How to secure Salesforce?
Salesforce is a technology company that provides one of the most sophisticated CRM software solutions and enterprise cloud computing. As a CRM, Salesforce has access to sensitive data, making it a good target for data breaches. This is especially the case as Salesforce is cloud based.
The data breach in 2019 that led to huge amounts of customer data being sold on the dark web highlighted some serious flaws in Salesforce’s cyber security. This incident pushed Salesforce to develop a more robust security system that would ensure sensitive data would remain secure.
This article goes through Salesforce’s history with data and the measures the company put in place to avoid another breach after the one in 2019. We will also recommend some security best practices a company should implement, from enforcing strong passwords to educating users.
Salesforce’s cyber history
2019 was a difficult year for Salesforce, as two incidents highlighted serious flaws in the company’s security system.
2019 Salesforce-Hanna Andersson data breach
In December 2019, it was discovered that Salesforce and Hanna Andersson, a partner company selling children’s clothes, had suffered a data breach. The hackers who penetrated the system gained access to Hanna Andersson’s customer purchase history.
The data breach put huge amounts of customer data at risk, as hackers obtained personal data and credit card information. The hackers then sold this data to criminals on the dark web.
The scandal was especially shocking, as the data breach took place from September to November 2019 without Salesforce noticing anything. It was law enforcement who noticed the breach, when they spotted huge amounts of customer data on the dark web.
A class action lawsuit was filed against Salesforce and Hanna Andersson for alleged negligence and violation under the UCL, the California Unfair Competition Law.
The complaint alleges that both companies failed to properly protect private data, and subsequently failed to detect the data breach. Also, the companies are said to have not made their customers aware of their weak security systems, even though the companies allegedly knew their security standards were deficient.
2019 Salesforce data outage
On 17th May 2019, Salesforce suffered a service disruption due to a bug in a single-purpose database script that was deployed that day. The bug in the script caused many users to have elevated access to some fields in their organisations.
In order to prevent users from gaining access to unauthorised files, Salesforce blocked access to all organisations that might be affected by the bug. Many users experienced service disruption from “16:55 UTC to 21:40 UTC on May 17, 2019”.
Salesforce stated that the disruption was caused by fixes that took “longer than acceptable by [their] security standards”. It took until the 20th May for all permission issues to be fixed.
What does Salesforce do for security now?
In order to prevent similar security incidents, Salesforce has taken steps to develop a more robust security system.
Data is now encrypted with SSL technology
SSL, or Secure Sockets Layer, technology ensures that a connection between a user and a server is secure and encrypted. Salesforce uses this technology, protecting its website with data encryption and server authentication.
Also, Salesforce does not include any sensitive information in its cookies, such as usernames and passwords. There is thus no use in stealing Salesforce’s cookies.
Enforcement of the principle of least privilege
In order to minimise the risk of data breaches, Salesforce follows the guiding principle of least privilege. According to this principle, users should only be given access to files that are required to perform their job.
With this principle, users only have access to data that is directly relevant to their job, so as few users as possible have access to sensitive information.
If extra permissions later need to be granted to users, admins can define permission sets and permission set groups. These measures grant additional access to users whilst keeping clear and strict control over the information that is shared with users.
Salesforce has implemented sharing rules, enabling admins to extend access to files that would usually be inaccessible to users. There are two types of sharing rules:
- Criteria-based: users can be granted access to all files of a certain type. For example, an admin could grant access to all relevant files for a certain region. This would give users in this region only data that is relevant to them.
- Owner-based: a user can be given access to all files that are owned by a certain employee or manager. For example, a manager of a sales team could be given access to the past records showing all past opportunities of team members.
Over the years, sharing rules have become a fundamental part of Salesforce’s security system. Sharing rules have become a very effective way of fine-tuning the principle of least privilege.
Used in conjunction with sharing rules, role hierarchies have been developed by Salesforce to protect sensitive data. Role hierarchies are determined in accordance with Salesforce’s management structure, with those at the top having access to the most information.
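The layers described above (owner access, role hierarchy, criteria-based and owner-based sharing rules) can be sketched as a default-deny check. This is an added example, not Salesforce code: it is a simplified model, and every name, user and record in it is hypothetical.

```python
from dataclasses import dataclass

# Simplified, hypothetical model of the access layers described above.
@dataclass(frozen=True)
class Record:
    record_id: str
    owner: str
    region: str

@dataclass(frozen=True)
class CriteriaRule:          # shares records whose field equals a value
    field: str
    value: str
    shared_with: frozenset

@dataclass(frozen=True)
class OwnerRule:             # shares records owned by the listed users
    owners: frozenset
    shared_with: frozenset

# Constructed role hierarchy: user -> direct manager.
MANAGER_OF = {"alice": "carol", "bob": "carol", "carol": "dana", "erin": "dana"}

def is_above(user, other):
    """True if `user` sits above `other` in the role hierarchy."""
    seen = set()
    while other in MANAGER_OF and other not in seen:  # `seen` guards against cycles
        seen.add(other)
        other = MANAGER_OF[other]
        if other == user:
            return True
    return False

def access_reason(user, record, rules):
    """Return why `user` may read `record`, or None (default deny)."""
    if user == record.owner:
        return "owner"
    if is_above(user, record.owner):
        return "role hierarchy"
    for rule in rules:
        if user not in rule.shared_with:
            continue
        if isinstance(rule, CriteriaRule) and getattr(record, rule.field) == rule.value:
            return "criteria-based rule"
        if isinstance(rule, OwnerRule) and record.owner in rule.owners:
            return "owner-based rule"
    return None

# Constructed rules: erin sees all EMEA records, bob sees alice's records.
RULES = [
    CriteriaRule("region", "EMEA", frozenset({"erin"})),
    OwnerRule(frozenset({"alice"}), frozenset({"bob"})),
]
```

Returning the reason rather than a bare boolean makes it easy to review which rule is responsible for each grant when auditing for over-broad access.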
Data exfiltration controls
Data exfiltration, or data theft, is a major cybersecurity threat to many companies, as it can lead to the loss of very sensitive data, such as personal information or private business data.
In order to prevent another data breach, Salesforce has a number of built-in data exfiltration controls:
- On the server side: in order for Salesforce to make outbound connections to third-parties, these external systems need to be enabled beforehand. Conversely, inbound connections from third-parties are limited and also need to be enabled beforehand. Such a measure limits the risk of malicious third-parties penetrating Salesforce’s systems.
- On the client side: Salesforce is secured by Content Security Policies, which determine whether or not a client-side domain is trusted. This means that only enabled client domains can have access to Salesforce.
- Cross-Origin Resource Policy: this security measure limits the domains that can make requests to Salesforce organisations. The measure prevents data exfiltration, as it blocks unauthorised users from taking data from Salesforce’s system.
In other words, Salesforce’s controls permit data to be sent only to enabled applications. Data can also only be taken by authorised users.
Ability to follow security incidents in real time
The 2019 data breach showed that Salesforce was unable to track ongoing data breaches. This was a major issue, as it enabled hackers to steal information for months, selling it to criminals on the dark web.
In order to prevent such scandals from reoccurring, Salesforce has developed a sophisticated audit trail system, enabling the real-time tracking and analysis of potential security incidents.
Audit trail logs provide information about everything that has taken place on Salesforce systems, such as login attempts, changes in code, or data alterations. Audit trail logs help quickly identify and deal with security risks.
Salesforce’s audit trail system is specific in that users with high-level permissions aren’t allowed to alter logs. This means that no users in the system can change information in order to cover their tracks.
Such a measure ensures that the logs are trustworthy, as it is impossible to tamper with them. The logs are available for 180 days, giving admins ample time to analyse past logs.
As a company, what are the security best practices you should follow?
Enforce a strong password policy
Weak passwords remain the biggest threat to security systems. You can reduce this threat by enforcing strong and secure passwords that are regularly updated.
You can set password policies that enforce length and complexity requirements on user passwords. There is also a password history function that blocks users from reusing expired passwords.
With password policies, you can decide what users have to do when they forget a password.
Admins can also reset user passwords if they want to impose a stronger password or if the user is locked out from their account.
Once a password has expired, a user has to update their password. They will be automatically logged out when the password has been reset and will have to log in again with the updated password.
Implement Multi-Factor Authentication (MFA)
Multi-Factor Authentication is a security measure that forces users to provide more than one verification method to access an account. Traditionally, users are only forced to provide basic credentials: a username and a password.
With MFA, users need to provide information that is usually obtained from an additional device. For example, when logging in on a computer, a user will receive a temporary verification code on their mobile phone. Other MFA examples include biometrics or security tokens.
MFA is a very effective security measure, as it requires physical access to a device. This makes it much more difficult for a hacker to gain access to an account. MFA makes your company system less vulnerable to users using weak passwords.
Salesforce has a dedicated Salesforce Authenticator mobile app that will send a notification to a user when they attempt to log in to an account. Salesforce makes it obligatory for all users to use MFA.
MFA is simple to configure through Salesforce with the “Configuration” button. You can either use the Salesforce Authenticator app or another standardised authentication app.
Configure regular backup
One of the biggest threats to companies regarding data security is data loss or damage. There are a variety of factors that can make data unusable, such as theft, damaged equipment, or natural catastrophes.
In order to limit the risks of losing data, it is highly recommended that each company configures regular data backups.
Depending on company needs, backups can be performed on a weekly or monthly basis.
Salesforce gives companies the option of either automatic backups generated by Salesforce or manual backups performed by admins.
Set login IP ranges
Setting Login IP Ranges is a method of limiting unauthorised user access by forcing users to log in from specific IP addresses. Usually, these IP addresses are the corporate network or VPN.
This measure blocks logins from any IP address that has not been specifically enabled. Login IP Ranges are thus a very effective method of preventing unauthorised users from accessing company systems.
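Before enforcing Login IP Ranges, it helps to check which recent logins would fall outside them. The following is an added example, not Salesforce code: the start/end ranges, the login export and its column names are all constructed for illustration.

```python
import csv
import io
from ipaddress import ip_address

# Constructed allow-list in start/end form, using documentation address space.
ALLOWED_RANGES = [
    ("203.0.113.0", "203.0.113.63"),     # hypothetical office egress
    ("198.51.100.10", "198.51.100.20"),  # hypothetical VPN pool
]

# Constructed login export; the column names are assumptions for this example.
SAMPLE_LOGINS = """username,source_ip,login_time,status
avery@example.com,203.0.113.17,2024-03-04T08:12:00Z,Success
blake@example.com,198.51.100.25,2024-03-04T08:40:00Z,Success
casey@example.com,192.0.2.200,2024-03-04T09:02:00Z,Failed
drew@example.com,not-an-ip,2024-03-04T09:15:00Z,Failed
"""

def parse_ranges(pairs):
    """Validate start/end pairs and convert them to address objects."""
    ranges = []
    for start, end in pairs:
        lo, hi = ip_address(start), ip_address(end)
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range {start}-{end}")
        ranges.append((lo, hi))
    return ranges

def in_ranges(addr, ranges):
    """True if addr lies inside any range of the same IP version."""
    return any(lo.version == addr.version and lo <= addr <= hi for lo, hi in ranges)

def audit_logins(csv_text, range_pairs):
    """Return (username, source_ip, reason) for every login outside the ranges."""
    ranges = parse_ranges(range_pairs)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = row["source_ip"].strip()
        try:
            addr = ip_address(raw)
        except ValueError:
            findings.append((row["username"], raw, "unparseable address"))
            continue
        if not in_ranges(addr, ranges):
            reason = "successful login" if row["status"] == "Success" else "failed attempt"
            findings.append((row["username"], raw, reason + " outside ranges"))
    return findings

if __name__ == "__main__":
    for finding in audit_logins(SAMPLE_LOGINS, ALLOWED_RANGES):
        print(finding)
```

A successful login from outside the ranges means either the allow-list is incomplete or the account is being used from somewhere unexpected, and both are worth resolving before enforcement.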
Use Salesforce’s Health Check tool
Salesforce’s Health Check lets admins identify and fix weaknesses in a company’s security system, all from the same page. Health Check is free to use and comes with all Salesforce products.
Health Check provides a Health Check Score, rated from 0% to 100%. 90% and above is considered excellent, 80-89% is very good, 70-79% is good, 55-69% is poor, and below 55% is very poor.
Salesforce offers a Baseline Standard that determines various security measures used to prevent either high or low security risks. For example, the measure “lock sessions to the domain in which they were first used” is a high-risk security measure. On the other hand, the measure “require a minimum 1 day password lifetime” is a medium-risk security measure.
Read more here for a complete look at Salesforce’s Baseline Standard.
Whilst Health Check offers users standard guidelines to monitoring their systems, it can be tailored to suit a business’ particular needs. This is great for companies who require specific insights into their security systems.
Configure session timeouts
A big security risk for companies is that employees sometimes forget to log off or leave their devices unattended. In order to limit this risk, you can configure a session timeout.
Sessions can be closed automatically when there is no user activity. The default is 2 hours, but you can change it to 30 minutes if you want to increase security.
You can configure session timeout by clicking Setup > Security Controls > Session Settings.
Educate users about phishing
Perhaps the most important measure in developing a strong security system is educating users about security risks. Even the most robust security system will be ineffective if employees are not aware of the dangers of cyberattacks.
Phishing refers to the practice of hackers tricking users into divulging sensitive information, granting access to a malicious user, or transferring money to a hacker’s account.
Hackers rely on user ignorance to gain access to systems. It is thus essential that all employees know how to identify and deal with potential phishing incidents.
A common type of phishing uses fraudulent emails that trick employees into sharing private information. Usually, the email will be disguised as an official email from a company head or from another organisation.
These emails are designed to install malware on company systems, which will grant the attackers unauthorised access to private data.
Employees should be taught to:
- Review the email’s subject, especially if the message is unexpected;
- Verify the provenance of the email, by checking who the sender and organisation are;
- Avoid clicking on suspicious attachments;
- Never share credentials unless they are completely sure that the sender is trustworthy;
- Double check the language. Scam emails will sometimes have awkward grammar or incorrect spelling;
- Be suspicious of urgent emails.
You can forward suspicious emails to Salesforce at email@example.com.
In response to the 2019 data breach, Salesforce implemented a number of measures to develop a robust security system. Salesforce now ensures that data remains secure and encrypted by using SSL technology, by enforcing the principle of least privilege, by implementing data exfiltration controls, and by having the ability to track security incidents in real time.
Salesforce also recommends some security best practices, like enforcing the use of multi-factor authentication and strong passwords. These two measures greatly reduce the risk of password-related data breaches.
Educating users about security risks is essential to maintaining a strong security system. Education ensures that all employees are aware of the dangers of phishing and do not fall prey to hackers’ predatory tactics.