Org Security Fundamentals 1 July, 2020


Forward-Looking Statement

Statement under the Private Securities Litigation Reform Act of 1995:

This presentation contains forward-looking statements about the company’s financial and operating results, which may include expected GAAP and non-GAAP financial and other operating and non-operating results, including revenue, net income, diluted earnings per share, operating cash flow growth, operating margin improvement, expected revenue growth, expected current remaining performance obligation growth, expected tax rates, the one-time accounting non-cash charge that was incurred in connection with the Salesforce.org combination; stock-based compensation expenses, amortization of purchased intangibles, shares outstanding, market growth and sustainability goals. The achievement or success of the matters covered by such forward-looking statements involves risks, uncertainties and assumptions. If any such risks or uncertainties materialize or if any of the assumptions prove incorrect, the company’s results could differ materially from the results expressed or implied by the forward-looking statements we make.

The risks and uncertainties referred to above include -- but are not limited to -- risks associated with the effect of general economic and market conditions; the impact of geopolitical events; the impact of foreign currency exchange rate and interest rate fluctuations on our results; our business strategy and our plan to build our business, including our strategy to be the leading provider of enterprise cloud computing applications and platforms; the pace of change and innovation in enterprise cloud computing services; the seasonal nature of our sales cycles; the competitive nature of the market in which we participate; our international expansion strategy; the demands on our personnel and infrastructure resulting from significant growth in our customer base and operations, including as a result of acquisitions; our service performance and security, including the resources and costs required to avoid unanticipated downtime and prevent, detect and remediate potential security breaches; the expenses associated with new data centers and third-party infrastructure providers; additional data center capacity; real estate and office facilities space; our operating results and cash flows; new services and product features, including any efforts to expand our services beyond the CRM market; our strategy of acquiring or making investments in complementary businesses, joint ventures, services, technologies and intellectual property rights; the performance and fair value of our investments in complementary businesses through our strategic investment portfolio; our ability to realize the benefits from strategic partnerships, joint ventures and investments; the impact of future gains or losses from our strategic investment portfolio, including gains or losses from overall market conditions that may affect the publicly traded companies within the company's strategic investment portfolio; our ability to execute our business plans; our ability to successfully integrate acquired businesses and technologies, including delays related to the integration of Tableau due to regulatory review by the United Kingdom Competition and Markets Authority; our ability to continue to grow unearned revenue and remaining performance obligation; our ability to protect our intellectual property rights; our ability to develop our brands; our reliance on third-party hardware, software and platform providers; our dependency on the development and maintenance of the infrastructure of the Internet; the effect of evolving domestic and foreign government regulations, including those related to the provision of services on the Internet, those related to accessing the Internet, and those addressing data privacy, cross-border data transfers and import and export controls; the valuation of our deferred tax assets and the release of related valuation allowances; the potential availability of additional tax assets in the future; the impact of new accounting pronouncements and tax laws; uncertainties affecting our ability to estimate our tax rate; the impact of expensing stock options and other equity awards; the sufficiency of our capital resources; factors related to our outstanding debt, revolving credit facility, term loan and loan associated with 50 Fremont; compliance with our debt covenants and lease obligations; current and potential litigation involving us; and the impact of climate change.

Further information on these and other factors that could affect the company’s financial results is included in the reports on Forms 10-K, 10-Q and 8-K and in other filings it makes with the Securities and Exchange Commission from time to time. These documents are available on the SEC Filings section of the Investor Information section of the company’s website at www.salesforce.com/investor.

Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements, except as required by law.

Speakers

Director, Security Enablement, Salesforce

CISSP

Principal Success Guide, Salesforce

Paul Gilmore, Colin Cheevers

Today’s Agenda

● Salesforce security overview

● Org health at a glance

● Demo - Security Health Check

● Security best practices and controls

● Q&A

Security Overview

Security Partnership

Salesforce’s Responsibility

● Prepare customers for an evolving threat landscape

● Provide solutions that enable the customer to keep their data secure

● Educate customers on the need and options for enhanced security

Customer’s Responsibility

● Adopt the latest security controls and features available

● Continually monitor user behaviors and event logs

● Protect sensitive customer data in alignment with compliance standards

● Stay up to date with patching

Control access to your org and protect your data

Salesforce Application Services

Infrastructure Services

Network Services

Secure Data Centers

Backup and Disaster Recovery

HTTPS Encryption

Penetration Testing

Advanced Threat Detection

Secure Firewalls

Real-time replication

Third Party Certifications

IP Login Restrictions

Customer Audits

Salesforce Shield: Platform Encryption

Event Monitoring

Field Audit Trail

Application Services: Identity & Single Sign On

Two Factor Authentication

User Roles & Permissions

Password Policies

Field and Row Security

Control access to your org and protect your data: Salesforce Application Services

● IP Range Restrictions

● Multiple User Authentication options

● Organization Wide Defaults

● Sharing Rules

● Profiles and Permission Sets

● Objects and Field Level Security

● Field Audit Trail

● Setup Audit Trail

● Field-Level Security

● Event Monitoring and Data Encryption

Trusted Networks

Authentication

Field Level Security

Object Level Security (CRUD)

Audit Trail

Object History Tracking

Org Health at a Glance

Security Health Check

Measure your org’s security against Salesforce’s standard baseline

Easily identify at-risk security settings

Fix with one click for immediate results

Customize based on your company’s compliance/reporting needs

OrgMonitor

Quickly scans all Salesforce orgs

Consolidates findings into one view

Health Check for Multiple Orgs

Security Command Center

Security Command Center: Complement and extend existing products and features

Data Classification

Threat Detection

Event Monitoring

Commerce Cloud

Data Mask

Platform Encryption

Marketing Cloud

Key Management

Heroku

Quip

Pardot

Salesforce Optimizer

Identify Security Risks

Equip admins with actionable insights and personalized recommendations.

Understand Organization Usage

Identify what roles, profiles, and permission sets are being used and who has admin permissions.

Maximize User Adoption

See user login behavior and understand what fields, pages, and record types are not being used.

Demo: Health Check

Learn how to run Health Check and fix at-risk security settings in an org.

Security Best Practices and Controls

Provide an Added Layer of Security for User Accounts: Multi-Factor Authentication (MFA)

Something you know: Login credentials

Something you have: Salesforce Authenticator, TOTP Authenticator App, Security Key

Salesforce Authenticator

Salesforce Authenticator is a mobile app that can be used with MFA in your Salesforce org or tenant, driving a seamless user experience for your end users.

Salesforce Authenticator tells the user:

● What action needs to be approved

● Which user is requesting the action

● Which service the requested action is coming from

● What device the user is using

● From what location the user would approve or deny this request

With this information, the user can simply tap the "Approve" or "Deny" button to execute the decision, completing authentication quickly as part of their login process.

Fast, frictionless, free authentication

Provide an Added Layer of Security for User Accounts: Single Sign-On (SSO)

Restrict Login Access: By IP address or login hours

To further enhance access security, restrict the hours during which users can log in and the range of IP addresses from which they can log in and access Salesforce.

These restrictions help protect your data from unauthorized access and phishing attacks.

Users should have the least number of permissions necessary to do their job and nothing more.

Profile Best Practices

Use descriptive names and complete the Description field: This enables you to easily sort profiles in List Views and define a governance policy for creating profiles.

Create a governance policy for creating Profiles: Define policies for creating new user profiles to simplify maintenance and increase flexibility and scalability.

Use Custom Profiles instead of Standard Profiles: Make copies of standard profiles and customize the copies to fit your needs.

Set up Enhanced List Views for your Profiles: Create custom list views to organize and mass edit the profiles and permissions most important to you.

Create User Reports to identify unused Profiles: Report on the User object and group by Profile to see which Profiles have no active users and can be removed.

Limit the number of users with administrative rights: Only grant Modify All Data or View All Data permissions to users who need them.

Permission Set Best Practices

Align permission sets to business functions: Identify the job functions, tasks, and processes critical to your users and define permission sets appropriately.

Consolidate profiles to represent minimum required permissions: Remove high-risk permissions from profiles and add them back to users as necessary through permission sets.

Mass assign or unassign permission sets: Perform mass assignment via the sObject API by inserting or deleting PermissionSetAssignment records.

Reuse, reduce, and recycle: Adjust permission sets to match job function changes rather than creating new permission sets.

Grant temporary access to resources: Use permission sets when users need to fill in for another user or complete short-term projects.

Profiles and Permission Sets: Permission Set Groups

Field Level Security (FLS)

Field-level security settings control whether a user can see, edit, and delete the value for a particular field on an object.

● Grant access to an object but limit access to individual fields in that object.

● Protect sensitive fields without having to hide the object.

● Define field-level security for multiple fields on a single permission set or profile, or for a single field on all profiles.

Add Visibility to Your Data

Data Owner: Look-up to user or group

Field Usage: Current status of the field

Data Sensitivity Level: Level of sensitivity of the data typically housed in the field

Data classification

Add Visibility to Your Data - Event Monitoring: Monitoring and preventative controls

Monitor and take action on user activity: Know who is accessing data from where with daily and hourly event log files

Drive user adoption: Analyze user behavior to drive training and adoption of Salesforce

Optimize Performance: Proactively identify bottlenecks and high demand pages to improve user experience
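The login restrictions (IP ranges and login hours) described earlier and the event log files described here meet in routine review: an admin can replay the same rules over the daily Login event log to see which successful logins the restrictions would not have allowed. The following is an added example, not code from the deck or from Salesforce; the column names are assumed from the Login event log file type, and the log rows and trusted range are constructed.

```python
import csv
import io
import ipaddress
from datetime import datetime, timezone

# Constructed sample rows in the shape of a Login event log file.
# Column names are assumed from the Login event type; values are invented.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_NAME,SOURCE_IP,LOGIN_STATUS
Login,2020-07-01T09:15:22.000Z,alice@example.com,203.0.113.10,LOGIN_NO_ERROR
Login,2020-07-01T02:40:05.000Z,bob@example.com,203.0.113.25,LOGIN_NO_ERROR
Login,2020-07-01T10:02:51.000Z,carol@example.com,198.51.100.7,LOGIN_NO_ERROR
Login,2020-07-01T11:30:00.000Z,dave@example.com,203.0.113.40,LOGIN_ERROR_INVALID_PASSWORD
"""

# Constructed policy: the org's trusted corporate range and permitted login hours (UTC).
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
LOGIN_HOURS_UTC = (8, 18)  # start inclusive, end exclusive


def is_trusted_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RANGES)


def within_login_hours(timestamp):
    ts = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    start, end = LOGIN_HOURS_UTC
    return start <= ts.hour < end


def review_logins(log_text):
    """Return (user, reason) findings for successful logins that the IP-range
    or login-hours restriction would have blocked had it been enforced."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        # Only successful Login events matter here; failures never got a session.
        if row["EVENT_TYPE"] != "Login" or row["LOGIN_STATUS"] != "LOGIN_NO_ERROR":
            continue
        if not is_trusted_ip(row["SOURCE_IP"]):
            findings.append((row["USER_NAME"], "source IP outside trusted ranges"))
        if not within_login_hours(row["TIMESTAMP_DERIVED"]):
            findings.append((row["USER_NAME"], "login outside permitted hours"))
    return findings


if __name__ == "__main__":
    for user, reason in review_logins(SAMPLE_LOG):
        print(f"{user}: {reason}")
```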

Add Visibility to Your Data - Event Monitoring with Transaction Security

Salesforce Data Mask: Protect sensitive data when testing apps

Teams deliver secure apps fast on the Salesforce Platform: Sandboxes mirror production data, enabling teams to build and test faster

[Figure: application development lifecycle (Plan, Build, Code, Release, Test) in which a sample contact record (phone, email, ID number, purchase notes) is copied from Production into a Sandbox]

Production: Access to Production is controlled and regulated.

Sandbox: Access to Sandboxes is flexible. A broader set of employees and contractors may have access to sandboxes.

Sandboxes with un-masked sensitive data can be risky.

Introducing Salesforce Data Mask

Meet compliance needs: Protect your PI and PII data easily with a 100% native approach so that data never leaves the platform

Address data security: Empower everyone to build and customize without exposing protected data to leaks and breaches.

Develop and manage with agility: Leverage proprietary pre-processing for speed and to automate compliance

Increase productivity: Move fast, without breaking things, by leveraging a variety of obfuscation features

Protect sensitive data when testing apps

Masking Data in a Variety of Ways

Anonymization: Scrambles a field's contents into unreadable results, e.g. Blake becomes gB1ff95-$

Pseudonymization: Converts a field into readable values unrelated to the original, e.g. Kelsey becomes Amber

Pattern-Matching: Replaces data with user-specified patterns.

Deletion: Converts a field into an empty data set

Obfuscate data based on business needs and privacy laws
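The four masking styles above applied to a sandbox copy of the contact record from the earlier slide, as an added example written for this page; it is not Data Mask's own code and does not reproduce how the product implements these transforms. The record, the masking key and the pseudonym list are constructed, and the rule table is an assumption about which style suits each field.

```python
import hashlib
import hmac
import re

# Constructed sample record, modelled on the contact card shown on the slides.
SAMPLE_RECORD = {
    "Name": "Blake",
    "Phone": "309 373 0000",
    "Email": "blake@example.com",
    "IdNumber": "123 45 6789",
    "Notes": "Average of 3 purchases/month",
}

# Constructed secret known only to the masking job; rotating it changes every output.
MASK_KEY = b"constructed-sandbox-mask-key"
PSEUDONYMS = ["Amber", "Kelsey", "Jordan", "Riley", "Morgan", "Casey"]


def anonymize(value):
    """Scramble into an unreadable, keyed digest (one-way, so the original is not recoverable)."""
    return hmac.new(MASK_KEY, value.encode(), hashlib.sha256).hexdigest()[:12]


def pseudonymize(value):
    """Map to a readable name unrelated to the input; the same input always gets the
    same name, so records that referred to one person still agree after masking."""
    digest = hmac.new(MASK_KEY, value.encode(), hashlib.sha256).digest()
    return PSEUDONYMS[int.from_bytes(digest[:4], "big") % len(PSEUDONYMS)]


def pattern_replace(value, pattern, replacement):
    """Replace whatever matches a user-specified pattern, keeping the field's shape."""
    return re.sub(pattern, replacement, value)


def delete(_value):
    """Empty the field entirely."""
    return ""


# Assumed rule table: one masking style per sensitive field; unlisted fields are untouched.
MASK_RULES = {
    "Name": pseudonymize,
    "Email": anonymize,
    "Phone": lambda v: pattern_replace(v, r"\d{4}$", "XXXX"),
    "IdNumber": lambda v: pattern_replace(v, r"\d(?=.*\d{4}$)", "X"),  # keep last 4 digits
    "Notes": delete,
}


def mask_record(record):
    return {field: MASK_RULES.get(field, lambda v: v)(value) for field, value in record.items()}
```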

Q&A