As more businesses start relying on Salesforce as a critical piece of operational infrastructure — and as the number of apps being built on it skyrockets — executives are waking up to a somewhat uncomfortable reality: There’s a lot of sensitive data stored in Salesforce.
That’s not a bad thing. It just means that data protection must become a heightened priority this year. Own has been conducting Guided Risk Assessments (GRAs) for our customers for years, and here we’ll recap a recent discussion on the importance of conducting a comprehensive Salesforce security evaluation in the coming year.
Elements of a baseline security assessment
What does it take to keep sensitive data safe? As part of a baseline security assessment, we generally take a number of factors into account. First, we look for the high-risk or sensitive fields that live in a customer's org. We also evaluate how encryption is implemented, specifically Salesforce Shield platform encryption. If encryption isn't part of your existing security posture but should be, we have to understand how to implement it without breaking the user experience of the applications already running on Salesforce.
In terms of data loss prevention, our first step is to understand where data can leak out. That means assessing organization-wide sharing practices, high-risk permission usage, and change tracking. We also review risk exposure and reports, and the big one: coding practices. The reality is that 100% of our customers that have custom Apex code have had insecure coding practices. We look through the Apex code for API callouts, and we review remote site settings and legacy outbound messages if you're using them.
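To make the Apex review above concrete, here is an added example (not Own's tooling and not code from any customer org) of a small triage script that flags the patterns an assessor looks for first: classes declared `without sharing`, outbound HTTP callouts, endpoints hardcoded as URLs instead of named credentials (which is what forces remote site settings), and SOQL assembled by string concatenation. The three Apex classes are constructed samples; the hits are review triggers, not confirmed findings.

```python
import re

# Constructed Apex sources for illustration; not code from any real org.
SAMPLE_APEX = {
    "AccountSearch.cls": r"""public without sharing class AccountSearch {
    public static List<Account> find(String name) {
        String q = 'SELECT Id FROM Account WHERE Name = \'' + name + '\'';
        return Database.query(q);
    }
}""",
    "PartnerSync.cls": r"""public with sharing class PartnerSync {
    public static void push(String payload) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://partner.example/api/v1/accounts');
        new Http().send(req);
    }
}""",
    "SafeQuery.cls": r"""public with sharing class SafeQuery {
    public static List<Contact> byEmail(String email) {
        return [SELECT Id FROM Contact WHERE Email = :email];
    }
}""",
}

# (finding id, pattern): review triggers for an assessor, not proof of a vulnerability.
CHECKS = [
    ("without-sharing", re.compile(r"\bwithout\s+sharing\b")),        # bypasses record sharing
    ("http-callout", re.compile(r"\bnew\s+Http\s*\(\)|\.setEndpoint\s*\(")),  # outbound callout
    # hardcoded URL (needs a remote site setting) instead of a 'callout:' named credential
    ("hardcoded-endpoint", re.compile(r"\.setEndpoint\s*\(\s*'(?!callout:)https?://")),
    ("soql-concat", re.compile(r"\bSELECT\b[^;]*'\s*\+\s*\w")),       # SOQL built by concatenation
    ("dynamic-soql", re.compile(r"\bDatabase\.(?:query|countQuery)\s*\(")),  # dynamic SOQL execution
]


def scan_apex(sources):
    """Return {filename: [(finding, line_no, stripped line), ...]} for every check hit."""
    findings = {}
    for name, src in sources.items():
        hits = []
        for line_no, line in enumerate(src.splitlines(), start=1):
            hits += [(fid, line_no, line.strip()) for fid, pat in CHECKS if pat.search(line)]
        findings[name] = hits
    return findings


if __name__ == "__main__":
    for fname, hits in scan_apex(SAMPLE_APEX).items():
        for fid, line_no, text in hits:
            print(f"{fname}:{line_no}: {fid}: {text}")
```

Point `scan_apex` at a dict built from a retrieved `classes/` directory and feed the output into the assessment as the list of code locations to inspect by hand.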
We assess connected applications to make sure that endpoints are being securely implemented, and examine the roles, profiles, and permission sets that govern usage and privileges. Your system must be accessible to the right people at the right time and from the right locations, which means that access control is another important area to evaluate.
By the end of a typical GRA, there will undoubtedly be gaps that need to be filled. This is usually because most companies simply aren't aware of how much sensitive data they have stored in Salesforce, and most aren't using event monitoring in a useful way.
Most compliance executives and cloud security professionals are familiar with the assessment techniques above, but few incorporate them into a codified process for conducting internal Salesforce security audits. Within many companies, basic security standards aren’t developed internally, but are rather derived from the National Institute of Standards and Technology or mandated by a regulating entity or legislation like HIPAA or the Gramm-Leach-Bliley Act.
As we evaluate different dimensions of a Salesforce org, we always have to do so in the context of the larger business environment, and we have to maintain a clear understanding of how a particular client intends to maximize usage.
Oftentimes, Salesforce is acquired as a sales tool and then eventually starts being implemented as a tool for servicing customer journeys. While most companies are migrating to digital channels, and selling and servicing customer journeys through those channels, many are still relying on human-assisted channels. No two companies are the same, so understanding business goals and existing policies is critical to establishing correct criteria for a baseline assessment.
Overcoming policy limitations
Whether it’s derived from external standards or internal evaluations, most companies using Salesforce have some kind of security policy in place. Even among companies that are dealing with major security gaps, policy is rarely the problem; instead, issues arise during implementation. That said, making sure that you fully understand the security policy governing your company’s usage is a good starting point for developing an audit plan. Hopefully, that policy has been developed in accordance with business goals; at the very least, it will inform your audit and help you determine how to prioritize different risks.
In most cases, data protection and data loss prevention will be at the center of security policy, and other rules like access control protocols or password policies will stem from that focus. This makes sense. Data can walk out the door with a sales rep or customer service rep, and when it does, you become vulnerable. If you haven’t taken the time to secure it with the proper protections, you’re putting your brand reputation at risk and potentially exposing yourself to regulatory fines.
Ultimately, an effective assessment will help you understand where implementation isn't aligned with policy and will give you direction as you look for solutions. Salesforce is constantly evolving, and as a user, you have to figure out how to maximize the features it provides while minimizing risk as your environment changes.
Own specializes in helping companies get the most out of their Salesforce usage. Request a free Guided Risk Assessment for Salesforce today, or schedule a demo below.