When Salesforce is life!


Is SalesForce Quip Secure? What You Need to Know

Today’s guest post is delivered by Gilad David Maayan, a technology writer who has worked with over 150 technology companies including SAP, Samsung NEXT, NetApp and Imperva, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.


What Is SalesForce Quip? 

Quip is a solution that facilitates team collaboration. It combines spreadsheet and document creation and editing capabilities with comment and chat functions, allowing teams to communicate directly about projects and tasks as they work.

Quip allows you to collaboratively create and edit spreadsheets, documents, and lists in real time using a smart inbox interface. The inbox can filter and flag documents for faster searches. It saves all document revisions to let users track changes and annotate documents and spreadsheets. You can mark completed tasks on a checklist to notify all team members when a task is finished. 

Users can chat directly within the document instead of sending and receiving emails. You can message and comment on any content using the built-in one-to-one feature. You can also use @mentions to guide team members to specific spreadsheet cells or insert items into documents, including images or code. The team can leverage user-managed notifications to keep up-to-date with mentions and messages.

Quip offers native Android and iOS applications and runs on both mobile and desktop devices. Its offline capabilities allow users to work on documents when an Internet connection is unavailable, syncing the changes whenever a connection becomes available.

SalesForce acquired Quip in July 2016 for a total price of approximately $750 million.

Benefits of SalesForce Quip Integration

The main advantage of integrating SalesForce Quip is exporting real-time data from SalesForce to Quip. You can open SalesForce reports in a Quip spreadsheet with a single click. The data is always live, and Quip immediately reflects all changes. 

You can also quickly export a Quip document to an Excel, Word, CSV, or PDF format. Users can invite each other by sending a link to the document—they can continue editing the document after sharing using the browser or a dedicated app.

Quip improves interaction and collaboration between team members, helping them make well-informed decisions. It lets you better understand your data and receive real-time, actionable information. The regularly updated data helps you make the right decisions for your business.

Another benefit of this tool is the tracking feature for historical data—it allows you to view changes made over a specific period. If necessary, you can undo changes to restore an earlier version.

Is SalesForce Quip Secure?

Quip is SalesForce’s cloud document platform, obligating it to maintain a high degree of security. Security of document management tools like Quip is critical to ensure endpoint security for your employees’ corporate and personal devices. Below are some of the security capabilities Quip offers your organization.

Audits, Certifications and Compliance 

Quip has the following auditing and regulatory certifications: 

  • SOC 2 (Type 2 Certification)
  • EU-US Privacy Shield Framework
  • Swiss-US Privacy Shield Framework

All customer data stored in Quip falls under the annual EU-US and Swiss-US Privacy Shield certification awarded to SalesForce. The US Department of Commerce (DoC) administers these frameworks, which require independent SOC 2 audits of the SalesForce IT security environment; those audits extend to Quip.

The SalesForce executive for your organization’s account can provide the latest Service Organization Control 2 report. Quip is also GDPR-compliant, with its systems undergoing annual security audits by a leading, independent auditor.

Penetration Testing and Bug Bounties

Achieving robust application security requires testing by security professionals. Quip contracts with an external organization to conduct annual penetration tests on Quip services. The management team reviews the results and tracks the findings to resolution. Penetration tests are performed in a controlled environment without exposing customer data.

Apart from penetration testing, Quip offers a bug bounty to encourage developers to discover and disclose vulnerabilities to the company. It continuously triages submissions and tracks them to find resolutions.

Access Authentication

Quip restricts access to your production infrastructure based on the job function of authorized persons. Only a limited number of system admins and managers have privileged access to the system. 

Quip authenticates users to production according to modern security best practices that use Secure Shell (SSH) keys and require two-factor authentication (2FA). It restricts access to the public cloud management console to authorized users who need access to perform their job duties, also using 2FA.

Encryption

Quip encrypts all customer data stored in its services at rest and in transit. It uses Transport Layer Security (TLS) to encrypt data and protect its integrity and security during transmission between Quip services and the user’s browser. It securely stores and manages encryption keys in a cloud-based infrastructure. 

Identity and Access Management (IAM) roles can control access and support audits. Quip never stores encryption keys in the source code, and it rotates the keys according to industry standards. You can use the Enterprise Key Management feature for additional visibility and control—it lets you create and manage encryption keys for your Quip data in the AWS cloud. 

Incident Management

The management team provides documentation of all incident management procedures and policies to ensure the following:

  • Contributors identify potential security incidents and report them to the relevant team members for resolution.
  • Employees adhere to the defined protocols to resolve security incidents.
  • Quip documents all procedures for making changes and notifying external and internal users.
  • Quip triages and tracks incidents to enable their resolution on time.

Service Monitoring

The Quip infrastructure monitors the performance and availability of its services and notifies the engineering team if a service diverges from performance, reliability, or availability thresholds. On-call engineers can quickly address these issues. 

Quip’s service monitoring also covers security issues and uses the production access logs to identify anomalous activity. When Quip identifies anomalous behavior, it tracks the issue until it finds a solution. It logs all logins to each production system for monthly reviews—security staff investigates, records, and remediates suspicious and unexpected login attempts. 

Quip’s intrusion detection system (IDS) helps detect and record unusual behavior. Quip continuously monitors the system’s capacity for strategic, long-term planning.

Conclusion

In this article, I explained the basics of SalesForce Quip and covered the security measures put in place by SalesForce to protect your data:

  • Certifications and compliance – Quip complies with SOC 2 (Type 2), EU-US Privacy Shield Framework, and Swiss-US Privacy Shield Framework.
  • Access authentication – Quip supports SSH and 2-factor authentication.
  • Penetration testing – Quip performs annual penetration testing and has a bug bounty program to discover security weaknesses.
  • Encryption – Quip encrypts all data at rest and in transit and uses TLS for all communications.
  • Incident management – Quip has well documented incident management procedures, as required by compliance standards.
  • Service monitoring – Quip infrastructure is continuously monitored and anomalous events are immediately investigated.

I hope this will help you make an informed decision when adopting Quip for a security-conscious enterprise.

How to Secure Salesforce Workloads: Tips and Best Practices

Today’s guest post is delivered by Gilad David Maayan, a technology writer who has worked with over 150 technology companies including SAP, Samsung NEXT, NetApp and Imperva, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.


Salesforce provides security controls for your data, categorized according to organization, object, field, and record level. To properly secure your Salesforce workloads, you must first understand the Salesforce data security model, as explained in this article. You will also learn tips and best practices for data sharing, auditing, session configuration, and encryption.

Salesforce Data Security Model

Within Salesforce, you have full control over what information users can access. This extends to articles, records, and individual fields. Each security concern is categorized into a level, which enables you to control certain aspects of security.

Organization Level Security

Organization level security settings enable you to determine who has access to your Salesforce system, including from where and when.

At the organizational level, you can define:

  • IP restrictions—determine which IP addresses users can access data from.
  • Login access—determines the timeframes during which users can access data.
  • Password policies—determine the life cycle of passwords, required complexity levels, and reusability.

Object Level Security

Object level security settings enable you to guide how objects are handled, including creation, access, and modification.

At the object level, you can define:

  • Profiles—determine who is allowed to do what with objects, based on per-user create, read, edit, delete (CRED) settings.
  • Permission sets—extend the permissions granted by user profiles in a standardized way.

Field Level Security

Field level security settings enable you to restrict specific fields according to user profile. For example, you can determine who can see an employee’s compensation information. For those without permission, this information is hidden from view or access.

Record Level Security

Record level security settings enable you to determine how and by whom records are accessed or shared. 

At the record level, you can define:

  • Organization-wide sharing defaults—determine how freely records can be accessed when no profile permissions apply.
  • Role hierarchy—lets you grant tiered permissions, giving higher-level users, such as supervisors, access to all data of the users below them.
  • Sharing rules—determine what information you can share and with whom. You can use these rules to define lateral sharing or to allow access outside your organization.
  • Manual sharing—lets you grant limited sharing permissions on an individual record, for example when only one specific user needs access to it.

Salesforce Security Best Practices

When configuring or auditing your data security settings, there are several best practices you should apply. These practices can help you increase the overall security of your data and ensure that customer and employee privacy is protected.

Data Sharing

Data sharing policies often aren’t used exclusively for security purposes, but these policies can significantly impact security.

For example, you should carefully choose between hierarchical sharing and use of Public Groups. Keep in mind that hierarchical sharing provides a higher tier user access to all data of those below them. In contrast, Public Groups enable you to define sharing rules regardless of where users fall in a larger hierarchy. 

You should also take care with how you allow owner sharing. When records are shared manually by owners you have limited ability to track who has access. You can use the Developer Console to manually identify which records are shared but this is not practical on a larger scale. Additionally, when records swap owners, this information is lost. The lack of visibility this creates can be a liability if owners are sharing sensitive information without approval. 
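As an added illustration of the record-level model (org-wide defaults, role hierarchy, sharing rules, manual sharing) and of the manual-sharing visibility gap described above, here is a simplified Python model written for this page, not code from the original post or from Salesforce. It treats a user’s effective access to a record as the most permissive of those four grants, and the role names, users, groups and records are constructed sample data.

```python
# Added example: a simplified model of how Salesforce record-level access
# composes. Roles, users, groups and records below are constructed.
from dataclasses import dataclass, field

# Access levels ordered from least to most permissive.
LEVELS = {"Private": 0, "Read Only": 1, "Read/Write": 2}

@dataclass
class Org:
    owd: dict                 # object -> org-wide default level
    parent_role: dict         # role -> parent role (None at the top)
    grant_via_hierarchy: set  # objects with "Grant Access Using Hierarchies" on
    sharing_rules: list       # (object, owner_role, target_group, level)
    group_members: dict       # group -> set of user names
    manual_shares: list = field(default_factory=list)  # (record_id, user, level)

@dataclass
class Record:
    id: str
    obj: str
    owner: str
    owner_role: str

def is_above(org, role, other):
    """True when `role` is an ancestor of `other` in the role hierarchy."""
    r = org.parent_role.get(other)
    while r is not None:
        if r == role:
            return True
        r = org.parent_role.get(r)
    return False

def effective_access(org, rec, user, user_role):
    """Most permissive grant wins; the owner always has full access."""
    if rec.owner == user:
        return "Read/Write"  # owner's full access, collapsed to Read/Write here
    grants = [org.owd[rec.obj]]  # org-wide default is the floor
    if rec.obj in org.grant_via_hierarchy and is_above(org, user_role, rec.owner_role):
        grants.append("Read/Write")  # hierarchy: users above the owner get the owner's access
    for obj, owner_role, group, level in org.sharing_rules:
        if obj == rec.obj and owner_role == rec.owner_role \
                and user in org.group_members.get(group, set()):
            grants.append(level)
    for rid, u, level in org.manual_shares:
        if rid == rec.id and u == user:
            grants.append(level)
    return max(grants, key=LEVELS.__getitem__)

def manual_share_report(org, records):
    """List every manual grant and flag those exceeding the org-wide default,
    the grants an admin otherwise has little visibility into."""
    by_id = {r.id: r for r in records}
    return [(rid, u, lvl, LEVELS[lvl] > LEVELS[org.owd[by_id[rid].obj]])
            for rid, u, lvl in org.manual_shares if rid in by_id]

# Constructed sample org: private Accounts, read-only Contacts, one owner-based
# sharing rule to a public group, and one manual share on an Account.
ORG = Org(
    owd={"Account": "Private", "Contact": "Read Only"},
    parent_role={"CEO": None, "VP Sales": "CEO", "Sales Rep": "VP Sales",
                 "Support Rep": "CEO"},
    grant_via_hierarchy={"Account", "Contact"},
    sharing_rules=[("Account", "Sales Rep", "Support Team", "Read Only")],
    group_members={"Support Team": {"sam"}},
    manual_shares=[("001A", "pat", "Read/Write")],
)
RECORDS = [Record("001A", "Account", "alice", "Sales Rep"),
           Record("003B", "Contact", "alice", "Sales Rep")]
```

Running manual_share_report over an export of the share objects is the scalable version of the Developer Console check the text mentions: it surfaces manual grants that widen access beyond the org-wide default.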

Audit Regularly and Watch for Vulnerabilities

As with any system, you should make sure to regularly audit your configurations and settings. Audits can help you identify configurations that have been changed manually or automatically due to updates. They also help you identify users or roles that are no longer valid and should be removed. Auditing can also reveal inefficiencies in your current roles and groups and point to how these aspects can be streamlined or refined.

It is also a good idea to regularly check for Salesforce security vulnerabilities in a vulnerability database, and take action if necessary. There is also a standard SalesForce procedure that allows you to perform a full security assessment and penetration test of the SalesForce platform to ensure it meets your security requirements.

Session Settings

Session settings provide you control over individual user sessions, including verification and timeout settings. Verification settings enable you to specify whether or not multi-factor authentication is needed. This is activated via the “Raise session to high assurance” setting. This feature is available for a variety of data and services, including reports, dashboards, and connected applications. 

Timeout settings enable you to define for how long a session stays authenticated and for how long inactive sessions should persist. When setting this, you need to find a balance between convenience and security. You don’t want your users to have to log in every thirty minutes, but you also don’t want sessions active for hours after a user is done with the system for the day.

Shield Platform Encryption

Shield Platform Encryption is a natively integrated service that enables you to encrypt your data in transit or at rest. You can use it to extend the built-in encryption that comes with Salesforce by default.

With Shield Platform you can encrypt a range of data, including:

  • Fields—includes a range of standard and custom fields
  • Files—includes attachments, notes, PDFs, and images
  • Data elements—includes analytics, search indexes, Chatter feeds, and Change Data Capture information

Shield Platform Encryption works via keys managed either by you or Salesforce. If you use Salesforce managed keys, you can create keys based on a master secret and organization-defined key material. If you wish to manage your own keys, you can use the Cache-Only Key Service to fetch the key as needed. 

Apply the Principle of Least Privilege

When creating permissions, access controls, and roles, be sure to enforce the principle of least privilege. This principle specifies that only the minimum amount of access needed to do the job is provided. These limitations help reduce the damage that users can cause, accidentally or on purpose. They also limit the access available through compromised credentials.

Conclusion

Salesforce provides you with the majority of the features and tooling needed for basic security. The organization level enables you to configure access control, object level is for profiles and permissions, field level restricts access to fields, and record level enables you to create a record access hierarchy. 

Once you configure your security settings, you should set up sharing procedures, audit regularly, configure and monitor session restrictions, encrypt data, and apply the principle of least privilege.

Small Business Solutions for Protecting Against Cybercrime

This article was put together by Lindsey Weiss, who shares some suggestions for keeping an eye on security.

Lindsey enjoys marketing and promoting one’s brand. She believes that to move your market, you must know your market. She loves writing articles on helping people build buzz around their brand and boosting their online presence.


For small business owners, fraud and data breaches are a nightmare. Not only can those issues bring work to a standstill, but they can also mean lost consumer confidence and even the closure of a business. It’s crucial to guard against threats, and if you should fall victim to one, a fast response is the best chance for a sound recovery.

Are You in Their Bullseye?

Big businesses often make the news when they become victims of cybercrime. However, it’s important for small business owners to recognize their own vulnerability. Gone are the days when it was safe to fly under the radar of cyber scoundrels; in fact, they are catching the eyes of criminals more than ever. Some statistics indicate small businesses are being attacked more each year, with average losses ranging from $84,000 to $148,000. Most of those companies go under within six months of being attacked, and according to studies cited by IBM, for each stolen record, you can expect a loss of nearly $150. 

Take a Careful Inventory

When it comes to evaluating your company’s vulnerability, the easiest place to start is with a careful look at your hardware and software. Making solid choices means you have a wall of defense in every direction. Start with a thorough evaluation using a checklist. Data should be backed up to a remote location routinely, and all computers and devices should have antivirus software installed. If you aren’t using a firewall, that is another must-have.

Examine Your Equipment

Research whether the electronics you’re using are known for being secure, and if not, invest in better equipment. For instance, shimming is an unfortunate but growing trend that threatens many small businesses. Data protection ultimately protects your customer base since a breach means lost confidence on the part of consumers. Consider investing in a more secure payment system with features such as safeguards against fraud and real-time data security. 

Where Is Your Data?

If you haven’t already done so, now is a perfect time to start using the cloud. It protects your data by saving it offsite while also freeing up some of your overhead, thereby reducing the amount of time and money your company has to spend updating software and saving files to external drives. It also means your business can operate more freely. Instead of being tethered to the office, you and your staff can do more work on the fly. Better flexibility can mean increased productivity and a better bottom line. Think through what your particulars are, such as how many devices your business requires and how much storage you need, and check reviews to find the right cloud storage option for your situation. 

Add Encryption

If your company handles sensitive data, encryption is another must-have in your line of defense. Basically, encryption uses a cipher to turn your readable data into gobbledygook, keeping would-be criminals at bay. As Business News Daily points out, the law requires encryption if you handle sensitive data such as health records, credit card numbers, or Social Security numbers, but even if you don’t handle that kind of information, it’s a worthwhile layer of protection against cybercrime. In fact, some operating systems have built-in encryption options, and there are plenty of encryption software packages available.

Other Negative Influences

Once you shore up your hardware and software defenses, it’s time to examine the human element. As part of the equation where you have the least control, staying abreast of the people handling your data can be especially challenging for small business owners. Disgruntled or dishonest employees can worm their way into your confidence and your systems, leaving you vulnerable to fraud. With that in mind, make sure you’re hiring people based on their talents and integrity, and mesh your quality staff with top-notch bookkeeping software so you can keep your finger on the pulse of your accounts. 

A strong defense is your key to protecting your business against fraud and data breaches, so ensure your systems are well-protected with carefully thought out choices. When a cybercriminal has your company in his sights, you’ll be ready. 
