Security and Trust in the Cloud

Cloud users rely on accessing data quickly and from anywhere, whether it’s financial data, customer information, or intellectual property. Information remains the business’ crown jewels, highly valuable and extremely important.

The only thing is, it’s moving faster than ever before, being accessed by mobile and web-based users, combined and manipulated in multiple different ways.

The upshot of all this is that security and trust remain of paramount importance to today’s enterprises.

As one of the world’s biggest cloud service providers, Salesforce cites trust is it’s number one value, and, therefore, builds security into every level of its offerings, from the data centre up.

Salesforce deploys multiple levels of security, some delivered as standard for every customer and some tailored for customers with specific security needs, combining profiles, policies, encryption & monitoring apps. This illustrates just how secure enterprise cloud services have grown to become.

At the physical level, Salesforce has built security into its data centres, to protect customer data. It uses biometric controls to ensure that only certain employees have access to servers and customer data, to maintain the security and integrity of that data.

The data centres themselves have to comply with industry, national or global security regulations and can, therefore, be audited for compliance purposes, which Salesforce frequently does for its enterprise customers. This is particularly important for regulated industries such as financial services, healthcare or government, who are increasingly entrusting their information to the cloud.

Salesforce also follows security and business continuity best practice for its data centres, such as backup, disaster recovery, and real time replication.

The next tier is network services, where Salesforce deploys HTTPS encryption to secure data in transit; and operates secure firewalls. There is also a dedicated team, the Red Team, that carries out proactive penetration testing to locate and anticipate attacks on the infrastructure. Additionally, there is a Security Response Team that performs advanced threat detection.

An extra network-level option for business users is to set up IP-range login restrictions, to ensure, for example, that remote users who log into business apps are doing it from within the secure company VPN.

The third tier is application-level security, which Salesforce offers to customers regardless of the size of their business. This includes access control through identity management, single sign on, password policies, two-factor authentication, and user roles and permissions.

Users can also set their own file sharing rules, permissions, and even file- and row-level security within applications. These capabilities enable businesses to build additional security into their business applications depending on their specific requirements.

Where companies need an extra layer to protect sensitive data, particularly if they operate within industries for which this is necessary or mandatory, they have the option of deploying Salesforce Shield.

This further level of security could apply to types of data such as private customer information, highly-competitive intellectual property, or sensitive legal documents.

Salesforce Shield offers three security elements: Platform Encryption, Event Monitoring, and Field Audit Trail.

Platform Encryption provides the ability to encrypt data ‘at rest’ – for example, protecting certain sensitive data fields – both standard and custom – within a customer record. This is particularly important for companies that need to meet legal, regulatory or contractual obligations that require them to secure specific data, perhaps for reasons of protection or confidentiality.

Among other things, Event Monitoring lets you know who is accessing data from where, and their login histories, and whether they extracted or ran any reports from the information they looked at, or downloaded a file to a thumb drive, something that is useful for enterprises who use external or contract workers. An additional feature of Event Monitoring, called Transaction Security, allows organisations to set policies so that proactive steps can be taken to intercept and prevent malicious behaviour based on pre-defined criteria.

Field Audit Trail helps to ensure data integrity by giving companies the tools to track changes to data and files over an extended time period. So, for example, it can tell you who accessed a file, what data changes they made and when. The facility ensures data is accurate, complete and reliable and helps security officers to enforce their data retention policies and comply with internal and industry regulations.

Although there is a misconception amongst many organisations that the cloud is not secure enough to entrust it with business information, the reality is quite the opposite: cloud provider networks are often more secure than company networks!

Salesforce is an example of a cloud service provider that has built multi-level security into its cloud services. As a result, over a hundred and fifty thousand businesses worldwide trust Salesforce with their valuable business information and processes, companies like Coca-Cola Corporation, Unilever and O2. Are you ready to trust the cloud with your business?