BMC Remedyforce CMDB & Asset Management
3/22/2018 BMC Remedyforce CMDB & Asset Management Overview Virginia Leandro, Technical Product Manager July 11, 2017
2
Legal Notice

The information contained in this presentation is the confidential information of BMC Software, Inc. and is being provided to you with the express understanding that without the prior written consent of BMC, you may not discuss or otherwise disclose this information to any third party or otherwise make use of this information for any purpose other than for which BMC intended. All of the future product plans and releases described herein relate to BMC’s current product development considerations, which are at the sole discretion of BMC and are subject to change and/or cancellation at any time. BMC cannot and does not provide any assurance as to whether these plans will result in any future releases of the nature described. These future product plans should not be viewed as commitments on BMC’s part and thus should not be relied upon in customer purchase decisions.

No presentation is complete without our safe harbor statement. We may discuss future plans; however, all purchasing decisions should be made on what is generally available today.
3
Today’s Agenda
What is Asset Management?
Enhanced CMDB Approach
Capabilities
Q&A
4
What is IT Asset Management (ITAM)?
IT Asset Management (ITAM) entails collecting inventory, financial and contractual data to manage the IT asset through its lifecycle. ITAM depends on robust processes, with tools to automate manual processes. Capturing and integrating auto-discovery/inventory, financial and contractual data in a central repository for all IT assets enables the functions to effectively manage vendors and a software and hardware asset portfolio from requisition through retirement, thus monitoring the asset’s performance through its lifecycle. (Gartner IT Glossary, 2015)

What is IT Asset Management, also known as ITAM? Well, it’s a foundation of integration, process, and data. It’s the collection of inventory and financial and contractual data to manage assets through their lifecycle. ITAM relies on robust processes and tools to automate manual processes.
5
Enhanced CMDB and ITAM
(Slide diagram with two groups, ITAM and Enhanced CMDB, listing the following items.)
Lifecycle Management
Enhanced CMDB with Co-Existence of Assets with CIs
Data & Security Driven Views
Rules-Based Asset Classes
Expanded CMDB Explorer
Dashboard and Reports
Agentless Discovery and Client Management
New Configuration Options
Improved Searching
Improved Auditing
List View Customization
Normalization and Models
Standardization and New Fields
Expanded Navigational Capabilities

We’ve done a lot of work to enhance our CMDB as well as add the tools you need to manage your Assets. For CMDB we’ve improved searching and auditing. We introduced list view customization. Additionally, normalization and models help you ensure the integrity of your data. ITAM was introduced to help with asset lifecycle management. AM lives within the CMDB, giving you a common and familiar interface. We’ve also expanded the CMDB Explorer to incorporate your assets. And most importantly we’ve added a component to support Agentless Discovery and Client Management.
6
Enhanced CMDB
Data Driven Views: Based upon the user’s rights and configurable rules, users can see CIs and/or Assets.
Little to No Impact to Existing Customers: Asset Management is a configurable option which has no impact on existing integrations.
Automated Classification: With the new rules-based classes, administrators can classify any records as CIs and/or Assets.

The CMDB really consists of two items now, CIs and Assets, both of which live within the single Base Element object. With the introduction of Asset Management there was little to no impact on existing customers who may have already been using the CMDB. Additionally, we introduced new rules-based classes so that admins can classify any record as a CI or an Asset. The design allows customers to leverage CIs and/or assets depending on their maturity and requirements.
7
New Configuration Options
General CMDB Settings: Options to enable or disable CI and/or Asset Management and CI Management
Auditing: Intuitive screen to select which fields to audit (unlimited)
List View Customization: Custom list views for any class
Enhanced Class Management: Create CI, Asset and joint class types with rules-based classes

Additional configuration options were added to Remedyforce Administration so the administrator has one place to go to set up general CMDB settings, configure auditing (which is unlimited), and manage list view customization. We also introduced class management, allowing you to redefine existing classes as a CI, Asset or both, and allowing you to create custom classes.
8
Additional Configuration Options
Taking a closer look, in General CMDB Settings you have the option to enable or disable Asset Management and/or CI Management.
9
Additional Configuration Options
Auditing of your CI/Asset fields is now unlimited allowing you better insight into changes of the asset or CI over its life.
10
Additional Configuration Options
You now can customize the list view for any class. This means the list view for one class can be different from another class.
11
Additional Configuration Options
Under Enhanced Class Management you can now create CI, Asset, and Joint class types using rules-based classes.
12
Advanced CMDB Navigation – CI Tab
Dynamic Tab Filters: Authorized users can see CIs and/or Assets with the new Tabs. Customers without access to CIs or assets will not see these tabs as they would not be necessary.
Quickly See All Records: “All Records (Base Element)” has been added to the top of the list to quickly and intuitively see all records.
Change View: Now available by selecting the button to toggle between views or select from a dropdown.
New Instance Type List Field: The new Instance Type field differentiates between CI, Asset and “CI and Asset” records.

We augmented the CMDB UI to help you distinguish between CIs and Assets or, if you choose, to see all items within the CMDB.
13
Advanced CMDB Navigation – Asset Tab
You can easily switch from one view to another and you can quickly view all records.
14
Advanced CMDB Navigation – All Tab
We added an instance type field so that when you are viewing all records, you can easily distinguish each record’s type.
15
Advanced CMDB Search Filter
More Precise Search: Select any field(s) to define a more precise search.
Quick and Easy: Quickly create a one-time search or save your search, remembering your last search with an icon to identify if the search is active.
Flexible: Users can choose between the new advanced search or the global search.

The new CMDB Advanced Search filter allows for more precise searching as well as saving favorite queries for use later.
16
Locations
New Management Screen: A simplified screen to view and manage the locations is available under Administration.
Leverages Existing CI Class: For existing customers, it utilizes the existing CI class “Physical Location”.
New Field on Instance: Dropdown available on general tab to quickly view and assign a location with the option to drill in to view all location details.

Locations have always been a part of the CMDB, but we saw a need for a more simplified screen to view and manage locations. This leverages the existing CI class “Physical Location”.
17
Locations
And on the CIs and Assets we’ve added a new Location field which you can now set vs. having to set up a complicated relationship. This makes it even easier to see CIs and Assets per location when combined with the advanced search.
18
Enhanced Navigation
Navigate Between Objects: New objects and options to navigate to related information. The new navigations include:
Instance ↔ Location (screen shot)
Instance ↔ Model
Instance ↔ Primary Client
Instance ↔ Support By

We’ve enhanced navigation and provide new navigations such as Instance and Location, Instance and Model, Instance and Primary Client, and Instance and Support By.
19
Enhanced and Renamed CMDB Explorer
Renamed to CMDB Explorer: Formerly named “CI Explorer”, with the introduction of “assets”, authorized users have the option to see CIs and/or Assets.
Advanced Filters: To see assets and/or CIs.

We improved (and renamed) the CI Explorer to CMDB Explorer allowing you to see All items, just CIs, or just Assets.
20
Dynamic CI and Asset Screen
Dynamic: Based upon the user and selected view, asset specific fields (ex. Asset Status) and common fields will be visible.
Secure: Multiple levels of security across the CMDB including:
CI and Asset Management Options
User permissions for CIs and Assets (read-only, update and update & delete)
Profiles for Field Level Security

Depending on a user’s focus, you can dynamically control what they can see. For example, an Asset Manager most likely only wants to see asset records. With a simple user configuration, the Asset Manager will only see those records (i.e. assets) most relevant to them, but maybe the Service Desk agent needs to see all (i.e. CI and asset) records.
21
Dashboard and Reporting
Asset Management Metrics and Reports
Targeted for this release are:
Asset Count (option to filter, ex. by status, class, …)
Asset Status (option to filter, ex. by class, location, …)
Asset Aging (by timeframe)
Data Quality (missing data by class)
Warranty expiration (X days prior and expired)
Exceptions (trending)
Highest Number of Incidents by Model (option to define timeframe)
Assets associated with Sev 1 issues (incidents, business services)
22
Models
23
Models
What is it? Models are a new optional object used to create CIs and/or assets. Think of them as catalog items or templates to create CIs and assets.
Why do I care? Models drive consistency and reduce the time spent creating CIs and assets. If enabled, users can quickly select a model from a new lookup field to auto-populate a configurable set of fields at the instance level to ensure consistency.

Imagine users and numerous data feeds populating and updating your CMDB. Now imagine every source creating the same record a different way. Models and Normalization help drive data consistency which improves reporting and searching, ultimately improving confidence in the data and their Service Management program.
24
Models
(Slide diagram: Model, Instance; CI, Asset, CI and Asset.)
Optional: Customers can choose to use or not use models.
Standardize: Models are catalog items of what can become a CI or Asset.
Simplify: Users can search and select from within the CMDB to create a consistent record.
Control and Consistency: Control which model fields are inherited from the model to instance (ex. model name, manufacturer).
Instance Examples Today / Instance Examples Summer 15 with Models: Dell Latitude D800, Dell D800, Dell Latitude D800, Latitude D800, iPhone 6, Apple iPhone 6, Apple iPhone 6

Models allow you to standardize catalog items of what can become a CI or an Asset. They simplify and add consistency to creating a record. Additionally, the models can control which fields are inherited, such as model name and manufacturer, to name a few. An example of this would be to create a model for a Dell Latitude E You can then set standard properties such as the CMDB Class, whether the model is virtual or not, its primary capability, and its total physical memory.
25
Normalization
26
Normalization
What is it? Normalization is the process of organizing objects and attributes to minimize, and ideally avoid, redundancy.
Why do I care? Service Management can accept data from many sources and users. Data can be inconsistent and inaccurate. The normalization capabilities introduced in Summer 15 empower customers to define the rules for accepting and reviewing data. The new features provide a simple and intuitive way to handle exceptions and minimize inconsistent and inaccurate data.
“How consistent is your data (ex. CI Manufacturer, CI Model Name)?”

Normalization is the process of organizing objects and attributes to minimize redundancy. Normalization provides a simple and intuitive way to handle exceptions and minimize data disparity.
27
Normalization
The Simplified Continuous Process Improvement Flow (slide diagram steps):
Define Normalization Value(s)
Select Field(s) to Normalize
View Exceptions
Manage Exceptions
Enter and/or Import Data

Normalization is a continuous process of entering or importing data, viewing the exceptions and then managing those exceptions. A great example of Normalization is having multiple computers where one may be a Dell, the other is Dell, Inc. and yet another may be Dell Corporation. Normalization can be used to standardize all of these to simply Dell.
28
Normalization
Continuous Data Consistency Improvement: Configurable rules-based exceptions to increase consistency and reduce exceptions.
Intuitive and Flexible Design: Easily identify the fields and rules to normalize. Ex. Any new asset status values must be approved or mapped.
Manage by Exception: Only see those records which create exceptions based upon your rules.
29
Normalization – View Rules
30
Normalization – Define and Manage Rules
31
Normalization – View Exceptions
32
Normalization – Manage Exceptions
33
Normalization – Accept New Value or Map to Approved Value
34
Normalization – Map to Approved Value
35
Agentless Discovery and New Client Management Options
36
Agentless Discovery
What is it? Included in the Remedyforce base license (i.e. no additional cost for existing and new customers). Customers have the option to enable “Agentless Discovery” to quickly discover devices in their environment.
Simple and Powerful: From new administration screens, an Administrator can easily enable, configure and collect device data to populate their Remedyforce CMDB. Also included is a new admin screen with enhanced logging to track activity and assist with troubleshooting potential connectivity issues.
37
Agentless Discovery
Automatically delivers a wealth of device details including:
Device type
Key identifiers (ex. serial number)
Operating system
Hardware configuration
Installed software

No software is being imported into the CMDB. We can table that and have a follow-up discussion on how to manage software.
38
Remedyforce Agentless Discovery
How does it work?
Scan configurations are defined in Remedyforce to determine data and frequency.
At least one on-premise “scanner” is installed to perform the agentless scans.
The scanner passes the data to the “Discovery Server” hosted in the cloud by BMC.
Depending on your scanner configuration(s), you determine when and which classes to pass to the Remedyforce CMDB.

We offer options to host the Discovery server in EMEA (Amsterdam) or NA (Chicago) depending on the location of your Remedyforce org.
39
Remedyforce Client Management
What is it? Remedyforce Client Management goes beyond “discovery” to automate system administration and support functions that would otherwise be done manually.
Compelling value statements for our Remedyforce customers:
Empower Support Team to be proactive
Increase first call resolution rates
Reduce support call time
Automate and reduce support calls

Agentless Discovery (base): Device type, Operating system, Hardware configuration, Relationships, Installed software
Premium: Agent discovery, Remote management, Compliance management
Premium Plus: Premium Capabilities “plus” Patch Management, Deployment Management
40
Remedyforce Client Management
Maturity Based Model: Those who require more advanced discovery and client management capabilities can easily upgrade to two new options – Premium and Premium Plus.

Capabilities (table columns: Remedyforce Base; Remedyforce Client Management Premium; Premium Plus):
Inventory Management (Agentless Discovery) √
Inventory Management (Agent Discovery)
Remote Management
Compliance Management
Patch Management
Deployment Management
41
Agentless Discovery Setup – Easy and Intuitive
42
Agentless Discovery – Easy Setup
Setup steps: Enable Discovery, Request Discovery Server, Install Scanner(s), Configure Scanner(s), Configure Import

Step 1: Enable Discovery
Simply select “Enable Remedyforce Discovery” to start the setup, under Remedyforce Administration -> Configure CMDB 2.0 -> (“New”) Discovery Setup & Configuration.
43
Agentless Discovery – Easy Setup
Step 2a: Request Discovery Server
Step Up First Remote Site (manual or automated) to authorize an external connection (a Salesforce requirement), and Request Discovery Server to automate the assignment of a hosted server to collect the discovery data.
Note: The first remote site is required to access the provisioning server.
44
Agentless Discovery – Easy Setup
Step 2b: Request Discovery Server
Step Up Second Remote Site to authorize access to the discovery server. This screen will then refresh to allow you to see the license details and scanner links.
45
Agentless Discovery – Easy Setup
Step 3: Install Scanner(s)
Install scanner(s) depending on your network (note: most customers will only need to install one or a few scanners). Scanners can be installed on Windows and Linux platforms.
47
Agentless Discovery – Easy Setup
Step 4: Select and Configure Scanner(s)
Configure scanner(s) by defining what, how and when to scan (ex. platforms, credentials, IP ranges and schedule).
49
Agentless Discovery – Easy Setup
Step 5: Configure Import
Identify which classes to import and the frequency to perform the import to the Remedyforce CMDB.
50
CMDB Mobility for End Users and Agents
51
Expanded CMDB Mobility for End Users
Empowers End Users to:
See which CMDB records are assigned to them
View CMDB record details
Dynamically create a ticket from an assigned CMDB record
Note: Administrators can configure the order of self service options along with which CMDB fields appear in the list and detailed views.
52
Expanded CMDB Mobility for Agents
Empowers Agents to:
View related CMDB records from an incident
Link or unlink CMDB records to an incident
View CMDB record details and relationships
Edit CMDB records
Note: Administrators can configure which CMDB fields appear in the list and detail views.
53
Enhanced Request Management
54
Streamline Request and Fulfillment
New filter added to Service Request Definitions to identify available CIs and/or Assets.
Note: Also includes the ability to associate a model or models (introduced in Summer 15) to SRDs.
55
Streamline Request and Fulfillment
New menu option for approved Service Requests to perform a “Fulfillment”
56
Streamline Request and Fulfillment
Prompts Fulfiller with records based upon filter defined in SRD
57
Streamline Request and Fulfillment
Enables Fulfiller to assign and update record(s) (ex. Asset Status = Assigned). Selecting “Save” will update and link the associated CMDB records to the service request.
58
Salesforce Platform Encryption
59
Salesforce Platform Encryption
Salesforce Platform Encryption gives data a new layer of security while preserving critical platform functionality. It enables customers to encrypt sensitive data at rest, and not just when transmitted over a network, so companies can confidently comply with privacy policies, regulatory requirements, and contractual obligations for handling private data.

A few years ago, in response to customers needing an additional layer of security, Salesforce introduced a new product called Platform Encryption. Platform Encryption allows customers to selectively encrypt data at rest. Data at rest is data that is stored physically in any digital form. Customers who utilize or may be interested in Platform Encryption are usually in highly regulated industries such as Financial Services, Health & Life Sciences, Government, etc.
60
Features of Salesforce Platform Encryption
Strong encryption of data at rest
Preserve critical business functionality
Control the lifecycle of encryption keys

Customers can encrypt standard & custom fields (including Managed Package fields such as Remedyforce) as well as files and attachments. The encryption preserves key functionality such as Search, Lookups, validation rules, and Chatter. Platform Encryption offers flexible key management providing more control and ownership of data security.
61
Defense in Depth Strategy
Platform Encryption Facilitates:
Regulatory Compliance
Prevention of Unauthorized Access to Database
Contractual Obligations
PII & Data privacy

Does NOT replace:
Sharing Model
Object/Field Level Security
Data Residency Solution
Encryption for Non-Salesforce Data
Protection against Social Engineering

Platform encryption is an additional layer to the Salesforce Defense Strategy. It helps customers meet regulatory compliance, prevents unauthorized access to the database, and facilitates the securing of PII & Data Privacy. Platform Encryption is not intended to replace the sharing model, or object/field level security. Platform encryption is NOT data masking. Salesforce already provides an Encrypted field data type for customers who need data masking.
62
Salesforce Driving Principles
Salesforce needed to balance security demands with customers’ functional requirements so a set of principles drove their solution design and architecture:
Encrypt data at rest.
Natively integrate encryption at rest with key Salesforce features
Use strong encryption
Enable customers to drive key lifecycle
Protect keys from unauthorized access
Encrypt as little as possible

Salesforce has a number of driving principles that they laid out as they were designing Platform Encryption. The most important one for you to be aware of is that customers should not take an “encrypt everything” approach. That is not possible with the product today and Salesforce doesn’t have plans to ever support that thinking. Salesforce’s take is to encrypt as little as possible. Customers should only encrypt what is absolutely necessary.
63
Delivery
Salesforce Platform Encryption (PE) is an additional cost to customers. They must purchase Salesforce Platform Encryption. They can reach out to their Remedyforce Business Relationship Manager or Account Manager for pricing information. Once the customer purchases PE, and depending on their needs, we’ve equipped Remedyforce Summer 17 with an Encryption Library. The Encryption Library allows us to support Platform Encryption and the encryption of managed package fields or critical Salesforce out of the box fields, such as the Account Name, that customers may encrypt.
64
Salesforce Platform Encryption – What can be Encrypted?
65
Salesforce Platform Encryption – What can be encrypted?
Files and Attachments
Account: Account Name, Phone, Fax, Website, Description
Contact: Name, Mailing Address (only Mailing Street and Mailing City), Mobile, Home Phone, Other Phone
Case: Subject
Case Comment: Body

Platform Encryption can encrypt all Files and Attachments as well as certain fields of the Account, Contact, Case and Case Comment objects.
66
What can be encrypted?
Custom Fields (Data Types)**: Phone, Text, Text Area, Text Area (Long), URL, Date, Date/Time
** Remedyforce falls into this bucket

What we’re really interested in is if Platform Encryption is enabled, how does that affect Remedyforce? Well, in addition to Platform Encryption, customers can request that managed package fields be eligible for encryption. Note this is not enabled by default and customers will need to submit a case to support to request the feature be enabled. Once enabled, managed package fields of the listed data types can be encrypted. But would you want to? As we built out the Remedyforce solution to support Platform Encryption, we realized we needed to separate Data from Metadata. We’ll talk about that more in a bit.
67
What else?
Encrypt fields belonging to a managed package (Must request Salesforce to enable after the customer purchases PE)
Use encrypted fields in formula fields (This has a very narrow scope)
Beta: Access encrypted data in Flows (Must request Salesforce to enable)
Beta: Access encrypted data with Flows and Process Builder (Must request Salesforce to enable)
Once encryption is enabled it only applies to new or updated records! So for existing records, customers can submit a request to Salesforce asking for a Mass Encryption action. The same goes if a field is encrypted and the customer later decides to remove the encryption: they will need to have a case submitted to Salesforce to run the Mass Encryption action to decrypt.

So just a few more notes around Platform Encryption. In order to encrypt fields that belong to a managed package, a request must be submitted to Salesforce to enable. Encrypted fields can be used in formula fields; however, this has a very narrow scope that we’ll cover a bit later. There are two Betas going on utilizing encrypted data in Flows and Process Builder. In both cases, a request has to be made to Salesforce to have these enabled. Finally, once Platform Encryption is enabled and customers have marked their fields for encryption, they can submit a request to Salesforce to have a Mass Encryption action carried out on their org. This will go through and encrypt all data that currently exists in the customer’s system.
68
Implementation Checklist and Best Practices
69
Planning
- Read Salesforce documentation
- Identify specific fields to encrypt (Excel works well to track information)
- Compare the fields to what is supported - Analysis
- Purchase Salesforce Platform Encryption from Salesforce
- Contact Remedyforce to submit a case to Salesforce to enable Managed Package Encryption (assuming they want to encrypt RF fields)
- Configure a Sandbox for Testing

Implementation – Sandbox
- Create a Permission Set for “Manage Encryption Keys” permission and assign to the Security Officer.
- Security officer generates Tenant Secret or uploads CA Signed Secret/Key
- Enable Remedyforce to Support Platform Encryption
- Encrypt fields identified during planning phase
- Run Remedyforce Encryption Report. Review and take action if necessary.
- Contact Remedyforce to submit a case to Salesforce to perform a Mass Encryption action on the Org.
- Test
- Revise list of fields to be encrypted based on testing and discovery

Implementation – Production
- Notify all Salesforce users of the plan to enable Encryption
- Create a Permission Set for “Manage Encryption Keys” permission and assign to your Security Officer.
- Security officer generates Tenant Secret or provides CA Signed Secret/Key
- Encrypt fields identified and documented during Sandbox testing phase
- Run Remedyforce Encryption Report. Review and take action if necessary

Monitoring
- Monitor and manage your Encryption Keys
- Monitor for fields you may want to encrypt later
- Put a Plan and Process in place to make sure Keys are backed up and stored safely.

We’ve helped a couple of customers implement encryption and this is a living plan that we can make available. Encryption requires careful planning and testing. Our recommendation is to first plan out your encryption strategy, which includes purchasing Salesforce Encryption and having it enabled to encrypt managed package fields. You’ll want to identify all the fields you want to encrypt and cross-reference them against the documentation.

Once you are ready, implement and test in a Sandbox. This includes things like testing reports, quickviews, list views, and usage on the form to ensure there are no issues. Once you’ve tested everything in Sandbox and updated your documentation, you can then implement within Production. Finally, you’ll want to monitor for fields that could be added later that may fall under your encryption guidelines. If you opt to manage your keys, you’ll want to make sure you have your Key Monitor program worked out and fully tested. Regardless of whether you have Salesforce generate the tenant secret for you or you bring your own, you are responsible for the backup and safekeeping of your keys. Losing a key or accidentally having it deleted can cause serious problems, as Salesforce will not be able to restore any key information.
70
Checklist
- Project Plan: Determine and document specifically which fields they want to encrypt.
- Customer purchases Salesforce Platform Encryption.
- Submit a case to Remedyforce Support to enable encryption of fields that are part of a managed package (required if customer has identified Remedyforce fields to encrypt)
- Create a Permission Set, turn on the “Manage Encryption Keys” permission, and assign it to the one or two people who are responsible for securing Salesforce. Ideally this should not be the Admin but the Security Officer.
- Security Controls | Platform Encryption: either Generate Tenant Secret or Upload Tenant Secret
- Enable Fields and Attachments (if part of plan)
- Enable encryption on identified fields
- Enable Remedyforce support for Encryption
- Run Encryption Impact Report, evaluate the results, and take corrective measures if necessary
- Submit case to Remedyforce Support for Mass Encryption action. Once encryption is enabled for a field, only new or updated data going forward is encrypted. By submitting a request to support to have the Mass Encryption action run, Salesforce runs scripts that encrypt the data for you.
- Key Management Plan and Process
71
Best Practices
- Define threat model for your organization
- Encrypt only where necessary
- Create a strategy for backing up and archiving keys and data
- Understand that encryption applies to all users, regardless of permissions
- Read the Shield Platform Encryption considerations and understand their implications on your organization
- Analyze and test AppExchange apps before deploying them (this can impact other 3rd-party apps)
- Platform Encryption is not a user authentication or authorization tool
- Grant the “Manage Encryption Keys” user permission to authorized users only
- Mass-encrypt your existing data
- Don’t use Currency and Number fields for sensitive data
- Communicate to your users about the impact of encryption
- Encrypt your data using the most current key and have a backup strategy for your key
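The planning step "compare the fields to what is supported" can be scripted against the tracking sheet. The following is an added example, not BMC or Salesforce code: the CSV columns, the `acmepkg` namespace and the function names are assumptions, and the supported-type list is only the set of data types named in this presentation.

```python
import csv
import io
import re

# Custom-field data types this presentation lists as encryptable.
SUPPORTED = {"Phone", "Text", "Text Area", "Text Area (Long)", "URL", "Date", "Date/Time"}
# Types the best-practices slide says not to use for sensitive data.
AVOID_FOR_SENSITIVE = {"Currency", "Number"}
# Salesforce convention: managed-package custom fields carry a namespace prefix (ns__Field__c).
NAMESPACED = re.compile(r"^[A-Za-z0-9]+__\w+__c$")

# Constructed planning sheet. "acmepkg" is a placeholder namespace, not a real package.
SAMPLE_SHEET = """object,field,data_type,sensitive
Incident,acmepkg__Caller_Phone__c,Phone,yes
Incident,acmepkg__Notes__c,Text Area (Long),yes
Asset,Purchase_Cost__c,Currency,yes
Asset,Warranty_End__c,Date,no
Asset,acmepkg__Seat_Count__c,Number,yes
Contact,Badge_Ref__c,Text,yes
"""

def triage(sheet_text):
    """Return {field: (decision, notes)} for every row of the planning sheet."""
    result = {}
    for row in csv.DictReader(io.StringIO(sheet_text)):
        field, dtype = row["field"], row["data_type"].strip()
        notes = []
        if row["sensitive"].strip().lower() != "yes":
            decision = "skip"  # encrypt only where necessary
        elif dtype in SUPPORTED:
            decision = "encrypt"
            if NAMESPACED.match(field):
                notes.append("managed package field: enablement case required")
        else:
            decision = "not-encryptable"
            if dtype in AVOID_FOR_SENSITIVE:
                notes.append("move sensitive data out of Currency/Number fields")
        result[field] = (decision, notes)
    return result

def needs_managed_package_case(result):
    """True when any field marked for encryption belongs to a managed package."""
    return any(d == "encrypt" and n for d, n in result.values())

if __name__ == "__main__":
    for field, (decision, notes) in triage(SAMPLE_SHEET).items():
        print(f"{field:28} {decision:16} {'; '.join(notes)}")
```

Fields that come back as `not-encryptable` are the ones to revisit during Sandbox testing, before the Mass Encryption case is submitted.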
72
Resources
73
Resources
- Salesforce Shield Platform Encryption Architecture
- Salesforce Security Guide
- Salesforce Shield Platform Encryption Implementation Guide
- Salesforce Shield Platform Encryption Online Help
74