One of the most important factors in choosing a cloud-based ERP solution remains security. Companies are justified in their concerns about the security of their data and applications in the cloud. Rootstock Software is proud to be part of the Salesforce cloud ecosystem, whose secure and flexible platform allows our cloud-based ERP software for manufacturers to be seamlessly integrated with other Salesforce-based applications to provide a true, end-to-end enterprise solution. How secure is Salesforce? Let’s take a look.
The most important thing to remember is that security on Salesforce (and on any cloud platform) is really a partnership between you, the manufacturing enterprise, and Salesforce. Salesforce uses a multi-layered approach to protect critical data, and constantly monitors and improves its application, systems, and processes to meet the demands of security in the cloud. However, part of the responsibility for ensuring security in the cloud rests with you and your firm. While Salesforce’s security is designed to protect your data and applications, Salesforce also provides a wide array of tools and options that you can use to customize security to meet the needs of your organization.
How Salesforce Protects Your Data
Salesforce stores your critical data at secure, dedicated data centers, adheres to privacy policies designed to protect your data, and applies the latest technology to all of its security measures.
- Data center security – Salesforce adheres to stringent physical security measures, including but not restricted to 24-hour manned security, biometric scanning for access, dedicated concrete-walled Data Center rooms with computing equipment in access-controlled steel cages, video surveillance and environmental controls.
- Network security – Salesforce protects its network with multiple layers of external firewalls, internal firewalls that segregate traffic between the application and database tiers, intrusion detection sensors throughout the internal network that report events to a security event management system for logging, alerts, redundant internal networks, high bandwidth capacity, and secure transmission and sessions. Network security measures:
- Redundancy and Scalability – The Salesforce service is highly scalable and redundant, which allows for fluctuation in demand and expansion of users while greatly reducing the threat of long-term outages. They also feature load-balanced networks, pools of application servers, and clustered databases as part of their design.
- Connectivity – Users connect to the Salesforce environment via TLS cryptographic protocols, using global step-up certificates, which ensure that all users have a secure connection from their browsers to Salesforce’s service. Individual user sessions are identified and re-verified with each transaction using a unique token created at login.
- Disaster recovery – All customer data is replicated over secure, encrypted links to a disaster recovery data center, which lets Salesforce rapidly restore their service in the case of a catastrophic loss.
- Backups – Not only does Salesforce back up all data to tape at each data center on a rotating schedule of incremental and full backups, but the backups are also cloned over secure links to a secure tape archive, with tapes never transported off site and securely destroyed when retired.
- Security testing and threat assessments – Salesforce tests all code for security vulnerabilities before release and regularly scans its network and systems for vulnerabilities. Salesforce also regularly runs application vulnerability threat assessments, network vulnerability threat assessments, selected penetration testing and code review, and security control framework review and testing.
- Security monitoring – Salesforce has a dedicated security team that monitors notifications from different sources and alerts from internal systems to identify and manage threats.
- Contractual privacy protection – Salesforce’s contracts include confidentiality provisions that prohibit them from disclosing confidential customer information including customer data. Salesforce never accesses customer accounts and data, except to resolve maintenance, technical or service issues. Salesforce also adheres to a strict Code of Conduct, Confidentiality Agreements, and Information Security Policies.
- Default privacy and security features – In addition to the physical, network and connectivity security measures described above, hardware and software configurations are designed to provide secure, logical separations of customer data so that each customer views only its related information. Customer passwords are inaccessible to Salesforce personnel, and application logs record the creator, originating IP address, last updater and timestamps for every record and transaction completed. Last but not least, Salesforce uses multitenant security controls that include unique, non-predictable session tokens, configurable session timeout values, password policies, sharing rules, and user profiles.
We noted above that security is a partnership between Salesforce and its customers. In our next article, we’ll take a look at the role your firm plays in the security of your data and applications.