Security & Compliance on Salesforce.com: Practical Advice for the Financial Services Industry
Zahid Afzal, CIO/COO, Capital Bank
Rich Campagna, VP, Products, Bitglass
Malware Stealing Salesforce Data
● Sep 8 2014, Dyre Malware captures user credentials & data
Security & Compliance in the Cloud
Gramm-Leach-Bliley Act (GLBA)
● Financial institutions must protect their customers’ non-public personally identifiable information (PII).
Federal Financial Institutions Examination Council (FFIEC)
● Financial institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit.
● Encryption strength sufficient to protect the information from disclosure until such time as disclosure poses no material risk,
● Effective key management practices,
● Robust reliability, and
● Appropriate protection of the encrypted communication endpoints.
Refs: GLBA - http://www.business.ftc.gov/, FFIEC - http://ffiec.gov
Placeholder: Audience Poll Question
● Have you deployed Salesforce in your organization?
  • Yes
  • No, but we plan to in the next 6-12 months
  • No, but we plan to if/when we can find a way to secure our data
  • No, no short term plans.
Case Study
● Business Goals
  • Agile response to customer
  • Unified view of data from 16 business segments
  • Grow customer relationships
  • Targeted data for sales, service and marketing
● Business Solution
  • Enterprise wide sales and service realignment
  • Move from sales playbook to relationship playbook
● IT Solution: Salesforce.com for CRM
Available Options
1. Adopt Salesforce “as-is.”
2. Leverage special on-premises database option.
3. Encrypt data in Salesforce with a cloud encryption gateway.
Adopting Salesforce “As Is”
● Pros
  • Easier migration
  • Cost effective
● Cons
  • Risks compliance
  • Limited visibility
  • Data stored in the cloud
On-Premise Database for Salesforce
● Pros
  • Full control over data
  • Compliance and security
● Cons
  • Custom development, installation and maintenance
  • Potential response time issues
  • Higher cost
Employ a Cloud Encryption Gateway
● Pros
  • Full control over data
  • Compliance and security
  • Cost effective
● Cons
  • First-gen solutions offered weak encryption
Placeholder: Audience Poll Question
● Have you deployed a Cloud Encryption Gateway?
  • Yes
  • No, but we plan to in the next 6-12 months
  • No, we will adopt cloud apps without one
  • No, we have no plans to adopt cloud apps
Fast-forward to today
© 2014 Bitglass – Confidential: Do Not Distribute
Bitglass Cloud Encryption Gateway
[Diagram labels: Local Employees, Corporate Office, BYOD, Remote Employees]
Public-Cloud App + Private-Cloud Data
● Unlimited mobility - any device, anywhere
● Encrypted data stored in private cloud
Bitglass Cloud Encryption Technology
● AJAX VM tech robust to application updates
● Ease-of-management, one-click setup
● True encryption: AES-256 + 256-bit initialization
● Sort, search, auto-complete, wild-card…
● Validated by top crypto experts
  • Taher Elgamal, CTO Security, Salesforce.com
  • Marty Hellman, Professor, Stanford University
*Patents pending
Total Data Protection
In the Cloud
● Full strength AES-256
● Searchable, sortable
● Reviewed by security experts
● No software, any device
● 30 min deployment
● Example: SSN → LZKAFDKLZ
At Access
● Visibility, Alerts
● Access Control
● DLP
● No software, any device
● 30 min deployment
On the Device
● Clientless Selective Wipe
● Device Security Policies
● File Encryption
● Watermarking/Data Tracking
● No software, any device
● 30 min deployment
www.bitglass.com
Thank You!