12 May 2015

Security Monitoring 101

Normally, when I get on the phone with a customer, they’re familiar with the audit capabilities within Salesforce and we just discuss the Event Monitoring add-on. However, while on the phone the other day with an IT security professional, I realized that we needed to take a step back and review the different options around auditing and monitoring user activity before we could dig into the add-on value of Event Monitoring.

This post is designed as a high-level introduction to security monitoring to better understand some of the different options security professionals have to audit data and user actions within their organization.

In general, the topic of auditing user behaviors in Salesforce can be summed up in just a few key features:

| Feature | Audit Fields | Login History | Setup Audit Trail | Field History Tracking | Event Monitoring (Event Log Files) |
|---|---|---|---|---|---|
| What it tracks | Track who created or last modified a record by user and time | Track end-user logins and login attempts (e.g. failures) | Track administrative changes in setup like escalation of privileges or creation of new fields | Track state changes at the field level | Track a variety of server interactions including report exports, page views, and document downloads |
| Example | Adam Torman modified the Acme account earlier today | Adam Torman logged in using Chrome v 42.0 on Mac OSX | Permission set Modify All Data: assigned to user Adam Torman | Adam Torman changed the Case status from Open to Closed | Adam Torman clicked on Marc Benioff’s patient record and downloaded the customer list |
| Interface | UI and API | UI (CSV Download) and API | UI Only (CSV download) | UI and API | API Only (CSV download) |
| [Profile or Sharing] Permissions Required | * Read / Query requires sharing access to parent record | Manage Users permission | * View Setup and Configuration permission | Configure requires Customize Application permission; * Read / Query requires sharing access to parent record | * View Event Log Files permission |
| Data Retention Policy | Life of the record | 6 months FIFO | 6 months FIFO | Up to 10 years | Up to 30 days |
| Cost | | | | $0 - 20 fields for 18 months; ** $add-on - 60 fields for 10 years | $0 - Login/Logout lines for 1 day; ** $add-on - 28 log files for 30 days |
| Online Help Documentation | | | | | |

* - View All Data will also enable access to everything but Login History
** - Talk with your account executive about the add-on price

Where do you go from here? There is great in-depth online documentation, along with best practices guides:
  1. Auditing documentation - high level overview
  2. Salesforce Security Implementation Guide - in depth best practices guide
  3. Salesforce Security Workbook - self-paced and interactive exercises
There are many more advanced features that help enable security professionals to audit user behavior and track activity.

Some additional solutions worth exploring in this area include:

Salesforce is a trusted cloud service. These solutions help you to trust but verify your users' behaviors.

17 April 2015

Clone This User

Have you ever been at lunch and received an emergency email from your CEO to create a new user so they can be up and running immediately?

In this connected, real-time world, there's no reason why you have to leave a perfectly good lunch to go online and create a user when you can create one from your mobile phone in two minutes or less.

I wrote about cloning users last year. It's the fastest path to creating a new user and follows a simple premise that new users are similar to existing users. Therefore existing users can be used as a template for creating new users.

Arkus made this incredibly easy with Clone This User, a mobile app built on the Salesforce1 platform that takes the fewest number of inputs to clone a user so they can be up and running immediately.

This app came up in several conversations just the other day.

The first use case was around ensuring the newly onboarded user had access to Wave which requires a permission set license. When cloning a user with Clone This User, both the permission set licenses and permission sets for Wave came over from the template user without having to think about it. The template becomes a black box that doesn't require the administrator to think about the minutiae of permissions a new user needs.

The second use case was around a custom user provisioning app built on top of the API. The custom app asked the administrator cloning the user to pick and choose additional permission sets above and beyond what the template user already had. This somewhat defeats the idea of a clone since now the administrator has to go back to the difficult task of figuring out all the permissions a user needs to get up and running. This created additional decision points for the administrator during what should have been a time-saving workflow of cloning a user.

Cloning users with Clone This User is a great way to simplify the workflow of creating new users, even when you're at lunch.

09 April 2015

The Power of Compression

I had an interesting customer case come up last week. The customer was using the Splunk App for Salesforce. But unfortunately, they kept getting an error when trying to download Event Log Files.

We finally discovered that there is a ten minute timeout on API requests by default. That means an API call must complete within ten minutes or an error will occur. Because we were trying to download a large amount of content in California, but the data center was based in Chicago, the addition of network latency and file size contributed to the ten minute timeout.

Upon further investigation, we determined that we weren't compressing the CSV file content over the network and were instead downloading everything in an uncompressed format. However, we also determined that there is a white list of content types where you can request compression during download including:
  • text/html
  • application/json
  • text/css
  • text/javascript
  • text/xml
  • application/javascript
  • application/x-javascript
  • application/vnd.edgemart
As a result, even when requesting text/csv content in a compressed format, we were still delivering it uncompressed. We have since patched a fix to allow compression when you request text/csv file content using the API.

It's important to know that this is an optional configuration. Nothing changes from current functionality while downloading Event Log Files. Your scripts that worked previously should still work. However, if you add the compression flag to your API request or header, we'll transmit your Event Log File in a compressed format enabling quicker delivery.

How much quicker?

With some initial testing I conducted downloading NA1 files from California using a modified Python download script, I was able to download files on average 65% faster than before with this option.

To request compression with cURL, it's as easy as adding the --compressed flag:

curl --compressed "https://na8.soma.salesforce.com/services/data/v33.0/sobjects/EventLogFile/0ATD00000000HnXOB3/LogFile" -H "Authorization: Bearer ${access_token}" -H "X-PrettyPrint:1" -o "compressedELF.csv"

Otherwise, you typically can request compression via a header. For example, with Python:

request.add_header('Accept-encoding', 'gzip')
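
An added example (not part of the original post or of the Splunk app): a Python 3 download helper that sends the same Accept-encoding header and then gunzips the body itself, because urllib does not decode gzip responses for you. The function names, the size cap and the sample CSV rows are assumptions made for illustration.

```python
import gzip
import io
import urllib.request

API_VERSION = "v33.0"  # same version as the cURL example above


def build_request(instance_url, log_file_id, access_token):
    """Build the EventLogFile download request and ask for gzip."""
    url = (f"{instance_url}/services/data/{API_VERSION}"
           f"/sobjects/EventLogFile/{log_file_id}/LogFile")
    request = urllib.request.Request(url)
    request.add_header("Authorization", f"Bearer {access_token}")
    request.add_header("Accept-encoding", "gzip")
    return request


def decode_body(stream, content_encoding, max_bytes=1 << 30):
    """Return CSV bytes, gunzipping only when the server compressed them.

    max_bytes (an assumed cap) bounds the decompressed size so an
    oversized response cannot exhaust memory on the collector.
    """
    if (content_encoding or "").strip().lower() == "gzip":
        stream = gzip.GzipFile(fileobj=stream, mode="rb")
    chunks, total = [], 0
    for chunk in iter(lambda: stream.read(65536), b""):
        total += len(chunk)
        if total > max_bytes:
            raise ValueError("log file exceeds max_bytes after decoding")
        chunks.append(chunk)
    return b"".join(chunks)


def download_log_file(instance_url, log_file_id, access_token, timeout=600):
    """Fetch one log file; the server may still answer uncompressed."""
    request = build_request(instance_url, log_file_id, access_token)
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return decode_body(response, response.headers.get("Content-Encoding"))


def demo():
    """Offline check on a constructed log: (raw size, wire size, intact)."""
    row = b'"ReportExport","20150409000000.000","005000000000001"\n'
    csv_bytes = b'"EVENT_TYPE","TIMESTAMP","USER_ID"\n' + row * 2000
    wire = gzip.compress(csv_bytes)  # what a gzip response body carries
    decoded = decode_body(io.BytesIO(wire), "gzip")
    plain = decode_body(io.BytesIO(csv_bytes), None)
    return len(csv_bytes), len(wire), decoded == plain == csv_bytes
```

Checking the Content-Encoding response header, rather than assuming gzip, keeps the same script working against servers that ignore the request and return plain CSV.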

So regardless of whether your files are large or you are in a different region from the data center, it's still worth downloading your files using compression.
