09 October 2015

Cause and Consequence: The need for real-time security actions

Hi there! I'm Jari Salomaa (@salomaa) and I recently joined Salesforce to work on security product management, covering various exciting new features, frameworks and capabilities in the always interesting world of security, privacy and compliance. I have a history with static, dynamic and behavioral analysis that we can talk about some other time.

One of these cutting-edge projects, which I'm collaborating on with the founder of this fantastic blog, Adam Torman, is Transaction Security.

Introduction

Transaction Security is a real-time security event framework built into Salesforce Shield, a new, very focused security offering from Salesforce for our most sophisticated customers with specific security needs. Having security built into the Salesforce platform gives customers best-of-breed performance, rich intelligence and a flexible user experience, ready to integrate with the customer's existing security investments, visualizations, dashboards and so on.

Salesforce Shield offers various security components, of which Event Monitoring offers the most value for forensic investigations: digging deep into who, where, what and how.

Access to Salesforce Shield Event Monitoring logs gives Salesforce administrators the ability to integrate the different event flows, such as "login", "resource access", "entity" and "data exfiltration" events, into data visualization dashboards like Splunk, New Relic, Salesforce Wave, etc.

Once administrators and organizations have settled on their prioritized security use cases from their Event Monitoring logs, they can use the Transaction Security framework to build real-time security policies. Transaction Security can apply Concurrent Session Login Policy logic, for example, so that only two administrator sessions may be open at any given time, or so that users with the Standard User Profile are limited to five active concurrent sessions. If for some reason end users have more open sessions, they are automatically forced to close them before continuing. In real time, as it happens.
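As an added example (not code from the post or from the product), here is what the per-profile session cap described above could look like as a Login-event policy condition. It assumes that TxnSecurity.Event exposes a userId field, that currently open sessions can be counted from the AuthSession object by UsersId, and that the login under evaluation is not yet counted there (verify that last point in a sandbox before relying on the threshold).

```apex
// Added example: enforce two open sessions for administrators and five for
// the Standard User profile. Assumptions: e.userId is available, and AuthSession
// holds one row per live session for the user (the in-flight login not included).
global class ConcurrentSessionsPolicyCondition implements TxnSecurity.PolicyCondition {

    // Maximum open sessions per profile name; unlisted profiles get DEFAULT_LIMIT.
    private static final Map<String, Integer> LIMITS = new Map<String, Integer>{
        'System Administrator' => 2,
        'Standard User'        => 5
    };
    private static final Integer DEFAULT_LIMIT = 5;

    // Returning true tells Transaction Security to apply the policy's action
    // (for example "end session" or "require 2FA") to this login.
    public boolean evaluate(TxnSecurity.Event e) {
        Integer allowed = limitForUser(e.userId);
        Integer open = openSessionsFor(e.userId);
        // A user already at the cap goes over it once this login completes.
        return open >= allowed;
    }

    private static Integer limitForUser(String userId) {
        List<User> users = [SELECT Profile.Name FROM User WHERE Id = :userId LIMIT 1];
        if (users.isEmpty() || users[0].Profile == null) {
            return DEFAULT_LIMIT;
        }
        String profileName = users[0].Profile.Name;
        return LIMITS.containsKey(profileName) ? LIMITS.get(profileName) : DEFAULT_LIMIT;
    }

    private static Integer openSessionsFor(String userId) {
        // Count only this user's live sessions.
        return [SELECT COUNT() FROM AuthSession WHERE UsersId = :userId];
    }
}
```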

Building Real Time Security Policies

Discussions with many security teams around the world keep raising the same question: who is accessing my data, exfiltrating or downloading it, and what can I do about it? Since Salesforce touches many aspects of the business lifecycle, what is important and confidential may differ from one company to another. This is why we have chosen to introduce Transaction Security in the form of an easy-to-use interface where you define the event type.

We currently support four (4) different event types:
  1. Login - for user sessions
  2. Entity - for authentication providers, sessions, client browsers and IP
  3. DataExport - for Account, Contact, Lead and Opportunity objects
  4. AccessResource - for connected apps, reports and dashboards
Each of the corresponding real-time events has a set of defined actions.

Administrators can choose anything from email notifications and in-app notifications to real-time actions: block the request, enforce two-factor authentication (2FA), or end the active session. You can also choose to take no action and just receive real-time alerts. Isn't that neat?

Each policy type automatically generates Apex code that is highly customizable for your needs, whether defining the specific condition or adding further criteria for the action.

As a security administrator in Salesforce you can edit the Apex to define a more specific condition for the action. For example, you can define the action to fire only when specific platform conditions occur.

For example, you may want to restrict access to specific corporate platforms: if you have a corporate phone program on iOS or Android, or specific operating systems or browsers in use, like Windows, OS X, Safari or Chrome, you can block access requests coming from environments not approved by IT, or at least ask for higher assurance with two-factor authentication to validate that they are not coming from unwanted and untrusted sources. This can be a really useful way to protect sensitive reports and dashboards, mass data exports with Data Loader, or simply user or administrator logins.
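The platform restriction just described, as an added example that is not code from the post or the product: a Login-event policy condition that returns true (so the policy can block or require 2FA) when the login comes from a platform or browser outside the IT-approved list. It assumes that for Login events e.data carries a 'LoginHistoryId' key pointing at the matching LoginHistory record, and the approved-list strings are placeholders to replace with the exact values your org records.

```apex
// Added example: flag logins from platforms or browsers IT has not approved.
// Assumptions: e.data.get('LoginHistoryId') identifies the LoginHistory row for
// this login; the prefix lists below are placeholders, not verified values.
global class ApprovedPlatformPolicyCondition implements TxnSecurity.PolicyCondition {

    // Prefixes matched against LoginHistory.Platform and LoginHistory.Browser.
    private static final List<String> APPROVED_PLATFORMS = new List<String>{
        'Windows', 'Mac OSX', 'iPhone', 'Android'
    };
    private static final List<String> APPROVED_BROWSERS = new List<String>{
        'Chrome', 'Safari'
    };

    public boolean evaluate(TxnSecurity.Event e) {
        String loginHistoryId = (e.data == null) ? null : e.data.get('LoginHistoryId');
        if (loginHistoryId == null) {
            // Nothing to check against: treat as untrusted rather than silently allow.
            return true;
        }
        List<LoginHistory> rows = [SELECT Platform, Browser
                                   FROM LoginHistory
                                   WHERE Id = :loginHistoryId LIMIT 1];
        if (rows.isEmpty()) {
            return true;
        }
        // Both the platform and the browser must be on the approved lists.
        Boolean approved = matchesAny(rows[0].Platform, APPROVED_PLATFORMS)
                        && matchesAny(rows[0].Browser, APPROVED_BROWSERS);
        return !approved;
    }

    // True when value starts with one of the given prefixes (case-insensitive).
    private static Boolean matchesAny(String value, List<String> prefixes) {
        if (String.isBlank(value)) {
            return false;
        }
        String lower = value.toLowerCase();
        for (String p : prefixes) {
            if (lower.startsWith(p.toLowerCase())) {
                return true;
            }
        }
        return false;
    }
}
```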

Next Steps

So what can customers do to enable real-time security policies for their Salesforce applications?

Salesforce Shield and Event Monitoring are prerequisites for enabling Transaction Security in your production orgs. Please have a conversation with your Salesforce Account Executive about Salesforce Shield. We have also enabled Transaction Security policies in Developer Edition orgs, so you can try before you buy.

Once enabled, go to Setup -> Transaction Security and enable Transaction Security Policies. Have a look at the security release notes and product help documentation for additional Apex class examples.

You can also follow me and send questions on Twitter at @salomaa, or leave your questions or comments below. Looking forward to hearing what you think!

5 comments:

  1. This is very interesting. Where do you see your strongest ROI? If I need to put a value proposition in front of my management, what would it look like?

  2. Hi William! Thanks for your interest! Depending on the security use case, you can obtain many different business benefits in the form of $$$ savings, amount of data protected/saved, attempted hacks, or overall assurance of compliance with your company's security regulations using automation. I can highlight a couple of additional customer examples here: 1) compliance with infosec policy use case: automating the process for what you already know to be bad, i.e. configuring and building policies for untrusted IPs, bad logins and unauthorized platforms, reduces forensic workload and has the system operate on your behalf; 2) DLP use case: Tx Security can protect against the victim's single click from a targeted attack against an organization by applying a real-time action to protect the most sensitive parts of corporate data, separating human behavior from machine behavior by applying 2FA for reports and dashboards; and finally 3) the insider threat: this can be helped by building policies to, e.g., block a disgruntled employee with extensive API privileges from using Data Loader to extract thousands of rows of data - they will be limited to some data and get caught before the damage is actually done. Hope this helps! Looking forward to working with you. Cheers, Jari

  3. For Resource Access, how can you specify you want 2FA to apply to an individual, specific report? Does it have to be customized in the generated Apex? I only see one item to select, which is for all dashboards and reports, and not an option to select which one you want the policy to apply to...

    Replies
    1. It's a hybrid approach today. In the User Interface you specify (1) the event you'd like to apply the real-time action to and then decide (2) the appropriate action. Then in the Apex you add and describe additional criteria like user, profile, location, report ID etc. for which you want the e.g. two-factor authentication to be triggered. Here's an example (probably won't display correctly here) of how that would look for my reports in my own org (all users):

      // Condition class attached to the AccessResource policy: the action
      // (here, 2FA) fires only when the accessed resource is this one report.
      global class FireActionOnReportPolicyCondition implements TxnSecurity.PolicyCondition {

          public boolean evaluate(TxnSecurity.Event e) {
              // entityId is the ID of the report (or dashboard) being accessed
              if (e.entityId.equals('00OB0000001Ogd3')) {
                  return true;
              }
              return false; // any other resource: no action
          }
      }
