Security

Security Manager's Journal: Plugging a SaaS access hole

We have a lot of sensitive data on Salesforce.com servers, and until now, you could access it from any device.

By Mathias Thurman

March 12, 2012 06:00 AM ET

Computerworld -

Trouble Ticket

At issue: The sales team is using Salesforce to access sensitive data from any device, anywhere.

Action plan: Rein in accessibility by requiring VPN connectivity for SaaS apps.

The access police have struck again.

That would be me, of course. I am forever seeking to control accessibility to the company's sensitive data. Naturally, when I tighten things up, some people get unhappy. Our salespeople, among others, always want access to be as easy as possible, and they want to be able to get to the data they need anywhere and from any device. For me, though, that sort of ease of access just sounds like a disaster waiting to happen.

My latest candidate for more restrictive access is our Salesforce.com deployment. We've been using this software-as-a-service customer relationship management and sales application for more than six months with pretty wide-open accessibility.

I have a policy regulating remote access to our internal infrastructure or sensitive data. It requires encryption (i.e., VPN) and two-factor authentication (i.e., RSA SecurID tokens). The problem with SaaS applications like Salesforce is that their use does not really involve our internal infrastructure, but it does involve our sensitive data, though it doesn't reside in our data center. After discussing things with our legal counsel, we decided that the policy should more clearly define sensitive data to include source code and financial, human resources, healthcare, customer and sales data. Salesforce contains quite a bit of this sort of information, especially customer data, sales data and sales forecasting reports. As a publicly traded company, we can't risk unauthorized access to such data, which could be used to make illegal stock trades based on insider information.

With this tighter policy in hand, I decided to take advantage of a Salesforce configuration option that allows companies to restrict access by IP address. That would essentially force all users to be connected to one of the following: a port in one of our offices, a corporate wireless access point or the network via VPN.

Cue grumbling from the sales department. They were used to logging in to Salesforce from anywhere on any device. Of course, that convenience is exactly the risk we are concerned about, since we can't vouch for the integrity of "anywhere" or "any device." Some employees have even accessed corporate SaaS applications from Internet cafes and hotel-lobby kiosks. Such "unknown" devices are often infected with malware, and when connected to our network, they have compromised the login credentials of our employees. OK, said sales, no more public machines, but at least grant us the convenience of accessing Salesforce from our iPads.

That we did, by deploying the Cisco AnyConnect VPN client and RSA SecureID token for the iPad. We had been planning to deploy these applications for the iPad later in the year anyway, in conjunction with our mobile device management rollout.

A Lot of Work

Restricting Salesforce by IP address is a big job. We had to obtain all the IP addresses that Salesforce uses, as well as those of third parties. Then we had to modify our firewalls to allow access to each of those destinations. We also had to modify our VPN client profiles to recognize when a connected VPN user is accessing Salesforce. Finally, we had to let Salesforce know all of our company's IP address ranges. Gathering this data took time, and more time will be needed for monitoring, so that when a change occurs -- the addition of a new office, for example --we can modify the configuration.

This latest change hasn't been pain-free, but the grumbling has subsided. The sales team seems to understand our reasoning and agrees that, given recent security events in the news, this change makes sense.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.

Join in the discussions about security!

More by Mathias Thurman

Security Manager's Journal: NAC deployment means better access control at last
Security Manager's Journal: Plans and processes are made to be revised
Security Manager's Journal: A little housecleaning
Security Manager's Journal: R&D's new security lab is a promising step
Security Manager's Journal: Spam makes a comeback
Security Manager's Journal: Did DLP tool prevent an assault?
Security Manager's Journal: When technologies collide
Security Manager's Journal: Tracking down rogue IT
Security Manager's Journal: Not-so-innocent email distribution lists
Security Manager's Journal: A reality check for the department's maturity

Security

Read more about Security in Computerworld's Security Topic Center.

Comments ()

Print

Today's Top Stories

How to prevent IT unit overload

Yahoo on Tumblr: We won't 'screw it up'

Immigration reform may spur software robotics

Jonny Evans: Now even iPads seem delayed as Apple targets fall

Lawmakers seek Google Glass privacy plan

Yahoo Japan says 22 million user IDs may have been stolen

Google, Microsoft and Yahoo are secret backers behind European Privacy Association

From CSOonline and CIO

12 iPhones Apps That Will Make You a Networking Star

10 Careers Robots Are Taking From You

Big Data Gold Isn't Always Where You Would Expect It

6 Tips to Build Your Social Media Strategy

A walking tour: 33 questions to ask about your company's security

15 social media scams

The 7 elements of a successful security awareness program

Additional Resources

WHITE PAPER

How Cloud Communications Reduce Costs and Increase Productivity

Small and midsize businesses are moving to the cloud to host their communications capabilities. Learn how enterprise-quality phone benefits, online management, conferencing, auto attendant, and ease of use are built into a system that is half the cost of a PBX.

Read now.

Free Insider Guide

IT Certification Study Tips

Register for this Computerworld Insider Study Tip guide and gain access to hundreds of premium content articles, cheat sheets, product reviews and more.

Register for FREE now! »

Security Resources

A Comprehensive Strategy to Leverage Mobile A successful mobile strategy begins with a common platform for integrating and managing mobile devices and the corporate assets that are stored on...

IDC - SAP Enterprise Mobility: Bringing a Cohesive Approach to a Complex Market This IDC white paper discusses key mobility trends and examines how SAP's mobile enterprise solutions map to meet organization's mobile requirements.

The App Happy Enterprise This Computerworld playbook explores key aspects of the enterprise mobile revolution and provides a set of step-by-step directions on how to productively manage...

Navigating the New Mobile World Over the next five years, companies will evolve to mobile-empowered businesses in three phases, which include extending existing systems, accelerating decisions and responses,...

Live Webcast
Storage Validation at Go Daddy: Best Practices from the World's #1 Web Hosting Provider

Storage Validation at Go Daddy: Best Practices from the World's #1 Web Hosting Provider

Live Webcast
MFT and FileXpress - An Overview

Business users and applications exchange files on a regular basis. File transfer is a core part of the flow of business activity.

Live Webcast
Bridging HTTP and FTP with FileXpress Internet Server

What if you could take an FTP server on your internal network, and allow external users (partners or customers) to securely access it...

Bridging HTTP and FTP with FileXpress Internet Server What if you could take an FTP server on your internal network, and allow external users (partners or customers) to securely access it...

MFT and FileXpress - An Overview Business users and applications exchange files on a regular basis. File transfer is a core part of the flow of business activity.
All Security White Papers | Webcasts

IT Jobs

See All Jobs Post a job for $295

Jobs by SimplyHired

Security White Papers | All Security White Papers

A Comprehensive Strategy to Leverage Mobile

The App Happy Enterprise

Streamlining Information Workflows

Streamlining Information Workflows

Secure Data Streaming with Attachmate FileXpress

Data loss prevention: Refreshing data security to meet an evolving threat environment

DLP Is Not Just Good for Business, It's Vital for Business

Mapping security for your virtual environment

Best Practices for a Mobility Center of Excellence

Take Back Control of Your Active Directory Auditing

IDC - SAP Enterprise Mobility: Bringing a Cohesive Approach to a Complex Market

Navigating the New Mobile World

Streamlining Information Workflows

Securing Internet File Transfers

Controlling the Cost of File Transfers

Two-Factor Authentication

Expert Help to Assess Your Data Loss Risks

How Mobility is Changing the Enterprise

Top 10 Features of BlackBerry Enterprise Service 10

sudo or sudoesn't

Sponsored Links

Improve your ROI by the power of three with HP Converged Storage.

Splunk - Machine data goes in, business insight comes out. Learn more.

Focus on business, not infrastructure with VblockTM Systems from VCE

Platform without Boundaries - Extend your Datacenter

What's your Integration Strategy? View Gartner Predicts 2013: Application Integration.

MIT Sloan: cutting-edge short courses for busy executives

AirWatch - Leader in the Gartner Magic Quadrant Report for MDM. Download Now

Connect to the Cloud faster with Comcast Business

MIT Sloan: cutting-edge short courses for busy executives

BlackBerry for business. Built to keep your business moving.

IDC Report: Managing the I/O Explosion Without Extra Hardware

Top Ten Myths About Recovering Deleted Files

Online Master of Science in Information Systems at Northwestern University

ITwhitepapers.com - Access thousands of white papers on 300+ technical topics.

Leverage Your Cisco infrastructure for Superior Application Performance

Learn about the AMD Virtual Experience

"The Definitive Guide to Security Management" Chapter 1: Introduction to Security Management

Introducing: Project Icebreaker

Intel ProLiant -Double compute density to tackle bigger workloads with HP ProLiant servers. Learn more

Cervalis-S.S.A.E. 16 data centers keep critical IT applications running.

Jumpstart business transformation with VCE solutions for SAP

Check out Gartner Predicts 2013: Application Integration

Rugged and reliable Panasonic Toughbook® mobile computers.

New CIO Playbook helps you commit to SLAs with confidence.

Transform enterprise IT with ServiceNow. See how easy IT can be.

DEMO Velocity: Create branded interactive live events & training.

See how Royal Caribbean is unlocking intelligence w/ Windows Embedded.

Join the Peer-Driven Community For All Things Mobility

openBench Labs: How Diskeeper 12 Keeps the Latest Windows OS Running Like New

Redefine Mobility Mgmt at Enterprise Mobile Hub

Download Microsoft's latest Data Protection Management tool

Not All QSAs Are Created Equal: What You Should Know Before You Buy

The arrival of Serial Attached SCSI (SAS) marks a new era in storage scalability

The AMD Virtual Experience Virtual Trade Show

"The Definitive Guide to Security Management" Chapter 1: Introduction to Security Management

Resource Center

See your link here

Skip to top

About Us

Advertise

Contacts

Editorial Calendar

Subscribe to Computerworld Magazine

Help Desk

Newsletters

Careers at IDG

Privacy Policy

Reprints

Site Map

Ad Choices

The IDG Network:

CFOworld

CIO

CITEworld

Computerworld

CSO

DEMO

IDC

IDG

IDG Connect

IDG Knowledge Hub

IDG TechNetwork

IDG Ventures

InfoWorld

ITwhitepapers

ITworld

JavaWorld

LinuxWorld

Macworld

Network World

PC World

TechHive

Technology Briefcase

Copyright © 1994 - 2013 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.