Security Best Practices Webinar for All Salesforce.com Customers

Security Webinar for All Salesforce.com Customers

Join salesforce.com security experts for this educational webinar. In this webinar, we share best practices for raising awareness about phishing and security, provide educational content on how to defend against these attacks, and walk you through how you can quickly and easily increase the security of your salesforce.com deployment.

View Webinar

In this webinar we will discuss the following security recommendations:

  • Modify your salesforce.com implementation to activate IP range restrictions. This will allow users to access salesforce.com only from your corporate network or VPN, thus providing a second factor of authentication.
  • Educate your employees not to open suspect emails and to be vigilant in guarding against phishing attempts.
  • Use security solutions from leading vendors such as Symantec to deploy spam filtering and malware protection.
  • Designate a security contact within your organization so that salesforce.com can more effectively communicate with you. Contact your salesforce.com representative with this information.
  • Consider using other two-factor authentication techniques such as RSA tokens or Smart Cards.

Administrators - Protect Your Company

SMS Identity Confirmation

Salesforce.com is dedicated to ensuring our service is as secure as possible and helping our customers strengthen security in their own environments. Starting March 6, 2013, we will begin a phased rollout that changes our Identity Confirmation default option. Salesforce.com will replace email Identity Confirmation with SMS Identity Confirmation for all verified mobile users. This further safeguards our customers by adding an extra layer of protection when verifying login from an unknown source. Once the change is activated, verified mobile users will only receive SMS identity confirmation. Users without mobile phones will still have the option to use email identity confirmation.

For more information, we have provided the following:

[back to top]

Implement IP Restrictions in Salesforce.com

A great tool for protecting your applications is restricting login to those IP addresses that you specifically approve.

To restrict IP addresses, click:

Setup>Manage Users>Profiles

 If you are using Personal Edition or Group Edition, click:

Setup>Security Controls>Session Settings 

[back to top]

Consider Two-Factor Authentication

User names and passwords are the most commonly used forms of authentication. Several technologies are available for second-level authorization, including requiring secure IT tokens. Note that this technology does not protect against "man-in-the-middle" attacks, where messages are intercepted. Also, applications that may be integrated with salesforce.com are not protected by two-factor authentication.

Please contact your account team for more information.

[back to top]

Secure Employee Systems

One of your goals is to keep email fraud from reaching your users in the first place. To help do that, secure all computers used by your employees.
  • Update all users to the latest browser version.
  • Deploy email filtering technology. Make sure you whitelist the salesforce.com IP address.
  • Install and maintain desktop protection software on all user machines and keep all applications and definitions up to date.
[back to top]

Strengthen Password Policies

You can make passwords more secure and harder to break by requiring users to define complex passwords, setting up password expirations, and implementing lockouts.

To set password policies, click:

Setup>Security Controls>Password Policies

To force users to reset their passwords, click:

Setup>Security Controls>Expire All Passwords

[back to top]

Require Secure Sessions

By mandating that all sessions are encrypted and secure, you protect messages in transit.

Your administrator should verify these settings:

Setup>Manage Users>Profiles

[back to top]

Decrease Session Timeout Thresholds

Users sometimes leave their computers unattended or they don't log off. You can protect your applications against unauthorized access by automatically closing sessions when there is no session activity for a period of time. The default timeout is 2 hours; you can set this value from between 30 minutes and 8 hours.

To change the session timeout, click:
Setup>Security Controls>Session Settings  
[back to top]

Identify a Primary Security Contact

Please identify a person in your company who is responsible for application security. He or she should have a thorough understanding of your security policies. Make this person your single point of contact for salesforce.com.

To notify salesforce.com about your security contact, please contact your account team.

[back to top]