Welcome to the era of data breaches. If cybercrime were measured as a country, then with the damages it inflicted globally in 2022, totaling $6 trillion USD, it would have the world’s third-largest economy after the U.S. and China. Cybercrime is increasing at a rapid rate, with damages estimated to rise to $10.5 trillion USD by 2025, and that growth is a direct threat to Salesforce Marketing Cloud security.
The reality is that cybercrime is a growth industry where the returns are great and the risks are low. Attackers target platforms and infrastructure that store customer data, and Salesforce Marketing Cloud is exactly such a platform. Fortunately, and somewhat remarkably, no data breach has been publicly linked to Salesforce Marketing Cloud to date, but this could change soon, given the exponential growth of cybercrime and the fact that many Marketing Cloud customers are behind the eight ball when it comes to security.
The good news is that the relevant security configurations are relatively simple to address and should be easy to implement. This article identifies key areas where Salesforce Marketing Cloud security is commonly weak and open to exploitation, and explains how to address each of them.
1. Security Settings
The quickest and most obvious step is to ensure that the security settings on your account align with Salesforce’s recommended settings.
Some users choose to disregard these recommendations out of convenience (for example, setting passwords to never expire), but doing so compromises your Salesforce Marketing Cloud security.
Additionally, it’s recommended to enable Enforce Export Email Allowlist in Security Settings and to limit the individual email addresses that can receive reports, including subscriber data extracts.
2. User Access Reviews
When staff or contractors leave an organization, their Marketing Cloud access can be overlooked, and as a result they may still be able to get into the platform, allowing them to export data or behave maliciously.
Marketing Cloud customers should periodically verify that only legitimate users have access to the platform and review user access regularly, revoking access for everyone who no longer requires it.
3. Principle of Least Privilege
The Principle of Least Privilege, or ‘PoLP’, refers to the practice of granting users the minimal level of permissions that allows them to perform their role.
Assigning a broad permission scope can allow users to perform malicious activities, like deleting or copying data. Giving users administrative privileges enables them to access API credentials, which could then be used to perform activities like retrieving data, even after their user account is disabled.
Marketing Cloud offers a highly granular permission set and allows custom user roles to be created. You should assign or create roles that tightly align with responsibilities, so users can only access specific applications and features that they need to perform their work.
4. API Users
Many Marketing Cloud Administrators inadvertently enable the ‘API User’ checkbox when creating new users, without any understanding of what the option actually does or the implications of enabling it.
This username-and-password-based authentication setting was superseded in 2012 with the introduction of the OAuth authentication flow. While this legacy authentication option is still available, it’s highly recommended to keep it turned off, because by default the passwords of API users are excluded from expiration in password policies.
Additionally, OAuth authentication (using credentials from Installed Packages) provides a superior and more secure authentication flow, exchanging credentials for a time-limited token rather than sending a long-lived password with every request.
5. API Credentials
How and where API authentication credentials are stored, and who has access to them, should be a key concern for many Marketing Cloud customers.
API credentials (consisting of a client ID, client secret and tenant-specific endpoints) are defined when creating an Installed Package in the platform with an API Integration component. The problem is that administrators (and developers alike) commonly create these components with a very broad scope.
The scope of an API component defines which platform features the API integration can access, but to remove the guesswork, the scope is often set with all options enabled. The risk with this practice is that if the API credentials are compromised, an attacker can perform almost any user action, effectively gaining a ‘backdoor’ into the platform without ever needing to log in.
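A practical counterpart to narrowing the Installed Package scope is to have each integration request only the scopes it needs and refuse any token that carries more. The following is an added example, not code from the article or from Salesforce: the endpoint shape follows the public v2/token client-credentials flow, while the subdomain, credentials, account ID, the `data_extensions_read` scope and the `post` hook are placeholders or assumptions.

```python
"""Request a Marketing Cloud OAuth token with an explicit, minimal scope and
verify the scope actually granted before using the token.  Added example; the
subdomain, client credentials and account id are placeholders, not real values."""
import json
import urllib.request

# Scopes this hypothetical read-only integration needs (assumed scope name).
REQUIRED_SCOPES = {"data_extensions_read"}


def token_request(subdomain, client_id, client_secret, account_id, scopes):
    """Build the v2/token request.  Passing `scope` asks for a subset of the
    package's permissions instead of everything the package was granted."""
    url = f"https://{subdomain}.auth.marketingcloudapis.com/v2/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "account_id": account_id,
        "scope": " ".join(sorted(scopes)),
    }
    return url, json.dumps(body).encode()


def excess_scopes(token_response, required):
    """Return the scopes present in the granted token beyond those required."""
    granted = set(token_response.get("scope", "").split())
    return granted - set(required)


def get_minimal_token(subdomain, client_id, client_secret, account_id,
                      required=REQUIRED_SCOPES, post=None):
    """Obtain a token and refuse to use it if it is broader than `required`.
    `post` is injectable so the check can be exercised offline."""
    url, data = token_request(subdomain, client_id, client_secret, account_id, required)
    if post is None:
        def post(url, data):
            req = urllib.request.Request(
                url, data=data, headers={"Content-Type": "application/json"})
            with urllib.request.urlopen(req, timeout=10) as resp:
                return json.load(resp)
    response = post(url, data)
    extra = excess_scopes(response, required)
    if extra:
        raise PermissionError(f"token over-scoped; unexpected scopes: {sorted(extra)}")
    return response["access_token"]


if __name__ == "__main__":
    # Constructed response standing in for the real endpoint: the package hands
    # back write scopes that were never requested, so the check refuses the token.
    over_scoped = {"access_token": "constructed-token", "token_type": "Bearer",
                   "scope": "data_extensions_read data_extensions_write email_write"}
    try:
        get_minimal_token("PLACEHOLDER-SUBDOMAIN", "PLACEHOLDER-ID",
                          "PLACEHOLDER-SECRET", "PLACEHOLDER-MID",
                          post=lambda url, data: over_scoped)
    except PermissionError as err:
        print(err)
```

A token that comes back broader than requested is a sign that the Installed Package itself carries scopes the integration does not need and should be trimmed.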
Beyond the credentials themselves, and arguably of equal concern, is where and how API credentials are stored. Most Marketing Cloud developers store credentials in Postman (an API development platform). While Postman is very popular in the development community, the security implications of using it should be keeping every CIO up at night, as API payloads and credentials are stored online.
While convenient, Postman does not offer multi-factor authentication, although it’s understood that this is (at the time of writing) in an internal pilot program. As a result, if a Postman account’s credentials are ever compromised, or, worse still and quite plausibly, Postman’s user identity database is compromised, then an attacker could gain API-based access to Marketing Cloud accounts.
Furthermore, most Marketing Cloud developers maintain a library of scripts or ‘code snippets’ on their computers and servers for re-use across projects. For API-related integrations, it’s common practice to include hard-coded API credentials in scripts for development purposes. But when developers finish projects, contracts, or even employment, the API credentials rarely change, providing them (or anyone else who has access to their code) with continued API-based access to the platform, long after their platform access is revoked.
It’s recommended to rotate API credentials periodically and at specific milestones, for example, when offboarding development staff and contractors. This can be accomplished by creating a duplicate Installed Package, then removing the original package once the credentials have been updated in the integration source platform.
6. Zero Trust
Many Marketing Cloud customers place enormous trust in employees and contractors to ‘do the right thing’. But for some individuals the temptation is too great: 60 percent of data breaches are caused by insider threats.
Most Marketing Cloud users have access to a gargantuan volume of customer data, and it would be relatively easy for one of them to anonymously contact their employer and hold them to ransom, demanding payment (typically in Bitcoin) and threatening to publish the stolen data (typically on a website) if payment is not received.
One method of minimizing this risk is to adopt a ‘Zero Trust’ approach to platform access. Zero Trust is based on the principle that no user or application should be inherently trusted. It starts with the assumption that everything is hostile and only establishes trust based upon user identity and context.
It’s recommended to diligently monitor identity and access management by enabling Audit Logging Data Collection in the platform security settings, automating a daily extraction of audit trail data, and then analyzing the IP addresses used to access the platform. A geolocation lookup tool can be used to confirm that users are consistently logging in from the same location and are not sharing their credentials with a third party (e.g. a contractor who shares credentials with a sub-contractor). Data extension exports (a feature available in Advanced Audit Trail) can also be reviewed to validate that each data extract event was executed for a legitimate reason.
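The daily review described above can be scripted over the extracted audit trail. The following is an added example, not code from the article or from Salesforce: the column names, the sample rows, the approved-export list and the `GEO` table (which stands in for a real GeoIP lookup) are all constructed for illustration.

```python
"""Review one day's audit trail extract for shared credentials (logins from
several countries) and for data extension exports with no approved reason.
Added example; the record layout below is an assumption, not the platform's."""
import csv
import io
from collections import defaultdict

# Constructed audit-trail extract.  Column names are assumptions for this example.
AUDIT_CSV = """timestamp,user,event,ip,object
2024-03-04T08:02:11Z,alice,Login,203.0.113.10,
2024-03-04T08:40:57Z,alice,Login,198.51.100.22,
2024-03-04T09:15:03Z,bob,Login,203.0.113.44,
2024-03-04T09:20:45Z,bob,DataExtensionExport,203.0.113.44,Customers_All
2024-03-04T10:05:12Z,carol,Login,192.0.2.7,
2024-03-04T10:09:30Z,carol,DataExtensionExport,192.0.2.7,Weekly_Report
"""

# Constructed IP-to-country table standing in for a GeoIP database lookup.
GEO = {"203.0.113.10": "AU", "198.51.100.22": "BR",
       "203.0.113.44": "AU", "192.0.2.7": "AU"}

# Exports that have a documented business reason; anything else needs review.
APPROVED_EXPORTS = {"Weekly_Report"}


def geo_lookup(ip):
    """Country for an IP address; a real deployment would query a GeoIP service."""
    return GEO.get(ip, "UNKNOWN")


def review_audit_trail(csv_text, approved=APPROVED_EXPORTS):
    """Return findings: unapproved data extension exports, then users whose
    logins came from more than one country (a sign of shared credentials)."""
    countries = defaultdict(set)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event"] == "Login":
            countries[row["user"]].add(geo_lookup(row["ip"]))
        elif row["event"] == "DataExtensionExport" and row["object"] not in approved:
            findings.append(f"unapproved export of {row['object']} by {row['user']} "
                            f"at {row['timestamp']}")
    for user, seen in sorted(countries.items()):
        if len(seen) > 1:
            findings.append(f"{user} logged in from multiple countries: {sorted(seen)}")
    return findings


if __name__ == "__main__":
    for finding in review_audit_trail(AUDIT_CSV):
        print(finding)
```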
7. Data Retention
Thanks to the notable absence of Marketing Cloud data storage fees (a policy that is likely to change in the future), platform users quite happily store all their data, forever. Without any performance or cost impact, there’s little incentive for users to delete all this data. However, there are a few problems with this storage philosophy.
Firstly, you shouldn’t keep data just because it might be useful to someone in the future. Data protection laws such as GDPR, HIPAA and CPRA, to mention just a few, prevent you from storing personal data indefinitely. You need to determine why you need to store data and identify whether there are any regulatory or legal requirements for retaining it. Secondly, retaining data longer than necessary increases both the risk and the impact in the event that the data is ever compromised.
It is important to establish a data retention policy for your data, which can easily be implemented at the data extension level.
8. File Transfer
All Marketing Cloud editions include an SFTP account, or “Enhanced FTP”, to which data files can be imported and from which they can be exported. SFTP is widely regarded today as the de facto protocol for secure file transfer. Marketing Cloud offers different authentication options when creating SFTP user accounts: password, SSH key, or a combination of both.
While these authentication options are secure, they ultimately rely on users to follow best practices. Key-based authentication is stronger than passwords: without diving into a technical explanation, it is possible to guess passwords, but practically impossible to guess a key. However, strong passwords can effectively minimize this risk. Additionally, passwords should be changed every 90 days or less.
These same rules also apply to SSH keys. Only designated users should be able to access private SSH keys, and it is important to enforce diligent key rotation, while also disallowing the reuse of passphrases across multiple keys or iterations of the same key.
Deciding on the best authentication option is not straightforward. Both passwords and SSH keys offer their own advantages and disadvantages. However, where possible, it is recommended that both SSH key and password authentication are adopted.
The main justification is that if the private key is compromised (for example, a device is stolen or malware is installed on it), the attacker would not be able to access the SFTP account without the password. Similarly, if a password is compromised, the attacker would still need the SSH key. It’s not foolproof, but it does provide two-factor authentication and makes it harder for an attacker to gain access.
9. File Encryption
When transferring files to and from Marketing Cloud using SFTP, consider encrypting files using PGP. While it may be assumed that SFTP replaces the need for PGP, it does not.
SFTP and PGP have two different goals: PGP encrypts the data payload, while SFTP encrypts the file transfer. At a minimum, transport encryption is required; data encryption provides an extra layer of security.
Marketing Cloud supports importing and exporting both PGP- and GPG-encrypted files. The two formats are almost identical (both implement the OpenPGP standard), with the major difference being how the software that produces them is licensed to the public. PGP and GPG encryption protects data at rest, ensuring that the data file is not exposed after it is transferred to an SFTP server or file system.
10. Device Security
The weakest link and greatest vulnerability in a platform cyber attack is the service, process or device used to access the platform. In an era of remote working, laptops and mobile phones have become ubiquitous, but companies whose employees have lost these devices are more likely to have customer information stolen than businesses targeted by ransomware criminals. Cyber criminals will target laptops in order to gain indirect access to platforms.
Adopting the following simple principles will help protect devices from cyber attacks:
- Create a hard-to-guess password or passphrase for logging into your laptop.
- Use a password-protected lock screen for your laptop and mobile devices.
- Scan files with antivirus software before opening them.
- Turn on auto software updates for your browser, programs, and operating system.
- Encrypt your hard drive.
- Use a VPN to keep your laptop secure on public networks.
- Never leave your laptop or mobile unlocked or unattended.
Cybercrime is a very real threat for Marketing Cloud customers and cyber security is everyone’s responsibility. By adopting the configurations and practices identified in this article, in addition to ensuring that Salesforce Marketing Cloud security is front-of-mind, users can work together to form a human firewall, providing an effective cyber security strategy and protecting customer data.