Using Salesforce securely

Specifically, there are 13 categories of advice to help organisations use cloud applications securely. We had a conversation with Doug Merrett, Salesforce Security, Compliance, Privacy and Resilience Specialist at Platinum7 to explain what this actually means in practice for organisations using Salesforce. 

Simply put, your security team needs to understand what Salesforce does. They also need to know what data will be put into Salesforce.

From there, they can consider the workloads on Salesforce that are particular to your organisation and quantify the risks that are associated to this purpose.

Let’s look at this in practice. If a healthcare provider enables its customers to upload personal medical information to Salesforce Experience Cloud – with your employees accessing that data inside your network – how can you use Salesforce to make sure this is all done securely?  Salesforce is a very capable application so you need to configure settings correctly to ensure data safety.

The general advice here is to be familiar with the shared responsibility model have some questions for Salesforce and also for your own organisation.

Salesforce integrates with widely used onboarding and offboarding tools like Microsoft Entra, making it easy for you to manage secure access for your Salesforce users.

When it comes to Salesforce security, anything that can be sensibly automated, or incorporated from your wider organisational security strategy is a good thing. A note of caution however. Salesforce is unique and certainly shouldn’t simply adopt the same security approach as with other cloud applications.

Salesforce supports SSO (Single-Sign-On) and mandates multi factor authentication so has strong capabilities and policies for this. You can certainly ask Salesforce what they have available and what might be a good fit for your organisation.

This is really minimising the number of Salesforce admin users and accordingly your risk and this can be done easily within Salesforce profiles and permissions. Doug has some simple advice “the number of active system admins in your environment should be a number trending towards two.”

Salesforce has excellent capabilities in this area and helps by providing standard profiles like ‘minimum access’ and these can be used as a baseline for appropriate users. Salesforce has also created a Video Playlist explaining the sharing model.

The shared responsibility model comes into play again here. Salesforce isn’t responsible for security of the devices that access Salesforce, you are. So, if you have employees or contractors using their Salesforce license from their own laptop or desktop computer you could have a problem. An attacker could be seeing and keylogging all their Salesforce activity and stealing credentials.

Salesforce does provide better protection for mobile devices and has an add-on product called Mobile Security, but has less capabilities for users accessing Salesforce from a browser.  

Doug’s advice here is to ensure that all internal user devices have strong endpoint security to mitigate cyber security incidents.  You can also configure Salesforce to require certificates to be installed on the browser to allow logging into Salesforce.

Rule one here is to understand what data you have in Salesforce. The NCSC guidance is about data being encrypted in transit and at rest. With Hyperforce, Salesforce guarantees encryption of data – in transit and at rest – in the data centre and on the internet.

The way that Salesforce protects and handles data is also in accordance with legislation. For example, how to move data from Europe to North America. Think about how and where your data will move and ask Salesforce about how they can help with your use cases.

There are AppExchange solutions from the likes of AppOmni and Varonis that can help you to understand what data you have, which of it is PII (Personal Identifiable Information) for example, and provide guidance on the permissions you should have around it.

The shared responsibility model strikes again. As files and URLs are your data, you are responsible for checking them for malware. This isn’t an easy task to do quickly and effectively on Salesforce. Particularly when you have external, unknown users sending you them as part of supplier onboarding or customer service cases.

Importantly, malicious content on Salesforce doesn’t pose a threat to the platform due to Salesforce’s excellent platform security. However, if files and URLs are used by your internal users and perhaps more concerningly, used by your customers and suppliers, you need to consider the risk of exposing them to malicious files and URLs.

WithSecure Cloud Protection for Salesforce is an AppExchange solution that does this for you, giving you visibility and protection against phishing and malware attacks.

Making sure you have set up public and private sharing rules for your data appropriately. Resources are confidential by default to reduce risk of unintended disclosure so the baseline Salesforce sets is secure. Your job is to make sure that you don’t expose data to the wrong users when you make changes to this.

Doug’s advice here is that rules should be set up by a Salesforce admin but created by a security professional. In practice his view is this is rarely done well with over-sharing being the most common issue found in his assessments.

This involves third party access to the platform and Salesforce provides great functionality here with customers getting five free API integration users – so you can use these to plug in the likes of SAP or Workday for example.

This is about including Salesforce in your overall organisational incident response and disaster recovery plan. If Salesforce is the app that drives your organisation and it is not specifically named in your plan then you need to address this.

Salesforce allows you to see what your admins are doing with the setup audit trail. Salesforce also has Event Monitoring, which is a component of their security add-on Salesforce Shield. It helps you see what’s going on in your org and also set up alerts to block certain things using Transaction Security Policies. A policy can be written so that if a field contains PII you can prevent any report with PII in it being exported. Event monitoring also alerts you on abnormal reporting so you can mitigate an obvious risk of one of your employees using Salesforce data in an improper manner.

Salesforce is complex and changes constantly in line with organisational demands. Complexity and change are key enemies of security so make sure you review your security posture on an ongoing basis.

For further reading you can check out the NCSC website and the trust section of the Salesforce website.