Perhaps your business has been fortunate enough to avoid disruption due to natural disasters or other events which prevent some or all of your employees from coming into the corporate office to work. You’ve locked down access to your Salesforce platform to corporate IP ranges and your org was secure… that’s great news! However, with the current state of the COVID-19 outbreak worldwide, many businesses are quickly responding to guidance from local and worldwide experts to lean on social distancing techniques, including remote work wherever possible.
How can you quickly respond to ensure the security of your org while minimizing business disruption? Our team of Engagement Leaders and Security Analysts met to discuss this very topic. The following is a high-level overview of some of the key points that the team discussed and agreed on.
Layers of defense
Security, at the end of the day, is all about layers of defense. One can’t trust a single policy, device, or setting to ensure that organization assets remain safe.
Compensating controls are alternatives to those in your existing posture which provide a similar, or the same, level of defense as the original stated requirement.
In this case, we are exploring methods available to address end users logging in to your Salesforce org from their homes instead of a corporate network that is within your current IP range restrictions.
The issue, of course, is that most of your employees probably have dynamically assigned IP addresses provided by their internet service provider. This means that your employees will be blocked by the IP address restrictions configured in your Salesforce org.
Ideas for compensating controls are provided below. Many orgs have already implemented these configuration changes to secure their environment but it’s time to take an inventory of these settings to understand if there is an opportunity to improve the security of your org(s)!
For each profile, you can set the hours when users can log in to minimize the risk surface. Note that if users are logged in when their hours end, they can continue to view their current page, but they cannot take any further action.
Two Factor Authentication
IP range restrictions are implemented to make the system available to the right users from the right location(s). While the “locations” portion of this statement will suffer from relaxed or eliminated IP range restrictions, stepping up the authentication of users (prove that you are who you say you are) is achieved by having both something you know (username, password) and something you are /have (Salesforce Authenticator app, U2F security key, etc.).
You can require two-factor authentication each time a user logs in with a username and password to Salesforce, including orgs with custom domains created using My Domain. This is set at the profile level by changing “Session security level required at login” to “High Assurance.” Then set session security levels in your org’s session settings to apply the policy for login methods. Also, in your org’s session settings, review the session security levels to make sure that Two-Factor Authentication is in the High Assurance column.
Along the same lines as two factor authentication, now might be a good time to strengthen the “what you know” portion of authentication to ensure only the right users are accessing your org. We have found in our Security Risk Assessments that many of our clients' Salesforce org password complexity configurations were not in alignment with their corporate security policies. This is a good time to align corporate policy and your Salesforce org in this regard. If you do not have a policy, one might consider using the NIST framework used by the Federal government, specifically NIST 800-63 Volume B.
Leverage Existing Capacity/Capabilities
Be sure to check with your infrastructure/IT team! There may be unused capacity and/or existing solutions which can be put to work to minimize the disruption caused by COVID-19. Some helpful examples are included below.
In either example below, ensure that if you use the solution, you confirm that the IP range used/provided by the solution is within the IP range configured in your Salesforce org!
Virtual Private Network (VPN) Capabilities
VPNs have the potential to overcome the IP Range restriction issue by creating a secure tunnel from your employees’ home office to a corporate IP address. One would also want to ensure split tunneling is disabled (or other VPN configuration) to ensure that the Salesforce-bound web traffic from your employees home office computer is routed over the secure VPN tunnel, through the corporate network, and on to the Salesforce site.
Terminal Server Farms
Terminal Server solutions such as Citrix Workspace or Microsoft Terminal Server, if used by your company, provide a potentially viable method of originating Salesforce sessions from a corporate network IP range.
Actions to take
Document, Document, Document
- The current state and the modified state of ANY changes you make to facilitate an error-free recovery.
- Keep the end in mind as you go and be sure you can back out any changes that are determined to be “stop gap” solutions, once employees return to workplaces.
- Manage, Manage, Manage (Change)
- Document the updated user access instructions for Salesforce being sure to include help desk staff in the QA/testing effort of this new access procedure and documentation.
- Consider including designated end users in different teams as end user support augmenters, or first points of contact, to help shepherd their teammates through the new remote access procedure. If you do take this step, include these users in the QA/testing of the new remote access solution before it is deployed.
- Communicate, Communicate, Communicate!
- Provide a live web conference to your users if appropriate to verbally walk through and demonstrate the new access solution, implementation plans, etc. Include time for Q&A.
- Provide 100% accurate written instructions with screen shots.
- Codify what you’ve done
- Evaluate the risk mitigation effectiveness and efficacy of the solutions used during this disruption.
- Identify gaps that can be improved next time and seek budget/priority to address those gaps.
- Update your Business Continuity Plan (BCP) and/or Disaster Recovery Policy (DRP) with what you were able to successfully achieve to restore secure access to Salesforce, particularly if it is a core business application for your firm.
Actions to avoid
- Remote PC Access - because one of the keys to securing these solutions is IP range restrictions.
- Relaxing IP Range restrictions without adding or having compensating controls.
- Not documenting the current state and the modified state of any changes you make.
- Not including end user support staff in the QA/testing effort of any solution you develop.
Interested in learning more? Request a free Guided Risk Assessment for Salesforce today.
Understand your data exposure risks to proactively strengthen security posture.