Secure Your Salesforce Org with Two-Factor Authentication March 17, 2016

Upload: salesforce-admins

Post on 08-Jan-2017



Speakers

Mary Scotton Principal Developer Evangelist Salesforce @rockchick322004

Josh Alexander Director, Product Management Salesforce @ToopherJosh

Forward-Looking Statements

 Statement under the Private Securities Litigation Reform Act of 1995:

 This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.

 The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site.

 Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.

Get Social with Us!

@salesforceadmns

#awesomeadmin

Salesforce Admins

This webinar is being recorded!

The video will be posted to YouTube & the webinar recap page (same URL as registration).

Join the Admin Webinar Group for Q&A!

•  Don’t wait until the end to ask your question!

•  We have team members on hand to answer questions in the webinar group.

•  Stick around for live Q&A at the end!

•  Speakers will tackle more questions at the end, time-allowing

bit.ly/AdminWebinarGroup

Today’s Agenda

•  Best Practices for Keeping Your Org Secure

•  What is Two-Factor Authentication?

•  Overview: Salesforce Authenticator App

•  Demo: Salesforce Authenticator App

Best Practices

Today’s Target: The User

Key Principles – The Human Factor

•  Limit the number of users with admin rights

•  Provide users with minimum access to do their job

•  Create rigorous process for user termination/deactivation

•  Basic security training for all users on credential/password security, phishing, and social engineering

•  Effective security requires cross-org communication

Phishing Education

•  Pervasive and effective attack vector for installing malware

•  Don’t open attachments that are unexpected or from unknown senders

•  If unsure about a Salesforce email, ask us via [email protected]

•  Education is key to prevention: http://trust.salesforce.com

Password Security

•  Activate password complexity and rotation rules

    ✓  Password expiration/reset every 90 days

    ✓  Password length at least 8-10 characters

    ✓  Password complexity – mix alpha and numeric characters

•  Use the new Health Check to check the security of your org!

•  User education

    ✓  No password/credential sharing

    ✓  Discourage password reuse across services

    ✓  Utilization of a strong password manager (example: LastPass)

•  Utilize two-factor authentication (2FA) and single sign-on (SSO)

What Is Two-Factor Authentication?

There are Three Types of Authentication

1. Something you know (such as a password)

2. Something you are (such as a fingerprint)

3. Something you have (such as a smart card)

How we used passwords historically

We grunted to unlock meaning

Used them to get into speakeasies

…alas they’re not strong enough to face a cyborg

Password Evolution

password

annabelle1020

Annabelle1020

Annab3ll31020!

If you…

CAN remember your password…

It’s not a good password.

CANNOT remember your password…

It’s not a good password.

Who you are

A child recognizing you

Greeks invented biometrics

A scanner recognizing your eye

Something you have…

credibility or respect

a key fob

Overview: Salesforce Authenticator

Intelligent Mobile Two-Factor Authentication

Salesforce Authenticator uses Two-Factor Authentication

1. Something you know (such as a password)

2. Something you are (such as a fingerprint)

3. Something you have (such as a smart card)

Salesforce Authenticator Delivers Simplicity and Security

View all details in a single glance

•  User, Action, Service, Computer, Location

Single Button Approve or Deny

•  Additional Deny triage to flag a transaction

Automate Authentication

•  If these items are the same in the future, AND the mobile device is in the same location, then Salesforce Authenticator can automate the user’s response in the future.
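The automation rule on this slide can be modelled as a small decision function. This is an added example, not Salesforce code and not how the app is implemented; the field names, the sample account and coordinates, and the 100 m meaning of "same location" are assumptions made for illustration.

```python
import math
from dataclasses import dataclass

# Assumption: "same location" means within this many metres of the saved spot.
SAME_LOCATION_RADIUS_M = 100.0

@dataclass(frozen=True)
class Request:
    user: str
    action: str
    service: str
    computer: str  # browser/OS label shown in the approval prompt

def distance_m(a, b):
    """Great-circle (haversine) distance in metres between (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000 * math.asin(math.sqrt(h))

def decide(request, phone_location, trusted):
    """Return 'auto-approve' only when every request detail matches a saved
    entry AND the phone is at that entry's location; otherwise 'prompt'."""
    if phone_location is None:  # location unavailable: never automate
        return "prompt"
    for saved_request, saved_location in trusted:
        if (request == saved_request
                and distance_m(phone_location, saved_location)
                <= SAME_LOCATION_RADIUS_M):
            return "auto-approve"
    return "prompt"  # any changed detail goes back to the user to Approve or Deny

# Constructed sample data (hypothetical user, device label and coordinates).
OFFICE = (37.7897, -122.3972)
KNOWN = Request("mary@example.com", "Log In", "Salesforce", "Chrome on Mac OS X")
TRUSTED = [(KNOWN, OFFICE)]
```

A request that differs in any single detail, or that arrives while the phone is elsewhere, is never answered automatically, so the user still sees it and can deny and flag it.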

Protect Your Data With Enhanced Security

•  Full out-of-band two-factor removes phishing vector

•  Expanded use of 2FA within session (reports, connected apps)

•  User triage of requests scales detection

•  Deny operation can engage Salesforce Incident response

Salesforce Authenticator Two-Step Setup

At login, users will be invited to use 2FA

Set up a 2FA permission set

Step 1 Step 2

Salesforce Authenticator Demo

Resources

New Trail on

Download the Salesforce Authenticator App:

Join the Admin Webinar Group for Q&A!

bit.ly/AdminWebinarGroup