Encrypting Data in Salesforce

Security & Compliance on Salesforce.com: Practical Advice for the Financial Services Industry. Zahid Afzal, CIO/COO, Capital Bank; Rich Campagna, VP, Products, Bitglass

Upload: bitglass

Post on 14-Apr-2017


TRANSCRIPT

Page 1: Encrypting Data in Salesforce

Security & Compliance on Salesforce.com
Practical Advice for the Financial Services Industry

Zahid Afzal
CIO/COO
Capital Bank

Rich Campagna
VP, Products
Bitglass

Page 2: Encrypting Data in Salesforce

Security & Compliance in the Cloud

Malware Stealing Salesforce Data
● Sep 8 2014, Dyre Malware captures user credentials & data

Gramm-Leach-Bliley Act (GLBA)
● Financial institutions must protect their customers’ non-public personally identifiable information (PII).

Federal Financial Institutions Examination Council (FFIEC)
● Financial institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit.
● Encryption strength sufficient to protect the information from disclosure until such time as disclosure poses no material risk,
● Effective key management practices,
● Robust reliability, and
● Appropriate protection of the encrypted communication endpoints.

Refs: GLBA - http://www.business.ftc.gov/, FFIEC - http://ffiec.gov

Page 3: Encrypting Data in Salesforce

Placeholder: Audience Poll Question

● Have you deployed Salesforce in your organization?
• Yes
• No, but we plan to in the next 6-12 months
• No, but we plan to if/when we can find a way to secure our data
• No, no short term plans.

Page 4: Encrypting Data in Salesforce

Case Study

● Business Goals
• Agile response to customer
• Unified view of data from 16 business segments
• Grow customer relationships
• Targeted data for sales, service and marketing

● Business Solution
• Enterprise wide sales and service realignment
• Move from sales playbook to relationship playbook

● IT Solution: Salesforce.com for CRM

Page 5: Encrypting Data in Salesforce

Available Options

1. Adopt Salesforce “as-is.”
2. Leverage special on-premises database option.
3. Encrypt data in Salesforce with a cloud encryption gateway.

Page 6: Encrypting Data in Salesforce

Adopting Salesforce “As Is”

● Pros
• Easier migration
• Cost effective

● Cons
• Risks compliance
• Limited visibility
• Data stored in the cloud

Page 7: Encrypting Data in Salesforce

On-Premise Database for Salesforce

● Pros
• Full control over data
• Compliance and security

● Cons
• Custom development, installation and maintenance
• Potential response time issues
• Higher cost

Page 8: Encrypting Data in Salesforce

Employ a Cloud Encryption Gateway

● Pros
• Full control over data
• Compliance and security
• Cost effective

● Cons
• First-gen solutions offered weak encryption

Page 9: Encrypting Data in Salesforce

Placeholder: Audience Poll Question

● Have you deployed a Cloud Encryption Gateway?
• Yes
• No, but we plan to in the next 6-12 months
• No, we will adopt cloud apps without one
• No, we have no plans to adopt cloud apps

Page 10: Encrypting Data in Salesforce

Fast-forward to today

Page 11: Encrypting Data in Salesforce

© 2014 Bitglass – Confidential: Do Not Distribute

Bitglass Cloud Encryption Gateway

Local Employees

Corporate Office

BYOD

Remote Employees

Public-Cloud App + Private-Cloud Data
● Unlimited mobility - any device, anywhere
● Encrypted data stored in private cloud

Page 12: Encrypting Data in Salesforce


Bitglass Cloud Encryption Technology

● AJAX VM tech robust to application updates
● Ease-of-management, one-click setup
● True encryption: AES-256 + 256-bit initialization
● Sort, search, auto-complete, wild-card…
● Validated by top crypto experts
• Taher Elgamal, CTO Security, Salesforce.com
• Marty Hellman, Professor, Stanford University

*Patents pending

Page 13: Encrypting Data in Salesforce


Total Data Protection

SSN → LZKAFDKLZ

Visibility, Alerts
Access Control
DLP
No software, any device
30 min deployment

In the Cloud

At Access

On the Device
Clientless Selective Wipe
Device Security Policies
File Encryption
Watermarking/Data Tracking
No software, any device
30 min deployment

Full strength AES-256
Searchable, sortable
Reviewed by security experts
No software, any device
30 min deployment

Page 14: Encrypting Data in Salesforce

Questions?

[email protected]
@bitglass

Page 15: Encrypting Data in Salesforce

www.bitglass.com

Thank You!