Logalytics: Intelligent Audit Log (www.logalytics.io)
Our Dreamforce Mobile Hackathon entry is an intelligent activity stream of Salesforce events. Built on Salesforce1, Logalytics provides a unified interface giving people in Salesforce Operations roles the ability to monitor and manage many end-to-end workflows within a mobile user experience.
Leading up to Facebook's IPO, a set of operational tools and processes were developed for SOX compliance and monitoring, and subsequently presented at Dreamforce 11. In the weeks and months prior to the Facebook IPO, our Salesforce environment and processes underwent several audits and reviews.
The Auditors questions around compliance in the cloud were confidently addressed, but there were still blind spots. There were incidents and human errors that should have gone detected much sooner. If we couldn't prevent every possible incident, surely we could monitor, alert, and respond much faster.
Trusting The Cloud
Logalytics is the mobile app plus service I wish we'd had at Facebook. Trusting the cloud requires keeping a close eye on changes, identity management, and access policies 24/7. While Salesforce provides a SOX "ready" environment, it is ultimately the responsibility of operations teams to maintain "compliance".
SOX, HIPAA, COBIT, PCI, Basel II, 8th Company Law Directive... some are more prescriptive than others, but fundamentally all these compliance frameworks share the same core set of IT governance principles that are applicable to either cloud or on-premise services.
The Logalytics service continuously analyzes every Salesforce LoginHistory record and delivers suspect events directly into a Salesforce1 Visualforce activity feed:
- Concurrent Logins: Logging in from 2 separate locations within a short time period.
- Open Proxy Logins: Commonly referred to as "zombie" computers, these computers often have key logger and other viruses installed.
- Repeated Failed Login Attempts.
Using the latest features in the Winter '14 Salesforce API (v29), Admins can instantly freeze any user flagged with suspicious login activity. Tasks and Cases can be created with one click for either personal follow-up or team remediation.
The "View All" and "Modify All" profile permissions, while necessary for Admins, are generally disabled for all other users. These permissions are actively monitored with corresponding alerts raised when metadata changes.
Metadata changes on all standard and custom objects are also monitored and reported in the feed.
Salesforce1 supports both in-app and native push notifications. The push notifications only occur when a user is mentioned, so to ensure Admins received timely alerts, we used the Salesforce Chatter API to cc: mention all System Administrators when a red alert occurs.
Once an alert is raised, the Salesforce Administrator or Developer is able to take action and resolve the issue. With Salesforce1, Tasks and Cases are only a swipe action away from the Logalytics feed. Some workflows can be managed end-to-end entirely from a phone.
For all the occasional incidents that may crop up, Salesforce Operations can be an extremely rewarding responsibility. Gaining deeper insights into how often users login, from where, with what apps, using which platform... these insights can now be gleaned with a quick glance at the Logalytics feed during the 150+ micro-moments per day we check our phones.
Heroku is the glue that holds the Logalytics solution together. A REST API uses web dynos to publish the activity feed and serve event details. Background workers analyze production Salesforce environments.
The analysis workers use pretty much every Salesforce API: SOAP, Metadata, Apex, and Chatter.
The user interface is written entirely in HTML5 and hosted in Salesforce1 as a Visualforce mobile web tab. JQuery Mobile was initially used early in the hackathon, but we switched to Zepto for performance reasons.
Database.com is used for subscription and mobile user management. Logalytics provides an in-memory NoSQL datastore for capturing time-series analysis and trend data.