Security & Compliance on Salesforce.com
Practical Advice for the Financial Services Industry
Zahid Afzal, CIO/COO, Capital Bank
Rich Campagna, VP, Products, Bitglass
Jun 12, 2015
Malware Stealing Salesforce Data
● Sep 8 2014, Dyre Malware captures user credentials & data
Security & Compliance in the Cloud
Gramm-Leach-Bliley Act (GLBA)
● Financial institutions must protect their customers’ non-public personally identifiable information (PII).
Federal Financial Institutions Examination Council (FFIEC)
● Financial institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit.
● Encryption strength sufficient to protect the information from disclosure until such time as disclosure poses no material risk,
● Effective key management practices,
● Robust reliability, and
● Appropriate protection of the encrypted communication endpoints.
Refs: GLBA - http://www.business.ftc.gov/, FFIEC - http://ffiec.gov
Case Study
● Business Goals
• Agile response to customer
• Unified view of data from 16 business segments
• Grow customer relationships
• Targeted data for sales, service and marketing
● Business Solution
• Enterprise-wide sales and service realignment
• Move from sales playbook to relationship playbook
● IT Solution: Salesforce.com for CRM
Available Options
1. Adopt Salesforce “as-is.”
2. Leverage special on-premises database option.
3. Encrypt data in Salesforce with a cloud encryption gateway.
Adopting Salesforce “As Is”
● Pros
• Easier migration
• Cost effective
● Cons
• Risks compliance
• Limited visibility
• Data stored in the cloud
On-Premise Database for Salesforce
● Pros
• Full control over data
• Compliance and security
● Cons
• Custom development, installation and maintenance
• Potential response time issues
• Higher cost
Employ a Cloud Encryption Gateway
● Pros
• Full control over data
• Compliance and security
• Cost effective
● Cons
• First-gen solutions offered weak encryption
Fast-forward to today
© 2014 Bitglass – Confidential: Do Not Distribute
Bitglass Cloud Encryption Gateway
Public-Cloud App + Private-Cloud Data
● Unlimited mobility - any device, anywhere
● Encrypted data stored in private cloud
(Diagram: Local Employees, Corporate Office, BYOD / Remote Employees)
Bitglass Cloud Encryption Technology
● AJAX VM tech robust to application updates
● Ease-of-management, one-click setup
● True encryption: AES-256 + 256-bit initialization
● Sort, search, auto-complete, wild-card…
● Validated by top crypto experts
• Taher Elgamal, CTO Security, Salesforce.com
• Marty Hellman, Professor, Stanford University
*Patents pending
Total Data Protection
● In the Cloud (SSN → LZKAFDKLZ)
• Full strength AES-256
• Searchable, sortable
• Reviewed by security experts
● At Access
• Visibility, alerts
• Access control
• DLP
● On the Device
• Clientless selective wipe
• Device security policies
• File encryption
• Watermarking/data tracking
● No software, any device; 30 min deployment
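The third option in the deck is to encrypt data in Salesforce through a cloud encryption gateway, and the later slides claim AES-256 protection that still supports search over the protected fields. The Go program below is an added example written for this page; it is not Bitglass code and does not describe how that product works internally. It models a gateway that keeps both keys on the customer side, writes a sensitive field to the SaaS only as an AES-256-GCM token, and attaches an HMAC-based blind index so the cloud can answer exact-match queries without ever seeing the value. The key bytes, the Record type, the normalization rule and the blind-index construction are assumptions for the demonstration; sorting and wild-card search, which the deck also lists, require different constructions and are not shown here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Gateway models the encryption gateway between users and the SaaS app.
// Its keys stay in the customer's environment; the SaaS only sees tokens.
type Gateway struct {
	aead     cipher.AEAD // AES-256-GCM
	indexKey []byte      // separate key for the blind (search) index
}

// NewGateway takes a 32-byte AES-256 key and an HMAC key for the blind index.
func NewGateway(encKey, indexKey []byte) (*Gateway, error) {
	if len(encKey) != 32 {
		return nil, errors.New("encKey must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Gateway{aead: aead, indexKey: indexKey}, nil
}

// normalize strips formatting so "123-45-6789" and "123456789" index alike.
func normalize(field string) string {
	return strings.NewReplacer("-", "", " ", "").Replace(field)
}

// Index is a deterministic blind index: HMAC-SHA256 of the normalized value
// under a key the SaaS never holds, truncated to 128 bits. Equal values give
// equal indexes, so the cloud can match them without learning them.
func (g *Gateway) Index(field string) string {
	mac := hmac.New(sha256.New, g.indexKey)
	mac.Write([]byte(normalize(field)))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil)[:16])
}

// Protect encrypts a field under a fresh random nonce and returns the token
// the SaaS stores (nonce || ciphertext || tag) together with its blind index.
func (g *Gateway) Protect(field string) (token, index string, err error) {
	nonce := make([]byte, g.aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return "", "", err
	}
	ct := g.aead.Seal(nil, nonce, []byte(field), nil)
	token = base64.StdEncoding.EncodeToString(append(nonce, ct...))
	return token, g.Index(field), nil
}

// Reveal decrypts a token on the way back to the user. The GCM tag check
// rejects any token that was altered while stored in the cloud.
func (g *Gateway) Reveal(token string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return "", err
	}
	ns := g.aead.NonceSize()
	if len(raw) < ns+g.aead.Overhead() {
		return "", errors.New("token too short")
	}
	pt, err := g.aead.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Record is the SaaS side's view of a customer (assumed shape): the SSN
// exists there only as ciphertext plus blind index.
type Record struct {
	Name, SSNToken, SSNIndex string
}

// FindBySSN is the exact-match search the cloud can run: the gateway maps the
// search term to its index and the SaaS compares indexes, never plaintext.
func (g *Gateway) FindBySSN(records []Record, ssn string) []Record {
	want := g.Index(ssn)
	var out []Record
	for _, r := range records {
		if r.SSNIndex == want {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	// Constructed demo keys; a deployment would load them from an on-premises KMS/HSM.
	g, err := NewGateway([]byte("0123456789abcdef0123456789abcdef"), []byte("fedcba9876543210fedcba9876543210"))
	if err != nil {
		panic(err)
	}
	tok, idx, _ := g.Protect("123-45-6789")
	pt, _ := g.Reveal(tok)
	fmt.Printf("SaaS stores: token=%s index=%s\nGateway reveals: %s\n", tok, idx, pt)
}
```

The design makes the trade-off behind "searchable" encryption visible: the token itself is randomized, so two customers with the same SSN are indistinguishable in the ciphertext column, but the blind index is deliberately deterministic and therefore reveals equality of values to the cloud. That is the minimum leakage exact-match search requires, and it is why the index key must be separate from the encryption key and must never reach the SaaS side. The GCM authentication tag covers the endpoint-protection point from the FFIEC list above: a record modified in the cloud fails to decrypt rather than returning silently corrupted data.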
www.bitglass.com
Thank You!