We’re all becoming media companies with a huge amount of value in our digital assets and information systems. This makes cybersecurity more important than ever, and it will only keep growing in importance. Cybersecurity goes beyond departmental lines, requiring vigilance and planning from the whole organization. That goes for Salesforce too – all members of an organization bear some responsibility for securing Salesforce to provide the best protection possible.
In this article, I’ll explain key cybersecurity concepts, particularly Zero Trust, and provide actionable insights you can apply to your own Salesforce security effort.
Here’s how this article will benefit you, whether you’re a Salesforce user, admin, or IT professional:
- Salesforce Users: Gain awareness of what’s going on in the cybersecurity landscape and ways you can keep Salesforce secure.
- Salesforce Admins: Know the action steps you can take to improve your security posture.
- IT Professionals: Increase your awareness of the depth and capability of Salesforce and how it can be managed to achieve any security standard.
So, let’s break this down into a few key concepts and see how they apply to Salesforce.
Understanding Zero Trust
Before getting into everything, we have to start with a baseline concept fundamental to a strong security policy: Zero Trust. The concept of Zero Trust is gaining in popularity (and will become a requirement in the future) in the IT industry.
Zero Trust should be the mentality with which you approach building a cybersecurity framework for Salesforce, which we will cover next.
What Is Zero Trust?
While a traditional perimeter-based security model generally grants access to everything once a user has authenticated, Zero Trust asks us to operate on the assumption that any request, at any time, could be from a bad actor.
Zero Trust requires systems that continually challenge the user’s identity and actions and offer layers of protection for data. However, it is much more than technology and technical controls – it’s a way of thinking. Zero Trust asks the question: How can we validate that EVERY request is for our business’s betterment and not from a bad actor? This implicit lack of trust at the technical level sets up a baseline for building strategy and systems to support it.
Creating Your Salesforce Cybersecurity Strategy
Now that you’ve got your ‘Zero Trust’ hat on, we’ll move into the practical application: How can you build a cybersecurity strategy for Salesforce that puts Zero Trust principles in action?
Cybersecurity is a complex discipline that requires coordination between several departments, such as business, IT, compliance, legal, and operations. Therefore, it is paramount to have a cybersecurity program in place that helps with goal setting and manages the required collaboration to make these efforts efficient and successful.
In my opinion, one of the most helpful tools out there is the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The framework is based on five principles that can be applied to Salesforce to help guide the overall prioritization and improvement of your security posture. Out of the many frameworks available, NIST is easy to grasp and provides five core concepts to map your actions to. However, it is also 55 pages long, so I’ll summarize those five concepts here:
- Identify: Do you know what data you have in your organization? Have you classified the data and associated risk?
- Protect: Are you taking measures to protect the identified assets (everything from authentication, encryption, and associated technical controls)?
- Detect: Do you have the capability to detect activity if there is an ongoing incident?
- Respond: Do you have plans in place to deal with active incidents and limit risk? Are these plans testable and tested?
- Recover: After an incident, do you have the technology and processes in place to recover from the incident?
At a minimum, here are a few baselines to consider for your program:
- Draft a cybersecurity charter that outlines your organization’s position on cybersecurity, your values, and which compliance statutes you’re required to have.
- Align to a framework such as NIST, ISO, or CSC to provide a roadmap for strategy and execution.
- Maintain a task force that meets quarterly (at minimum) to set annual goals and manage accountability for cybersecurity initiatives.
- Work with accounting to maintain appropriate funding for cybersecurity initiatives.
- Create program documentation, including meeting minutes, policies, and technical guides.
- Draft critical policies, including data loss scenarios, privacy policy, cybersecurity incident response, and disaster planning. These policies are required by many compliance statutes and create actionable expectations for all teams involved in protecting an organization’s data.
- Define key roles and escalations and include them in relevant policies.
Begin by using this strategy as a framework, then build specific policies and controls for Salesforce that establish a Zero Trust posture. Next, I’ll cover four areas where you can do that.
4 Focuses of Salesforce-Specific Security
1. Perimeter
Even though Zero Trust is stricter than traditional perimeter-based security, the perimeter is still your first and most public line of defense. You need to wrap authentication around Salesforce, and for it to be considered a secure perimeter, it needs to be multi-factor.
Here’s how to plan for and enhance your perimeter defense:
- Align with your organization’s identity provider to create a more user-friendly environment and allow reliable management of users during onboarding and offboarding.
- Configure session settings to minimize ‘stale’ sessions.
- Restrict login locations so that logins must come from within your VPN if you have one, and consider geographical or time-based restrictions.
- If you’re still using passwords, enforce strong password rules (requiring symbols and 16+ characters).
2. Technical Controls Beyond the Perimeter
Beyond the perimeter, the remaining domains of Zero Trust rely on technical controls within Salesforce and in other systems that work together. You need active controls throughout the system. Here’s what you can do:
- Create a strong multi-factor authentication scheme.
- Introduce session-based security, which locks the session to one token, IP, or geographical area to prevent hijacking.
- Implement Shield Encryption for key data points at the physical and application layers with decrypt permissions only given on a need-to-know basis.
- Use least privilege Salesforce profiles, permission sets, and permission set groups that align with user personas.
- Set up role hierarchy to only grant access to a minimal set of records based on the user’s function.
- Create an entitlement tracking process to manage user access and privilege requests.
- Implement data loss prevention to eliminate the ability to export data from the system.
- Use Shield Logging to introduce active logging and proactive alerts for concerning situations (such as large export requests).
- Install data change history tracking and backup/restore capabilities.
- Align with other IT security measures such as identity management, centralized logging, and VPN.
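The Shield Logging and VPN points above can be turned into a concrete review. The following is an added example, not code from the original article or from Salesforce: it reads a constructed CSV in the shape of an Event Monitoring export (the column names, the VPN range and the row threshold are assumptions) and flags report exports that are large, that accumulate past the threshold across several requests, or that come from outside the VPN.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample in the shape of an Event Monitoring CSV export.
# Column names are an assumption for illustration, not the product's schema.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_IP,ROW_COUNT
ReportExport,20240301120000.000,005000000000001,10.8.0.15,120
ReportExport,20240301120500.000,005000000000002,10.8.0.22,45000
ReportExport,20240301121000.000,005000000000003,203.0.113.7,4000
ReportExport,20240301121500.000,005000000000003,203.0.113.7,7000
Login,20240301121600.000,005000000000004,10.8.0.30,
"""

# Assumed policy values: the VPN range logins are expected to come from, and
# the number of exported rows above which a request deserves a look.
VPN_RANGES = [ipaddress.ip_network("10.8.0.0/16")]
LARGE_EXPORT_ROWS = 10000


def inside_vpn(ip, vpn_ranges=VPN_RANGES):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in vpn_ranges)


def review_exports(log_text, vpn_ranges=VPN_RANGES, threshold=LARGE_EXPORT_ROWS):
    """Return sorted (user_id, reason) findings for ReportExport events."""
    findings = set()
    rows_by_user = defaultdict(int)
    single_flagged = set()
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["EVENT_TYPE"] != "ReportExport":
            continue
        user, count = row["USER_ID"], int(row["ROW_COUNT"] or 0)
        rows_by_user[user] += count
        if count >= threshold:
            findings.add((user, "single export of %d rows" % count))
            single_flagged.add(user)
        if not inside_vpn(row["CLIENT_IP"], vpn_ranges):
            findings.add((user, "export from non-VPN address %s" % row["CLIENT_IP"]))
    # Several smaller exports that add up past the threshold are also worth a look.
    for user, total in rows_by_user.items():
        if total >= threshold and user not in single_flagged:
            findings.add((user, "cumulative exports of %d rows" % total))
    return sorted(findings)


if __name__ == "__main__":
    for user, reason in review_exports(SAMPLE_LOG):
        print(user, reason)
```

Each finding is a prompt for review under the entitlement tracking process, not proof of misuse.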
3. Vendors
This may come as a shock, but vendors are often overlooked from a cybersecurity perspective and regularly granted more access than required for their job function. Often, they have even more access than employees of the organization.
Why is this so risky? Vendors have unknown IT stacks, vulnerabilities, and staffing rules, which introduce a lot of unknowns. Here are ways to mitigate these risks:
- Create a formal vendor onboarding process that evaluates vendors and requires them to attest to having adequate IT controls and compliance standards.
- Require vendors to “onboard” to your own managed IT stack for any systems access.
- Instead of making vendors administrators by default, carefully control their access to systems with as much restriction as possible that still allows them to carry out their job function.
- Audit vendor access regularly to ensure users are offboarded once the project is completed.
- Require that vendors attend and complete onboarding training that includes an introduction to risk and your organization’s IT controls and expectations.
4. Training
What good are all of these great technical controls if people are still your greatest weakness? A well-meaning user who clicks a malicious link and exposes their machine to malware could do as much damage as an external attacker.
Baking in an ongoing cybersecurity training and awareness program is crucial for protecting your data against a wide range of common attacks. Educate your teams about the following:
- Phishing and its variants, like SMShing and spear phishing, which are more sophisticated and effective ways of tricking users into undermining a system’s defenses
- Privacy fundamentals and what statutes apply to your organization
- Social engineering and how people are often manipulated into giving up credentials inadvertently
- Physical security considerations both in the office and while traveling or working from home
Conduct your trainings regularly and require team members and contractors to complete them where applicable.
Build a Secure Salesforce With a Zero Trust Posture
Cybersecurity is not just a task for the IT team but the whole company. The path to a strong cybersecurity posture requires active participation from many departments, including Salesforce users, admins, vendors, the IT team, and leadership. To keep moving your cybersecurity posture in the right direction, consider these takeaways:
- Create a cybersecurity task force, draft a charter, and evaluate policy.
- Adopt a cybersecurity framework (such as NIST) to help govern your decision-making.
- Audit your vendors and their system access.
- Evaluate your technical controls and consider improvements and remediations to achieve a higher standard.
- Invest in training for users and vendors.
Remember, cybersecurity isn’t just about compliance, and it’s not just a series of checkboxes. It’s about building a proactive, security-minded culture across the entire organization so you can anticipate and adapt to future challenges. View it as an essential and dynamic strategy that is integral to your organization’s long-term success.
5 Salesforce Security Resource Recommendations
If you want to go deeper into cybersecurity within the Salesforce ecosystem, take a look at these five resources:
- Salesforce Trailhead: Salesforce’s own Trailhead provides a range of modules focused on best practices for security, understanding Salesforce’s security model, and implementing these practices within your organization. This is an excellent starting point for Salesforce Admins and users.
- NIST Cybersecurity Framework: NIST offers comprehensive documentation on its cybersecurity framework, which is invaluable for understanding how to apply these principles within any organization, including those using Salesforce.
- Salesforce Security Guide: Salesforce provides an extensive security guide that covers best practices, tips, and how-tos for securing your Salesforce environment. This guide is crucial for administrators and developers looking to bolster their organization’s security.
- Cybrary: Offering a wide range of cybersecurity courses, Cybrary is a platform that facilitates the development of cybersecurity skills, including those related to cloud security and data protection, which are pertinent for Salesforce professionals.
- SANS Institute: The SANS Institute offers cybersecurity training and certification, including courses that touch on cloud security, a relevant area for Salesforce users aiming to understand broader cybersecurity concepts applicable to cloud platforms.
Summary
The significance of cybersecurity cannot be overstated. Organizations must adopt a proactive approach to provide the best protection possible.
Cybersecurity is not just a compliance requirement but a dynamic strategy that is essential for safeguarding your organization’s long-term success. It is crucial that you build your own Salesforce cybersecurity strategy, protect your data, and contribute to a more secure ecosystem.