Since its inception as a CRM designed to empower sales teams through automation, Salesforce has added countless features and capabilities. It has also become a hub for huge amounts of organizations’ data. Although companies might begin their Salesforce adoption in a single department (like sales), the platform’s broad use cases mean that implementation, and the volume of data that follows, typically extends to other parts of the organization.
While this evolution has made the platform invaluable for companies around the globe, it’s also accelerated the “three Vs” of data: volume, variety, and velocity. Simply put, there’s more data being created, with varying levels of sensitivity.
But there’s also one new “V” to add to this data confidence crisis: The talent “vacuum”.
Finding Salesforce talent is hard enough these days, and it’s even harder to find people who understand Salesforce and data security. Salesforce is not just any SaaS platform; it’s extremely complex and nuanced. There’s a gap between Salesforce and security teams, which can result in miscommunication and misunderstanding – this creates more risk, as well as the potential for breaches and regulatory fines.
Taken together, all of these factors make managing and securing SaaS data more difficult than ever before. How can you make sure your security posture evolves with your use of Salesforce, while also ensuring that cross-functional teams like InfoSec, Compliance, and Centers of Excellence have the data they need to prove security strength? In this post, we outline four steps to help you get started. But first…
What Is a Security Posture?
Given the increased focus on data security, the term “security posture” is becoming more commonly used, especially as it relates to security in the cloud. According to the National Cybersecurity Alliance, security posture refers to the security status of an enterprise’s networks, information, and systems based on information security resources and capabilities in place to manage the defense of the enterprise and to react as the situation changes. To have a strong security posture, security teams must be able to:
- Understand their attack surface, with effective, real-time visibility into security gaps and vulnerabilities.
- Track the current status and effectiveness of security controls that have been deployed.
- Prevent, detect, and remediate threats.
Now that we’ve defined what security posture is, here’s how you can improve yours within Salesforce.
1. Identify Security Vulnerabilities
When you’re using a tool like Salesforce, which becomes more deeply embedded in your organization over time, you’ll want to regularly revisit and reassess your security posture. This will help you ensure that you’re taking into account new use cases and data requirements. Start by taking stock of your existing security posture and identifying the data you need to be protecting. After all, you can’t begin to improve if you don’t have a baseline for your data security risks.
Third-party tools can help you find weaknesses, but Salesforce also ships Salesforce Health Check, a free tool in Setup. It compares your org's security settings (password policies, session settings, and similar org-level configuration) with a baseline standard, scores the org on how closely those settings match, and lets you remediate flagged settings from the same page; you can also load a custom baseline that reflects your own policy. Keep in mind that it covers org-level configuration only, not your data model, sharing model, or custom code, so treat the score as one input to your baseline rather than a complete assessment.
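To turn a Health Check run into something you can track between reassessments, the following added example (not code from this post or from OwnBackup) triages a Health Check result set. It assumes the findings were fetched with the Tooling API query shown in the docstring, using the object and field names as documented for the Tooling API (confirm them against your API version), and it works on a constructed response embedded inline so it runs offline.

```python
"""Triage Salesforce Health Check findings fetched through the Tooling API.

Added example; it is not code from the original post or from OwnBackup.
It assumes you have already run the Tooling API query
    SELECT SettingGroup, Setting, RiskType, OrgValue, StandardValue
    FROM SecurityHealthCheckRisks
(object and field names as documented for the Tooling API; confirm them
against your API version) and saved the JSON. The response below is
constructed: the setting names and values are illustrative, not captured
from a real org.
"""
import json

SAMPLE_RESPONSE = json.dumps({
    "size": 5, "totalSize": 5, "done": True,
    "records": [
        {"SettingGroup": "PasswordPolicies", "Setting": "Minimum password length",
         "RiskType": "HIGH_RISK", "OrgValue": "5", "StandardValue": "8"},
        {"SettingGroup": "SessionSettings",
         "Setting": "Lock sessions to the IP address from which they originated",
         "RiskType": "MEDIUM_RISK", "OrgValue": "Disabled", "StandardValue": "Enabled"},
        {"SettingGroup": "SessionSettings", "Setting": "Require HttpOnly attribute",
         "RiskType": "LOW_RISK", "OrgValue": "Disabled", "StandardValue": "Enabled"},
        {"SettingGroup": "PasswordPolicies", "Setting": "Maximum invalid login attempts",
         "RiskType": "MEETS_STANDARD", "OrgValue": "3", "StandardValue": "3"},
        {"SettingGroup": "SessionSettings", "Setting": "Session timeout value",
         "RiskType": "INFORMATIONAL", "OrgValue": "8 hours", "StandardValue": "2 hours"},
    ],
})

# Ordered from best to worst; triage() and gate() compare positions in this list.
RISK_ORDER = ["MEETS_STANDARD", "INFORMATIONAL", "LOW_RISK", "MEDIUM_RISK", "HIGH_RISK"]


def load_risks(payload):
    """Parse a query response and refuse to work on a partial (paged) result."""
    data = json.loads(payload)
    if not data.get("done", False):
        raise ValueError("paged response: follow nextRecordsUrl before triaging")
    return data["records"]


def rank(risk_type):
    """Position in RISK_ORDER; anything unrecognised ranks worse than HIGH_RISK
    so a new risk category added by Salesforce is never silently ignored."""
    return RISK_ORDER.index(risk_type) if risk_type in RISK_ORDER else len(RISK_ORDER)


def triage(records):
    """Group findings by RiskType, worst group first, dropping settings that
    already meet the standard. Each entry is (group, setting, org, standard)."""
    by_risk = {}
    for r in records:
        if r["RiskType"] == "MEETS_STANDARD":
            continue
        by_risk.setdefault(r["RiskType"], []).append(
            (r["SettingGroup"], r["Setting"], r["OrgValue"], r["StandardValue"]))
    return {k: sorted(by_risk[k]) for k in sorted(by_risk, key=rank, reverse=True)}


def gate(records, tolerate="LOW_RISK"):
    """CI-style check returning (passed, blocking): any finding ranked worse
    than `tolerate` blocks, so a release stops when the org drifts below
    the baseline agreed with InfoSec."""
    limit = rank(tolerate)
    blocking = [
        f'{r["SettingGroup"]}/{r["Setting"]}: {r["OrgValue"]} (standard: {r["StandardValue"]})'
        for r in records if rank(r["RiskType"]) > limit
    ]
    return (not blocking, blocking)


if __name__ == "__main__":
    recs = load_risks(SAMPLE_RESPONSE)
    for level, items in triage(recs).items():
        print(level)
        for group, setting, org, std in items:
            print(f"  [{group}] {setting}: {org} (standard: {std})")
    passed, blocking = gate(recs)
    print("baseline gate:", "PASS" if passed else "FAIL")
    for line in blocking:
        print("  ", line)
```

Run it on each reassessment and diff the `triage()` output against the previous run; `gate()` is the piece to wire into a deployment pipeline. The unknown-category handling in `rank()` matters because Salesforce adds Health Check settings over releases, and a check that ignores what it does not recognise quietly rots.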
2. Classify Your Data
Organizations change – new fields, lists, reports, and features are constantly being added to your Salesforce org. Before they're released into the wild, make sure each piece of data is classified properly. Salesforce gives every standard and custom field Data Classification attributes (data owner, field usage, data sensitivity level, and compliance categorization) that you can fill in and report on, so use them to record which fields hold regulated or sensitive data. That classification should drive the protection decision: whether Salesforce Shield, another application, or the platform's built-in controls can meet the field's protection needs.
3. Implement Security Controls
Understanding your data and identifying vulnerabilities are foundational steps to strengthening your org’s security posture, as well as reducing risk. But organizations must take the next step to implementing the correct security controls to mitigate that risk.
This exercise should include:
- User access controls: Enforce least privilege with profiles, permission sets, and sharing rules, and review field-level security on sensitive fields, so that a user who can open a record cannot necessarily read every field on it.
- Encryption at rest: Salesforce Shield Platform Encryption encrypts field, file, and attachment data at rest, but it takes planning: encrypted fields lose some functionality (for example, fields encrypted with the probabilistic scheme cannot be filtered or sorted on), and tenant key management becomes your responsibility.
- Data backup and recovery: Under the shared-responsibility model, Salesforce keeps the service running, but restoring records lost to accidental deletion, a bad data load, or a misbehaving integration is on you; keep backups, and test restoring from them.
- Data anonymization in non-production environments: Full and Partial Copy sandboxes carry production records, so mask or synthesize sensitive fields before developers, contractors, and test tools get access, while keeping the data realistic enough for testing.
- Data archiving: Retain data for exactly as long as governance and compliance require, then remove it; data you no longer hold cannot be exposed.
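Steps 2 and 3 fit together: the classification recorded on a field should decide which control it gets. The following added example (not code from this post or from OwnBackup) parses the Data Classification tags that Salesforce stores in field metadata (`securityClassification` and `complianceGroup`, as they appear in SFDX source files), lists fields still lacking a classification, maps each classified field to a control, and applies a keyed, format-preserving mask to the fields flagged for sandbox anonymization. The field XML and records are constructed, and the control names and masking scheme are this example's own conventions, not a Salesforce feature.

```python
"""Drive step-3 controls from the step-2 classification recorded on each field.

Added example, not code from the original post or from OwnBackup. It reads
field metadata in SFDX source format (*.field-meta.xml), where Salesforce's
Data Classification attributes appear as <securityClassification> and
<complianceGroup>. The XML and records below are constructed, and the
control names and masking scheme are this example's conventions.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}

# Constructed metadata for three custom fields, keyed by Object.Field.
FIELD_XML = {
    "Contact.SSN__c": """<?xml version="1.0" encoding="UTF-8"?>
<CustomField xmlns="http://soap.sforce.com/2006/04/metadata">
    <fullName>SSN__c</fullName>
    <type>Text</type>
    <securityClassification>Restricted</securityClassification>
    <complianceGroup>PII;CCPA</complianceGroup>
</CustomField>""",
    "Contact.Newsletter_Opt_In__c": """<?xml version="1.0" encoding="UTF-8"?>
<CustomField xmlns="http://soap.sforce.com/2006/04/metadata">
    <fullName>Newsletter_Opt_In__c</fullName>
    <type>Checkbox</type>
    <securityClassification>Internal</securityClassification>
</CustomField>""",
    # Added years ago and never classified: exactly the gap step 2 should catch.
    "Account.Legacy_Notes__c": """<?xml version="1.0" encoding="UTF-8"?>
<CustomField xmlns="http://soap.sforce.com/2006/04/metadata">
    <fullName>Legacy_Notes__c</fullName>
    <type>LongTextArea</type>
</CustomField>""",
}

SENSITIVE_GROUPS = {"PII", "PCI", "HIPAA", "GDPR", "CCPA", "COPPA"}
# securityClassification picklist values; confirm against your API version.
PROTECTED = {"Confidential", "Restricted", "MissionCritical"}
ENCRYPT = {"Restricted", "MissionCritical"}

def parse_field(xml_text):
    """Pull the two Data Classification tags out of one field-meta.xml document."""
    root = ET.fromstring(xml_text)
    cls = root.find("m:securityClassification", NS)
    groups = root.find("m:complianceGroup", NS)
    return {"security_classification": cls.text if cls is not None else None,
            "compliance_groups": set(groups.text.split(";")) if groups is not None else set()}

def unclassified(fields):
    """Names of fields with no securityClassification; classify these before release."""
    return sorted(n for n, f in fields.items() if f["security_classification"] is None)

def plan_controls(field):
    """Map one field's classification to the controls it needs."""
    cls = field["security_classification"]
    if cls is None:
        return {"classify"}  # no control can be chosen for data nobody has classified
    controls = set()
    if cls in PROTECTED:
        controls |= {"restrict_fls", "mask_in_sandbox"}
    if cls in ENCRYPT:
        controls.add("shield_encrypt")
    if field["compliance_groups"] & SENSITIVE_GROUPS:
        controls.add("mask_in_sandbox")  # regulated data never reaches a sandbox in clear
    return controls

def mask_value(value, key):
    """Keyed, deterministic, format-preserving pseudonym for sandbox seeding:
    digits stay digits and letters stay letters (validation rules keep working),
    equal inputs give equal outputs (lookups still join), and without `key`
    the mapping can be neither recomputed nor reversed."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    out = []
    for i, ch in enumerate(value):
        b = digest[i % len(digest)]
        if ch.isdigit():
            out.append(str(b % 10))
        elif ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + b % 26))
        else:
            out.append(ch)
    return "".join(out)

def mask_records(records, plans, key):
    """Return copies of `records` with every mask_in_sandbox field pseudonymised."""
    masked = []
    for rec in records:
        new = dict(rec)
        for name, value in rec.items():
            if "mask_in_sandbox" in plans.get(name, set()) and isinstance(value, str):
                new[name] = mask_value(value, key)
        masked.append(new)
    return masked

if __name__ == "__main__":
    fields = {name: parse_field(xml) for name, xml in FIELD_XML.items()}
    print("unclassified:", unclassified(fields))
    plans = {name: plan_controls(f) for name, f in fields.items()}
    for name, controls in plans.items():
        print(f"{name}: {sorted(controls)}")
    rows = [{"Contact.SSN__c": "123-45-6789", "Contact.Newsletter_Opt_In__c": "true"}]  # constructed
    print(mask_records(rows, plans, key=b"sandbox-mask-key-keep-out-of-source"))
```

Two design points carry over to a real implementation: `unclassified()` is the check to run in CI against the metadata repository so a new field cannot reach production without a classification, and the mask is keyed with HMAC rather than a plain hash so that someone with sandbox access cannot rebuild the mapping by hashing guessed values; keep that key with your other secrets, not in the repository.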
4. Prove Compliance for Audits
Audits are designed to reveal blind spots or security vulnerabilities before they present a problem. While the resulting reports are hardly best-seller material, they contain valuable insights that can shore up gaps in your organization’s security posture – provided you take advantage of them.
Conducting regular security audits will help stress-test your strategy, but these exercises are useful only if you put the findings into practice promptly. Make sure that each audit concludes with a thorough investigation into your findings, as well as a reassessment of your security strategy before the books are put away until the next quarter.
Salesforce is an incredible tool, and the platform has expanded far beyond what early adopters thought possible. Unfortunately, its impressive suite of capabilities has led to the mistaken assumption that Salesforce is solely responsible for data stored on the platform.
That couldn’t be further from the truth, and companies should reevaluate their security measures and Salesforce configuration settings to take steps toward a more secure future. After all, Salesforce security is a shared responsibility.
As a managed package built natively on the Salesforce platform, OwnBackup Secure delivers powerful data security insights. These can help to guide data classification, compliance requirements, encryption, and evidence-based reporting to give security leaders confidence in their SaaS data. Be sure to check out OwnBackup to learn more.