Salesforce Overview and Feature Matrix

Salesforce.com, inc. is a cloud-based software company headquartered in San Francisco, California. It provides customer relationship management (CRM) service and also sells a complementary suite of enterprise applications focused on customer service, marketing automation, analytics, and application development. Before Salesforce, Customer Relationship Management (CRM) solutions were hosted on a company’s own server. Can you imagine the cost and time it took for companies to have their own CRM solutions?  This lead to the building of an affordable CRM software and delivering it entirely online as a service. This was the main idea behind Salesforce. Started as a Software as a Service (SaaS) company, Salesforce has grown into the fifth-largest software company in the world.

- Prisma SaaS currently supports the Standard, Premier, and Sandbox versions.  This includes Classic and Lightning editions.

Prisma SaaS 

• Must log into the portal with Super Admin account or one that has the required permission to add cloud apps

Salesforce 

• The authentication step in the portal needs to be completed with a Salesforce Admin account that includes permissions listed below.  

• Within Salesforce under System
• API Enabled
• Manage Chatter Messages (required only if you use Chatter)
• Modify All Data (required to access the medadata API and used for exposure analysis)
• View All Data 
• Within Salesforce under Users:
• View All Users
• Manage Users (required only if you have not enabled User Sharing)

To ensure Prisma SaaS has the ability to scan all content, the IP addresses listed below need to be allowed in the related environment prior to connected the Salesforce cloud app.

NAM:                                  

52.8.93.28

52.8.40.56

54.219.134.168

54.67.77.65

54.219.180.40

52.8.13.242

52.8.4.101

54.193.156.0

52.53.91.120

52.8.46.33

54.153.2.91

54.183.179.36

EMEA:

35.156.155.74

35.156.123.1

35.156.199.255

35.156.182.65

35.156.187.73

35.156.212.138

APAC:

52.77.33.107

52.221.8.53

52.221.6.158

52.220.249.228

52.74.37.67

52.221.5.184

On Boarding Steps:

STEP 1.  

Configure the required permissions within Salesforce:

Under Setup, select Manage Users > Users.

Select the administrative user account and then click System Permissions.

Under System, enable the following permissions:

• API Enabled

• Manage Chatter Messages (required only if you use Chatter)

• Modify All Data

• View All Data

Under Users, enable the following permissions:

• View All Users

• Manage Users (required only if you have not enabled User Sharing)

STEP 2. 

From the Prisma SaaS Dashboard, click Add a Cloud App, and select Salesforce. 

Choose the type of Salesforce application:

• Connect to Salesforce Account - Adds your Salesforce production account to Prisma SaaS.
• Connect to Salesforce Sandbox - Adds your Salesforce Sandbox account to Prisma SaaS. Sandboxes are special Salesforce accounts that are maintained separately from your product account and are useful for development, testing, and training.

Log in to Salesforce using admin account with the appropriate permissions.  

After authentication, the new Salesforce app is added to the list of connected cloud apps.

• Optional; Adjust the maximum number of API calls allowed from Prisma SaaS to Salesforce.  By default, Prisma SaaS can send a maximum of 10,000 calls to Salesforce.

STEP 3.

• Start scanning Salesforce to begin ingesting data

• Select Settings > Cloud Apps and Scan Settings

• In the Cloud Apps row that corresponds to the Salesforce app you just added, select Actions > Starting Scanning

Prisma SaaS scans all assets in the associated Salesforce app and identifies incidents. Depending on the number of Salesforce users and assets, it may take some time for Prisma SaaS to complete the process.  However, you can monitor scan results on the Dashboard and begin to Assess Incidents. Monitoring the progress of the scan during the discovery phase allows you to Fine-Tune Policy to modify the match criteria and ensure better results.

Scan Operation

Salesforce Objects

Data in Salesforce is stored in a table-based database. The class of an object is a table and an object instance is a row in that table. 

There are two categories of objects:

• Salesforce specific objects
  These objects are populated by Salesforce and have a well known schema. Even though the user may add custom fields, a fixed set of fields is documented and can be used meaningfully.
  
  
• User custom objects
  These objects are entirely defined by the user. They might be defined manually or populated by an third party application based on Salesforce. 

Salesforce Files

Some Salesforce specific objects (Document, Attachment, ContentVersion, ChatterVersion) can have a file content attached to them.  The object will contain a link to the content that has to be downloaded separately.

Scanning Process

Depending on the type of the object and how much information is known about an object and its data, different levels of scanning can be achieve.

• Salesforce specific objects containing user data
  By having a fixed and document schema, these objects can be scanned with the deepest level of information. In addition to scanning the data they store, the knowledge of the fields and the relation between different objects is used to gather additional metadata. The scan detects policy violations and object exposures (thanks to the metadata).
  
  
• Salesforce specific objects containing metadata
  These objects are used in conjunction to the ones mentioned above. They usually provide additional information related to another object, but no user data. These objects are fetched first but not scanned directly. Their data will be used by the scanning process of an object of the first category.
  
  
• Custom objects
  These objects have to be scanned generically: the data they store cannot be used to infer any metadata information. The fields and the relationship between these objects are not documented nor guaranteed to be consistent. The scanning process will gather the data blindly and scan for policy violations.
  
  
• File Content
  When objects with file content are scanned, only the content of the fields is used during the first step. Afterward, another scanning process downloads and scans all the files for policy violations.

Rate Limiting 

Salesforce only allows a limited amount of API calls during a 24hr period of time (in thousands of calls). This means that the process must be optimized to reduce the number of API calls. In order to do that, objects are not fetched one by one but using bulk queries. These queries return a relatively large array of results (no more than ten thousands), that may not contain all the records requested. As the records are sorted by timestamps, a small sequence of iterative bulk queries is enough to return all the results.

In addition, the limit must not be reached in order to prevent Salesforce from sending a warning to the user. To tackle this problem, two counters per customer are used to keep track of the number of API calls and bulk queries. These counters are incremented and checked every time a query is done.