Monday, October 13, 2008

Practicing Safe SaaS: Understanding the Identity Confirmation Feature

In yesterday’s blog, I advocated User Education as your best and, for all practical purposes, your only real defense against Phishing. This article is written to help system administrators understand the security options available in Salesforce.com. In particular, we're going to focus on the Identity Confirmation feature.

In November 2007, Salesforce.com implemented a new feature called Identity Confirmation. This feature basically restricts which computers can access your data in Salesforce.com. The idea is that if a scammer somehow gains access to one of your employees' usernames and passwords (through a phishing scam), they wouldn't be able to use that information from their own computer. The first time they tried to log in, Salesforce.com would detect that they were not logging in from a trusted network location and that their computer had not been authenticated.

Say again? In order to access your Salesforce.com instance, a computer must either reside on a “trusted” network, or the computer must have the security activation feature enabled.

What is a "Trusted" Network?

Click Setup -> Security Controls -> Network Access. The listing shows all IP Address Ranges that are considered “safe”. Any computer that tries to log in to your Salesforce.com instance from one of these IP Network Address ranges will not be challenged by the Identity Confirmation feature. In general, you’ll want to keep this list as narrow as possible. The most secure configuration would be an empty list -- delete EVERY IP Address range. That means that no IP Network is trusted, and every computer that accesses your instance of Salesforce.com must be individually authenticated. It’s more practical, however, to allow your corporate network, and perhaps those of your remote branch offices.

If you’re looking at the Network Access list for the first time, you might be surprised at the number of Trusted IP Ranges already in the list. I sure was! I had IP ranges in Belgium, Colombia, Ecuador, El Salvador, and the USA. Where did they all come from?

When the Identity Confirmation feature was enabled this past November, Salesforce.com initialized this trusted IP address list based on the login history of your users. If you have a lot of traveling sales folks, or corporate users accessing Salesforce.com from home, their login history made its way into this Network Access listing. Appropriately, Salesforce wanted to minimize the impact of the new Identity Confirmation feature on existing users, so it assumed that any location existing users had accessed the system from over the past several months was a trusted IP network.

Salesforce.com Administrators should review this list with their IT organization, identify which IP Address ranges are valid, and then gradually delete the rest. Before you delete any entries, take a screenshot or record all of the IP addresses. If you delete the wrong entries, you'll want to refer to that "backup" copy, so you can re-add the IP address range values correctly. Don’t delete the non-valid IP address ranges all at once, or you might be swamped with users seeing the unfamiliar identity confirmation login feature for the first time. Instead, gradually delete a few of the entries over time.

What Happens If a User Logs In from a Non-Trusted Network?

The first time a user tries to log in to Salesforce.com from outside the trusted network (perhaps they're on the road, logging in from a hotel, or logging in from their personal home computer), they will be prompted to "activate" (authenticate) that computer.

Click the "Send Activation Link" button, and Salesforce.com sends an Activation Email. The email contains a link, which can either be clicked, or copy/pasted into a web browser. That computer is now "activated" (authenticated), and will be able to log in successfully.

It's not bulletproof, especially if you're using web-based mail services, like Gmail, Lycos, Yahoo, etc. In recent US political campaign news, we've seen how easy it is for some runny-nosed punk to gain unauthorized access to someone's web service email account. If the Phishing Scammer does not also have access to your users' email account, the Identity Confirmation feature in SFDC is an effective safeguard on your corporate data.

What Other Security Measures Can I Take to Safeguard My Corporate Data?

1.) Enforce strong Password policies. Click Setup -> Security Controls -> Password Policies. For the most part, the default settings are pretty good. I changed the 90-day password expiration to a 60-day password expiration, to match our other system security profiles. I also set the lockout effective period to Forever -- users have to come knocking on my door (or ringing up my phone) if they locked themselves out with 10 failed password attempts.

2.) Enforce strong Session security. Click Setup --> Security Controls --> Session Settings.

- Set your session time-out value based on the sensitivity of your system data. If you have a lot of sensitive data (credit card numbers, user account / password information, etc.), select a shorter time-out period.
- Always lock sessions to the IP Address from which they originate. This will protect your user community from a more sophisticated type of hacking known as browser hijacking.
- Always require a secure connection (HTTPS).
- Disable caching and autocomplete on the login page. Most browsers can store usernames and passwords. After a user logs in once, the browser prompts if they would like to auto login on subsequent attempts. Very useful, if you forget your password a lot. Imagine one of your users absent-mindedly taking advantage of this feature -- while logging in from the Internet Cafe. Now anyone who accesses that same terminal can come along and log in to your Salesforce.com instance, without even knowing anyone's password! Disabling caching and autocomplete prevents this problem.
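The two controls described on this page, the emailed activation link for an unfamiliar computer and the session settings above (IP lock and inactivity time-out), fit together as one login policy. The model below is an added example written for this post; it is not Salesforce's implementation, and the trusted-network list, the one-day activation-link lifetime, the 15-minute time-out, the device identifier and the `Org` class are all assumptions made for the illustration. It shows why an activation token should be single-use and expiring, and how a session cookie presented from a different source address is refused and revoked.

```python
import hashlib
import ipaddress
import secrets

ACTIVATION_TTL = 24 * 60 * 60   # assumed: an activation link stays valid for one day
SESSION_TIMEOUT = 15 * 60       # assumed: 15-minute inactivity time-out


def token_digest(token):
    """Store only a hash of the emailed token, so a copy of the pending table cannot be replayed."""
    return hashlib.sha256(token.encode()).hexdigest()


class Org:
    """Hypothetical model of one Salesforce.com instance's login policy (not the real service)."""

    def __init__(self, trusted_networks):
        self.trusted = [ipaddress.ip_network(n) for n in trusted_networks]
        self.activated = set()   # (username, device_id) pairs that have used an activation link
        self.pending = {}        # token digest -> (username, device_id, expires_at)
        self.sessions = {}       # session id -> {"user", "ip", "last_seen"}
        self.outbox = []         # stand-in for the activation e-mails that were "sent"

    def on_trusted_network(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.trusted)

    def login(self, username, ip, device_id, now):
        """Password already verified by the caller. Returns ("session", sid) or ("activation_required", None)."""
        if self.on_trusted_network(ip) or (username, device_id) in self.activated:
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = {"user": username, "ip": ip, "last_seen": now}
            return ("session", sid)
        # Unfamiliar computer outside the trusted ranges: the "Send Activation Link" step.
        token = secrets.token_urlsafe(32)
        self.pending[token_digest(token)] = (username, device_id, now + ACTIVATION_TTL)
        self.outbox.append({"to": username, "token": token})
        return ("activation_required", None)

    def activate(self, token, now):
        """Consume a one-time activation token; True only for a known, unexpired token."""
        entry = self.pending.pop(token_digest(token), None)   # pop: the link works exactly once
        if entry is None:
            return False
        username, device_id, expires_at = entry
        if now > expires_at:
            return False
        self.activated.add((username, device_id))
        return True

    def use_session(self, sid, ip, now):
        """Validate a session cookie: same origin IP, not idle past the time-out. Any violation revokes it."""
        s = self.sessions.get(sid)
        if s is None:
            return False
        if s["ip"] != ip or now - s["last_seen"] > SESSION_TIMEOUT:
            del self.sessions[sid]
            return False
        s["last_seen"] = now
        return True


if __name__ == "__main__":
    org = Org(["203.0.113.0/24"])                     # constructed trusted corporate range
    kind, _ = org.login("alice", "100.64.7.9", "home-pc", now=0)
    print(kind)                                       # activation_required
    link = org.outbox[-1]["token"]
    print(org.activate(link, now=60), org.activate(link, now=61))   # True, then False: single use
    kind, sid = org.login("alice", "100.64.7.9", "home-pc", now=120)
    print(kind, org.use_session(sid, "198.51.100.5", now=130))      # session False: IP lock
```

The pieces the post's advice maps onto: `on_trusted_network` is the Network Access list, `activated` is the per-computer activation that survives future logins from untrusted addresses, and `use_session` is the "lock sessions to the IP Address" and time-out settings. A stolen password alone gets an attacker only as far as `activation_required`, which is the point made under "What Happens If a User Logs In from a Non-Trusted Network?".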


3.) Contact Salesforce.com and request a FREE security briefing. Salesforce will do a tailored approach, specific to your own instance of Salesforce.com, and the way in which you and your users work every day. Their security experts will review your implementation, and recommend a set of security measures to deploy. To get more information, contact security@salesforce.com.

There are many other options that you can implement, such as restricting login to certain IP ranges (for specific profiles), two-factor authentication (such as secure IT tokens), and third party solutions, like the Barracuda Spam Firewall. Taking advantage of the free security briefing from Salesforce.com will help you identify the best solution for your specific business need.
