Security & Compliance on Salesforce.com

Practical Advice for the Financial Services Industry

Zahid AfzalCIO/COOCapital Bank

Rich CampagnaVP, ProductsBitglass

Malware Stealing Salesforce Data ● Sep 8 2014, Dyre Malware captures user credentials & data

Gramm-Leach-Bliley Act (GLBA) ● Financial institutions must protect their customers’ non-public personally

identifiable information (PII).

Federal Financial Institutions Examination Council (FFIEC)● Financial institutions should employ encryption to mitigate the risk of

disclosure or alteration of sensitive information in storage and transit. ● Encryption strength sufficient to protect the information from

disclosure until such time as disclosure poses no material risk,● Effective key management practices,● Robust reliability, and● Appropriate protection of the encrypted communication endpoints.

Security & Compliance in the Cloud

Refs: GLBA - http://www.business.ftc.gov/, FFIEC - http://ffiec.gov

• Business Goals• Agile response to customer

• Unified view of data from 16 business segments

• Grow customer relationships

• Targeted data for sales, service and marketing

● Business Solution● Enterprise wide sales and service realignment

● Move from sales playbook to relationship playbook

● IT Solution: Salesforce.com for CRM

Case Study

1. Adopt Salesforce “as-is.”

2. Leverage special on-premises database option.

3. Encrypt data in Salesforce with a cloud

encryption gateway.

Available Options

● Pros

• Easier migration

• Cost effective

● Cons

• Risks compliance

• Limited visibility

• Data stored in the cloud

Adopting Salesforce “As Is”

● Pros

• Full control over data

• Compliance and security

Cons

• Custom development, installation and

maintenance

• Potential response time issues

• Higher cost

On-Premise Database for Salesforce

● Pros

• Full control over data

• Compliance and security

• Cost effective

● Cons

• First-gen solutions offered weak encryption

Employ a Cloud Encryption Gateway

Fast-forward to today

© 2014 Bitglass – Confidential: Do Not Distribute

Bitglass Cloud Encryption Gateway

Local Employees

Corporate Office

BYODRemote Employees

Public-Cloud App + Private-Cloud Data● Unlimited mobility - any device, anywhere

● Encrypted data stored in private cloud

© 2014 Bitglass – Confidential: Do Not Distribute

Bitglass Cloud Encryption Technology

● AJAX VM tech robust to application updates

● Ease-of-management, one-click setup

● True encryption: AES-256 + 256-bit initialization

● Sort, search, auto-complete, wild-card…

● Validated by top crypto experts

• Taher Elgamal, CTO Security, Salesforce.com

• Marty Hellman, Professor, Stanford University

*Patents pending

© 2014 Bitglass – Confidential: Do Not Distribute

Total Data Protection

SSN → LZKAFDKLZ

Visibility, AlertsAccess ControlDLPNo software, any device30 min deployment

In the Cloud

At Access

On the DeviceClientless Selective WipeDevice Security PoliciesFile EncryptionWatermarking/Data TrackingNo software, any device30 min deployment

Full strength AES-256Searchable, sortableReviewed by security expertsNo software, any device30 min deployment

Questions?

info@bitglass.com@bitglass

www.bitglass.com

Thank You!