Open Letter to Salesforce Nonprofit Admins

In the 20 months since I left Fight Colorectal Cancer, I would guess that I’ve logged in to no fewer than 150 nonprofit Salesforce organizations. First as part of my role supporting customers at Convio/Blackbaud, and now in my role at KELL Partners where I work with clients who contract with us for support or virtual administration services.

When trying to troubleshoot a problem, one of the first things I typically look at is how the organization has structured their security and sharing model. Profiles, roles, organization-wide defaults, sharing settings. I’m thrilled to say that I’ve logged in to many organizations where the System Administrator is truly that – someone who is responsible (and accountable) for the way Salesforce works for everyone else. Someone who protects the data and their configuration. Someone who knows where experimentation is okay and where they need to tread lightly. If that’s you, then thank you – this post isn’t for you. But please read on and comment on anything I’ve missed, okay?

For this post, I’m talking to the organization whose Manage Users looks something like this (yes, this is from a real org I won’t mention by name):

[Screenshot: the organization’s Manage Users list]

Read on and I’ll explain exactly why it’s a very bad idea, and I’ll give you some suggestions on what to do to protect your organization’s data and your sanity.

Apple, it’s time to move parental controls to the cloud

Allowed Content

We’re an Apple family, since way before it was cool. Right now, I have a 2.5 year old iMac that is still going strong, iPad 3 and iPhone 4S. Husband has an iPad 3 and iPhone 5. Teenager #1 has an iPad 3 and uses a hand-me-down iMac for writing/school work. Teenager #2 has her dad’s hand-me-down iPhone 4 and my hand-me-down 2009 MacBook.

I see many families like ours. So it’s surprising to me that thus far, Apple has done little to help families organize their iLives.

Salesforce IP checking is a royal PITA

A few months ago, Salesforce implemented a security feature that, while I agree with it on principle (and therefore don’t want to take steps to completely disable it), has been driving me crazy.

In short, when you log in to your Salesforce account, the system looks at your IP and recognizes whether or not you have logged in from that IP before or if your IP is already cleared by the system administrator. If it’s a new IP in your account, you have to click an activation link which sends an email to the account you’re trying to log in under. You click the link in the email which activates the IP and you’re good to log in and get work done.

Businesses that have static IPs (or even dynamic IPs that don’t move around that much) aren’t bothered by this. However, someone like me whose office usually consists of a laptop and any power outlet she can find is finding this security feature challenging to say the least.

Even when I’m home, Verizon is changing my IP at least 2-3x a day. It’s annoying to have to dance over to my email so often to authorize yet another IP address. Thankfully, that email arrives in fractions of a second after I click the link so I’m not delayed that much. Otherwise, I would just authorize entire IP blocks that Verizon DSL uses, which I’m not sure I want to do.

However, yesterday I found out what happens when I can’t get to my email: Not fun.

I did a little presentation/demo at the New York City Nonprofit Salesforce Usergroup. The meeting was hosted at Wells Fargo Insurance services in midtown Manhattan. When I attempted to log in to Salesforce, of course I got the “Activation Needed” box. Okay, so I fire up a browser window to check my email. Now that we are fully migrated to Google Apps, I no longer use a separate mail client. A window pops up that mail.google.com is blocked by the corporate firewall. The little note on the message says that all external email applications are blocked. Uh oh.

So what did we do so I could use my Salesforce account during the demo?

Another attendee (thanks again, Marc!) found that he could use my computer to log in to his webmail (SquirrelMail). I guess they let that one get away, likely since it was webmail.domain.com and not a known mail application. So I clicked the link to activate, retrieved the message on my Blackberry, forwarded to his email where he could open the message in a window on my computer and activate. Phew!

I completely agree with the extra security measure of making sure that the account holder is the person logging in to Salesforce. I agree with the notion that if there’s a doubt, notify the user via the email address on their account. But I wish Salesforce wouldn’t base this decision solely on IP/physical location. Guess what? That’s the point of Salesforce. We can log in from anywhere and move around. There has to be a better way of verifying that I’m me.

What about a software token (Mac compatible, of course) that one could install on a computer in a secure way that Salesforce could check for if it doesn’t recognize the IP address? That way, every time my computer is used to log on, Salesforce knows it’s me. I don’t know.