Using Salesforce securely

The National Cyber Security Centre (NCSC) exists to help make the UK the safest place to live and work online. This month, the NCSC has published new guidance on how to use a cloud service securely.

Specifically, there are 13 categories of advice to help organizations use cloud applications securely. Doug Merrett, Salesforce Security, Compliance, Privacy and Resilience Specialist at Platinum7, has very kindly given his insights into what this actually means in practice for organizations using Salesforce.

1. Understand the application and its purpose

Simply put, your security team needs to understand what Salesforce does. They also need to know what data will be put into Salesforce.

From there, they can consider the workloads on Salesforce that are particular to your organization and quantify the risks associated with this purpose.

Let’s look at this in practice. Suppose a healthcare provider enables its customers to upload personal medical information to Salesforce Experience Cloud, with employees accessing that data inside the provider's network. How can Salesforce be used to make sure this is all done securely? Salesforce is a very capable application, so you need to configure settings correctly to ensure data safety.

The general advice here is to be familiar with the shared responsibility model and have some questions for Salesforce and your organization.

2. Manage user onboarding and offboarding

Salesforce integrates with widely used onboarding and offboarding tools like Microsoft Entra, making it easy for you to manage secure access for your Salesforce users.

Regarding Salesforce security, anything that can be sensibly automated or incorporated from your broader organizational security strategy is good. A note of caution, however: Salesforce is unique, and you certainly shouldn’t simply adopt the same security approach as with other cloud applications.

3. Robustly authenticate users

Salesforce supports SSO (single sign-on) and mandates multi-factor authentication, so it has strong capabilities and policies for this. You can certainly ask Salesforce what they have available and what might be a good fit for your organization.

4. Protect administration of the application

This is really about minimizing the number of Salesforce admin users and, accordingly, your risk. This can be done easily within Salesforce profiles and permissions. Here’s some simple advice: the number of active system admins in your environment should trend towards two.
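One way to check this in practice, as an added example that is not from the original article or from Salesforce: the Python script below counts active users who hold admin-equivalent permissions, whether through a profile or a permission set, and compares the total with the target of two. The CSV layout, the sample users and the choice of which permissions count as admin-equivalent are assumptions.

```python
import csv
import io
from collections import defaultdict

# Permissions treated as admin-equivalent here (an assumption; adjust to policy).
ADMIN_PERMS = ("ModifyAllData", "ManageUsers", "CustomizeApplication")
TARGET = 2  # the article's advice: active system admins should trend towards two

# Constructed sample export, one row per user/permission-set assignment.
# Real data could come from a SOQL query on PermissionSetAssignment selecting
# Assignee.Username, Assignee.IsActive and the PermissionSet.Permissions* flags.
SAMPLE_CSV = """Username,IsActive,Source,ModifyAllData,ManageUsers,CustomizeApplication
alice@example.com,true,Profile: System Administrator,true,true,true
bob@example.com,true,Profile: System Administrator,true,true,true
carol@example.com,true,Profile: Standard User,false,false,false
carol@example.com,true,PermSet: Data Migration,true,false,false
dave@example.com,false,Profile: System Administrator,true,true,true
erin@example.com,true,PermSet: User Helpdesk,false,true,false
erin@example.com,true,PermSet: Data Migration,true,false,false
"""

def admin_equivalent_users(csv_text):
    """Map each active user to the sources granting admin-equivalent permissions."""
    grants = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["IsActive"].strip().lower() != "true":
            continue  # deactivated accounts are out of scope for this count
        held = [p for p in ADMIN_PERMS if row[p].strip().lower() == "true"]
        if held:
            grants[row["Username"]].add(f'{row["Source"]} ({", ".join(held)})')
    return {user: sorted(sources) for user, sources in grants.items()}

def review(csv_text, target=TARGET):
    """Return (count, over_target, users granted admin rights via a permission set)."""
    admins = admin_equivalent_users(csv_text)
    via_permset = sorted(u for u, s in admins.items()
                         if any(x.startswith("PermSet:") for x in s))
    return len(admins), len(admins) > target, via_permset

if __name__ == "__main__":
    count, over, hidden = review(SAMPLE_CSV)
    print(f"{count} active admin-equivalent users (target {TARGET}), over={over}")
    for user, sources in sorted(admin_equivalent_users(SAMPLE_CSV).items()):
        print(f"  {user}: {'; '.join(sources)}")
    print("granted via permission set:", ", ".join(hidden))
```

Users who gain these permissions through a permission set do not show up when you only count members of the System Administrator profile, which is why the script reports them separately.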

5. Manage standard users’ permissions in the application

Salesforce has excellent capabilities in this area and helps by providing standard profiles like ‘minimum access’, which can be used as a baseline for appropriate users. Salesforce has also created a Video Playlist explaining the sharing model.

6. Use trusted devices to access the application

The shared responsibility model comes into play again here. Salesforce isn’t responsible for security of the devices that access Salesforce – you are.

So, if you have employees or contractors using their Salesforce license from their own laptop or desktop computer, you could have a problem. An attacker could see and keylog all their Salesforce activity and steal credentials.

Salesforce provides better protection for mobile devices and has an add-on product called Mobile Security, but it has fewer capabilities for users accessing Salesforce from a browser.

Therefore, ensure all internal user devices have strong endpoint security to mitigate cybersecurity incidents. You can also configure Salesforce to require certificates to be installed on the browser to allow logging into Salesforce.

7. Ensure your data is being protected and handled appropriately

Rule one here is to understand what data you have in Salesforce. The NCSC guidance is about data being encrypted in transit and at rest. With Hyperforce, Salesforce guarantees encryption of data – in transit and at rest – in the data centre and on the internet.

How Salesforce protects and handles data is also governed by legislation, such as how data is moved between Europe and North America. Consider how and where your data will move and ask Salesforce how they can help with your use cases.

There are AppExchange solutions from the likes of AppOmni and Varonis that can help you to understand what data you have, which of it is PII (Personally Identifiable Information), for example, and provide guidance on the permissions you should have around it.

8. Check for malicious content in the application

The shared responsibility model strikes again. As files and URLs are your data, you are responsible for checking them for malware. This isn’t an easy task to do quickly and effectively on Salesforce, particularly when you have external, unknown users sending them to you as part of supplier onboarding or customer service cases.

Importantly, malicious content on Salesforce doesn’t pose a threat to the platform due to Salesforce’s excellent platform security. However, if files and URLs are used by your internal users and, perhaps more concerningly, by your customers and suppliers, you need to consider the risk of exposing them to malicious files and URLs.

WithSecure Cloud Protection for Salesforce is an AppExchange solution that does this for you, giving you visibility and protection against phishing and malware attacks.

9. Secure how access to resources is shared

This means making sure you have set up public and private sharing rules for your data appropriately. Resources are confidential by default to reduce the risk of unintended disclosure, so the baseline Salesforce sets is secure. Your job is to make sure that you don’t expose data to the wrong users when you make changes to this.

Rules should be set up by a Salesforce admin but created by a security professional. This, unfortunately, is rarely done well, with oversharing being the most common issue.

10. Manage the use of service identities

This involves third-party access to the platform. Salesforce provides great functionality here, with customers getting five free API integration users, so you can use these to plug in the likes of SAP or Workday, for example.

11. Plan your incident response and disaster recovery

This is about including Salesforce in your overall organizational incident response and disaster recovery plan. If Salesforce is the app that drives your organization and is not explicitly named in your plan, then you need to address this.

12. Monitor for security incidents

Salesforce allows you to see what your admins are doing with the setup audit trail. Salesforce also has Event Monitoring, which is a component of their security add-on Salesforce Shield. It helps you see what’s going on in your org and also set up alerts to block certain things using Transaction Security Policies.

A policy can be written so that if a field contains PII you can prevent any report with PII in it being exported. Event monitoring also alerts you on abnormal reporting so you can mitigate an obvious risk of one of your employees using Salesforce data in an improper manner.

13. Maintain your security posture over time

Salesforce is complex and changes constantly in line with organizational demands. Complexity and change are key enemies of security, so review your security posture continuously.

For further reading you can check out the NCSC website and the trust section of the Salesforce website.
