PaaS security challenges and solutions (salesforce vision)

Andrey Bosak, VRP Cloud Services Delivery Director – PaaS security challenges and solutions (salesforce vision).

Page 1: PaaS security challenges and solutions (salesforce vision)

PaaS security challenges and solutions (salesforce vision)

VRP Cloud

Andrey Bosak

Technical Architect

Page 2: PaaS security challenges and solutions (salesforce vision)

Andrey Bosak

• 8 years of experience in IT
• .Net, Java, ABAP, C++ hands-on development >2 years each
• SAP NetWeaver trainer at SAP CIS partner academy
• 4 years of experience in project management and solutions architecture design
• Now inspired by Salesforce.com
• Head of VRP Cloud Minsk

Page 3: PaaS security challenges and solutions (salesforce vision)

PaaS security challenges

• Is IT infrastructure reliable?
• Is data channel secured?
• Who can access my data?
• What data is accessible?
• Is 3rd party application from App Exchange secure?
• Is my custom code secure?
• …
• What are the long term costs?

Page 4: PaaS security challenges and solutions (salesforce vision)

Force.com PaaS solution overview

• Shared database and middleware

• Proprietary programming and markup languages (APEX & Visualforce)

• Governor limits

• Standard objects from Sales and Service cloud

• APIs: REST, SOAP, BULK, Metadata

• Configurable layouts, views, workflows and approval

• Reports & Dashboards

Page 5: PaaS security challenges and solutions (salesforce vision)

Force.com pros & CONS

Pros:

• Easy to start (free environment, workbooks, examples, declarative approach)

• Standard business objects and functionality

• Declarative point & click tools

• Proven scalability

• Transparent security

• App Exchange

• Governor limits

• Powerful API

Page 6: PaaS security challenges and solutions (salesforce vision)

Force.com pros & CONS

Cons:

• Proprietary language

• Governor limits

• Less powerful development tools than mainstream technologies provide

Page 7: PaaS security challenges and solutions (salesforce vision)

Force.com: PaaS security vision of Salesforce

• Infrastructure and network
• Users and security
• API security
• Platform security
• Limits
• Custom applications security

Page 8: PaaS security challenges and solutions (salesforce vision)

trust.salesforce.com Infrastructure security

• Success is built on trust. And trust starts with transparency.

• Trust.salesforce.com is the salesforce.com community’s home for real-time information on system performance and security. On this site you'll find:

• Live and historical data on system performance

• Up-to-the-minute information on planned maintenance

• Phishing, malicious software, and social engineering threats

• Best security practices for your organization

• Information on how we safeguard your data

Information is taken from the trust.salesforce.com site

Page 9: PaaS security challenges and solutions (salesforce vision)

Users and security

Users are managed centrally by an administrator

User Authentication
• Delegated Authentication
• Federated Authentication (based on SAML)

Network-based Security

Session Security

System Auditing

Data Auditing

Page 10: PaaS security challenges and solutions (salesforce vision)

Platform security: User Profile

• System Permissions
• Administrative Permissions
• Reports
• Data

• Component Permissions
• Applications
• Tabs
• Record types
• Apex classes
• Visualforce pages

• Record-based Sharing

Page 11: PaaS security challenges and solutions (salesforce vision)

API and programmatic security

• Security tokens
• OAuth 2.0
• API-enabled and API-Only permissions
• Crypto library

Page 12: PaaS security challenges and solutions (salesforce vision)

Governor limits as security mechanism

• Heap size
• Attachment size
• Page size
• Number of code-lines
• Outbound calls
• Page requests
• API calls
• Database queries
• … and other possibilities of your application are limited, thus limiting security vulnerabilities

Page 13: PaaS security challenges and solutions (salesforce vision)

Force.com Security Scanner

• Force.com Security Source Scanner

• Web Application Security Scanner

Page 14: PaaS security challenges and solutions (salesforce vision)

Summary

• Force.com uses industry standards and best practices to provide a centralized, powerful and flexible security architecture for cloud solutions

• Reliable and distributed IT infrastructure, energy efficiency and transparency are now considered a MUST for PaaS providers

• Security in all its aspects is now among the most important reasons why customers choose the cloud. Taking into account emerging information security threats, it might soon become the most important. So build your cloud right or choose the right PaaS provider

Page 15: PaaS security challenges and solutions (salesforce vision)

Questions?