Multi-tenancy is now an established model, and a highly effective one, in many cloud-based applications. Salesforce is no exception. In fact, the Force.com platform champions the cause of multi-tenancy.
Multi-tenant solutions allow one instance of the application to handle the needs of multiple clients, or tenants, who would otherwise each need a separate instance. Salesforce’s model of multi-tenancy offers everyone the same version of the application, with data stored in a shared database. Clients seeking to customize their application create and configure new metadata for new screens, database fields or desired behavior.
In such a set-up, the software vendor has to worry about only one version of the software, sparing them the hassles of supporting multiple versions of the software for different software and hardware configurations. Improvements made to the system become available to all clients at the same time, with clients having the choice to turn new features on or opt out.
However, such a set-up raises grave security concerns. When the data is stored in the same database, there is a real possibility of a bug or malfunction exposing one tenant’s data to another tenant. Worse, vulnerabilities could give unauthorized third parties, ranging from rogue insiders to malicious hackers, access to sensitive data.
Here are the ways Salesforce enforces security to ensure each client has access only to its own information, and in the process upholds the trust hundreds of clients place in the Force.com platform.
Conjuring up Robust Architecture
The extent to which system bugs create vulnerability, which leaves the door ajar for malicious intruders, depends on the architecture of the platform.
Reliable multi-tenant systems operate with much higher security standards compared to standalone systems. It goes without saying that Salesforce has a reputation for always offering a stable and rigorous architecture. Salesforce embeds security into the platform at all stages of the development and even post-development lifecycle.
The Force.com platform adopts detailed internal policies covering detection of security threats, response mechanisms, and forensics. It deploys several layers of defense to resist different types of threats. It offers SAS 70 Type II, SysTrust, and ISO 27001 certifications, all without sacrificing application performance.
At the design phase, the system mandates a comprehensive threat assessment exercise to identify potential security issues early in the development lifecycle.
At the coding stage, Salesforce lays down policies to use secure coding patterns, and leverages static code analysis tools to identify security flaws.
Salesforce opts for comprehensive testing, involving both internal staff and third-party external consultants. The tests use scanners, proprietary tools, and manual processes.
Enforcing Strict Security Protocols and Access Control
Sound security requires backing up robust system architecture with strong security policies. Salesforce is up for the task, deploying strong network security protocols and access control mechanisms, to ensure a client’s data in the multi-tenanted environment is as safe as it gets.
The Force.com platform secures its network on many different fronts. Some of the security policies enforced include:
- Stateful packet inspection (SPI) firewalls, which inspect all network packets and prevent unauthorized connections.
- Bastion hosts, which serve as hardened barriers between the perimeter and core firewalls, and are capable of withstanding even major attacks.
- Two-factor authentication, to verify the identity behind access requests.
- Strong encryption, using end-to-end TLS/SSL cryptographic protocols, to prevent data theft during transmissions.
- Use of the MD5 one-way cryptographic hash function to protect customer passwords in the database layer.
- Encryption of field data in custom fields in the database layer.
Salesforce adopts industry-accepted best practices to strengthen the underlying host computers supporting the various software layers of the Force.com cloud platform. A case in point is the well-established policy of host systems using Solaris or Linux distributions, with non-default software configurations.
Another key highlight is Force.com’s innovative metadata-driven, multi-tenant database architecture, which strengthens security, while delivering operational and cost efficiencies simultaneously.
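An added illustration of the shared-database, metadata-driven model described above (not Salesforce's implementation and not code from the original article; the table names, the `TenantSession` class and the tenant names are hypothetical). Every tenant's rows sit in the same tables, customization is stored as per-tenant metadata, and every query is scoped to the tenant bound to the session:

```python
import json
import sqlite3

def make_db():
    """Shared in-memory database: all tenants' rows live in the same tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE field_defs (tenant_id TEXT, object_name TEXT, field_name TEXT,
                                 PRIMARY KEY (tenant_id, object_name, field_name));
        CREATE TABLE records (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL,
                              object_name TEXT NOT NULL, data TEXT NOT NULL);
    """)
    return db

class TenantSession:
    """Data access bound to one tenant; the id is fixed at login, never per request."""

    def __init__(self, db, tenant_id):
        self._db, self._tenant = db, tenant_id

    def define_field(self, object_name, field_name):
        # Customization is metadata: a row in field_defs, not a schema change.
        self._db.execute("INSERT INTO field_defs VALUES (?, ?, ?)",
                         (self._tenant, object_name, field_name))

    def _fields(self, object_name):
        rows = self._db.execute(
            "SELECT field_name FROM field_defs WHERE tenant_id = ? AND object_name = ?",
            (self._tenant, object_name))
        return {r[0] for r in rows}

    def insert(self, object_name, values):
        # Only fields defined in this tenant's own metadata are accepted.
        unknown = set(values) - self._fields(object_name)
        if unknown:
            raise ValueError(f"undefined fields for this tenant: {sorted(unknown)}")
        cur = self._db.execute(
            "INSERT INTO records (tenant_id, object_name, data) VALUES (?, ?, ?)",
            (self._tenant, object_name, json.dumps(values)))
        return cur.lastrowid

    def get(self, record_id):
        # The tenant predicate is part of every read: a guessed id from another
        # tenant matches no row.
        row = self._db.execute(
            "SELECT data FROM records WHERE id = ? AND tenant_id = ?",
            (record_id, self._tenant)).fetchone()
        return json.loads(row[0]) if row else None
```

The bug class the article warns about is a query that omits the `tenant_id` predicate; keeping that predicate inside one access layer, rather than in each caller, is what makes it reviewable.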
Monitoring on a Proactive Basis
Salesforce.com employs several highly sophisticated security tools to monitor platform activity, including application database activity, in real time. Such tools flag almost all types of threats and potential malicious events. Smart event management tools correlate user actions and event data, and flag potential internal and external threats, in real time. While real-time monitoring helps counter threats as they emerge, Salesforce goes further and tries to prevent threats from developing in the first place.
Today’s highly fluid business environment is marked by a fragmented ecosystem of many alliances, where subtle changes in the technology stack can happen outside of anyone’s knowledge or control. Such changes can compromise the systems running on it. Ensuring that a system, once secured, remains secure requires periodic assessments and proactive interventions.
Salesforce.com conducts regular internal and external vulnerability assessments. In-house security experts conduct periodic reviews of the system architecture, to identify weak spots on a proactive basis. Similarly, managed security services providers (MSSPs) conduct external vulnerability assessments to nip any possible threats in the bud.
Enforcing Physical Security
Security is a composite activity. The best of protection at the software and hardware level can easily be compromised by a rogue insider who has official access to the facilities hosting the infrastructure.
Salesforce.com is wise to such eventualities, and ensures all its facilities have strict access control policies. The company also heavily regulates and monitors all the work operators can perform inside any facility.
Every employee and contractor goes through a thorough background check before being granted access to a facility. Multiple biometric scans and human guards enforce a strict access control policy at the physical level. Once inside, the employee is tied to secure workstations, which limit the scope or extent of work to what is required, on the principle of least privilege. For instance, the workstations prevent cut and paste, public IM, and data copying tasks.
Salesforce factors in all possibilities, even situations considered implausible in the normal scheme of things. A case in point is the exterior perimeter of each premises being made bullet resistant, in addition to the normal practice of deploying closed-circuit television coverage, alarm systems, and manned guard stations.
Factoring in the Human Element
Research firm Gartner estimates that about 60% of virtualized servers are less secure than the physical servers they replace. A plausible scenario is one machine of a multi-tenancy application hosted on virtualized infrastructure monitoring its neighbors by burrowing into the underlying infrastructure and bypassing the security at the software layer.
Any security is only as strong as its weakest link, and in many cases poorly trained or unskilled employees are the weak link. They make mistakes or fail to make the right interventions at the right time, and end up compromising the best of policies or the most robust of systems.
Salesforce not only deploys highly mature tools and processes, but ensures technicians, consultants, and all other stakeholders involved in the process receive extensive training on a regular basis. Still better, it ensures training is specific to the roles handled by the employees.
Salesforce has placed its reputation on the line and leveraged its extensive experience and resources to ensure its multi-tenant infrastructure is as secure as possible. The net result is the Force.com multi-tenanted platform being as safe as it will ever get, and unlocking a world of benefits for its users.