How the Experts View and Secure Experience Cloud for the Enterprise

Salesforce is a unique business-facing application, unique in that it empowers the business to move quickly on its iterations and changing customer expectations. It gives the enterprise its own ability to respond to the customer in a faster, more responsive way that makes what it is selling, whether physical products, digital products, services, etc., that much more interesting to its customers. By combining all of the information flowing in from multiple different channels and teams, decision-makers can make data-driven decisions that can lead a company to new heights.

Experience Cloud: What is it?

Over the last several years, Salesforce has invested heavily in building a more robust customer experience to complement the power of its platform. Enter Experience Cloud. Once called Community Cloud, Experience Cloud was built with the intention to empower the business to meet the customer where they were while also providing other avenues to build robust business communities that kept people coming back. The power of Experience Cloud comes from its ability to leverage the data within Salesforce to create customized experiences for those visiting the site or portal. By using real-time data, customers and partners can see information that is important to them.

To put it plainly, Salesforce’s Experience Cloud makes otherwise boring websites interesting while helping the business to better understand how its customers are interacting with it. Plus, businesses can quickly spin up sites leveraging standard UI components and having a direct connection to CRM data – no integration work required! We all know that most business is being done online these days. Who wouldn’t want a more engaging website that helps prospective customers understand what you do by surfacing the most relevant content?

The Risks of Experience Cloud

Experience Cloud has at its fingertips every piece of data that exists within your Salesforce. That’s an incredible amount of power to create wonderful customer experiences. The problem is that it is also an incredible amount of power to expose that same data to people who shouldn’t see it and to potential attackers or cyber criminals. Salesforce is highly dependent on creating relationships between pieces of data. That’s what allows you to see who all your contacts are for a specific account. While these relationships make navigating and using Salesforce to do business a lot easier, they also mean that exposing the wrong data through Experience Cloud, and therefore introducing a new threat vector into your ecosystem, is just one or two misconfigurations away.

Creating a cyber secure experience for the customer and the business takes a truly security-first mindset. Implementing, fixing or building a secure experience means consulting with cyber security experts like WithSecure™ to address security at every step of the process, starting with planning all the way to monitoring after go-live. In my opinion, the planning and discovery phase is undoubtedly the most important. It is within this phase of planning, through threat detection and vulnerability scanning, that you begin to understand all the org’s weak points. You are understanding the data relationships the org is relying on to deliver the right data, you are understanding how the data needs to be delivered, you are understanding how the customer needs to interact with the site, etc. In short, you are beginning to understand how your visitors SHOULD interact with the experience. What you also need to understand is how your visitors SHOULDN’T be able to interact with the experience and sensitive data. This second piece is the one that is most often overlooked because it takes cyber security experience and some imagination to begin to practice.

Let’s take the example of an experience where you want the customer to upload some documents as part of a loan application. These documents are going to live in your Salesforce org where your underwriters and loan officers can open them, download them and otherwise interact with them. Unfortunately, as cyber security experts, we know that we live in a world where forms like these are quite often abused by cyber criminals and hackers as a means of planting malware or phishing for credentials with phony links. We don’t want to lose this valuable means of receiving information that is vital to our business, so we can’t turn off the ability to accept files. We also don’t want to place our business or our Salesforce org at risk. This is where cyber security experience and imagination come into play. Instead of saying “we can’t accept files through Salesforce,” we must ask ourselves “HOW can we accept files through Salesforce without expanding our attack surface and allowing in malware?” Thankfully, Salesforce has a robust AppExchange with solutions for this exact problem. Installing an application like Cloud Protection for Salesforce from WithSecure™ will allow you to utilize all the functionality of Salesforce and Experience Cloud without having to sacrifice the safety of your org or your business.

Of course, not every problem will have an AppExchange solution that solves it for you, but understanding what tools and solutions, both internal and external, are available to you can help you solve even the toughest of cyber security problems when it comes to securing your customer experience.

Security-First Mindset

Adopting a security-first mindset when implementing Salesforce is a must. Many organizations view Salesforce as a business-owned solution, which means that your cyber security teams will have less oversight. This can be both a blessing and a curse. It is a blessing that you won’t have security teams demanding to understand each and every change that happens in your system (though you need to understand them), but a curse in that it can sometimes be difficult to leverage their experience and well-honed cybersecurity minds to ensure you are creating the safest experience for your business and Salesforce org. This means that the responsibility for security lies in your hands and “with great power comes great responsibility”, as Uncle Ben in Spider-Man would say. By considering the cyber security implications of every change and creating a culture of shared responsibility for security, you can create for your customers an incredible experience without placing yourself or them at risk of data breaches or cyber attacks.
