Govern Data and Fuel Innovation with a Digital Chain of Custody - 3 Ways ServiceSource Ensures Compliance



Linda Bloszies

Sr. Director, Platform Engineering & Product Development @ ServiceSource


Shesh Kondi

Sr. Director, Platform Security & Compliance @ Salesforce


Doug Staubach

CISO @ ServiceSource


Joe Gaska





About this talk

With the data loss prevention market reaching $1.3 billion in 2020*, enterprises are voting with their wallets and demanding more bullet-proof ways to protect, manage and preserve sensitive data across their entire 3rd party app ecosystem.

Organizations such as ServiceSource are going one step further by implementing a Digital Chain of Custody to preserve, recover and act on all historical Salesforce data using GRAX.

Watch this webinar recording to learn:

  1. What a Digital Chain of Custody is and why it’s important
  2. How ServiceSource is using it to drive compliance and growth
  3. How GRAX can help transform your business


32 min. Published on


Hi, everyone. Welcome to the webinar. Today we're going to tell you about an old concept from the physical world that's finally making an entrance into the digital world. And how this concept is helping one of the most customer driven organizations in the world, ServiceSource, secure their data and fuel innovation. We've got a great lineup of speakers for you today.

Linda Bloszies and Doug Staubach are here from ServiceSource. They'll be telling you about all the amazing things that ServiceSource is doing with the digital chain of custody. Before we get there, Shesh Kondi from Salesforce is going to help us set the stage for why the idea of a digital chain of custody is so critically important in today's environment. Joe Gaska from Grax will help us really understand the three underlying principles that underpin a digital chain of custody.

I'm Chris Shakarian and I'll help facilitate the presentation. If you have any questions, you'll have a chance to ask them at the end of the presentation. And you can please, to ask your questions, you can type them into the window at the end of the session. Into the chat window at the end of the session. Or you can use the Raise Hand feature on GoToWebinar.

So today we'll through to some of the trends creating the need for a digital chain of custody and we'll define what it is. We'll also learn about how one of the most innovative companies in the world, ServiceSource, is using it to drive both governance and growth. I'd like to introduce Shesh Kondi to help us set the stage for this concept of the digital chain of custody. Shesh is the platform security and compliance engineering solution lead at salesforce.com. Welcome Shesh. It's great to have you with us.

Thank you so much, Chris. Good morning, good afternoon, everyone. Thanks for joining the webinar. I hope this will be an hour well spent for all of you to learn about the digital chain of custody and available solutions in the domain. Again, my name is Shesh Kondi. I lead a solutions [INAUDIBLE] and top excellence at Salesforce and my team is responsible for customer engagement around all things security compliance and privacy.

As part of my role at Salesforce, I have the opportunity to speak with customers on a daily basis. And I've had the privilege to exchange thoughts and ideas with CXOs for the last few years around data management, from a security and compliance perspective. And in general-- and the larger data strategy domain as well. To set the stage for today's webinar, I want to spend a couple of minutes talking about how conversations have evolved around data and the changing paradigms.

So around the early part of this decade, the conversations I was involved in with the c-level stakeholders were mostly around the data security. And a majority of the questions were related to where the data was hosted, how secure is the platform and what kind of threat vectors we have addressed. The two main vectors we discussed were invariably external threats, and how good our perimeter was to handle that. And service providers that-- and how good our technical and process level controls were to manage that threat.

Then a couple of years later, the conversations changed. The adoption of Salesforce as a platform of choice by our customers significantly increased and so did the maturity in analyzing and then defining acceptable and unacceptable risks. The conversations then were around insider threat and what level of controls do we provide to monitor the usage of data in a Salesforce org, and also put certain controls from an audit standpoint.

This was about the time we released Salesforce Shield. Shield provides our customers with the ability to encrypt certain data elements at rest and update to the regulatory requirements or enterprise interest guidelines. It also helps monitor usage and audit activities and put preventative transactional controls on user activities, and provides the capability to manage the data evolution lifecycle as well. Shield has been a very widely adopted enhancement in our security and trust framework.

Fast forward 2017, 18. It was all about GDPR. And our customers spent anxious months in preparation for GDPR and figuring out ways to meet the requirements. Then the conversations obviously revolved around things like consent management, data deletion and transitional costs in data. We'll talk about a few of these today as well. At Salesforce, we enriched and enhanced our platform service layer with the tools and controls to help our customers build and deploy solutions to meet the GDPR guidelines and requirements.

As those compliance requirements are evolving, and enterprises are going through the audit process, in recent times the conversation has shifted again, to things like managing portable data and establishing residence and tracking movement of data, including controls for non repudiation and enforcing ownership and authenticating custody of digital information. And these conversations fall under the realm of what we now know as traditional chain of custody. And these requirements, which our customers are bringing up, are exactly where the chain of custody can help.

The concept of chain of custody has been there for a long time. And it's an idea from the physical world, as Chris mentioned initially. And it's now possible to achieve in the digital world. So if you refer back to the legal and the forensic management framework, and our chain of custody shows where the evidence has been, who has touched it and its condition at all times. And it tracks the information through a full and complete lifecycle of collection, storage, movement, handling and analysis and among other transactional controls.

So here we define digital chain of custody as an irrefutable record of ownership and changes that data, in its digital form, has undergone over time. The Salesforce partner ecosystem has done an amazing job around building solutions in this realm. And one of our partners, Grax, has built a robust and compelling native Salesforce solution to address requirements around digital chain of custody and gave customers, who implemented this solution, to meet the requirements around the space.

So to provide you with a detailed analysis, the domain, and talk about Grax and how the solution can help you, I would now like to hand the microphone over to Joe Gaska from Grax. And with hopes of welcoming all of you to Dreamforce in a few days, Joe, take it away.

Thanks, Shesh. So as we look ahead and-- we live in a world of data abundance. And we really look at how the computing power is escalating from Google's latest announcement, with processing 10 years of data, in a little under two minutes. You really start to believe that it's not just data abundance, but it's infinite data that we're dealing with in the future. And all of this data itself is ebbing and flowing between third party applications, data warehouses. We have different geoaffinity storage mechanisms around globally.

So if we really look across the marketplaces and complex operations and events and sensitive data, and you really look at the tactical obligations that all of the companies today have to abide by, it becomes a monumental burden to really comply with all the requirements, both regionally and globally, under respect, all while having to maintain the full chain of custody as Shesh discussed before.

So if we look at some of the biggest examples, it's kind of a double edged sword. On one hand, you have companies like Equifax who experienced significant breaches and a significant cost to the enterprise, as well as detrimental to their brand. As well as you have organizations that identify that 20% of their top line revenue affects opportunity, due to poor data quality itself. You're really dealing with a mass amount of data and starting to understand that this data itself and data quality is becoming a burden and a liability to the business itself. All while continually expanding the regulations over time.

So the regulations themselves, just as you have infinite data expansion and data is creating data about data, calculating data velocity, if you really think about that and we understand the burden, the obligation and now the liability of that data, it becomes crucial to understand, as Shesh was saying before, not only the threat vectors of your data but minimizing your surface area of exposure of where your data lives, what companies the data transports through and really understanding all of the data requirements whether it be GDPR, whether it be WORM compliance, whether it be the new CCPA.

All of these are continually expanding and there's one thing that's going to be true, these requirements and regulations are going to continue to be a burden on the business itself. So as we looked at Grax, and Linda's going to be coming up and telling an amazing story, when we're really looking to help customers expedite and protect themselves for the obligations, the burden and the tactical requirements that every business now has to deal with, you start to realize not only fulfilling that tactical obligation gives new strategic opportunities to use the data itself.

So if we really think of it, the one core principle that we sat down when we started talking about what do customers need, one thing that we really believe, that is data must be owned by the client at all times. It must never leave their environment. We must be able to prove without a doubt, irrefutably, that the data has never left the customer's environment itself. All, while having a complete audit trail of the data itself.

So having complete ownership, never leaving your environment with a complete audit trail of that data. And it becomes crucial. Not only an audit trail of the data, but now there's requirements of audit trails to prove that you deleted data. And we can talk about that. When you get the right to be forgotten, how do you enforce that, as well as, how can it be audited? So not only an audit trail of the data, but also audit trails of the deletion of the data itself.

And when you think of this, when we started really talking and understanding a lot of the customers requirements for their tactical obligations to really reduce their liability and their burden, we quickly discovered that the asset that is also protecting the liability and the burden and the obligation for the customers, becomes a strategic asset now, that you have every version of the data. The data never leaves your environment. What questions can we answer with the analytics itself?

Really trying to understand, now that we have the rich history protecting us from the regulations and the obligations that we spoke about, now that we have that deep history of that data, what are the strategic opportunities that we can use to answer questions with that data or drive events? So what I'd like to do, is, I'd like to introduce Linda and Doug to tell their story, how not only having a history to protect and fulfill the obligation, but why and how did the history become valuable for ServiceSource to fulfill their story. And I'd like to say thank you. Linda, please.

Thanks, Joe. Hello, everyone and thanks for joining. I'm Linda Bloszies. I'm a Senior Director of Platform Engineering and Product Development at ServiceSource, and I'm joined by Doug Staubach, our Chief Information Security Officer. At ServiceSource, we bring the world's greatest brands closer to their customers by acting as an extension of their go to market teams. And we're always looking for better ways to unify, govern, act on and sunset our CRM data across a hundred plus Salesforce instances worldwide. Essentially, to build a digital chain of custody for all of our sensitive data.

But before we get into that, I wanted to give you a quick overview of ServiceSource. For 20 years, ServiceSource has provided exceptional customer journey experiences for some of the world's leading companies. Our people are a high performance extension of each of our clients' sales and customer success teams and they're focused on establishing and expanding more than a million customer relationships every year.

ServiceSource supports many of the world's leading companies along every interaction and touch point in the customer journey experience. We can run the entire sales process, implement and manage effective customer success strategies, renew their business, handle account management and engineer successful partner programs. By combining an advanced technology platform, processes refined over two decades of experience and hiring and training the most talented people in the industry, we're able to cultivate wildly successful customer experiences and generate impactful revenue growth for our clients.

Not only that, we've just added new digital commerce capabilities to our suite of solutions. This helps us to digitize and automate transactions to drive better efficiencies, creating unified online and offline experiences that enable a blended right touch with our clients' customers. We cover over 170 countries, operating out of our 11 global delivery centers and have earned the trust of global blue chip market leaders.

So how can we take a digital chain of custody and have it support our business? There's two main use cases we want to discuss today. We can understand how we get better over time to deliver more value for our customers and we can gain valuable revenue visibility. So one area that was discussed earlier is unified analytics.

The main question here for us, is, how can we use our historical data over time to improve the results we deliver to our clients? How do we get smarter about the markets that we operate in over time? How can we measure and mitigate new patterns in our business? Patterns that are directly tied to revenue and to the health of our customer relationships. These are some of the questions that we continually ask ourselves about our business.

As an example, if our reps are calling on an account that can benefit from multiple client offerings, and our rep has made the connection and has the full attention of that account, why not use that conversation to offer a complete solution based on what the customer needs and what applicable products we can use to meet those needs? This type of action really puts us in that trusted advisor role with our customers and it's going to help us continue to evolve how we deliver our services.

So we use the second element of the digital chain of custody, audit trails, in order to accurately measure and invoice for the business results we deliver for our clients over time. We're building a 100% auditable, verifiable, accounting ledger of all changes that we make in both our customer and our own internal Salesforce org and are going to use this to recognize revenue and accurately invoice our clients for the results we deliver.

To date, this process would take about 70 people, weeks to complete every single month. We're going to be able to do this 10 times faster. Thanks in part, to unlimited event based audit trails. So our teams literally embed themselves into our customers' organizations in order to deliver results. Today we manage over 100 production Salesforce orgs on behalf of our customers. If you think back to the data ownership pillar of the chain of custody story, our ideal operating scenario is to actually let our customers maintain ownership of their data, while being able to access and act on that data to drive results.

We're currently working on a new concept called, a digital bridge, that's going to let us extend API connections to our customer's Salesforce environments, streamlining interactions across multiple systems. It's going to create a seamless, synchronized and compliant environment for us and our teams. Something that will make them much more impactful and efficient over time. With that, I'd like to turn it over to Doug to talk more about the governance and compliance side of the story.

Thanks, Linda. My name is Doug Staubach. I'm the Chief Information Security Officer for ServiceSource. And because ServiceSource is a global B2B company, our security and compliance program has to be flexible enough to accommodate a variety of industries and regulations. If you pay attention to the laws, and the news really, then you know that data privacy is becoming an increasingly global issue. Unfortunately every country is pushing its own set of privacy requirements and its own set of fines and penalties. And for people like me, that makes compliance tough.

So we started looking for ways to reduce that risk. And one thing that we saw in analyzing these laws, is, that the highest risk and the greatest cost comes when data crosses one of these regional borders. So if you can avoid doing that, you save a lot of money and a lot of hassle. This is where we started to ask ourselves the question, what if we could just leave the data in the same region but centralize the analytics. And that ties in with what Linda was talking about in being able to access that data in our customer systems. That's powerful stuff.

So one of the concepts that we're incorporating into our use of Salesforce and Grax, is the ability to keep that stored data and the change logs within the same regional boundary. We think that doing that will reduce a lot of the risks and answer a lot of compliance questions for our customers. The other aspect is the concept of centralizing logs and protecting them. If you ask me from a security perspective, there are a lot of parallels in the security industry. We'd call this a security event management system or SEM.

The concept is that each of our connected devices maintains its own copy of data locally, but then we also send a copy of those logs to a centralized server. So why do we do that? Well, from a security standpoint, log data is valuable. If you look deep enough, that data can tell the whole history of a record, even months or years after the fact. But the problem, again, from a security perspective, is that local log data is only retained for short periods of time.

So we want to preserve those audit logs. We don't want to lose any of that history. In fact, when we aggregate all of that change data over a longer period of time, we start to see trends, we notice gaps, we start to see patterns. And that's the power of centralized analytics.

So we talk about the solution that we're putting together with Heroku and Grax, it's pretty revolutionary for both a business and a security standpoint. It's a lot like a SEM, because we now have a centralized storage location for all of the changes that are happening. But with all of the data that we're working with, and with all of the Salesforce organizations that we're maintaining, it's better than a SEM because we can take advantage of Cloud capabilities and keep that data stored and confined within a specific geographical boundary and still get the power of the analytics.

So in my opinion, it gives us the best of both worlds. We have a centralized brain, centralized analytics, working on a distributed set of data. And in my opinion, that's going to change the way we do business with our customers. It's going to revolutionize our approach and it's going to tighten our security at the same time.

Thank you. Thanks so much, Doug. Where I wanted to pivot now, was a high level view of the key components of our new tech stack that's driving our current technology platform transformation. So last year at Dreamforce, when I was first introduced to Joe by our Salesforce account exec, one of the key business use cases we were trying to solve for was global invoicing. And it was a complicated one. And it continues to be, but I'm excited about the solution that was designed and that we've implemented to address these issues.

So we needed a way to summarize usage data in 100 plus spoke orgs for variable invoicing, while allowing the ability to drill back down to the detail level, all without bringing that detail into the master org, where the CPQ and billing engine lives. So we came up with the design and partnered with Grax and Salesforce to build a PoC to present it to our executive leadership. So given the complexity, it was incredible that we were able to stand up the PoC in about three days.

And this included implementing and configuring the Grax data lake off Heroku, syncing three Salesforce spoke orgs to the Grax data lake, installing Salesforce CPQ and billing and configuring pricing, logic, coding, order and invoice flows in our master Salesforce org. Developing neo soft integrations, capacity, pricing and invoicing logic from our master Salesforce org to a Salesforce spoke org and return summary usage data, and developing the Einstein dashboards that leveraged the Grax data lake to show opportunity under management, revenue and margin across those three spoke orgs that we included in the PoC.

So by implementing our digital chain of custody, we're moving from overly manual processes to a model that facilitates revenue optimization. By moving away from the old EDW norms of data snapshots to an immutable ledger of all changes, we not only improve the tools at our disposal for governance and compliance, but we also enable our progression up the analytic maturity curve into more predictive and prescriptive analytics.

We'll be able to detect patterns in our data and draw strategic correlations that were previously hidden from us. And this will drive continual operational improvements and increase value delivery for our clients. So now I'd like to hand it back over to Chris to talk a little bit about Grax.

Thank you, Linda. What an incredible story. You took what normally people would consider a compliance or governance tactic and turned it into a source of transformation and growth for the business. And that's exactly what we envisioned when we created Grax. At Grax, we're obsessed with helping our customers adapt faster by giving them the tools to listen to what their business is telling them, through the data that it's generating.

This is the very reason we created Grax Time Machine. Time Machine is the only way to capture a truly immutable record of every single change in your data over time, and use that record to meet compliance needs, retain customers and generate growth. There's nothing else on the market like it. It's a natural extension of Salesforce. It lives in the Salesforce interface. It's like taking Salesforce and giving it the ability to remember, recover and analyze every single change that happens over time. All inside a standard Salesforce reporting Einstein analytics and Tableau.

And of course, Time Machine is built on a Grax data value platform, which allows you to own and control 100% of your data's digital chain of custody. With Grax, your data never leaves your environment, whether it's the Grax managed package that installs right into your Salesforce instance, the data lake which you own and can host in AWS, Azure or your Google Cloud or even your own On-prem instance. With the Heroku Grax app, the Intelligence engine that shepherds historical data between all sources and your data lake. Your data never leaves an environment that is not under your direct ownership or control.

The truth is, there's so many ways to use the technology we built. And we just keep seeing new use cases popping up every day. We're proud and humbled to play some role in helping amazing customers like ServiceSource continue to pioneer and innovate in their industries by maximizing the inside value of their data. Before we leave you today, and before we open up for questions, we wanted to ask you to do two things.

One, hit record now. Start capturing every single change in your business data so that you can truly start listening to what your business is telling you. And two, if you're interested in learning more, come see us at Dreamforce. Linda from ServiceSource will be giving a session on Friday, November 22nd at theater two in Moscone South. Grax will also be having private meetings on the Salesforce campus at 50 Fremont Street, which is called Salesforce West. To set up a meeting, please contact your Salesforce account executive.

Now, we'd like to open it up for questions. And I know we have a couple here. So I'm going to go ahead and open it up. You can put your questions into the questions window or use the Raise Hand feature, whichever is more convenient. And I'm going to start with a couple here. Does CCPA contain a requirement around audit? Particularly show that the data was properly managed and deleted.

So Thanks, Chris. I'll jump in and take that one. So CCPA, like GDPR, what it really is, is really tracking every version of that data and being able to understand the right to be forgotten and what data actually has to be cascade deleted. So not only deleting the data, but to be able to prove it with a ledger that actually has a tokenized proof that you've actually deleted this data, if ever the auditing was to happen, as a proof that you actually deleted the data itself.

And we get scheduled some time. I'm happy to go through it and say it's basically powered by blockchain. All of the companies own the ledger. It's a private ledger owned by the company itself. The data never leaves the environment, just like the data, itself. And this is proof or a pointer to the data itself, that is immutable. You cannot modify, delete or change and you retain ownership 100%. You do have to be able to prove, not only that you have the data, but you deleted the data itself.

We've got another question here. Does this work in production environments and is it available for installation?

Yes, it is. So if it works in any Salesforce environment; production, sandbox, scratch orgs themselves. It works in Veeva, FinancialForce. You can contact one of the people from the webinar and we can get you sorted out with the trial and get install.

I think you addressed the other question around how blockchain plays a role in this, what about WORM compliance?

Great question. So the financial companies out there, WORM compliance is write once, read many. So in essence, making sure that the data itself can be written into a storage facility that has no way of being modified itself. So inherent with the mechanisms that we use to store data, if the technology is on the phone, we're talking about S3 in Glacier. So you can replicate the data from S3 that we push down and it actually can-- there's a replication rule that pushes in to Glacier itself and stores it in the WORM Compliance. Great question.

We talked about the right to be forgotten. How can chain of custody be preserved when the data goes to a Grax cloud?

Well, that's-- so just to go back to what Chris started earlier, the data itself never ever leaves the customer owned environment. So the customer's Salesforce, the customer's Heroku, the customer's platform as a service. The data itself is always contained within a facility that is owned and managed and fully auditable by the clients themselves.

And Heroku itself is an amazing extension of Salesforce and it has amazing abilities for security, IP restriction, private routing. All of the rich needs that allowed us to build Grax, is inherent with the Heroku platform itself. And the data itself never leaves the client environment itself. So that's how the chain of custody of data for Grax is preserved, and both auditable.

Is this a good option to replace Hadoop data lakes?

So without knowing what the Hadoop and its requirements are for the data itself that it's fulfilling, you can really think of-- a lot of these data lakes per se, are not mutually exclusive but additive to a lot of the customers' data lake efforts. So you can really think about Grax and the technology that it's there. It really is an extension that you can write applications on top of and you can extend your data lake today.

So we have customers today that the data and every version of data they're using to build applications, to extend business processes, and also to attach the Grax data lake to existing data lakes that are there today, so now they can have all access to all the data anywhere that they want.

Interesting for a Salesforce. Did ServiceSource have other data repositories or sources to deal with? This is applied to other customer data.

Linda, I might send this one your way.

Yeah, can you repeat that? Did we have other data sources to deal with besides Salesforce? Was that the question?


And basically, are you looking at scenarios that address data external to Salesforce?

Yeah, absolutely. So one really-- so the answer is absolutely, yes. We can store whatever we want in Grax on Heroku. And also, we've got other things that are running on Heroku as well. But for instance, specific to the global invoicing solution, Workday data is really key to the dashboards that I mentioned. That give us that high level view and then, of course, that ability to drill down and be able to look at revenue by, say center or region or things like that. And a lot of the data that's required to build that reporting comes from Workday. So that's one example of data that we're also bringing in.

Excellent. I know there may be one or two other questions. We wanted to give you guys a chance to ask, but as I'm scrolling through, they look like they're a little bit repetitive from some of the ones we've answered earlier in the time frame. So at this point, we'd love to end the webinar. If you have any questions, please feel free to reach out. There are a number of ways you can talk to your Salesforce rep. And you could reach out to ServiceSource directly as well.

We will follow up to everyone who attended with the recording of this webinar, as well as some information about how to get in touch if you're interested in learning a little bit more about ServiceSource and about Grax, and certainly about broken Salesforce and how this all works together. Again, thank you so much for joining us today. It was a pleasure to present the story to you and we'll see you next time. Take care.
