Ensuring Security on a Cloud-Based Platform — 5 ways Salesforce and ComplianceQuest Nail the Challenge
Flexibility, accessibility and capacity are often cited as the best features of the Cloud. Limited budgets, ease of use and great user interfaces have ushered many legacy system users into the new age, with many of them adopting a cloud-first and/or mobile-first strategy. IT in any organization prefers the cloud for its ease of deployment, upgrades that are managed by the vendor, and use of the application from anywhere and from any device. This raises the question: how secure is the application and, even more, the data that is considered critical for the company’s success? Security is rarely highlighted as a Cloud attribute, and in many instances it is mentioned with skepticism. It is often cited as the biggest barrier to Cloud adoption, especially among enterprise customers.
The 2015 Vormetric Insider Threat Report highlights some important data about security. Though consumers perceive traditional databases to be more secure than the Cloud, this is not the case. The actual risk of breaches to Cloud storage is 36% as compared to 47% in traditional storage. Clearly there is a knowledge gap between perceived Cloud security, or lack thereof, and what the Cloud has to offer.
Salesforce.com (SFDC) has pioneered the Cloud since the ’90s. With the passage of time, SFDC’s security measures have evolved greatly. When selecting a Cloud service provider, there’s no such thing as too much emphasis on security. Because ComplianceQuest is built on the Salesforce.com cloud platform and fully leverages the power of the cloud, the security of the Salesforce infrastructure, database and platform is crucial for ComplianceQuest to be embraced.
Here’s how Salesforce has stayed on top of ever more demanding security challenges.
Datacenters are used for the remote storage, processing, or distribution of large amounts of data. They ensure that businesses run efficiently. Thus, datacenter security is one of the most important aspects of Cloud security. It is understandable why so many companies invest so many resources in keeping their facilities and data secure. Datacenters need to ward off physical threats, be protected against natural disasters and be compliant with the law. Salesforce physically secures its datacenters through 24-hour manned security, biometric scanning for access, dedicated concrete-walled data center rooms, computing equipment in access-controlled steel cages, video surveillance throughout the facility and perimeter, and more. In addition, SFDC takes into account environmental controls (humidity, temperature, etc.), power and similar factors. Disaster recovery, secure transmission and sessions, backups, and internal and third-party testing and assessments are all incorporated as part of datacenter continuity. Finally, to secure the data, the information is replicated in a secure manner in real time to secondary data centers, thus ensuring business continuity in case of catastrophic failures.
From initial architecture considerations to post-release, all aspects of platform development factor in security. Salesforce.com incorporates security into its platform development processes at all stages of the development life cycle. For example, at the design phase, guiding security principles and security training are put in place to help ensure salesforce.com technologists make the best security decisions possible. Threat assessments on high-risk features help to identify potential security issues as early in the development life cycle as possible. At the coding phase, SFDC addresses standard vulnerability types through secure coding patterns, and uses static code analysis tools to identify security flaws. Proprietary tools and manual testing are used to identify potential security issues at the testing phase. Prior to release, SFDC validates whether the functionality being developed and maintained meets internal security requirements. Post-release, independent security service providers analyze potential security issues.
Administrators (admins) in an organization have unlimited access. Unwittingly, the people with the most data access are perceived to be the most likely to exploit that access. On the other hand, restricting admin access is counterproductive. An audit trail helps monitor admin user activity. An organization can be aware of who made what changes, when and where. SFDC has an integrated audit trail to monitor all activities executed by the admin. This is especially useful in the case of multiple admins. Also, within a Salesforce.com organization, activities performed by other users can be monitored through field history tracking, debug logs, event monitoring, and customized tools.
4. Event Monitoring
Process, security and usage data are critical to understanding the overall performance of a system. Signaling event occurrence in a timely manner is critical to security. SFDC’s event monitoring makes available the granular details of user activity in an organization. Events include logins and logouts, API calls, report extracts and more. A log file is generated when an event occurs and can be downloaded. Tracking trends helps spot abnormal behavior, which can be a security threat. Every interaction is tracked and accessible via API, so one can view the data in any data visualization app of choice. User experience can be improved by troubleshooting and optimizing performance.
The importance of awareness can’t be stressed enough. While no one expects employees to be security experts, they must be vigilant and know the company policies. Some common threats include scam emails (phishing and malware) and phone calls attempting to gather information. Storing information online, sharing permissions and password protection are some of the topics that employees need to be trained on to reduce the risk associated with using Cloud services. Salesforce has a dedicated website to educate users on security. At Trust.salesforce.com you can find real-time information on system performance and security, information on how Salesforce safeguards data, system status regarding service availability and performance, and information on the technology and legal compliance. Employee awareness about existing security features could potentially save the company millions. The Salesforce community of partners, developers and users is strong as well. It’s a place to discover new trends in the industry, find like-minded individuals, share new information and help find quick solutions to problems.
In the 2015 Vormetric Insider Threat Report, the global survey results show that 56% of respondents will be looking to increase their security spend to deal with insider threats in the following year and the remaining 37% will be spending at least as much as they are now.
Companies need the assurance that their data is safe and is managed well. SFDC has prioritized security from its inception and continues to invest in keeping its systems protected. Through server and network security, platform security and creating user awareness, Salesforce anticipates Cloud needs ahead of time and builds solutions to cater to these needs.
ComplianceQuest chose the Salesforce platform because it offers all the benefits of the Cloud. In addition, with Salesforce come the benefits of audit, event monitoring and overall enhanced security compared with an on-premise system.
At ComplianceQuest, the phrase next-generation is not just marketing speak. It is a key part of our quest to build a truly useful, cutting-edge EQMS workflow for our customers across sectors.
Visit www.compliancequest.com to schedule a demo or speak with an expert.