Ian Glazer and Laura Pelkey on the Salesforce Admins Podcast.

Security Breaches and MFA with Ian Glazer and Laura Pelkey

On today’s episode of the Salesforce Admins Podcast, we’re bringing on Ian Glazer, SVP Identity Product Management, and Laura Pelkey, Sr. Manager, Security Customer Engagement at Salesforce. We talk all things multi-factor authentication (MFA) and have a really honest conversation about implementing it and the benefits.

You should subscribe for the full episode, but here are a few takeaways from our conversation with Ian Glazer and Laura Pelkey.

Ian knows security

Ian is a new voice on the pod, though he’s been with Salesforce for eight years. At Salesforce, he works on everything related to Identity Services, which encompasses everything from single sign-on to the next generation of identity services to MFA. Before Salesforce, he spent many years in the identity industry and is the co-founder and a board member of IDPro, the professional organization for digital identity management.

Laura, a pod regular you may recognize from Salesforce Live, has been on the security team for five years and in the security industry for ten. She also was a Salesforce Admin at the beginning of her career, “…so I definitely empathize with all of our admins listening and the challenges that they face securing their Salesforce instance.”

MFA has been a hotly-discussed topic in the admin community recently, so this is the perfect pair of people to talk to about all the reasons to make the switch sooner rather than later. “It’s one of the most effective things you can do to increase protection against different kinds of threats, like phishing attacks — common things people face every day that affect businesses everywhere,” Laura says.

The benefits outweigh the risk

“A lot of this stems from a basic and commonly-shared awareness that passwords are horrible,” Ian says, “because we’re busy people, there tends to be reuse of passwords and that’s known by the attackers.” This fact makes it relatively easy for someone trying to get access to your org to find the credentials they need from a breach somewhere else. It’s like they’ve found a key and now they’re trying it on every lock they can find. “The beauty of multi-factor authentication is it adds something else to the mix protecting you that really only you should have,” he adds.

While enabling MFA adds a little bit of friction to your login process, the returns you get in terms of massively improving your org’s security are well worth it. As the headlines fill up with news of high-profile data breaches and ransomware attacks, anything you can do to protect yourself will help you sleep a little more soundly. “You can think of MFA as a seatbelt for the internet — it’s just that effective,” Ian says.

MFA has never been more important, especially in our current hybrid work environment. “Security is a huge part of trust,” Laura says, “your brand reputation depends on trust, and there could be huge monetary implications if something like a breach occurs.” As Ian says, “you’re doing this for your customers’ sake, and that is 100% worth the effort.”

Full Show Transcript

Mike Gerholdt: Welcome to the Salesforce Admins Podcast, where we talk about product, community, and career to help you become an awesome admin. This week, we’re talking with Ian Glazer, who is SVP of Identity Product Management. And you know what? It’s a little bit of a roundtable, because I also have Laura Pelkey, who is the Senior Manager, Security Customer Engagement about the connection between security breaches and MFA.

This is a really cool episode. Take a little bit of time, sit down, listen to this. Ian’s got so much that he knows about. And of course, if you’ve been listening to the pod, you know Laura’s a big fan of Admins, really helping Admins secure everything. It’s a fun conversation. I learned a lot, and I think you will too. So let’s get Ian and Laura on the podcast.

So, Ian and Laura, welcome to the podcast.

Ian Glazer: Thanks. It’s great to be here.

Laura Pelkey: Hey, Mike.

Mike Gerholdt: Ian, you’re a new voice and name, we haven’t had you on the podcast yet. So I’d love to learn a little bit before we get into our discussion about your journey to Salesforce and what you do for Salesforce.

Ian Glazer: Sure, sure. Thanks again for having me here. I’m so honored. So I’m an SVP of Product Management here at Salesforce. I’m part of our platform organization, and my teams focus on our identity services. So we own everything from good old login.salesforce.com, to the way you can easily single sign on into the core platform. As well as things like our next generation of identity services for our products. As well as our multifactor authentication services. I’ve been here, coming up on eight years.

I have been in the identity industry, a number that’s greater than say, 10, and lower than say, 30. But I don’t want to give it a name because it freaks me out that I’ve been in the industry that long. But I’ve been in the identity industry a good long time. I’ve played a lot of different roles in it. I was an analyst at Gartner, focused on privacy and security and identity. I have been a product manager, a sales engineer, but all usually around this subject matter.

I am also the co-founder and board member of IDPro, which is the Professional Association for Digital Identity Management, trying to help all identity practitioners out there get better at their game.

Mike Gerholdt: Wow. I am 100% going to use your answer when people ask me how old I am. I’m greater than 21, but less than 50.

Ian Glazer: That’s all people need to know.

Mike Gerholdt: But I don’t want to tell you the number. It’s in between somewhere.

Ian Glazer: Privacy preserving. It’s all good.

Mike Gerholdt: Exactly. Now, Laura, you’re a welcome and returning voice to the podcast. You’ve been on many times with Lynn. And you’ve done a lot of episodes with us. If people are joining and watching Salesforce Live, they’ve seen your face. But can you refresh us and let us know what you do at Salesforce?

Laura Pelkey: Yeah. So happy to be back on the podcast. I always love coming on here with you guys. I think my first podcast with you was maybe my first week on the job at Salesforce, which was about five years ago. So that’s so funny to think about. I’ve been on the security team here at Salesforce for five years, overall in the security industry for about 10. I’m really, really passionate about security, helping people secure their data.

And early on in my career, I actually was a Salesforce Admin, back in the day. So I definitely empathize with all of our Admin friends listening, and the challenges that they face securing their Salesforce instance.

Mike Gerholdt: Absolutely. Now what’s interesting is, Ian, you used MFA in your answer. And to be honest with you, it’s the three letter acronym that has been bouncing around our Admin community for quite some time. But Laura, what is MFA? And if anybody doesn’t know by now, could you help explain that?

Laura Pelkey: Yeah, yeah. This is definitely a hot topic. People are probably … some people are probably sick about hearing about MFA from us. We’ve been talking about it a lot over the last couple years. But it’s really one of the easiest, most effective things you can do to increase protection against different kinds of threats, like phishing attacks, very common things that people face pretty much every day, and that affect businesses everywhere.

So we are asking our customers to implement MFA. It, as I said, really helps prevent against security breaches. It’s one of the best things you can do. And actually, Ian, you might have some thoughts on this … I mean, not might. You definitely have some thoughts on this.

Ian Glazer: I’d better. It’s actually my day job, right?

Laura Pelkey: It’s your job. Yeah. Could you talk a little bit about how MFA prevents, or can prevent some of the breaches that we’re seeing in the news, and how that can help people with their security overall?

Ian Glazer: Yeah, absolutely. So a lot of this stems from a basic, and actually commonly shared awareness, that passwords are horrible. No one … not me, not you. No one likes them.

Laura Pelkey: Totally valid.

Ian Glazer: Here’s the thing, is that because we’re busy people, in our personal lives, in our professional lives, there tends to be reuse of passwords. People will sometimes use the same password from place to place, site to site, service to service. And that’s known by the attackers.

And so what we see is that over the last few years, certainly, an incredible increase in the number of attacks where the adversaries are looking to see if they can get a valid set of credentials. And once they have that, either they want to go off and resell those things, or they actually want to use that to get into the service, say your Salesforce org, and download contact data.

Laura Pelkey: And credentials are a username and password. That’s what we mean by credentials.

Ian Glazer: Yeah. Right, right. Sorry about that. And so if you just had a password, that’s only one thing protecting you. The beauty of multifactor authentication is it adds something else to the mix that really only you should have. Now that might mean you’ve got your Salesforce authenticator app installed on your phone. You’re going to see a challenge come up when you log in. And you’re like, oh yeah, that’s me because I’m sitting here logging in right now. Boom, I’ll approve that. Or no, I’m not logging in right now. I’m going to block that.

Or it can be something like a hardware token. You may see like a USB key, for example. There’s a lot of different kinds of these things. But the nice thing about them is they can help prevent an enormous number of the attacks we see out there. And it does add a little bit of friction to the log in process, but it adds an enormous amount of security to the overall posture of your organization, to you and your customers. And it’s just super important because of that.

Laura Pelkey: Could it prevent something like a ransomware attack from happening or from being successful?

Ian Glazer: Yeah, absolutely. Things like ransomware attacks, the adversary is looking to get a toehold, right? They need to get into a system and start doing things. And so the more that we can prevent that from happening, and adding things like MFA to your overall security posture is a great way to actually do that. Keep them from getting a toehold and preventing a more significant impact.

Mike Gerholdt: So Ian, when I hear you talk … and I’m thinking through this. Because often, I hear, okay, well, we got to implement MFA. It’s to prevent people, one, from knocking down your front door and logging into your Salesforce org. But what I hear is also, hey, there’s probably a good portion of people that are reusing passwords and or usernames.

Laura Pelkey: Yeah.

Mike Gerholdt: And once they have that, then they start snooping. Almost like, well, what other lock does this key work in?

Ian Glazer: You got it. You got it. Yeah. And that’s a natural outcome, right? Like I say, we’re all busy. And so oftentimes, you’ve got a favorite username. You may even have a favorite password that you rotate a little bit, but that’s exactly right. Adversaries are saying like, ooh, hey, I’ve got a combination of a username and a password that works. I wonder what else this person uses it for. Let’s go see what’s in their Netflix wishlist. Or what other things do they use this for.

And MFA stops that cold. And that’s what’s just so amazing about it is … and Laura’s boss up the chain, Jim Alkove, our Chief Information Security Officer says, “It’s really about putting on your seatbelt.” And you can think about MFA as the seatbelt for the internet, from a security perspective. It’s just that effective.

Mike Gerholdt: Yeah. So you think about if … who knows. But somebody used, let’s say on Facebook, their Salesforce username and password. And their Facebook account got hacked. And they’re shopping around, hey, I wonder if this works in Salesforce. Now with MFA enabled, there’s a bouncer at the door saying, yeah, cool. You got all that, but I need to know you.

Ian Glazer: Yep. You got it.

Mike Gerholdt: And now, because somebody’s Facebook got hacked, suddenly they don’t have access, these attackers don’t have access to, arguably the most valuable thing that any company owns.

Ian Glazer: Totally right. Totally right. This is a great way of protecting that truly valuable gold of our organization, which is information about our customers and our relationships with them. And it’s just a simply great way to protect it.

Mike Gerholdt: Yeah. No, I bring that up because I always think a lot of these protection measures are … if you think of Salesforce as a metaphor for your house. You’re just adding locks to the door. And it’s really not. I mean, it is, but it’s, you’re adding protective measures so that in the case that something outside of your control … credentials are gained. That they don’t also now have access to your org. Which is to me, a different perspective than what I was thinking that, oh, MFA requirements … you mentioned seatbelts. I got to wear a seatbelt. It’s another thing we got to do.

But it’s actually, it’s another thing we got to do because you never know if perhaps someone else is pinging that front door trying to get in because your Facebook or your Twitter or your Instagram or TikTok got snatched up.

Ian Glazer: Absolutely. And I think the other important thing that sometimes we lose sight of is, this isn’t good advice and the requirement that Salesforce is putting out there for just Salesforce. This is good advice … and honestly, it ought to be a requirement for all of us in our daily lives as we interact with the internet, with online systems.

If you’re not, where you can, turning on MFA for everything from your banking apps to your social media accounts, do that. Take the moment to do it because it is just so effective and valuable. This is the kind of thing that we hope to habituate in online users of all sorts. Not just Salesforce users, but everywhere.

Laura Pelkey: Yeah. Banking, social media, and email. I think of those as the trifecta of things in your personal world that you want to add MFA to where it’s available.

Ian Glazer: Well, Laura, hold on. We got to go back in time a little bit. One of the first places that we saw consumer facing MFA first rolled out, was actually in World of Warcraft [crosstalk]. If you have spent that many hours farming a character and getting them leveled up, that’s time spent. That’s super valuable. You want to protect that.

And so World of Warcraft is one of the first places that we actually saw an MFA mechanism called a one time password. A time based, one time password. Just a rotating set of six digits. But that’s one of the first ones I can remember in not banking, not social media, not enterprise computing, but something super valuable to people out there.

Laura Pelkey: That’s amazing. I had no idea about that.

Mike Gerholdt: I didn’t either. Things you learn on the podcast.

Laura Pelkey: Yeah.

Ian Glazer: There you go.

Mike Gerholdt: Also, apparently more important than securing your bank account.

Ian Glazer: Depends on where you’re sitting, but yeah. For some people, yeah. Yeah. I think it’s totally true.

Laura Pelkey: Depends what’s in your bank account, maybe. So Ian, it sounds like MFA has gradually become something that’s more and more widely used. Is this the direction that the whole world is going in, is the whole world hopping on the MFA bandwagon?

Ian Glazer: I think we’re going to get there. And there’s a couple of pieces of evidence for that. One thing … I mentioned at the beginning that I am part of an organization called IDPro, which is the Professional Association for Digital Identity Management. Essentially, it’s identity nerds like me trying to get better at what they do. And we conduct a skills and initiative survey every year.

And this year … we ask similar questions year over year. And one question we ask is, what are major enterprise priorities for the organizations you work with over the next 18 months? And over the last two years, MFA has been in the top spot by a wide margin. And this is, I think a combination of a recognition that it’s not always a sunny day on the internet, and that there are adversaries out there looking to cause harm.

Laura Pelkey: Adversaries, AKA hackers.

Ian Glazer: Yeah. It is also an acknowledgement that, starting certainly last year, we were in, and still are in a work from anywhere, succeed from anywhere world. And that makes it really hard on IT organizations to necessarily extend all the same kinds of security controls that they have in the office. But one of the best ways that they can do that, to protect employees and thus their customers data, is through MFA. So it’s not surprising that we see industry evidence of saying, MFA is, and is going to remain a major initiative.

And you start to see more and more consumer services starting to either offer, or more importantly, start to require MFA. So Google’s an example of that. They’re going to start rolling this more prevalently across all of their Gmail users. This is a great step. We’re starting to really extend the use of MFA. And this is really important actually, through those activities, we’re going to start to normalize the use of them, right?

I would say 10 years ago it would be a little bit unusual, other than identity nerds like myself, for people to be using MFA in a personal setting. But now we’re going to start to see this being very, very common. And that’s really encouraging, because that means we’re uplifting the security posture of the whole internet.

Laura Pelkey: Yeah, that’s amazing. So you mentioned MFA is like wearing a seatbelt. It’s a great way to protect your valuable data, your personal information. For our Salesforce customers, what is so valuable about the data that our customers store in Salesforce? Why is it important for them to protect that data?

Ian Glazer: First and foremost, it’s their treasure. It’s the data that describes their relationships, their activities with their customers. And information about those customers. So first and foremost, it is grist for their mill, right? Is what they do. Second thing is, a lot of that information can be personally identifiable. It can be PII information. And that kind of information, if it were to be taken from your org, that’s a data breach. And under many laws, both here in the US and then globally, that’s something you actually have to report. That becomes a significant incident.

And so, because we have attackers looking for this kind of information, and because the loss of that information out of your control becomes a real thing that you have to deal with, with real ramifications … not just for you, but for your customers. It’s really why we’re leaning into saying, you’ve got to turn on MFA in your Salesforce environments to protect yourselves and protect your customers.

Laura Pelkey: Yeah. Yeah. That’s huge. And that all plays into trust as well. Security is a huge part of trust. Your brand reputation depends on trust. And there can be huge monetary implications if something like a breach occurs, like you said.

Ian Glazer: That’s absolutely right.

Mike Gerholdt: And when you’re a customer of a business, what’s interesting is, to me, trust is implied. And I think that’s why the data breaches and stuff that you read about are always so … I don’t want to say disheartening. Because I gave my business to this company. And the implication was that I entrusted you with this. I went to your website, I created the profile, I saved my credit card. Why did your IT use password 123 to encrypt my data?

Ian Glazer: I mean, it goes directly back to Parker and Mark, thinking about, look, our competitors, when we started Salesforce, are one click away. And that the way we have to ensure that we retain those customers, is starting with trust. And that’s not just a lesson for Salesforce, that’s a lesson for all of us. You’re totally right, Mike. That trust isn’t implied. I would say, not just implied, it’s table stakes. And that people will shift providers of service if they feel like their trust has been violated.

And so knowing that, and then knowing that now in a succeed from anywhere world, we are competing globally. Even if you’re a mom-and-pop shop in upstate New Hampshire, you’re competing at a global scale. Which means the way you win is by delivering awesome service, awesome value, and trust. And this is an easy way to do it.

Laura Pelkey: Yeah. Yeah, it’s just expected now. I think customers expect a high level of trust, and MFA is a great way to ensure that. So I’m going to bring up the elephant in the room, the MFA requirement that we have announced. Salesforce is asking our customers, all of our customers of every product, to implement MFA by February 1, 2022. And we’ve definitely had some customers feel excited about it and happy that we’re taking that step to really ensure that their data’s secure.

We’ve also had some customers share that this is not an easy transition for them. Depending on your industry or the way that you use Salesforce, it’s not always easy to make that change. So Ian, my question for you is, is this requirement going to really be worth the effort for our customers that are saying that this is hard for them to do?

Ian Glazer: This is totally going to be worth all that effort. And we have tried to provide a variety of choice in terms of the kinds of ways of MFA that can be used with our products, which means we know it’s not going to be a one size fits all world. So there’s different kinds of MFA verifiers that you can use. So, part one. Part two is, we fully acknowledge that this journey is changing employee behavior, and that’s not simple. Changing one’s own behavior is not simple. But it’s totally worth it because of the security benefits that you get out of it. The rest well at night, knowing that your information about your customers and your interactions with them is secured, is incredibly valuable.

And we’ve also given a variety of guidance … and this is available through the MFA microsite. On how to go about rolling out MFA. Certainly some of the feedback we’ve gotten is like, I don’t know where to start. Okay, Salesforce, I buy it. I get I need to do it. Help me do it. Help me ease through that. So we’ve built a lot of things, both in product, as well as materials like an Admin rollout guide, to actually help the process as well. But the bottom line is the effort you put in to protecting your org by rolling out MFA, means the value that you attribute to your customers. Really, you’re doing this for your customer’s sake. And that is 100% worth the effort.

Laura Pelkey: Yeah. I totally agree. Could not agree more. And I know there’s been some questions around, when will we be enforcing this? The plan is that we will let all of our customers know at least six months in advance before any type of enforcement starts. So this is not something that’s going to be turned on overnight and you’re going to wake up and there’s going to be all these issues.

Ian Glazer: Yeah. For people that are nervous about this, on February 2nd, when you log in, things are going to be as they are today. We are not going to surprise anyone with enforcement. We’re going to give you a six months roadmap on that. We do ask … this is part of the requirement. That on Feb one, you use MFA. And know that if you don’t do it on that date, we’re not going to immediately enforce, but it means that you’re accepting a lot of risk that could be mitigated with some very straightforward steps you can take.

And so it’s something strongly to consider, but don’t panic. We’re here to help. We’re providing both capabilities functionality wise, and also guidance wise to help you through the journey.

Laura Pelkey: Yeah. That’s awesome. And you mentioned the MFA website earlier. That’s a great place to start. The URL for that is security.salesforce.com/mfa. There’s also the MFA Trailblazer Community Group, that’s an amazing place to visit if you have questions. And the MFA FAQ is also a really good document to check out. And if you still have concerns, just reach out to your account representative, and we’ll work with you on a plan and finding a solution.

Mike Gerholdt: That’s very cool. Well, Ian, Laura, thank you for coming on the pod. This is a great little discussion. The analogy to seatbelts is very relevant because I think back, one of the cars I have is from the 70s and according to the build sheet, seatbelts were optional. And it’s crazy to think, because cars were invented in the early 1900s, but for 60 years, the most basic life saving device was not considered a requirement. And now I see a lot of parallel with that in MFA.

I know, thanks to Lynn, who Laura reports to, she set me up with MFA early, early on when I started at Salesforce. And the irony was, six months later my Instagram got hacked. And thankfully, I had MFA voluntarily set up across all my accounts. And I wouldn’t have known about it had I not had that awareness. So you don’t have to wait until February 1st to worry about mitigating risk either.

Laura Pelkey: That’s right. That’s right.

Mike Gerholdt: Thanks so much for coming on. We’d love to have you back. Anytime you got something top of mind, let us know. We’re always happy to have that conversation.

Laura Pelkey: Absolutely.

Ian Glazer: Awesome. Thanks so much for having me, Mike.

Mike Gerholdt: You bet.

So it was a great conversation. I love having a few guests on where we can sit and chat and talk about different subjects. I know security is a thing that’s always on people’s top of mind. So with that, if you want to learn more about all things Salesforce administration, go to admin.salesforce.com to find more resources. And just a reminder that there is new podcast swag up in the Trailhead store, holidays are just around the corner. Wink, Wink, nudge, nudge. So I’ll include a link in the show notes to that.

You can also stay up to date with us on social. We are @SalesforceAdmns, No I. You can follow Ian on Twitter. He is @iglazer. Laura is @LauraPelkey1. It looks like somebody must have got Laura Pelkey. Of course, my co-host Gillian, who is out right now, is @gilliankbruce. And if you give me a follow, I’m @MikeGeroldt on Twitter. With that, stay safe, stay awesome, and stay tuned for the next episode. We’ll see you in the cloud.
