1 July, 2020
TRANSCRIPT
Forward-Looking Statement
Statement under the Private Securities Litigation Reform Act of 1995:
This presentation contains forward-looking statements about the company’s financial and operating results, which may include expected GAAP and non-GAAP financial and other operating and non-operating results, including revenue, net income, diluted earnings per share, operating cash flow growth, operating margin improvement, expected revenue growth, expected current remaining performance obligation growth, expected tax rates, the one-time accounting non-cash charge that was incurred in connection with the Salesforce.org combination; stock-based compensation expenses, amortization of purchased intangibles, shares outstanding, market growth and sustainability goals. The achievement or success of the matters covered by such forward-looking statements involves risks, uncertainties and assumptions. If any such risks or uncertainties materialize or if any of the assumptions prove incorrect, the company’s results could differ materially from the results expressed or implied by the forward-looking statements we make.
The risks and uncertainties referred to above include -- but are not limited to -- risks associated with the effect of general economic and market conditions; the impact of geopolitical events; the impact of foreign currency exchange rate and interest rate fluctuations on our results; our business strategy and our plan to build our business, including our strategy to be the leading provider of enterprise cloud computing applications and platforms; the pace of change and innovation in enterprise cloud computing services; the seasonal nature of our sales cycles; the competitive nature of the market in which we participate; our international expansion strategy; the demands on our personnel and infrastructure resulting from significant growth in our customer base and operations, including as a result of acquisitions; our service performance and security, including the resources and costs required to avoid unanticipated downtime and prevent, detect and remediate potential security breaches; the expenses associated with new data centers and third-party infrastructure providers; additional data center capacity; real estate and office facilities space; our operating results and cash flows; new services and product features, including any efforts to expand our services beyond the CRM market; our strategy of acquiring or making investments in complementary businesses, joint ventures, services, technologies and intellectual property rights; the performance and fair value of our investments in complementary businesses through our strategic investment portfolio; our ability to realize the benefits from strategic partnerships, joint ventures and investments; the impact of future gains or losses from our strategic investment portfolio, including gains or losses from overall market conditions that may affect the publicly traded companies within the company's strategic investment portfolio; our ability to execute our business plans; our ability to successfully integrate acquired 
businesses and technologies, including delays related to the integration of Tableau due to regulatory review by the United Kingdom Competition and Markets Authority; our ability to continue to grow unearned revenue and remaining performance obligation; our ability to protect our intellectual property rights; our ability to develop our brands; our reliance on third-party hardware, software and platform providers; our dependency on the development and maintenance of the infrastructure of the Internet; the effect of evolving domestic and foreign government regulations, including those related to the provision of services on the Internet, those related to accessing the Internet, and those addressing data privacy, cross-border data transfers and import and export controls; the valuation of our deferred tax assets and the release of related valuation allowances; the potential availability of additional tax assets in the future; the impact of new accounting pronouncements and tax laws; uncertainties affecting our ability to estimate our tax rate; the impact of expensing stock options and other equity awards; the sufficiency of our capital resources; factors related to our outstanding debt, revolving credit facility, term loan and loan associated with 50 Fremont; compliance with our debt covenants and lease obligations; current and potential litigation involving us; and the impact of climate change.
Further information on these and other factors that could affect the company’s financial results is included in the reports on Forms 10-K, 10-Q and 8-K and in other filings it makes with the Securities and Exchange Commission from time to time. These documents are available on the SEC Filings section of the Investor Information section of the company’s website at www.salesforce.com/investor.
Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements, except as required by law.
Speakers
Director, Security Enablement, Salesforce
CISSP
Principal Success Guide, Salesforce
Paul Gilmore, Colin Cheevers
Today’s Agenda
● Salesforce security overview
● Org health at a glance
● Demo - Security Health Check
● Security best practices and controls
● Q&A
Security Partnership
Salesforce’s Responsibility
● Prepare customers for an evolving threat landscape
● Provide solutions that enable the customer to keep their data secure
● Educate customers on the need and options for enhanced security
Customer’s Responsibility
● Adopt the latest security controls and features available
● Continually monitor user behaviors and event logs
● Protect sensitive customer data in alignment with compliance standards
● Stay up to date with patching
Control access to your org and protect your data
Salesforce Application Services
Infrastructure Services
Network Services
Secure Data Centers
Backup and Disaster Recovery
HTTPS Encryption
Penetration Testing
Advanced Threat Detection
Secure Firewalls
Real-time replication
Third Party Certifications
IP Login Restrictions
Customer Audits
Salesforce Shield
Platform Encryption
Event Monitoring
Field Audit Trail
Application Services
Identity & Single Sign On
Two Factor Authentication
User Roles & Permissions
Password Policies
Field and Row Security
Control access to your org and protect your data
Salesforce Application Services
● IP Range Restrictions
● Multiple User Authentication options
● Organization Wide Defaults
● Sharing Rules
● Profiles and Permission Sets
● Objects and Field Level Security
● Field Audit Trail
● Setup Audit Trail
● Field-Level Security
● Event Monitoring and Data Encryption
Trusted Networks
Authentication
Field Level Security
Object Level Security (CRUD)
Audit Trail
Object History Tracking
Security Health Check
Measure your org’s security against Salesforce’s standard baseline
Easily identify at-risk security settings
Fix with one click for immediate results
Customize based on your company’s compliance/reporting needs
OrgMonitor
Quickly scans all Salesforce orgs
Consolidates findings into one view
Health Check for Multiple Orgs
Security Command Center
Complement and extend existing products and features
Data Classification
Threat Detection
Event Monitoring
Commerce Cloud
Data Mask
Platform Encryption
Marketing Cloud
Key Management
Heroku
Quip
Pardot
Salesforce Optimizer
Identify Security Risks
Equip admins with actionable insights and personalized recommendations.
Understand Organization Usage
Identify what roles, profiles, and permission sets are being used and who has admin permissions.
Maximize User Adoption
See user login behavior and understand what fields, pages, and record types are not being used.
Provide an Added Layer of Security for User Accounts
Multi-Factor Authentication (MFA)
Something you know: Login Credentials
Something you have: Salesforce Authenticator, TOTP Authenticator App, Security Key
MFA
Salesforce Authenticator
Salesforce Authenticator is a mobile app that can be used with MFA in your Salesforce org or tenant, driving a seamless user experience for your end users.
Salesforce Authenticator tells the user:
● What action needs to be approved
● What user is requesting the action
● From which service is the requested action coming
● What device the user is using
● From what location would the user approve or deny this request
With this information, the user can simply tap the "Approve" or "Deny" button to execute the decision, completing authentication quickly as part of their login process.
Fast, frictionless, free authentication
Restrict Login Access
By IP address or login hours
To further enhance access security, restrict the hours during which users can log in and the range of IP addresses from which they can log in and access Salesforce.
These restrictions help protect your data from unauthorized access and phishing attacks.
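Before enforcing such restrictions, it helps to replay past logins against the proposed policy and see who would be blocked. The following is an added example, not part of the original presentation or any Salesforce code; the policy values, field layout, and login rows are constructed for illustration.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Hypothetical policy for one profile (constructed values, not from the deck).
POLICY = {
    "ip_ranges": [ip_network("203.0.113.0/24"), ip_network("198.51.100.16/28")],
    "login_hours": (time(7, 0), time(19, 0)),  # allowed window, local time
}

# Constructed login history rows: (username, ISO timestamp, source IP).
LOGINS = [
    ("alice@example.com", "2020-07-01T09:15:00", "203.0.113.40"),
    ("bob@example.com", "2020-07-01T23:42:00", "203.0.113.77"),
    ("carol@example.com", "2020-07-01T10:05:00", "192.0.2.9"),
    ("dave@example.com", "2020-07-01T03:30:00", "192.0.2.200"),
]

def ip_allowed(addr, ranges):
    """True when the source address falls inside any trusted range."""
    ip = ip_address(addr)
    return any(ip in net for net in ranges)

def hour_allowed(ts, window):
    """True when the login time is inside the window (start inclusive)."""
    start, end = window
    t = datetime.fromisoformat(ts).time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end  # window wraps past midnight

def violations(logins, policy):
    """List (user, reasons) for every login the policy would have refused."""
    out = []
    for user, ts, addr in logins:
        reasons = []
        if not ip_allowed(addr, policy["ip_ranges"]):
            reasons.append("ip_outside_range")
        if not hour_allowed(ts, policy["login_hours"]):
            reasons.append("outside_login_hours")
        if reasons:
            out.append((user, reasons))
    return out

if __name__ == "__main__":
    for user, reasons in violations(LOGINS, POLICY):
        print(user, ",".join(reasons))
```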
Profile Best Practices
Use descriptive names and complete the Description field: This enables you to easily sort profiles in List Views and define a governance policy for creating profiles.
Create a governance policy for creating Profiles: Define policies for creating new user profiles to simplify maintenance and increase flexibility and scalability.
Use Custom Profiles instead of Standard Profiles: Make copies of standard profiles and customize the copies to fit your needs.
Set up Enhanced List Views for your Profiles: Create custom list views to organize and mass edit the profiles and permissions most important to you.
Create User Reports to identify unused Profiles: Report on the User object and group by Profile to see which Profiles have no active users and can be removed.
Limit the number of users with administrative rights: Only grant Modify All Data or View All Data permissions to users who need it.
Permission Set Best Practices
Align permission sets to business functions: Identify the job functions, tasks, and processes critical to your users and define permission sets appropriately.
Consolidate profiles to represent minimum required permissions: Remove high-risk permissions from profiles and add them back to users as necessary through permission sets.
Mass assign or unassign permission sets: Perform mass assignment via the sObject API by inserting or deleting PermissionSetAssignment records.
Reuse, reduce, and recycle: Adjust permission sets to match job function changes rather than creating new permission sets.
Grant temporary access to resources: Use permission sets when users need to fill in for another user or complete short-term projects.
Field Level Security (FLS)
Field-level security settings control whether a user can see, edit, and delete the value for a particular field on an object.
● Grant access to an object but limit access to individual fields in that object.
● Protect sensitive fields without having to hide the object.
● Define field-level security for multiple fields on a single permission set or profile, or for a single field on all profiles.
Add Visibility to Your Data
Data Owner: Look-up to user or group
Field Usage: Current status of the field
Data Sensitivity Level: Level of sensitivity of the data typically housed in the field
Data classification
Add Visibility to Your Data - Event Monitoring
Monitoring and preventative controls
Monitor and take action on user activity: Know who is accessing data from where with daily and hourly event log files
Drive user adoption: Analyze user behavior to drive training and adoption of Salesforce
Optimize Performance: Proactively identify bottlenecks and high demand pages to improve user experience
Teams deliver secure apps fast on the Salesforce Platform
Sandboxes mirror production data enabling teams to build and test faster
Code
Release
Plan
Build
App Dev Test Production Sandbox
[Figure: the same sample contact record for "Paul" (contact details; notes: "Average of 3 purchases/month") shown in both Production and Sandbox]
Access to Production is controlled and regulated
Access to Sandboxes is flexible
A broader set of employees and contractors may have access to sandboxes.
Sandboxes with un-masked sensitive data can be risky
Introducing Salesforce Data Mask
Meet compliance needs: Protect your PI and PII data easily with a 100% native approach so that data never leaves the platform
Address data security: Empower everyone to build and customize without exposing protected data to leaks and breaches.
Develop and manage with agility: Leverage proprietary pre-processing for speed and to automate compliance
Increase productivity: Move fast, without breaking things, by leveraging a variety of obfuscation features
Protect sensitive data when testing apps
Masking Data in a Variety of Ways
Anonymization: Scrambles a field’s contents into unreadable results, e.g. Blake becomes gB1ff95-$
Pseudonymization: Converts a field into readable values unrelated to the original, e.g. Kelsey becomes Amber
Pattern-Matching: Replace data with user-specified patterns.
Deletion: Converts a field into an empty data set
Obfuscate data based on business needs and privacy laws
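The four masking modes listed above, applied per field to a copy of a record, as an added example that is not Salesforce Data Mask's implementation or part of the original presentation. The name pool, the `#`/`?` pattern syntax, the keyed HMAC used to keep pseudonyms consistent, and the sample record are all assumptions made for illustration.

```python
import hashlib
import hmac
import random
import string

# Assumed replacement pool for pseudonymization (hypothetical values).
NAMES = ["Amber", "Jordan", "Riley", "Morgan", "Casey", "Taylor"]
SCRAMBLE = string.ascii_letters + string.digits + "-$#"

def anonymize(value, rng):
    """Scramble into unreadable characters, keeping only the length."""
    return "".join(rng.choice(SCRAMBLE) for _ in value)

def pseudonymize(value, key):
    """Readable, unrelated replacement; keyed so equal inputs map alike."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).digest()
    i = int.from_bytes(digest[:4], "big") % len(NAMES)
    if NAMES[i] == value:  # never hand back the original name
        i = (i + 1) % len(NAMES)
    return NAMES[i]

def fill_pattern(template, rng):
    """User-specified pattern: '#' becomes a digit, '?' an uppercase letter."""
    pick = {"#": string.digits, "?": string.ascii_uppercase}
    return "".join(rng.choice(pick[c]) if c in pick else c for c in template)

def mask_record(record, rules, key, rng=None):
    """Apply one masking rule per field; fields without a rule pass through."""
    rng = rng or random.SystemRandom()
    masked = dict(record)  # the source record is left untouched
    for field, (kind, *args) in rules.items():
        value = masked.get(field)
        if not value:  # nothing to mask in empty or missing fields
            continue
        if kind == "anonymize":
            masked[field] = anonymize(value, rng)
        elif kind == "pseudonymize":
            masked[field] = pseudonymize(value, key)
        elif kind == "pattern":
            masked[field] = fill_pattern(args[0], rng)
        elif kind == "delete":
            masked[field] = ""
        else:
            raise ValueError(f"unknown masking rule: {kind}")
    return masked

# Constructed sandbox record and rule set.
RECORD = {"FirstName": "Kelsey", "LastName": "Blake", "SSN": "000 00 0000",
          "Phone": "555 0100", "Notes": "Average of 3 purchases/month"}
RULES = {"LastName": ("anonymize",), "FirstName": ("pseudonymize",),
         "SSN": ("pattern", "###-##-####"), "Phone": ("delete",)}
```

Calling `mask_record(RECORD, RULES, key=b"per-sandbox-secret")` returns the masked copy; a field with no rule, such as `Notes` here, is copied through unmasked, so the rule set needs to cover every sensitive field.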