When it comes to mission-critical cloud applications, today’s security teams have a laundry list of different focus areas. From ensuring cloud providers deliver adequate protection and analyzing baseline activity to examining interconnected systems and understanding data flows, teams are stretched thin. With so many competing priorities, it’s no wonder they have a difficult time answering standard cloud security and compliance questions.
Take Salesforce, for instance. More than 150,000 businesses rely on Salesforce every day for customer relationship management services, marketing automation, analytics, and more. For these organizations, Salesforce is the application that supports the critical business functions and processes of sales and services.
But it’s safe to assume that not every one of these organizations could answer common security questions: Which users have excessive privileges? How many legitimate users are acting suspiciously or dangerously? What happens when a user leaves the company but their account lingers?
The reason? While many mission-critical cloud applications like Salesforce have security functionality built-in, they don’t consider the levels of customization and complexity that organizations introduce while implementing these solutions.
Therefore, built-in security does not offer the depth and breadth of insight needed to analyze and address risks that can impact other processes, applications, and the intelligent enterprise at large. And while SaaS, IaaS, and PaaS business applications provide faster time to value and more scalability than on-premises solutions, they also come with a loss of visibility into key security and compliance areas.
To ensure protection and compliance for all Salesforce instances, businesses need to focus on five specific areas, ask some difficult questions, and understand the impact that failures in each area can have on their business.
Five Salesforce security pitfalls (and how to avoid them)
While there are myriad checks each Salesforce instance needs to go through to ensure complete protection and compliance, five often go overlooked. These checks include security configurations, excessive authorizations, segregation of duties, user impersonation, and system integrations.
1. Security configurations: One of the most critical focus areas for Salesforce security is proper configurations. If a team misconfigures an instance, it may allow an attacker to hijack users’ sessions and upload malicious content, or even to exploit a weakness in default settings and encryption keys and, ultimately, access back-end servers and customer data.
To combat misconfiguration, it’s essential that the instance’s security settings are configured according to best practices, including proper user permissions, sharing defaults, HTTPS encryption, multi-factor authentication, minimum password lengths, and so on.
2. Excessive authorizations: A lapse in Salesforce authorizations can lead to a security or system administrator having the authority to modify access permissions, edit security configurations, and even mass export sensitive data from the system at any time. This can cause significant compliance issues (Sarbanes-Oxley, PCI-DSS, GDPR and CCPA), operations disruption, and brand damage.
To prevent this from happening, security teams must make sure that users have the least privileged authorizations possible – no more than they need to perform day-to-day operations.
3. Segregation of duties: A staff member with too much power can create a new user and assign them elevated privileges, or deliberately purge information and even run and access reports that contain sensitive customer information.
To stop this from happening, security teams must prevent a single user from owning a process end to end.
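Pitfalls 2 and 3 are easiest to see when a user’s permission sets are combined rather than reviewed one at a time. The following script, added here as an illustration and not part of the original article, audits a constructed dump of users and permission sets for high-risk permissions and segregation-of-duties conflicts. The data shape mirrors Salesforce’s User, PermissionSetAssignment and PermissionSet objects, but the sample values and the Permissions* field names are assumptions, not output from a real org.

```python
# Constructed sample data (assumed shape; not real org data).
USERS = {
    "005A": {"Username": "ana@example.com", "IsActive": True},
    "005B": {"Username": "bob@example.com", "IsActive": True},
    "005C": {"Username": "cat@example.com", "IsActive": True},
}
PERMISSION_SETS = {
    "0PSA": {"Label": "Sales Rep", "PermissionsModifyAllData": False,
             "PermissionsManageUsers": False, "PermissionsViewAllData": False},
    "0PSB": {"Label": "Data Export", "PermissionsModifyAllData": False,
             "PermissionsManageUsers": False, "PermissionsViewAllData": True},
    "0PSC": {"Label": "User Admin", "PermissionsModifyAllData": False,
             "PermissionsManageUsers": True, "PermissionsViewAllData": False},
    "0PSD": {"Label": "Sys Admin", "PermissionsModifyAllData": True,
             "PermissionsManageUsers": True, "PermissionsViewAllData": True},
}
# (AssigneeId, PermissionSetId) pairs; bob holds two individually tame sets.
ASSIGNMENTS = [("005A", "0PSA"), ("005B", "0PSB"), ("005B", "0PSC"), ("005C", "0PSD")]

# Permissions the article flags as dangerous when held beyond day-to-day need.
HIGH_RISK = {
    "PermissionsModifyAllData": "edit or purge any record",
    "PermissionsViewAllData": "read and mass-export any record",
    "PermissionsManageUsers": "create users and assign them privileges",
}
# Segregation of duties: one person should not both manage users and touch all data.
SOD_CONFLICTS = [
    ("PermissionsManageUsers", "PermissionsModifyAllData"),
    ("PermissionsManageUsers", "PermissionsViewAllData"),
]

def effective_permissions(user_id):
    """Union of the high-risk permissions granted by every set assigned to the user."""
    granted = set()
    for assignee, ps_id in ASSIGNMENTS:
        if assignee == user_id:
            granted |= {p for p in HIGH_RISK if PERMISSION_SETS[ps_id].get(p)}
    return granted

def excessive_authorizations():
    """Users holding any high-risk permission: the review list for pitfall 2."""
    return {USERS[u]["Username"]: sorted(effective_permissions(u))
            for u in USERS if effective_permissions(u)}

def sod_violations():
    """Users whose combined sets let one person own a process end to end (pitfall 3)."""
    out = {}
    for u in USERS:
        perms = effective_permissions(u)
        hits = [pair for pair in SOD_CONFLICTS if set(pair) <= perms]
        if hits:
            out[USERS[u]["Username"]] = hits
    return out
```

Run against a real export, the interesting finding is bob: neither "Data Export" nor "User Admin" looks excessive alone, but together they violate segregation of duties.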
4. User impersonation: It’s significantly easier for a hacker or rogue employee to impersonate people in the cloud. Successful impersonation could provide a bad actor with the ability to act on behalf of a security administrator, delegate access to other users, and even access proxy management settings.
With this amount of power at stake, security staff must ensure that users can only act on behalf of other users for legitimate business reasons.
5. System integrations: With cloud applications, organizations often sacrifice visibility for flexibility, so it’s hard to know what’s going on “in the background.” That’s why proper system integrations are so important. Poor integrations between third-party systems can allow hackers to hijack or intercept communications and even open Salesforce instances up to unknown systems.
Security teams must ensure third-party integrations are set up according to security best practices to reduce the risk of attackers leveraging compromised third-party applications to gain access into Salesforce. Proper management of connected third-party applications includes making sure APIs are secure and that authorizations and access are securely configured. Continuous monitoring for anomalous behavior and misuse is also recommended.
With so many conflicting priorities, these five considerations give security teams a concrete focus list for ensuring Salesforce implementations are secure and compliant. However, manually verifying configurations, authorizations, segregation of duties, user privileges, and integrations at scale can become complicated, especially in a constantly evolving and growing business.
To help maximize effectiveness, security teams should consider support tools that can help automate these processes, monitor and flag anomalous behavior, identify potential misconfigurations and how to fix them, and more. These supporting assets can free up time for security teams that are stretched thin, so they can continue to support other strategic digital transformation initiatives while ensuring adequate protection.
One of the most widely used customer relationship management platforms shouldn’t be your biggest security target. By addressing these concerns head-on with security best practices and advanced technology, security teams can ensure Salesforce success for years to come.