salesforce_security_impl_guide

More documents

Recommendations

Info

Security Overview Trust and Salesforce.com Trust and Salesforce.com Trust starts with transparency. That’s why salesforce.com displays real-time information on system performance and security on the trust site at http://trust.salesforce.com. This site provides live data on system performance, alerts for current and recent phishing and malware attempts, and tips on best security practices for your organization. The Security tab on the trust site includes valuable information that can help you to safeguard your company's data. In particular, phishing and malware are Internet scams on the rise. Phishing is a social engineering technique that attempts to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Phishers often direct users to enter details at a fake website whose URL and look-and-feel are almost identical to the legitimate one. As the salesforce.com community grows, it has become an increasingly appealing target for phishers. You will never get an email or a phone call from a salesforce.com employee asking you to reveal a password, so you should refuse to reveal it to anyone. You can report any suspicious activities by clicking the Report a Suspicious Email link under the Trust tab at http://trust.salesforce.com. Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. It is a general term used to cover a variety of forms of hostile, intrusive, or annoying software, and it includes computer viruses and spyware. What Salesforce.com is Doing Customer security is the foundation of customer success, so salesforce.com will continue to implement the best possible practices and technologies in this area. Recent and ongoing actions include: • Actively monitoring and analyzing logs to enable proactive alerts to customers who have been affected. • Collaborating with leading security vendors and experts on specific threats. • Executing swift strategies to remove or disable fraudulent sites (often within an hour of detection). • Reinforcing security education and tightening access policies within salesforce.com. • Evaluating and developing new technologies both for our customers and for deployment within our infrastructure. What Salesforce.com Recommends You Do Salesforce.com is committed to setting the standards in software-as-a-service as an effective partner in customer security. So, in addition to internal efforts, salesforce.com strongly recommends that customers implement the following changes to enhance security: • Modify your Salesforce implementation to activate IP range restrictions. This will allow users to access Salesforce only from your corporate network or VPN, thus providing a second factor of authentication. For more information, see Setting Session Security on page 83 and Restricting Login To Trusted IP Ranges for Your Organization on page 81. • Educate your employees not to open suspect emails and to be vigilant in guarding against phishing attempts. • Use security solutions from leading vendors such as Symantec to deploy spam filtering and malware protection. • Designate a security contact within your organization so that salesforce.com can more effectively communicate with you. Contact your salesforce.com representative with this information. • Consider using two-factor authentication techniques, such as RSA tokens, to restrict access to your network. Salesforce.com has a Security Incident Response Team to respond to any security issues. To report a security incident or vulnerability to salesforce.com, please contact security@salesforce.com. Describe the issue in detail, and the team will respond promptly. 2
Security Overview User Security Overview User Security Overview Salesforce provides each user in your organization with a unique username and password that must be entered each time a user logs in. Salesforce issues a session cookie only to record encrypted authentication information for the duration of a specific session. The session cookie does not include either the username or password of the user. Salesforce does not use cookies to store other confidential user and session information, but instead implements more advanced security methods based on dynamic data and encoded session IDs. About Passwords There are several settings you can configure to ensure that your users’ passwords are strong and secure: • Password policies—set various password and login policies, such as specifying an amount of time before all users’ passwords expire, the level of complexity required for passwords, and so on. See Setting Password Policies on page 78. • User password expiration—expire the passwords for all the users in your organization, except for users with “Password Never Expires” permission. See Expiring Passwords on page 81. • User password resets—reset the password for specified users. See “Resetting Passwords for Your Users” in the Salesforce Help. • Login attempts and lockout periods—if a user is locked out of Salesforce due to too many failed login attempts, you can unlock them. See “Editing Users” in the Salesforce Help. Password Requirements A password cannot contain your User Name and cannot match your first or last name. For all editions, a new organization has the following default password requirements: • A password must contain at least eight characters. • A password must contain at least one alphabetic character and one number. • The answer to the question posed if you forget your password cannot contain your password. • The last three passwords are remembered and cannot be reused when you are changing your password. The password policies, including these defaults, can be updated for all editions except for Personal Edition. User Authentication EDITIONS Password policies available in: All Editions USER PERMISSIONS To set password policies: • “Manage Password Policies” To reset user passwords and unlock users: • “Reset User Passwords and Unlock Users” Salesforce has its own system of user authentication, but some companies prefer to use an existing single sign-on capability to simplify and standardize their user authentication. You have two options to implement single sign-on—federated authentication using Security Assertion Markup Language (SAML) or delegated authentication. • Federated authentication using Security Assertion Markup Language (SAML) allows you to send authentication and authorization data between affiliated but unrelated Web services. This enables you to sign on to Salesforce from a client application. Federated authentication using SAML is enabled by default for your organization. • Delegated authentication single sign-on enables you to integrate Salesforce with an authentication method that you choose. This enables you to integrate authentication with your LDAP (Lightweight Directory Access Protocol) server, or perform single sign-on by authenticating using a token instead of a password. You manage delegated authentication at the permission level, allowing some 3
Page 1 and 2: Security Implementation Guide Versi
Page 3 and 4: CONTENTS Chapter 1: Security Overvi
Page 5 and 6: Contents Editing Lead Sharing Rules
Page 7: CHAPTER 1 Security Overview Salesfo
Page 11 and 12: Security Overview Custom Permission
Page 13 and 14: Security Overview CAPTCHA Security
Page 15 and 16: Security Overview Auditing • Role
Page 17 and 18: Securing and Sharing Data Revoking
Page 19 and 20: Securing and Sharing Data Viewing P
Page 21 and 22: Securing and Sharing Data Cloning P
Page 23 and 24: Securing and Sharing Data App and S
Page 25 and 26: Securing and Sharing Data Working w
Page 27 and 28: Securing and Sharing Data Enable Cu
Page 29 and 30: Securing and Sharing Data Assigning
Page 31 and 32: Securing and Sharing Data Creating
Page 33 and 34: Securing and Sharing Data Editing P
Page 35 and 36: Securing and Sharing Data Searching
Page 37 and 38: Securing and Sharing Data Enable Cu
Page 39 and 40: Securing and Sharing Data Object Pe
Page 41 and 42: Securing and Sharing Data Comparing
Page 43 and 44: Securing and Sharing Data Setting F
Page 45 and 46: Securing and Sharing Data Working w
Page 47 and 48: Securing and Sharing Data Setting L
Page 49 and 50: Securing and Sharing Data Restricti
Page 51 and 52: Securing and Sharing Data Managing
Page 53 and 54: Securing and Sharing Data External
Page 55 and 56: Securing and Sharing Data Disabling
Page 57 and 58: Securing and Sharing Data Creating
Page 59 and 60:
Securing and Sharing Data Creating
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Securing and Sharing Data Editing L
Page 69 and 70:
Securing and Sharing Data Editing C
Page 71 and 72:
Securing and Sharing Data Editing C
Page 73 and 74:
Securing and Sharing Data Sharing R
Page 75 and 76:
Securing and Sharing Data User Shar
Page 77 and 78:
Securing and Sharing Data Sharing U
Page 79 and 80:
Page 81 and 82:
Securing and Sharing Data Viewing A
Page 83 and 84:
Securing and Sharing Data Granting
Page 85 and 86:
Configuring Salesforce Security Fea
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
CHAPTER 4 Enabling Single Sign-On S
Page 97 and 98:
Enabling Single Sign-On • Before
Page 99 and 100:
Monitoring Your Organization's Secu
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Security Tips for Apex and Visualfo
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
INDEX A Access about 10 revoking 11
Page 115 and 116:
Index Profiles (continued) object p
show all

salesforce_security_impl_guide

Create successful ePaper yourself

Delete template?

Save as template?