Acting on a security risk assessment of your organization’s use of Salesforce
Salesforce isn’t rocket science, but the software has an incredible array of tools, which is why securing it demands a unique (and sometimes complex) approach. If you’re hoping to mitigate risks associated with your company’s use of Salesforce, you must start with a fundamental understanding of the service and a strategic plan to prioritize risks. From there, it’s all about operational implementation and ongoing management of that plan as your organization’s use of Salesforce evolves over time.
Throughout 2020, RevCult went through this same security risk assessment (SRA) process with a host of clients. Despite the fact that these clients represented a diverse array of industries, there was significant overlap in the security and governance challenges they experienced related to their use of Salesforce.
These commonalities indicate that almost all companies using Salesforce in a significant capacity will go through the same struggles, which primarily stem from a misunderstanding of the cloud platform and the shared responsibility model for securing it.
Salesforce is responsible for the security of its platform, and it has done a tremendous job of repelling a constant barrage of external threats. However, this success doesn’t mean your own company is off the hook. Salesforce isn’t responsible for your failure to appropriately classify and secure your data within the platform.
In other words, if your access controls are configured incorrectly and you’re providing companywide access to sensitive information, Salesforce isn’t at fault when a disgruntled employee leaves your company and takes your Rolodex with them. It’s a simplistic example, but internal breaches are increasingly common due to the broad misconfiguration of administrative privileges. This issue underscores the importance of a proper governance framework, which will ensure employees have access to only the information they need to perform their duties (and no more).
The information contained within your Salesforce orgs is also constantly changing due to the evolving capabilities of the platform. Large enterprises might add as many as 500 fields every few months, which can pose a significant risk if these changes aren’t also reflected in your security posture. You need to know what information is present in order to take measures to adequately protect it, which is why accurate data identification and classification are so important.
An SRA helps point out the holes and gaps in your security strategy, but it’s only the beginning. After you’ve identified areas for improvement, the following four steps will take your security to the next level.
1. Build the cathedral
Plenty of organizations lay individual security “bricks” to create a wall, whether that means implementing access controls for profiles or turning on encryption to protect some information. When security measures are constructed on an ad hoc basis, however, you end up with a disjointed group of walls, some of which intersect, while others are completely free-standing.
Constructing the cathedral is about looking at the big picture and ensuring your security measures fit together in a logical, effective, and even elegant way so your team members are eager to embrace them.
2. Define clear owner(s)
Responsibility is one of the biggest gaps we see in security. You can talk about shoring up security all you want, but it isn’t going to happen until a person or group of people is directly responsible for it. Someone needs to own the risk controls, and they should have the responsibility and accountability to report vulnerabilities to an independent party that owns the risk.
In our work securing Salesforce implementations, the clear owners are often a Salesforce product owner who owns the implementation of risk control measures and an individual who receives recurring status reports and is independently accountable for the risk.
3. Create an assessment process
It would be nice if security were a box you could check and put behind you, but evolving technologies in your organization and the constantly emerging stream of threats mean security will always be an ongoing journey. With this in mind, it’s important to create a recurring process designed to assess your security posture and identify the changes necessary to effectively manage risk.
This process might involve regularly taking stock of users and their permissions or redefining the responsibilities allocated to your security team. Regardless, make sure regular assessments are part of your overarching security strategy.
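As an added illustration of “taking stock of users and their permissions” (example code, not from the original article or RevCult’s tooling), the Python below flags active users holding org-wide data permissions and reports what changed since the previous review. It assumes the rows come from Salesforce’s standard PermissionSetAssignment object via the SOQL shown; the sample rows are constructed.

```python
"""Recurring Salesforce permission inventory (added example, not RevCult's tooling)."""
from collections import defaultdict

# Standard-object SOQL a reviewer would run through any Salesforce API client;
# SAMPLE_ROWS below is a constructed stand-in for its result.
SOQL = ("SELECT Assignee.Username, Assignee.IsActive, PermissionSet.Name, "
        "PermissionSet.IsOwnedByProfile, PermissionSet.Profile.Name, "
        "PermissionSet.PermissionsModifyAllData, PermissionSet.PermissionsViewAllData "
        "FROM PermissionSetAssignment")

# Org-wide data permissions that bypass sharing: the "companywide access" case.
BROAD_PERMS = ("PermissionsModifyAllData", "PermissionsViewAllData")

def find_broad_access(rows, allowlist=frozenset()):
    """Map each active, non-allowlisted user to the profile/permission-set
    grants that give them an org-wide data permission."""
    findings = defaultdict(set)
    for row in rows:
        user, ps = row["Assignee"], row["PermissionSet"]
        if not user["IsActive"] or user["Username"] in allowlist:
            continue
        # Profile permissions surface as profile-owned permission sets.
        source = ("profile:" + ps["Profile"]["Name"] if ps["IsOwnedByProfile"]
                  else "permset:" + ps["Name"])
        for perm in BROAD_PERMS:
            if ps.get(perm):
                findings[user["Username"]].add(f"{source}/{perm}")
    return {u: sorted(v) for u, v in findings.items()}

def new_since_last_review(previous, current):
    """Grants present now but absent at the last assessment: the delta reported to the risk owner."""
    delta = {u: sorted(set(g) - set(previous.get(u, ()))) for u, g in current.items()}
    return {u: g for u, g in delta.items() if g}

# Constructed sample rows (not real org data).
SAMPLE_ROWS = [
    {"Assignee": {"Username": "admin@example.com", "IsActive": True},
     "PermissionSet": {"Name": "X00e1", "IsOwnedByProfile": True,
                       "Profile": {"Name": "System Administrator"},
                       "PermissionsModifyAllData": True, "PermissionsViewAllData": True}},
    {"Assignee": {"Username": "sales.rep@example.com", "IsActive": True},
     "PermissionSet": {"Name": "Reporting_Power_User", "IsOwnedByProfile": False,
                       "Profile": None, "PermissionsModifyAllData": False,
                       "PermissionsViewAllData": True}},
    {"Assignee": {"Username": "former.employee@example.com", "IsActive": False},
     "PermissionSet": {"Name": "X00e2", "IsOwnedByProfile": True,
                       "Profile": {"Name": "System Administrator"},
                       "PermissionsModifyAllData": True, "PermissionsViewAllData": True}},
]
```

Persist the returned mapping at each review and feed it back as `previous` so the report shows only newly granted org-wide access, with inactive users dropped automatically.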
4. Embed security into development
Most companies treat security as an afterthought. They’ve identified how they want to do business, and then they work to secure the processes, tools, and technologies that allow them to fit that mold. With this approach, development and security teams are operating in silos.
Best-in-class organizations, on the other hand, are embedding security into the development process to ensure that the tools they create are set up for security success. By removing the gap between developers and their colleagues in security, organizations can eliminate risk before an application ever reaches production.
The incredible and evolving capabilities of the Salesforce platform are an organization’s (and developer’s) dream, but they also make security a complex undertaking. To make sure your own company is keeping the data stored on the platform locked up tight, start with an assessment of what information is there and who has access. Once you’ve taken stock of your holdings, follow the above four strategies to regularly address many of the most common security risks and configuration gaps facing organizations like yours.