Update To Salesforce Security Setting - what you should know
Salesforce Security Update
Salesforce has recently provided additional security features that you should know about for two reasons:
• Their already excellent security just got better
• You might need to update the manner in which you login, especially if you are away from your office.
Here’s the scoop:
Salesforce already has a terrific security setup. In fact - it’s at least as secure as typical VPN (virtual private network) connection. That means that when you login to Salesforce, your information is encrypted, so that others can’t see or manipulate it. Still - anytime you are using a tool that exists outside of the physical location of your own desktop or server, you have a different set of security requirements to consider.
For instance - if you wish to login to Salesforce from a public place such as the library or the local coffee shop, and you are using a wireless connection - someone may try to “sniff” the wireless information that moves from your machine over the air. And - if you have an easy to guess password, or have shared it with others - that’s a risk, too. Salesforce isn’t alone in this regard - Hotmail, Google, eTapestry and any other software that is provided to you over the internet has the same exposure.
To strengthen their system, Salesforce is implementing an additional layer of security. They will analyze the internet address that you generally use to login to Salesforce (usually your office, or perhaps your house if you frequently work from home) and they’ll add that to a “safe” list in your Salesforce account. For many users - you won’t notice a change!
However, if you login from a new place - Salesforce will want to confirm your identity to make sure that it is really you. You’ll only have to do this once from each new location. When you try to login, you’ll see an error message which will include a “Send Activation” link. When you click on that, you’ll receive an email with a new link - and you can copy and paste that into your web browser and login as usual. Of course, this assumes that you can access your email remotely; if you can’t, you may want read about how to request a “security token” that you can take with you from the office, allowing you to log in remotely.
Salesforce has also made it easy for you to add to the list of safe places - this is especially handy for those who frequently work from home, or for any agency that has an internet address that changes regularly.
Finally - if your Salesforce account is automatically sending information to your website - you’ll need to address that, too. NPower Seattle can help in a pair of different ways - and we’ll make sure that your website and database continue to “talk” to each other. Remember - your website is really a Salesforce user, too!
There are a few additional technical details and lots of information available from Salesforce. Here’s a quick list:
- Note about new security feature
- Webinar about how to login
- Information for Salesforce Administrators (near the bottom of the page).
Josh Whiting wrote:
Being “at least as secure as typical VPN” is not good enough, especially for a company the size of Salesforce.com. A typical security level does not ensure the safety of the countless clients Salesforce has to be responsible for. Their size has made them a target to phishing attacks and this can only increase over time, if Salesforce was breached once, it’s likely to happen again. Somebody needs to take CRM security to the next level, whoever takes the first step in ending phishing attacks on CRM Software whether it is Salesforce, Salesboom.com or Netsuite would be the only company I would trust my personal, let alone my companies data with.
Posted on 29-Nov-07 at 8:18 am | Permalink
patricks wrote:
Josh,
I agree that ANY hosted solution should become more secure (and Salesforce just introduced additional security measures).
At the same time - I wonder if you’re asking the wrong people (A CRM vendor) to solve a ubiquitous challenge where all of the moving pieces don’t fall into their purview.
Do you expect Apple to solve all spam issues? Ebay to solve identity fraud? Google to address hijack mal-ware?
Many agencies successfully use hosted solutions and VPN’s without trouble - but those companies also use strong passwords, change them regularly, educate their users, update their software and take measures on their own rather than expecting a third party vendor to have all of the answers.
Posted on 29-Nov-07 at 7:12 pm | Permalink