As a CISO (Chief Information Security Officer) or CIO (Chief Information Officer) of an organization, there is a persistent concern over whether the CRM has the right security controls: the fear of unwanted access and of compliance audits weighs on leadership. With more point-and-click features and more people from different departments accessing Salesforce, the questions are always who has access to what, whether my sensitive data is secure in Salesforce, and how I prevent costly compliance audits in the future. The real need is to be proactive on security before a breach happens, and to make sure security is front of mind for both the Salesforce team and the business teams involved in the project.
Establishing a Salesforce Security Baseline
Given the complexity of Salesforce clouds (Sales, Service, Marketing Cloud, etc.) and the volume of data in your Salesforce org, it can be overwhelming to figure out where to start assessing security. To start simply, here is a high-level list of items you can use to identify the current state of security in your org.
Authentication – How do users log in to Salesforce with their devices?
What devices do Salesforce users log in from (laptops, mobile, etc.)? Are there devices that allow a user to log in while bypassing MFA (Multi-Factor Authentication) or Single Sign-On?
With Salesforce enforcing Single Sign-On, what percentage of users, such as Salesforce admins and integration users, have the capability to bypass Single Sign-On?
Authorization – Who has access to what data?
Who are the users with privileged access to Salesforce? This includes system administrators, business users with the Modify All Data permission, etc.
Do external users have access to data they are not supposed to have?
Do Salesforce users follow company restrictions where departments or business units can access only certain data?
Sensitive Data – Data stored in Salesforce which can be deemed restricted or sensitive based on compliance, privacy, or organizational requirements.
Do we have data classification defined in our org in terms of which data is public (accessible to all), private (accessible only to certain users), internal (accessible to employees), and restricted (confidential data accessible only to authorized internal users)?
Once the data classification is in place, what is the process for granting users elevated access, such as access to restricted or internal data?
How can we monitor for data breaches where unauthorized users access sensitive data, such as restricted or internal data?
Encryption (At rest and in transit enforced)
In terms of compliance, is my Salesforce data encrypted at rest?
Do we use encrypted fields for securing sensitive data?
Do all my external applications integrating with Salesforce follow encryption in transit?
Are there gaps or limitations in encryption in transit where information security has approved exceptions?
Malware Protection and Security Audit
Do we have all the malware protection turned on in the Salesforce security settings, and are there any risks showing up on the Salesforce security report?
Do we have solutions in place to meet audit requirements, such as archiving data after, say, 7 years based on compliance needs?
Do we have a log policy to proactively monitor login history and the Salesforce event log for alerts?
Survivability and Physical Protection
Do we have backups in place for our Salesforce org?
Have we tested restore plans for any data restore during a Salesforce data issue or downtime?
Do we have policies in place to protect Salesforce data across physical locations such as public places, internal workplaces, and others?
Intrusion Detection
Do we have a way to proactively monitor Salesforce for intrusion indicators, such as report downloads by users?
Do we have a way to monitor users who log in after they have been terminated from the company?
How much time does it take for a terminated user to be completely removed from Salesforce?
The above questions will help you put together a security plan and a starting point for assessing security.
Proactive Measures to Mitigate Audit Risks in Salesforce
Once we have assessed the current state of security, we can start working on requirements for the future state to address the gaps. As we work through the requirements, it is also important to create a process and a team responsible for implementing security. Here are some guidelines that can help with this.
Define a cross-functional security team with the Salesforce team, the information security team, and the business team to monitor security requirements and issues.
Define a quarterly or monthly process to review Salesforce security reports and items, and have a security report sent to the information security team on the current state of security.
Define a process to monitor users with privileged access, and have an approval process in which the business approves these users (and regular users) to prevent unwanted access.
Quick Wins to Kickstart Salesforce Security Vigilance
Once you have a security plan, process, and team in place, the critical question is what you can do now to start proactively monitoring security.
Run the Security Health Check, the portal health check, and the guest user access check, and ensure all critical items are addressed right away.
If you have Salesforce Shield or a Salesforce alert monitor, make sure you have epics defined to start working on security items, and alerts in place to monitor exceptions.
If you lack Salesforce Shield and other security products, have the event logs downloaded regularly and run reports on unwanted exceptions.
Create a requirement for data classification so that you can start classifying data as public, internal, confidential, or sensitive.
Create a process to monitor Salesforce data breaches, where you have a report of unwanted users accessing Salesforce data, and implement an approval process for exceptions.
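The intrusion-detection questions above (report downloads, logins by terminated users) and the quick win of running reports over downloaded event logs can be combined into one small check. The following is an added example, not code from the original post: it reads a constructed, simplified Salesforce EventLogFile CSV (only a handful of the real columns are kept), an assumed HR feed of terminated users, and an assumed per-user daily export threshold, and flags the two exceptions.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample of Salesforce EventLogFile rows (simplified column set;
# real files carry many more columns and one file per event type and day).
SAMPLE_EVENT_LOG = """EVENT_TYPE,TIMESTAMP,USER_NAME,SOURCE_IP,LOGIN_STATUS
Login,20240301080000.000,alice@example.com,203.0.113.10,LOGIN_NO_ERROR
Login,20240301081500.000,bob@example.com,198.51.100.7,LOGIN_NO_ERROR
ReportExport,20240301082000.000,bob@example.com,198.51.100.7,
ReportExport,20240301082100.000,bob@example.com,198.51.100.7,
ReportExport,20240301082200.000,bob@example.com,198.51.100.7,
ReportExport,20240301091000.000,alice@example.com,203.0.113.10,
Login,20240301093000.000,carol@example.com,192.0.2.55,LOGIN_NO_ERROR
"""

# Assumed HR feed: username -> termination date (UTC). Constructed value.
TERMINATED_USERS = {"carol@example.com": datetime(2024, 2, 28, tzinfo=timezone.utc)}

# Assumed policy threshold: more than this many report exports per user per day.
EXPORT_THRESHOLD = 2

def parse_ts(raw):
    # EventLogFile TIMESTAMP is yyyyMMddHHmmss.SSS in UTC
    return datetime.strptime(raw, "%Y%m%d%H%M%S.%f").replace(tzinfo=timezone.utc)

def find_exceptions(log_csv, terminated, export_threshold):
    """Return (kind, user, detail) tuples for the two monitored exceptions."""
    findings = []
    exports = {}  # (user, day) -> number of ReportExport events
    for row in csv.DictReader(io.StringIO(log_csv)):
        ts = parse_ts(row["TIMESTAMP"])
        user = row["USER_NAME"]
        if row["EVENT_TYPE"] == "Login" and row["LOGIN_STATUS"] == "LOGIN_NO_ERROR":
            # Successful login on or after the termination date is an exception
            term = terminated.get(user)
            if term and ts >= term:
                findings.append(("terminated_user_login", user, row["SOURCE_IP"]))
        elif row["EVENT_TYPE"] == "ReportExport":
            key = (user, ts.date())
            exports[key] = exports.get(key, 0) + 1
    for (user, day), count in sorted(exports.items()):
        if count > export_threshold:
            findings.append(("bulk_report_export", user, f"{count} exports on {day}"))
    return findings

if __name__ == "__main__":
    for kind, user, detail in find_exceptions(SAMPLE_EVENT_LOG, TERMINATED_USERS, EXPORT_THRESHOLD):
        print(f"{kind}: {user} ({detail})")
```

Feeding the daily Login and ReportExport files into find_exceptions and sending the findings to the security report from the monthly process gives a baseline detection without Shield.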
By doing all of this, you can have a cyber security plan for Salesforce, have a process and policy in place, and start proactively monitoring security in your org. Feel free to ask any questions by emailing me at buyan@eigenx.com.