- Salesforce customers are responsible for taking the steps to protect their own data. Even with Salesforce Shield in place, 84% of users are still putting their most sensitive data at risk.
- Data governance means that every organization will pay security costs, whether through proactive and predictable measures to protect sensitive data in Salesforce or through hefty fines and public scrutiny. You can’t afford to overlook data vulnerabilities.
- By taking the first step to make a security plan, using Salesforce tools to learn more about risks, and prioritizing data protection sooner, you can grow your skills and save valuable organizational resources.
Salesforce security skills are an increasingly important asset, for both individuals and organizations. As the Salesforce ecosystem grows, you can differentiate yourself professionally with top-notch security skills.
Beyond your own abilities, of course, data protection is indispensable for more complex Salesforce organizations. The security threats that come with greater complexity mean that companies simply can’t afford to take security risks.
Recently, Own hosted a webinar on leveling up your Salesforce security skills. Read on for findings from Own research on risk and what you can do to improve Salesforce security in the short- and long-term.
Why data protection is pivotal
The need for data protection starts with the shared security model. Salesforce is responsible for security of the cloud, ensuring uptime, responsiveness, and protection from platform breaches.
Salesforce customers are responsible for the security of their data in the cloud. This includes a variety of key practices, from keeping permissions updated and deactivating old users to protecting passwords and securing mobile devices.
Unfortunately, there are many ways you can expose your Salesforce org to undesirable access. But the most important and solvable cases of these breaches involve valid users who access records, fields, or objects they shouldn’t be able to access.
Salesforce usage has changed over time. It’s now a master of record for many organizations, including integrations with other apps. But more APIs mean more risk.
Employee transitions are natural. However, turnover leads to new training and changes in access. All of these transitions put your data security to the test and underscore the need for protection.
A real-world look at security risk (and why many companies fail)
Each year, Own conducts research to determine data vulnerabilities for many organizations. We anonymize and compile the findings of our security analysts and make these annual insights available.
This year’s report found that companies are putting 90% of their data at risk because of improper handling. What’s more, 84% of Salesforce users still have sensitive data exposed, even after buying Salesforce Shield, including Platform Encryption.
The following three key findings provide a deeper look into the reasons why and how many organizations fail to properly protect their most sensitive data.
1. Unsuccessful data classification
All data is not created equal. And without proper data classification, organizations are missing one of the most critical steps in eliminating security vulnerabilities.
Many companies miss this step entirely. But even for those who have classified their data, it’s important to consider key follow-up questions that can ensure effective follow-through. For instance, Have you involved key stakeholders like the business owners and infosec teams?
You also need to separate the classification of the data from the treatment of the field. For example, you may not be able to encrypt some fields that include Personally Identifiable Information (PII) because of needed functionality. If you cannot encrypt, you should find other ways to protect this highly sensitive user data in these fields through controlling user access and limiting reporting permissions.
2. Major gaps between InfoSec and Salesforce teams
Salesforce has become a critical player in system landscapes for many organizations. But its importance can pose communication—and security—challenges when teams have differing priorities.
Salesforce teams and CRM platform owners are most focused on a positive customer experience, including a feature-rich platform and the benefits of broad data visibility.
On the other hand, InfoSec leaders are most concerned with data security and want to shut down access as much as possible.
These conflicting priorities can lead to security challenges and gaps in understanding.
3. Administrator access in production
All too often, Salesforce users receive elevated access to data because the impact of removing or changing their permissions is unclear. Admittedly, Salesforce security permissions are so granular that it’s impossible to know every outcome of every access change.
When you need to enable a user to complete their task, it can seem all too simple to let them “Modify All” on an object or export reports.
But even seemingly straightforward permissions like exporting reports can open the door for departing employees and others to continue accessing data they shouldn’t. Failure to segment permissions and carefully control access can have significant and lasting security impacts.
Consider the principle of least privilege: both users and integrations should only be given the privileges they need to complete a task. This helps limit access by nonessential or even unwanted parties.
Steps you can take to improve Salesforce security skills
Salesforce security starts and ends with your data. Any time the security and classification aren’t right, your data is vulnerable.
When it comes to security and data governance, you will pay a cost at some point.
This cost can be predictable if you invest time and money in up-front, proactive work during the development process. Or the cost can be unpredictable, coming in the form of hefty fines and public scrutiny in the event of a data breach.
How can you become more proactive about making your Salesforce org safer? Here are six steps to level up your security skills, both as an individual and for your organization.
1. Take the first step to learn about Salesforce security
Reading this article—or watching the webinar—is a great move in the right direction.
Learning about Salesforce security fundamentals allows you to decide what steps you’ll take first to begin forming a plan. Start to identify red flags in your security, and decide what you’ll do to resolve them, both now and later.
2. Be the voice of security
Start by asking questions about what kind of data will be included in new objects, field classification types, access levels to be given, and data retention timelines.
Unfortunately, these kinds of questions likely won’t be popular—at first. Others in your organization may be resistant to slowdowns and changes in security practices. But over time, you’ll establish consistency in the security process.
Eventually, you just might educate product owners and business users enough that you won’t need to ask the questions—and user requirements will consider security from the get-go.
3. Learn about the Shift-Left model
The traditional quality model pays attention to quality during the testing and even deployment stages. Shifting left means focusing on quality as early in the process as possible during the design and development stages.
For example, rather than simply creating a field and adding it to the page layout, start by classifying the field and identifying its permission sets to get these aspects right early. For more complex components, focus on getting the code quality right from the outset.
4. Keep the Secure Coding Guide on hand
Nearly 100 pages long, this Salesforce document provides an in-depth look at potential vulnerabilities in modern technology and programming languages. Even more important, the Secure Coding Guide also offers advice on how to close those security gaps.
When combined with a Shift-Left approach to quality, the Secure Coding Guide serves as a useful reference document when writing code for maximum security results.
5. Complete the OWASP Trailhead
The Open Wave Application Security Project (OWASP) is an open-source project that publishes information about security threats, vulnerabilities, methodologies, and tools. Completing the OWASP Salesforce Trailhead unit will guide you through the OWASP Top 10 security risks and web attacks, with a focus on application for Salesforce.
This allows developers to ensure their code is secure against those vulnerabilities from day one. OWASP also regularly maintains and updates this list over time. Of course, Salesforce has plenty of additional security-focused Trailheads to further deepen your knowledge—so keep on learning.
6. Make security a habit
Simply put, don’t stop talking about security. Keep asking questions, and make sure that data protection is at the forefront of people’s minds.
Before you know it, security considerations will be built into your company processes—simply a part of what you do. Consistency in security will both grow your skills and benefit your organization for the long haul.
This article is based on a webinar hosted by Own. Watch the full recording here, and click here to see how Own Secure can help you strengthen you security posture within Salesforce.
