Copado’s Secure Platform Delivers Continuous Assurance for your Salesforce DevOps Environment
Copado offers a highly secure platform that lets enterprises protect and safeguard the entire DevOps environment for their Salesforce applications. In a constantly changing DevOps environment, security must shift from being a milestone to being a sustained discipline that treats it as a continuously changing state of the system. Copado makes this possible through capabilities that enable continuous assurance using a combination of architectural design, specific security features, operational policies and best practices. Copado implements multiple security features, policies and processes in order to orchestrate Salesforce DevOps in a secure and compliant manner within an enterprise.
Secure Platform Architecture
Copado enables DevOps for Salesforce, built entirely on the Salesforce and Salesforce Heroku platforms. Salesforce utilizes some of the most advanced Internet security technology available today. Further, Heroku’s physical infrastructure is hosted and managed in Amazon’s secure data centers using Amazon Web Services (AWS). Amazon’s platform undergoes recurring assessments to ensure compliance with industry standards, and has earned the trust of the world’s largest organizations. Salesforce and Amazon’s data center operations have both earned the following audits and certifications that demonstrate the layers of trust and security on which Copado is built:
- EU-U.S. and Swiss-U.S. Privacy Shield
- ISO 27001/27017/27018
- Service Organization Control (SOC) SOC1, SOC2, SOC3
- SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
- Payment Card Industry (PCI)
Secure Application Architecture
Copado is a native application built on Salesforce supported by a secure, API-based backend. Underlying Copado services and functionality are accessed via calls to this secure API. As a native application, Copado is installed in one of your Salesforce Orgs, either your Production org or a separate ‘governance org’. Transparency is a key value at Copado, and as such, service and incident monitoring is available on a public site. The Copado package uses OAuth and TLS to communicate with the backend API. When the backend needs information from Salesforce, it uses the Salesforce API, which again is based on OAuth and TLS. The backend manages the interactions between changes in Salesforce and the customer version control system stored in one of the commercially available versions of git, also using TLS.
Copado uses three layers of authentication when communicating between Salesforce and Heroku. First, HTTP requests sent from Copado on Salesforce are signed with a time-sensitive signature carried in an HTTP header; requests that fail to provide a valid header are rejected by the backend. Second, a signed token in the header identifies the customer Org ID and User ID, and the Org ID is validated against the Copado customer database, so only registered Copado customers can consume the backend APIs. Third, Copado requires Salesforce authentication: the customer user must have granted the Copado application access using the OAuth 2.0 protocol.
OAuth tokens are stored in Heroku for each Copado user in each environment. The CI/CD platform accesses information from the various customer environments using the OAuth token of the running user who makes the request; if that user has not authorized Copado to access an environment, Copado will be unable to fulfill the request. OAuth tokens are encrypted using the same private AES-256 key.
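The first two authentication layers described above, as an added illustration that is not Copado's code: a backend-side check of a time-sensitive request signature followed by validation of a signed org/user token against a customer registry. The header names, the HMAC-SHA256 signing scheme, the five-minute freshness window, the shared secret and the registry contents are all assumptions, since the page publishes none of them; the third layer (the user's Salesforce OAuth grant) is not simulated.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values: the page does not publish key material, header names or algorithms.
SHARED_SECRET = b"example-shared-secret-not-real"
REGISTERED_ORGS = {"00D000000000001": "Example Customer"}  # constructed customer registry
MAX_SKEW_SECONDS = 300  # assumed freshness window for the time-sensitive signature


def sign_request(method, path, body, timestamp, secret=SHARED_SECRET):
    """Layer 1: bind method, path, timestamp and body into one HMAC so none can be altered."""
    msg = f"{method}\n{path}\n{timestamp}\n".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_token(org_id, user_id, secret=SHARED_SECRET):
    """Layer 2: a signed token naming the customer Org ID and User ID (hypothetical format)."""
    payload = base64.urlsafe_b64encode(json.dumps({"org": org_id, "user": user_id}).encode()).decode()
    return payload + "." + hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def verify_request(headers, method, path, body, now=None, secret=SHARED_SECRET):
    """Return (True, user_id) for an accepted request, or (False, reason) when rejected."""
    now = time.time() if now is None else now
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False, "missing timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:          # stale or replayed request
        return False, "stale request"
    expected = sign_request(method, path, body, ts, secret)
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"             # constant-time comparison
    payload, _, sig = headers.get("X-Customer-Token", "").rpartition(".")
    token_mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not payload or not hmac.compare_digest(token_mac, sig):
        return False, "bad token"
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims.get("org") not in REGISTERED_ORGS:  # only registered customers may call the API
        return False, "unregistered org"
    return True, claims["user"]
```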
Secure Credential Storage
Git credentials within Copado are stored in the customer's Salesforce org using protected Custom Settings. These usernames and passwords are encrypted at rest using AES-256 with a private key that is generated for the specific installation of Copado.
Single Sign-on Integration
Most customers have a corporate single sign-on directory, which stores the passwords for all applications and provides the front-end interface to log in to all applications at once. Customers can choose to integrate with their corporate single sign-on solution in the same way they have done for their production Salesforce instance.
Securely Accessing the Git Repository in the Cloud or on-premise
Copado enables customers to securely access their Git repository in the cloud or on-premise. When a Copado operation requires the backend to perform an action (e.g. a merge) on a given Git repository, the backend queries the Git credentials using an OAuth-protected web service. Only Apex code within the namespace of the managed package can read the protected custom setting. The web service returns the encrypted Git credentials to the backend, which decrypts them using the private key of the customer that matches the request context and uses these credentials to communicate with the Git repository.
Copado can also connect to a Git repository hosted on the customer's own servers (on-premise) even if it is protected by a firewall. The firewall acts as a protection layer between the server hosting the Git repository and the rest of the internet.
When setting up Git, customers need to initialize a Git server so that the repositories created on it are accessible via HTTP. You can configure an SSL certificate on the server so that repository data is encrypted in transit; once the certificate is configured, the Git repository can be accessed through a secure HTTPS URL (e.g. https://…).
Copado Compliance Hub
Copado Compliance Hub is the first compliance application for Salesforce orgs that institutes an additional, indispensable layer of security and governance for the customer's DevOps processes and organization. It allows customers to monitor and enforce their business's compliance rules for all metadata changes made in their environments and Git branches. Copado Compliance Hub can also help customers identify non-compliant changes before they are deployed to other environments, or to production, sparing customers the hassle of manually reverting those changes after they have been applied. Copado enables customers to run 'compliance scans' across their DevOps environments, including on user stories, Git snapshots, org credentials and deployments, or from a scheduled job, a deployment step, a user story deployment task or a process builder.
Trust, Availability & Business Continuity Plans
Copado is completely built on the Salesforce platform; as such, the same SLAs for availability, business continuity and disaster recovery that apply to the customer's production organization also apply to Copado. In addition, Copado has taken specific steps to enhance the trust, availability and business continuity / disaster recovery preparedness of customers' Copado installations.
Copado treats customers' business continuity requirements as a priority and provides continuous service in the event of outages of the Heroku APIs on our backend. Copado keeps an inventory of "backup dynos" that can be deployed even when the API is down, and recycles dynos after use instead of disposing of them. This eliminates the need to call the API to spin up new dynos and thereby eliminates the impact on our customers.
Copado has a detailed incident response process, documented as part of our ISO 27001 certification. As part of our plan we maintain runbooks on how to respond to system alerts and events, including security events, along with a Crisis Communications Plan that includes instructions on how to notify customers should a large-scale event occur. Our incident response plan is audited at least annually.
Being a native Salesforce application running on a Heroku backend, Copado leverages the disaster recovery infrastructure and policies implemented within Salesforce and Heroku. On the Heroku side, the platform automatically restores customer applications and Heroku Postgres databases in the case of an outage. The Heroku platform also maintains redundancy to prevent single points of failure, is able to replace failed components, and utilizes multiple data centers designed for resiliency.
Logging & Monitoring
Any policies or practices for logging and monitoring used in relation to a customer's Salesforce production organization are also applicable to, and used in conjunction with, the Copado organization. All security and access events are logged for Heroku. Log history is maintained for 7 days.
Copado data related to the customer's metadata deployments is stored in the customer's Salesforce org. Copado does not store the customer's cookies, data or metadata. Any data or metadata processed by the system via our backend (Heroku) is processed on a secure, ephemeral dyno, which is deleted when the transaction completes successfully. How we ensure secure transmission of data and metadata is outlined above, beginning with the "Secure Application Architecture" section.
Software Dev Lifecycle
Copado maintains a detailed Software Development Life Cycle (SDLC) plan as part of our ISO 27001 certification. Copado uses a combination of peer reviews, pull requests, validation deployments, Apex code coverage scans, static code analysis and a two-step approval process to ensure that the work performed meets our high standard for quality and security.
Formal Corporate Security Policy
Copado has defined a detailed security policy, formalized and published as a Security Policy document. Its goal is to protect the organization and its users to the maximum extent possible against security threats that could jeopardize their integrity, privacy, reputation and business outcomes. A copy of this document is available on request. Copado also has independent penetration testing completed at least annually.