forwards the username and password a user submits, via a web-service callout, to an admin-specified endpoint that verifies and authenticates the user. ●  To build the external web service, a WSDL is available in the Salesforce Setup menu: navigate to Setup -> Build -> Develop -> API and click “Delegated Authentication WSDL”. ●  Users are enabled for delegated authentication via the “Single Sign-On Enabled” profile permission.
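As an added example (not part of the slides or any Salesforce-provided code), a minimal server-side handler for the request Salesforce posts to a delegated authentication endpoint: the SOAP element names and namespace are assumed to match the Delegated Authentication WSDL the slide points to, and the credential store and permitted source IP range are constructed sample data.

```python
import hashlib
import hmac
import ipaddress
import xml.etree.ElementTree as ET

NS = "urn:authentication.soap.sforce.com"          # assumed WSDL namespace
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed credential store: username -> (salt, PBKDF2 hash). A real endpoint
# would consult a directory; it must never hold plaintext passwords.
_SALT = b"constructed-salt"
USERS = {"alice@example.com": (_SALT, _pbkdf2("correct horse", _SALT))}
# Constructed policy: only logins originating from the corporate range are accepted
ALLOWED_SOURCE = ipaddress.ip_network("203.0.113.0/24")

def parse_authenticate(soap_xml):
    """Pull username, password and sourceIp out of the Authenticate request."""
    auth = ET.fromstring(soap_xml).find(f".//{{{NS}}}Authenticate")
    if auth is None:
        raise ValueError("no Authenticate element in body")
    return {tag: auth.findtext(f"{{{NS}}}{tag}") or ""
            for tag in ("username", "password", "sourceIp")}

def authenticate(req):
    """True only if the source IP is within policy and the password verifies."""
    try:
        if ipaddress.ip_address(req["sourceIp"]) not in ALLOWED_SOURCE:
            return False
    except ValueError:
        return False                      # sourceIp missing or not an IP address
    salt, expected = USERS.get(req["username"], (_SALT, b""))
    # Hash even for unknown users so timing does not reveal which usernames exist
    return hmac.compare_digest(_pbkdf2(req["password"], salt), expected)

def handle(soap_xml):
    """Build the AuthenticateResult response; any malformed input is a deny."""
    try:
        ok = authenticate(parse_authenticate(soap_xml))
    except (ET.ParseError, ValueError):
        ok = False
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP}"><soapenv:Body>'
            f'<AuthenticateResult xmlns="{NS}"><Authenticated>'
            f'{str(ok).lower()}</Authenticated></AuthenticateResult>'
            '</soapenv:Body></soapenv:Envelope>')

# Constructed sample of what Salesforce would post to the endpoint
SAMPLE = (f'<soapenv:Envelope xmlns:soapenv="{SOAP}"><soapenv:Body>'
          f'<Authenticate xmlns="{NS}"><username>alice@example.com</username>'
          '<password>correct horse</password><sourceIp>203.0.113.7</sourceIp>'
          '</Authenticate></soapenv:Body></soapenv:Envelope>')
```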
  • 54. Locking The Gates: Single Sign-On
  • 55. Keeping The Bad Guys Out: Activations
  • 56. Locking The Gates: Single Sign-On
• 57. Connected Apps: Session Policies Features that use session-level security: –  Reports and dashboards in Salesforce1 Reporting –  Connected apps You can specify an action to take if the session used to access the resource is not High Assurance: •  Block — Blocks access to the resource by showing an insufficient privileges error. •  Raise session level — Redirects the user to log in using the login method associated with the High Assurance security level. When the user completes the login flow successfully, the user can access the resource. For reports and dashboards, you can apply this action when users access reports or dashboards, or only when they export and print reports.
• 58. Remote Site Settings Before any Visualforce page, Apex callout, or JavaScript code using XmlHttpRequest in an s-control or custom button can call an external site, that site must be registered on the Remote Site Settings page, or the call will fail. For security reasons, Salesforce restricts the outbound ports: ●  80: This port only accepts HTTP connections. ●  443: This port only accepts HTTPS connections. ●  1024–65535 (inclusive): These ports accept HTTP or HTTPS connections.
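An added example, not from the slides, that mirrors those rules as a local pre-flight check before a callout is attempted: the port policy comes from the slide, while the registered remote site list is constructed and the assumption that a remote site entry matches on scheme, host and port (not path) is mine.

```python
from urllib.parse import urlsplit

# Constructed: what an admin registered under Setup -> Remote Site Settings
REMOTE_SITES = {"https://api.example.com", "http://legacy.example.net:8080"}

def port_allowed(scheme, port):
    """Outbound port policy: 80 is HTTP only, 443 is HTTPS only,
    1024-65535 accept either; everything else is refused."""
    if port == 80:
        return scheme == "http"
    if port == 443:
        return scheme == "https"
    return 1024 <= port <= 65535 and scheme in ("http", "https")

def normalize(url):
    """Return (scheme, host, effective port), defaulting the port by scheme."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported callout URL: {url}")
    port = parts.port or (443 if scheme == "https" else 80)
    return scheme, parts.hostname.lower(), port

def callout_permitted(url, remote_sites=REMOTE_SITES):
    """Decide whether a callout to url would pass both the Remote Site
    registration check and the port policy; returns (allowed, reason)."""
    try:
        scheme, host, port = normalize(url)
    except ValueError as exc:
        return False, str(exc)
    if not port_allowed(scheme, port):
        return False, f"port {port} is not permitted for {scheme}"
    # Assumption: a remote site entry identifies scheme, host and port only,
    # so the request path plays no part in the match
    registered = {normalize(site) for site in remote_sites}
    if (scheme, host, port) not in registered:
        return False, f"{scheme}://{host}:{port} is not a registered remote site"
    return True, "allowed"
```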
• 59. File Upload and Download Security •  Helps you control how various file types are handled during upload and download. •  Specify what happens when users attempt to download specific file types: •  Download (Recommended): The file is always downloaded. •  Execute in Browser: The file is displayed and executed automatically when accessed in a browser or through an HTTP request. •  Hybrid: Attachment and document records execute in the browser; Salesforce CRM and Chatter files are downloaded.
  • 60. File Upload and Download Security
• 61. Egress Controls: CORS •  To allow code (such as JavaScript) running in a web browser to communicate with Salesforce from a specific origin, whitelist the origin. •  If a browser that supports CORS makes a request from an origin in the Salesforce CORS whitelist, Salesforce returns that origin in the Access-Control-Allow-Origin HTTP header. •  For example, https://*.example.com adds all the subdomains of example.com to the whitelist.
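An added example, not from the slides or Salesforce's own code, showing how a server should match an Origin header against such a whitelist, including the https://*.example.com wildcard form the slide describes; the whitelist entries and request origins are constructed.

```python
from urllib.parse import urlsplit

# Constructed whitelist in the form the slide shows
CORS_WHITELIST = ["https://*.example.com", "https://app.partner.example:8443"]

def _effective_port(scheme, port):
    return port if port is not None else (443 if scheme == "https" else 80)

def parse_origin(origin):
    """Parse an Origin header value into (scheme, host, port); None if malformed."""
    try:
        parts = urlsplit(origin)
        port = parts.port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname or parts.path:
        return None
    return parts.scheme, parts.hostname.lower(), _effective_port(parts.scheme, port)

def parse_entry(entry):
    """Parse a whitelist entry; the host part may start with '*.'."""
    scheme, sep, rest = entry.lower().partition("://")
    host, _, port = rest.partition(":")
    if not sep or scheme not in ("http", "https") or not host:
        return None
    return scheme, host, _effective_port(scheme, int(port) if port else None)

def origin_matches(entry, origin):
    """Scheme and port must match exactly; the host matches exactly unless the
    entry is a wildcard, which covers subdomains only, on a dotted boundary."""
    e, o = parse_entry(entry), parse_origin(origin)
    if e is None or o is None or e[0] != o[0] or e[2] != o[2]:
        return False
    if not e[1].startswith("*."):
        return e[1] == o[1]
    parent = e[1][2:]                                   # "example.com"
    # "api.example.com" matches; "example.com" itself, "notexample.com" and
    # "example.com.attacker.test" do not
    return o[1].endswith("." + parent)

def allow_origin_header(origin, whitelist=CORS_WHITELIST):
    """Value to echo in Access-Control-Allow-Origin (the request's own origin,
    never '*'), or None when the origin is not whitelisted."""
    return origin if any(origin_matches(e, origin) for e in whitelist) else None
```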