RevCult is now OwnBackup Secure! In 2021, OwnBackup acquired RevCult, enhancing the cloud data protection platform with proactive data security. With OwnBackup Secure, you will strengthen security posture by understanding data exposure risks and proactively taking action to protect and secure your data -- all within Salesforce.
Perhaps your business has been fortunate enough to avoid disruption due to natural disasters or other events which prevent some or all of your employees from coming into the corporate office to work. You’ve locked down access to your Salesforce platform to corporate IP ranges and your org was secure… that’s great news! However, with the current state of the COVID-19 outbreak worldwide, many businesses are quickly responding to guidance from local and worldwide experts to lean on social distancing techniques, including remote work wherever possible.
How can you quickly respond to ensure the security of your org while minimizing business disruption? Our team of Engagement Leaders and Security Analysts met to discuss this very topic. The following is a high-level overview of some of the key points that the team discussed and agreed on.
Security, at the end of the day, is all about layers of defense. One can’t trust a single policy, device, or setting to ensure that organization assets remain safe.
Compensating controls are alternatives to those in your existing posture which provide a similar, or the same, level of defense as the original stated requirement.
In this case, we are exploring methods available to address end users logging in to your Salesforce org from their homes instead of a corporate network that is within your current IP range restrictions.
The issue, of course, is that most of your employees probably have dynamically assigned IP addresses provided by their internet service provider. This means that your employees will be blocked by the IP address restrictions configured in your Salesforce org.
Ideas for compensating controls are provided below. Many orgs have already implemented these configuration changes to secure their environment but it’s time to take an inventory of these settings to understand if there is an opportunity to improve the security of your org(s)!
For each profile, you can set the hours when users can log in to minimize the risk surface. Note that if users are logged in when their hours end, they can continue to view their current page, but they cannot take any further action.
Two Factor Authentication
IP range restrictions are implemented to make the system available to the right users from the right location(s). While the “locations” portion of this statement will suffer from relaxed or eliminated IP range restrictions, stepping up the authentication of users (proving that you are who you say you are) is achieved by requiring both something you know (username, password) and something you have or something you are (Salesforce Authenticator app, U2F security key, etc.).
You can require two-factor authentication each time a user logs in with a username and password to Salesforce, including orgs with custom domains created using My Domain. This is set at the profile level by changing “Session security level required at login” to “High Assurance.” Then, in your org’s Session Settings, map each login method to a session security level so the policy is enforced, and confirm that Two-Factor Authentication appears in the High Assurance column.
Along the same lines as Two Factor Authentication, now might be a good time to strengthen the “what you know” portion of authentication to ensure only the right users are accessing your org. We have found in our Security Risk Assessments that many of our clients’ Salesforce org password complexity configurations were not in alignment with their corporate security policies. This is a good time to align corporate policy and your Salesforce org in this regard. If you do not have a policy, consider using the NIST framework used by the Federal government, specifically NIST SP 800-63 Volume B (800-63B, Authentication and Lifecycle Management).
Be sure to check with your infrastructure/IT team! There may be unused capacity and/or existing solutions which can be put to work to minimize the disruption caused by COVID-19. Some helpful examples are included below.
In either example below, ensure that if you use the solution, you confirm that the IP range used/provided by the solution is within the IP range configured in your Salesforce org!
Virtual Private Network (VPN) Capabilities
VPNs have the potential to overcome the IP range restriction issue by creating a secure tunnel from your employees’ home offices to a corporate IP address. Ensure that split tunneling is disabled (or that the VPN is otherwise configured) so that Salesforce-bound web traffic from an employee’s home office computer is routed over the secure VPN tunnel, through the corporate network, and on to the Salesforce site; with split tunneling enabled, that traffic leaves directly from the home connection and is still blocked by the IP range restriction.
Terminal Server Farms
Terminal Server solutions such as Citrix Workspace or Microsoft Terminal Server, if used by your company, provide a potentially viable method of originating Salesforce sessions from a corporate network IP range.
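Whether the egress comes from a VPN concentrator or a terminal server farm, the check above is the same: every address the solution presents to Salesforce must fall inside a login IP range configured on the relevant profile. The following is an added example, not RevCult or Salesforce code, that reads the loginIpRanges entries from a Profile metadata document (constructed here with RFC 5737 documentation addresses) and reports which egress addresses would be admitted and which would be blocked.

```python
"""Check VPN / terminal-server egress addresses against a Salesforce profile's login IP ranges."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of a Profile metadata file (Metadata API format, loginIpRanges element).
# Addresses are RFC 5737 documentation ranges, not real corporate or VPN addresses.
SAMPLE_PROFILE_XML = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <loginIpRanges>
        <description>Corporate HQ</description>
        <endAddress>203.0.113.255</endAddress>
        <startAddress>203.0.113.0</startAddress>
    </loginIpRanges>
    <loginIpRanges>
        <description>Branch office</description>
        <endAddress>198.51.100.20</endAddress>
        <startAddress>198.51.100.10</startAddress>
    </loginIpRanges>
</Profile>"""

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}


def parse_login_ip_ranges(profile_xml):
    """Return (description, start, end) tuples for each loginIpRanges entry in the profile."""
    root = ET.fromstring(profile_xml)
    ranges = []
    for node in root.findall("sf:loginIpRanges", NS):
        desc = node.findtext("sf:description", default="", namespaces=NS)
        start = ipaddress.ip_address(node.findtext("sf:startAddress", namespaces=NS).strip())
        end = ipaddress.ip_address(node.findtext("sf:endAddress", namespaces=NS).strip())
        if end < start:  # a reversed range would silently admit nothing
            raise ValueError(f"range '{desc}' has end address before start address")
        ranges.append((desc, start, end))
    return ranges


def check_egress_addresses(profile_xml, egress_addresses):
    """Map each egress address to the description of the range that admits it, or None if blocked."""
    ranges = parse_login_ip_ranges(profile_xml)
    result = {}
    for addr_text in egress_addresses:
        addr = ipaddress.ip_address(addr_text)
        result[addr_text] = next((d for d, s, e in ranges if s <= addr <= e), None)
    return result


if __name__ == "__main__":
    # Constructed egress addresses as a VPN concentrator or Citrix farm might present them.
    for ip, rng in check_egress_addresses(SAMPLE_PROFILE_XML, ["203.0.113.42", "198.51.100.25", "192.0.2.7"]).items():
        print(f"{ip}: {'allowed via ' + rng if rng else 'BLOCKED - add to login IP ranges before cutover'}")
```

Run it against a profile retrieved with the Metadata API and the address list your network team provides; any address reported as BLOCKED will lock users out once they are routed through that solution.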
Document, Document, Document