In March 2022, The White House issued a statement relating to the war in Ukraine. The focus was on the potential for Russia to increase cyberattacks against US organizations.
A series of recommendations were included to help companies fortify themselves against cyberattacks and reinforce their data security strategies.
Many of these guidelines speak directly to potential issues within Salesforce DevOps, such as:
“Check with your cybersecurity professionals to make sure that your systems are patched and protected against all known vulnerabilities, and change passwords across your networks so that previously stolen credentials are useless to malicious actors.”
Let’s look into how this relates to your Salesforce DevOps environment and what you can do about it. The first step is to understand the potential vulnerabilities because you can’t guard against something you aren’t aware of.
How This Relates to Challenges Within Salesforce
Organizations often struggle to manage the number of profiles and roles they have accumulated. Gaps between profiles can be confusing and challenging to debug. The complex mix of sharing mechanisms in Salesforce leads users to adopt practices that create security risks, which can be exploited by both insider and outsider threats.
Shortcuts are often used to overcome that complexity, which increases risk. One example is granting a user the Modify All permission when all they need is read access or the ability to edit a single field.
Password exposure and malware risk are a constant concern for every environment, including Salesforce.
While we’re familiar with malware and ransomware arriving through a browser, it can actually be distributed in multiple ways, such as through documents uploaded as attachments. That puts everyone who opens the file at risk.
Stolen passwords continue to be a threat, especially if you don’t have good endpoint protection.
You are responsible for your security in the Salesforce environment. Salesforce does a lot to protect the platform, but you’re responsible for your own security within your particular org or instance.
Vulnerabilities in the Salesforce Sharing and Security Architecture
The sharing architecture within Salesforce is very complex. Org-wide defaults set the baseline, and Salesforce is currently transitioning permission management away from profiles toward permission sets. So, when should you be applying more precision versus wider sharing?
Viewed in totality, this can be confusing. Users often create profiles to cover various aspects of permissions, yet profiles don’t encompass everything that governs access, such as named credentials, password policies, certificates, and keys.
Here are some questions you should ask yourself to assess your vulnerabilities:
- What are your org’s sharing settings for commonly used objects?
- Do you have more profiles than users?
- Do you use Guest Sharing Rules?
- When was the last time you audited the connected apps and auth providers?
- When was the last time you ran a Health Check?
These scenarios are unfortunately common and should be examined for vulnerabilities. Something as simple as enabling guest sharing introduces the possibility of data being exfiltrated through guest users. And as we’ve seen with the recent Heroku breach, auth providers have the potential to create backdoors for cybercriminals.
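To make the checklist above concrete, here is an added example (not code from the original post) that turns the first four questions into checks a reviewer can run. The SOQL strings are the queries I would issue against the org with the Salesforce CLI or the REST API; the record lists are constructed samples shaped like their results so the checks run offline. The set of "sensitive" objects and the approved auth provider list are assumptions you would replace with your own.

```python
"""Offline evaluation of the Salesforce sharing checklist.

Added example. The SOQL strings are the queries to run against the org; the
SAMPLE_RESULTS below are constructed, not taken from a real org. Confirm field
and object names against your org's API version before relying on them.
"""

# Queries that answer the checklist questions (assumed to be executed by the caller).
QUERIES = {
    "owd": ("SELECT QualifiedApiName, InternalSharingModel, ExternalSharingModel "
            "FROM EntityDefinition WHERE QualifiedApiName IN ('Account','Contact','Case')"),
    "profiles": "SELECT COUNT() FROM Profile",
    "active_users": "SELECT COUNT() FROM User WHERE IsActive = true",
    "guest_users": ("SELECT Username, Profile.Name FROM User "
                    "WHERE UserType = 'Guest' AND IsActive = true"),
    "auth_providers": "SELECT DeveloperName, ProviderType FROM AuthProvider",
}

# Org-wide default values that expose every record to all users of that kind.
OPEN_MODELS = {"Read", "ReadWrite", "ReadWriteTransfer", "FullAccess"}
# Assumption: objects that carry PII in this org and should default to Private.
SENSITIVE_OBJECTS = {"Account", "Contact", "Case"}


def check_owd(owd_records):
    """Flag sensitive objects whose internal or external OWD is wider than Private."""
    findings = []
    for rec in owd_records:
        name = rec["QualifiedApiName"]
        if name not in SENSITIVE_OBJECTS:
            continue
        if rec["InternalSharingModel"] in OPEN_MODELS:
            findings.append(f"{name}: internal OWD is {rec['InternalSharingModel']}")
        if rec["ExternalSharingModel"] in OPEN_MODELS:
            findings.append(f"{name}: external (guest/community) OWD is {rec['ExternalSharingModel']}")
    return findings


def check_profile_sprawl(profile_count, active_user_count):
    """The post's rule of thumb: more profiles than active users signals sprawl."""
    return profile_count > active_user_count


def check_guest_users(guest_records):
    """Active guest users let unauthenticated visitors reach data; list them for review."""
    return [f"{g['Username']} ({g['Profile']['Name']})" for g in guest_records]


def check_auth_providers(provider_records, approved):
    """Auth providers not on the approved list need an explicit owner and review."""
    return [p["DeveloperName"] for p in provider_records if p["DeveloperName"] not in approved]


def run_audit(results, approved_providers=frozenset()):
    """results maps the QUERIES keys to already-executed query output."""
    return {
        "open_owd": check_owd(results["owd"]),
        "profile_sprawl": check_profile_sprawl(results["profiles"], results["active_users"]),
        "guest_users": check_guest_users(results["guest_users"]),
        "unreviewed_auth_providers": check_auth_providers(
            results["auth_providers"], approved_providers),
    }


# Constructed sample results (not from a real org).
SAMPLE_RESULTS = {
    "owd": [
        {"QualifiedApiName": "Account", "InternalSharingModel": "Private", "ExternalSharingModel": "Private"},
        {"QualifiedApiName": "Contact", "InternalSharingModel": "ReadWrite", "ExternalSharingModel": "Private"},
        {"QualifiedApiName": "Case", "InternalSharingModel": "Private", "ExternalSharingModel": "Read"},
    ],
    "profiles": 61,
    "active_users": 48,
    "guest_users": [
        {"Username": "guest@support-site.example.com", "Profile": {"Name": "Support Site Profile"}},
    ],
    "auth_providers": [
        {"DeveloperName": "Corporate_SSO", "ProviderType": "OpenIdConnect"},
        {"DeveloperName": "Legacy_Partner_Login", "ProviderType": "Salesforce"},
    ],
}

if __name__ == "__main__":
    for check, result in run_audit(SAMPLE_RESULTS, {"Corporate_SSO"}).items():
        print(f"{check}: {result}")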
Profile Deployment and the Risks Associated
Profiles are a complex matrix of permissions. The multiple profile metadata types are confusing and often misunderstood because they frequently overlap.
For example, a profile deployed from one sandbox to another is, by default, cloned from the standard profile. This introduces differences between the two sandboxes unless you have tooling in place to compare the settings and enforce them from one sandbox to the next. Without that, the deployment can also grant all sorts of unintended permissions that are exposed in the process.
Salesforce recognizes that this is challenging. The rollout of Permission Set Groups started in 2019 as a way of creating organizational roles. It’s highly recommended to transition away from profiles to role-based Permission Set Groups. It will give you better integrity across your sharing architecture and your permissions policies.
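The drift described above is easiest to catch before deployment by diffing the retrieved Profile metadata of the source and target sandboxes. The following is an added example, not code from the original post: it parses two Profile metadata XML documents in the shape the Metadata API retrieves, reports every grant the target has that the source lacks, and singles out the high-risk ones (Modify All Data, Modify All on an object) that the post warns about. The two XML strings are constructed minimal profiles; the list of high-risk user permissions is an assumption you would extend.

```python
"""Report permission drift between two retrieved Salesforce Profile files.

Added example. SOURCE_PROFILE and TARGET_PROFILE are constructed; in practice
read the .profile-meta.xml files retrieved from each sandbox.
"""
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}
OBJECT_FLAGS = ("allowRead", "allowEdit", "allowDelete", "modifyAllRecords", "viewAllRecords")
# Assumption: user permissions that should block a deployment if they appear only in the target.
HIGH_RISK_USER_PERMS = {"ModifyAllData", "ViewAllData", "ManageUsers", "AuthorApex"}


def load_profile(xml_text):
    """Return the enabled user permissions and per-object flags of a Profile document."""
    root = ET.fromstring(xml_text)
    user_perms = {
        up.findtext("m:name", namespaces=NS)
        for up in root.findall("m:userPermissions", NS)
        if up.findtext("m:enabled", namespaces=NS) == "true"
    }
    object_perms = {}
    for op in root.findall("m:objectPermissions", NS):
        obj = op.findtext("m:object", namespaces=NS)
        object_perms[obj] = {
            flag for flag in OBJECT_FLAGS if op.findtext(f"m:{flag}", namespaces=NS) == "true"
        }
    return {"user": user_perms, "object": object_perms}


def diff_profiles(source, target):
    """Grants present in target but absent in source, with the high-risk ones listed separately."""
    extra_user = sorted(target["user"] - source["user"])
    extra_object = {}
    for obj, flags in target["object"].items():
        gained = flags - source["object"].get(obj, set())
        if gained:
            extra_object[obj] = sorted(gained)
    high_risk = sorted(p for p in extra_user if p in HIGH_RISK_USER_PERMS)
    high_risk += sorted(f"{o}.modifyAllRecords" for o, f in extra_object.items()
                        if "modifyAllRecords" in f)
    return {"user": extra_user, "object": extra_object, "high_risk": high_risk}


def safe_to_deploy(diff):
    """Gate: a target profile that gains a high-risk grant should not ship unreviewed."""
    return not diff["high_risk"]


# Constructed: the profile as it exists in the source sandbox.
SOURCE_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <objectPermissions>
        <allowCreate>false</allowCreate><allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit><allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords><object>Invoice__c</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
</Profile>"""

# Constructed: the same profile after being cloned from a standard profile in the target.
TARGET_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <objectPermissions>
        <allowCreate>false</allowCreate><allowDelete>false</allowDelete>
        <allowEdit>true</allowEdit><allowRead>true</allowRead>
        <modifyAllRecords>true</modifyAllRecords><object>Invoice__c</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <objectPermissions>
        <allowCreate>false</allowCreate><allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit><allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords><object>Contract</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
    <userPermissions><enabled>true</enabled><name>ModifyAllData</name></userPermissions>
    <userPermissions><enabled>false</enabled><name>ManageUsers</name></userPermissions>
</Profile>"""

if __name__ == "__main__":
    drift = diff_profiles(load_profile(SOURCE_PROFILE), load_profile(TARGET_PROFILE))
    print(drift)
    print("safe to deploy:", safe_to_deploy(drift))
```

Running the same comparison in the other direction (source minus target) shows what the deployment would silently revoke, which is the other half of the drift problem.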
Embrace Multi-Factor Authentication
Salesforce began requiring multi-factor authentication on February 1, 2022, but not for all products. In fact, many products won’t enforce MFA until 2023. Right now, the requirement applies only to the core Salesforce platform and not to the other Salesforce cloud products.
Familiarize yourself with the MFA roadmap so you understand which aspects of Salesforce are covered and which are not.
Product | Projected MFA Auto-Enablement Date | Projected MFA Enforcement Date | Notification and Details
---|---|---|---
Products built on the Salesforce Platform | Between January and June 2023 | September 2023 | Email Notification
B2C Commerce Cloud | Between May 1-31, 2022 (in the Spring Maintenance release) | Same time as auto-enablement | Email Notification, Release Note
Click Software - Field Service Edge (FSE) | No auto-enablement planned | June 2022 (in the MR12 Spring Maintenance release) | Email Notification
Click Software - Service Optimization V8 Cloud | No auto-enablement planned | June 2022 | Email Notification
Heroku | June 1, 2022 | Same time as auto-enablement (June 1, 2022) | Email Notification
Marketing Cloud - Datorama | Between September and November 2022 | Same time as auto-enablement | Email Notification
Marketing Cloud - Email Studio, Mobile Studio, and Journey Builder | October 2021 (in the October 2021 release) | June 1-17, 2022 (in the Summer 2022 release) | Email Notification, Release Note
Marketing Cloud - Social | Privileged Users: May 9-13, 2022; All Users: Between June and August 2022 | All Users: November 30, 2022 | Email Notification, Release Note
Mulesoft Anypoint Platform | New Users: July 23, 2022; All Users: October 29, 2022 | Second half of 2023 | Email Notification, Article
Quip Products | February 1, 2022 | May 1, 2022 | Email Notification
Tableau Online | Privileged Users: June 21, 2022; All Users: Between July and September 2022 | Same time as auto-enablement | Email Notification
Strong Passwords
In the meantime, continue to emphasize the importance of strong passwords. Encourage your users and team members to adhere to the Department of Defense recommendation of a minimum of 15 characters for each password.
Update Permissions, Avoid Technical Debt
It’s very easy to create technical debt when it comes to profiles and permissions. Audit your current settings to ensure user permissions are up to date. Salesforce’s Health Check tool can be used to identify gaps.
Be Aware of Phishing Attempts
Many environments are targeted not only daily, but hourly. Bad actors are always looking to gain access to your Salesforce environment through malware—potentially by infecting an endpoint—or through ransomware.
Summary
Protecting yourself against the potential vulnerabilities outlined by the White House necessitates constant attention and an honest look at your current processes. Cybercriminals are constantly growing more sophisticated. Our defenses against them need to evolve as well.