12 May 2015

Security Monitoring 101

Normally, when I get on the phone with a customer, they’re familiar with the audit capabilities within Salesforce and we just discuss the Event Monitoring add-on. However, while on the phone the other day with an IT security professional, I realized that we needed to take a step back and review the different options around auditing and monitoring user activity before we could dig into the add-on value of Event Monitoring.

This post is a high-level introduction to security monitoring, meant to explain the different options security professionals have to audit data and user actions within their organization.

In general, the topic of auditing user behaviors in Salesforce can be summed up in just a few key features:



| | Audit Fields | Login History | Setup Audit Trail | Field History Tracking | Event Monitoring (Event Log Files) |
|---|---|---|---|---|---|
| Purpose | Track who created or last modified a record by user and time | Track end-user logins and login attempts (e.g. failures) | Track administrative changes in setup like escalation of privileges or creation of new fields | Track state changes at the field level | Track a variety of server interactions including report exports, page views, and document downloads |
| Example | Adam Torman modified the Acme account earlier today | Adam Torman logged in using Chrome v 42.0 on Mac OSX | Permission set Modify All Data: assigned to user Adam Torman | Adam Torman changed the Case status from Open to Closed | Adam Torman clicked on Marc Benioff’s patient record and downloaded the customer list |
| Interface | UI and API | UI (CSV Download) and API | UI Only (CSV download) | UI and API | API Only (CSV download) |
| [Profile or Sharing] Permissions Required | * Read / Query requires sharing access to parent record | Manage Users permission | * View Setup and Configuration permission | Configure requires Customize Application permission; * Read / Query requires sharing access to parent record | * View Event Log Files permission |
| Data Retention Policy | Life of the record | 6 months FIFO | 6 months FIFO | Up to 10 years | Up to 30 days |
| Pricing | $0 | $0 | $0 | $0 - 20 fields for 18 months; ** $add-on - 60 fields for 10 years | $0 - Login/Logout lines for 1 day; ** $add-on - 28 log files for 30 days |
| Online Help Documentation | | | | | |

* - View All Data will also enable access to everything but Login History
** - Talk with your account executive about the add-on price

Where do you go from here? There is great in-depth online documentation, along with best-practices guides:
  1. Auditing documentation - high level overview
  2. Salesforce Security Implementation Guide - in depth best practices guide
  3. Salesforce Security Workbook - self-paced and interactive exercises
There are many more advanced features that help enable security professionals to audit user behavior and track activity.

Some additional solutions worth exploring in this area include:


Salesforce is a trusted cloud service. These solutions help you to trust but verify your users' behaviors.

1 comment:

  1. I prefer http://www.softinventive.com/total-network-monitor/. It combines most of these functions and it's comfortable, because it's one package, you don't need to install a lot of tools for security monitoring.
