As a CISO (Chief Information Security Officer), you’ve probably heard of Salesforce or received a question about it from your team. Where do you start your journey to discover everything about the platform to ensure your organization uses it safely?
As part of the company’s information strategy, you want to know how this cloud platform works, how your users use it, whose responsibility it is to protect and back up the data (spoiler: it’s you!), and also which tools you have to manage all of this. You can use this article to create your own security plan for Salesforce.
Salesforce Is on the Cloud: Our Data Is Safe, Right?
The short answer is ‘no’. Unfortunately, it is a common misconception that cloud platforms like Salesforce don’t require data management like backups, archiving, or encryption.
Of course, Salesforce does many things to keep your data safe, but it’s a shared responsibility. Some measures are legal measures, like the MSA (Master Service Agreement), and all related documents, privacy statements, data processing agreements and license agreements. Salesforce provides several websites with all legal documentation you might need, with the Trust site for compliance being the main one for standards, certifications, disaster recovery, privacy and so on.
On the Trust site, you’ll also find security best practices and guides, which you can follow to ensure you do your part to secure the data. Some topics are ‘User authentication’, ‘Monitoring and auditing’, and ‘Encryption’.
To educate all stakeholders in your organization (including upper management and end users), you can also find a lot of easy-to-understand information on Trailhead, Salesforce’s free online learning platform.
There are also products and plug-ins available to address risks you might face. One of them is a paid add-on called Salesforce Shield. This tool adds platform encryption (at rest) and detailed logging of your user activities.
A lesser-known aspect is the data center security. All non-AWS (Hyperforce) data centers built and managed by Salesforce have specific requirements. For instance, the exterior of the building has to be anonymous and bullet resistant, have concrete vehicle barriers, not be on a straight road, be near water, and have manned guard stations. For the interior, it’ll need biometric scans, guards, and locked cages that can only be opened by the guards.
All of the above is wonderful; Salesforce ensures the backend, data centers and legal side of things are safe and reliable for all customers. But what about your users, who access the platform from their own devices, anywhere in the world?
Diving Deeper into User Behavior
Because Salesforce is cloud-based and can be accessed anywhere using a browser or mobile app, there are some additional risks to keep in mind. When users access Salesforce using their own devices, they can be easy targets for cyber attacks, ransomware, malicious browser plugins, recycled passwords, or outdated software.
To access Salesforce, a username and password is usually enough to get in. Luckily, it is now required (also legally, as part of the MSA) to use MFA (Multi-Factor Authentication) or SSO (Single Sign-On) to access Salesforce. This adds an extra layer of security. Of course, you can also use (hardware) tokens.
Once inside Salesforce, your administrators have several options for sharing data, but also controlling which user has access to which platform functionalities.
Roles, Public Groups, Sharing Rules, Organisation-Wide Settings and Restriction Rules are there for the data. Profiles and permission sets are there to determine which tables (objects), fields, and functionalities can be accessed by a user or group of users.
Most Salesforce instances are also integrated with other systems, like ERP, webshops, marketing platforms, or BI tools. Via these integrations, users outside Salesforce can also influence the data. Remember this when analyzing or designing the security model and data flows, especially if you want your data to stay within a certain country or region.
Salesforce does try to keep your data in one country/region/jurisdiction, based on the data center and its live backup. However, there is always a third instance of your Salesforce environment in a different geographical area, and if needed, Salesforce can choose to move your environment and its data to another location. This only happens in extreme cases, where entire data centers are unavailable due to disasters.
Your users are the weakest link in this ‘security chain’, even if you’ve restricted their access as much as possible without making their daily life miserable. Users can still take screenshots, and they can also export or copy-paste list views, reports, and individual records. And there might even be ‘malicious insiders’ who can do harm to your data. The audit trail, event monitoring and backups will be your best friends when this happens.
Tools and Processes
Besides the tools and functionalities provided by Salesforce, you can also use external apps from the AppExchange. Most of these apps have a specific use case, like scanning your files for spyware and viruses, creating backups and managing restores, or providing insights into the security model (sharing, profiles, roles, etc.). Most backup tools will cover the data and also the metadata, which is very handy in case of misconfiguration.
Don’t forget the interfaces, integrations, web services, and APIs connecting Salesforce to other platforms and apps. These connections and their levels of security need to be monitored, maintained, and upgraded when needed.
One thing that’s often overlooked is the release updates of the Salesforce platform. Salesforce ensures the platform and all of its products are updated at least three times per year. For specific use cases, your administrators have to test and apply release updates, which are often tied to a deadline. Some of these updates can have a large impact on your Salesforce environment if not applied correctly.
Tools can get you very far, but processes are just as important to have in place. Salesforce has its own plans and policies for cyber/security incidents and disaster recovery. Since you’re responsible for your own data, you need an incident response plan. This way, you know what to do when a data breach or cyber-security incident happens within your Salesforce environment.
Examples of topics that should be part of your plan:
- Daily monitoring of data, metadata changes and user behavior
- Regular health checks (keep up-to-date)
- User management (disable inactive users)
- Training of users (give users the tools and knowledge to use Salesforce properly)
- Approval processes (streamline the decision-making process for impactful decisions)
Summary
Now you know what to look for when you start using or implementing Salesforce. Make sure to have an integral plan covering the legal, technical and procedural aspects of data protection and risk management.