salesforce_security_impl_guide

Security Overview
CAPTCHA Security for Data Exports
To enhance network-based security, Salesforce includes the ability to restrict the hours during which users can log in and the range of
IP addresses from which they can log in. If IP address restrictions are defined for a user's profile and a login originates from an unknown
IP address, Salesforce does not allow the login. This helps to protect your data from unauthorized access and “phishing” attacks.
To set the organization-wide list of trusted IP addresses from which users can always log in without a login challenge, see Restricting
Login To Trusted IP Ranges for Your Organization on page 81. To restrict login hours by profile, or to restrict logins by IP addresses for
specific profiles, see Setting Login Restrictions on page 40.
CAPTCHA Security for Data Exports
By request, salesforce.com can also require users to pass a user verification test to export data from Salesforce. This simple, text-entry
test helps prevent malicious programs from accessing your organization’s data, as well as reducing the risk of automated attacks. CAPTCHA
is a type of network-based security. To pass the test, users must type two words displayed on an overlay into the overlay’s text box field,
and click a Submit button. Salesforce uses CAPTCHA technology provided by reCaptcha to verify that a person, as opposed to an
automated program, has correctly entered the text into the overlay. CAPTCHA stands for “Completely Automated Public Turing test to
tell Computers and Humans Apart.”
Session Security
After logging in, a user establishes a session with the platform. Use session security to limit exposure to your network when a user leaves
their computer unattended while still logged on. It also limits the risk of internal attacks, such as when one employee tries to use another
employee’s session.
You can control the session expiration time window for user logins. Session expiration allows you to select a timeout for user sessions.
The default session timeout is two hours of inactivity. When the session timeout is reached, users are prompted with a dialog that allows
them to log out or continue working. If they do not respond to this prompt, they are automatically logged out.
Note: When a user closes a browser window or tab they are not automatically logged off from their Salesforce session. Please
ensure that your users are aware of this, and that they end all sessions properly by clicking Your Name > Logout.
By default, Salesforce uses SSL (Secure Sockets Layer) and requires secure connections (HTTPS) for all communication. The Require
secure connections (HTTPS) setting determines whether SSL (HTTPS) is required for access to Salesforce, apart from
Force.com sites, which can still be accessed using HTTP. If you ask salesforce.com to disable this setting and change the URL from
https:// to http:// , you can still access the application. However, you should require all sessions to use SSL for added security.
See Setting Session Security on page 83.
You can restrict access to certain types of resources based on the level of security associated with the authentication (login) method for
the user’s current session. By default, each login method has one of two security levels: Standard or High Assurance. You can change
the session security level and define policies so specified resources are only available to users with a High Assurance level. For details,
see Session-level Security on page 85.
Securing Data Access
Choosing the data set that each user or group of users can see is one of the key decisions that affects
data security. You need to find a balance between limiting access to data, thereby limiting risk of
stolen or misused data, versus the convenience of data access for your users.
Note:
Who Sees What: Overview
Watch a demo on controlling access to and visibility of your data.
EDITIONS
The available data
management options vary
according to which
Salesforce Edition you have.
7