By Bob Violino
Contributing writer, CSO
Marketing technology, or ‘martech’, keeps getting more complex and more vital to the way companies do business. For many enterprises, the Salesforce cloud-based customer relationship management (CRM) platform is a centerpiece of the martech strategy. Salesforce is the CRM market leader by a wide margin, with 19.8% market share, according to research firm IDC.
Ensuring that a company’s Salesforce implementation is secure should be a major priority for cybersecurity and IT leaders because CRM systems typically handle large volumes of sensitive customer data. New vulnerabilities and common errors or oversights can put this information at risk.
Companies “place enormously valuable data in Salesforce,” says Jeff Pollard, vice president and principal analyst at Forrester Research. “It’s the place where opportunities become revenue, and prospects become clients. For an intruder, gaining access to Salesforce means possibly gaining access to lots of companies’ data.”
In other words, Salesforce is an inviting target. While experts agree that the platform itself is reasonably secure—“given the robust defense-in-depth approach Salesforce applies internally,” says Brian Olearczyk, chief revenue officer at RevCult, a security and governance provider recently purchased by OwnBackup—it’s still a big attack surface. Organizations “need to implement, configure, and develop it in a secure way to prevent security and privacy vulnerabilities,” Olearczyk says.
Perhaps the most famous Salesforce data breach illustrated how messy it can get. In 2019, retailer Hanna Andersson had data exposed, allegedly due to malware that infiltrated Salesforce itself. A series of lawsuits followed, with both companies bearing costs that strung out into late 2020.
Here are seven deadly sins, errors, and blindspots to avoid in protecting the valuable information stored and used in Salesforce, with expert suggestions on how to address them.
Experienced security pros aren’t going to fall into the “they’ll secure it” trap, but some smaller companies or IT shops with no security specialization do.
This isn’t unique to Salesforce; it’s common across SaaS apps. “In our experience, most SaaS platform vulnerabilities stem from customers not understanding that cyber security is a shared responsibility with the SaaS provider,” says Andy Ognenoff, managing director and North America chief technologist at the Salesforce Business Group at Accenture, an IT services provider.
“There needs to be an upfront and ongoing effort to secure cloud applications by the customer,” Ognenoff says. “Vulnerabilities often manifest as users being overprovisioned with high-risk permissions, highly permissive data access configuration, and unsanctioned third-party applications accessing enterprise data, among others.”
The 2020 State of Salesforce Security Report research, conducted by RevCult, underscored this point. Salesforce users themselves tend to create vulnerabilities when corporate application development teams customize and develop their Salesforce instances to suit their unique use cases and business workflows, Olearczyk says. This is not something Salesforce, by itself, can ever fully protect against.
Recognizing a shared responsibility is first, and any responsibility needs an owner. RevCult found that many companies persistently lack clear security programs for the platform, the tools needed to support the program, and Salesforce security expertise.
This job may default to the marketing, sales, and IT teams running Salesforce. However, there’s a lack of knowledge on Salesforce teams regarding information security policy details and requirements for meeting regulatory and compliance standards, Olearczyk says. “Unfortunately, we often see that nobody owns it; therefore risks are left unmitigated—especially [with] sensitive and regulated customer data,” he says.
Salesforce produces a large amount of information and compliance documentation related to its own security efforts. In terms of building Salesforce-specific security skills, the company offers a certification specifically focused on identity and access management in Salesforce, “designed for those who assess the architecture environment and requirements and design sound, scalable and high-performing solutions on the Force.com platform that meet the Single Sign-on (SSO) requirements.”
Having an individual and/or team, depending on the scale of the deployment, to own security as a first responsibility and cultivate knowledge and skills can help address many of the problems that follow.
Not all data is the same, so different types of information require different levels of security. This is a key principle recognized, for example, in the still-emerging zero trust security approach.
Among the key findings of the RevCult study are that few Salesforce users have classified their data and therefore don’t know what to protect. Enterprises should also have a real-time, explicit, and validated understanding of the data they have in Salesforce. “Review all the data you have, and assign value based on the internal classification of compliance categories that apply,” Olearczyk says.
“Without this value, you will implement protective measures and processes that are noisy and deliver too many false positives or false negatives and are not as actionable as you think.” This data classification work will be a first task for the security owner or team specified in step two above.
Cross-functional blind spots persist around how a company’s Salesforce organization is actually used. Salesforce is a customizable platform, with workflows getting turned into custom configurations and settings. Often, those doing the configuration reside in lines-of-business or departments.
“Development teams usually align with certain business lines—sales, marketing, finance, customer service, support, even HR [human resources]—and not information security, so they develop the platform without considering data security controls,” Olearczyk says.
This lack of understanding of how all the dots connect ultimately manifests as “too much access.” Without keeping security in mind, administrators and developers alike can sometimes mistake the nominal basic roles and permission sets to be sufficient and inadvertently open up user access to sensitive data.
“Our client engagements show a near-universal disconnect between implementation and configuration and corporate security program requirements,” Olearczyk says.
It’s also important to keep in mind that some of the security issues involve Salesforce application programming interfaces (APIs). That’s especially relevant considering the amount of data coming in and out of Salesforce to support a multitude of end-to-end business processes.
As with other security concerns, this is not unique to Salesforce. SANS Institute research found that attacks against APIs are growing, and security pros worry that API configuration mistakes may expose their companies to data exposure.
“Security teams need to treat integrations like every other user and validate the appropriate configuration and management of access privileges,” Olearczyk says. “It is continual management that needs to be governed at the time of deployment and then on a regular cadence.”
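One concrete way to start the access review that Olearczyk describes, for both human users and integration users, is to enumerate every permission set and profile that grants org-wide permissions. The script below is an added example, not code from Salesforce, RevCult, or Accenture; the field names match the Salesforce PermissionSet object, but the sample records and the risk ranking are this example's own constructions.

```python
"""Flag Salesforce permission sets and profiles that grant org-wide reach.
Constructed example, not Salesforce's or RevCult's code: in a live org the
records come from the PermissionSet object (Name, IsOwnedByProfile,
Profile.Name and the Permissions* fields below); here they are built inline
so the audit runs offline."""
from typing import Dict, List

# Permissions that bypass record-level sharing or control the org itself.
# The risk ranking is this example's assumption, not a Salesforce list.
HIGH_RISK = {
    "PermissionsModifyAllData": "edit every record regardless of sharing",
    "PermissionsViewAllData": "read every record regardless of sharing",
    "PermissionsAuthorApex": "deploy code that runs in system context",
    "PermissionsManageUsers": "create users and change their permissions",
}

# Constructed sample records in the shape returned for PermissionSet.
SAMPLE_RECORDS: List[Dict] = [
    {"Name": "X00e2000000A", "IsOwnedByProfile": True,
     "Profile": {"Name": "System Administrator"},
     "PermissionsModifyAllData": True, "PermissionsViewAllData": True,
     "PermissionsAuthorApex": True, "PermissionsManageUsers": True},
    # Integration user given "Modify All Data" for convenience: a common sin.
    {"Name": "Marketing_Integration", "IsOwnedByProfile": False, "Profile": None,
     "PermissionsModifyAllData": True, "PermissionsViewAllData": True,
     "PermissionsAuthorApex": False, "PermissionsManageUsers": False},
    {"Name": "Sales_Rep_Reports", "IsOwnedByProfile": False, "Profile": None,
     "PermissionsModifyAllData": False, "PermissionsViewAllData": False,
     "PermissionsAuthorApex": False, "PermissionsManageUsers": False},
]

def label(rec: Dict) -> str:
    """Profile-owned sets carry a system-generated Name; report the profile."""
    if rec.get("IsOwnedByProfile") and rec.get("Profile"):
        return "profile:" + rec["Profile"]["Name"]
    return "permset:" + rec["Name"]

def find_high_risk_grants(records: List[Dict]) -> Dict[str, List[str]]:
    """Return {label: [high-risk permissions granted]}, omitting clean entries."""
    findings = {}
    for rec in records:
        granted = [perm for perm in HIGH_RISK if rec.get(perm)]
        if granted:
            findings[label(rec)] = granted
    return findings

if __name__ == "__main__":
    for name, perms in find_high_risk_grants(SAMPLE_RECORDS).items():
        print(name, "->", ", ".join(f"{p} ({HIGH_RISK[p]})" for p in perms))
```

Each flagged entry is then reviewed against a documented business need, and the same query is rerun on a regular cadence so integrations do not quietly accumulate privileges after deployment.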
Salesforce is a big platform with a lot of different elements, options, and functions.
Any of these may be subject to an ill-informed or careless configuration. RevCult sees common vulnerabilities across access controls, over-privileged users, poorly controlled integration implementations, and poorly or incompletely implemented premium capabilities such as Salesforce Shield event monitoring.
In a recent example to hit the news, a security researcher identified a misconfiguration in Salesforce communities that can inadvertently expose sensitive data.
Security program ownership, as noted above, will help prevent or remediate basic errors. As Salesforce implementations expand, however, it will take the proverbial village to expand efforts to secure data from errors such as the communities configuration. As more and more administrators, developers, and end users touch the platform, it will be critical to keep building security awareness and knowledge outside of the core team.
A good way to address any disconnect is to build a strong relationship between the Salesforce implementation team, business line owners, and security teams, Ognenoff says. “Security can enable agility for the business, but it can be challenging to unlock that value if security is an afterthought or seen as a roadblock,” he says.
Security teams need to have visibility to manage the risk exposure of SaaS applications such as Salesforce, Ognenoff says, “so integrating Salesforce into existing monitoring and response plans is critical.” Accenture recommends that Salesforce users take advantage of Salesforce Shield and the various logging capabilities of the platform, tied in with enterprise security information and event management (SIEM) tools and incident response processes.
This broad team includes Salesforce itself. For its part, the company says it will continue to make security a priority for the platform. The company “builds security into everything we do,” says Trey Ford, vice president of strategy and trust at Salesforce. “Nothing is more important than our customers knowing their data is safe—to be accessed when, where, and how they intend.”
Customers have found that three of the security services the company offers are particularly valuable, Ford says. One is Security Center, which enables administrators to simplify security management while detecting threats faster. Another is Shield, which protects an entire enterprise with tools that enhance trust, transparency, compliance, and governance across all Salesforce applications. The third is Data Mask, a tool designed to help customers customize, build, and test on Salesforce while protecting private data.
“We recognize that cyber criminals are getting more sophisticated,” Ford says. “Our product and security teams continuously innovate to stay ahead of the curve. Of course, security remains a shared responsibility between Salesforce and our customers. Part of any responsible enterprise’s overarching security strategy is to organize its exposures into problems they need to manage for the company and decide which can be handed off to be managed by Salesforce.”
Copyright © 2021 IDG Communications, Inc.