As with other cloud apps, such as Microsoft Office 365 and Google Apps, Salesforce.com has invested heavily in securing their application and their infrastructure. After all, their entire business hinges on the ability to provide a secure offering for their customers. So is Salesforce fully secure right out of the box? The answer is, "it depends."
Cloud app vendors are heavily focused on securing their applications from widespread, service-impacting events such as DoS/DDoS attacks, malware outbreaks, and the like. These are the types of events that can (and will) garner huge amounts of unwanted press and will have an immediate, detrimental impact on their business. On the other hand, there is a class of security events that are important to the enterprise, but outside of what an app vendor like Salesforce might deem part of their responsibility.
These events include things like inappropriate use of user credentials, leakage of sensitive data by users, lost/stolen mobile devices containing sensitive data, etc. Even compliance with regulations such as HIPAA, PCI, and SOX tends to fall outside of what a cloud app vendor is typically responsible for. Security best practices dictate that you fill in these gaps with the ability to:
- See what is happening with your data in Salesforce - for customers in regulated industries, this is a must have. Beyond regulated industries, all security-conscious organizations need to know what their users are doing in order to determine whether or not that behavior is suspect.
- Control who can do what in Salesforce - access control is table stakes in your typical enterprise security infrastructure. As you move to the cloud, being able to control, say, one of your west coast Inside Sales Reps from downloading the entire company forecast and contact database out of Salesforce might be a good thing to put in place.
- Data Leakage Prevention - There is simply too much important data in a system like Salesforce.com to allow any of it to be downloaded to employee devices, especially when you factor in BYOD. I have spoken with customers that store PHI, PII, and all manner of critical information in Salesforce that shouldn't be taken out of Salesforce by employees.
- Single Sign-On - Identity sprawl is quickly becoming a big issue in today's enterprises. Application deployments frequently start with a small group of users, sometimes outside of IT, and as a result, users end up with separate accounts for many cloud apps. This causes issues not only with password management and helpdesk calls,
As a Cloud Access Security Broker, Bitglass deploys between users and cloud apps like Salesforce, providing an information-centric data security layer for cloud apps in a solution that is completely transparent to users. Check out Bitglass' solution for Salesforce.com: