Publish date:
“Passwords are like underwear: don’t let people see it, change it very often, and you shouldn’t share it with strangers.” – Quote by Chris Pirillo, founder and former CEO of LockerGnome, Inc
What do LinkedIn, Alibaba, Yahoo, Face, and hotel giant Marriott International have in common besides being household names? Any ideas? No. Well, they have all been victims of data breaches in the past decade. These recent famous examples of data leak / theft have been worrying companies dealing with sensitive, valuable, and large caches of data of customers and audiences. Vigilance, 24x7, is the key for all businesses to prevent any sort of data breach. And Salesforce organizations deployed are not immune for them. Luckily, layers of protection are at hand to keep data in Salesforce in safe hands and away from data leaks. Let’s look at them.
Application Layer
-
Custom Code (Apex, Visualforce, LWC, Aura)
-
Software Libraries (open-source components like jQuery, etc.)
-
Runtime (XSS, SOQL & SOSL injection flaws)
-
Third-party packages (Managed apps from AppExchange)
Architecture Layer
-
User Access Controls: The Principle of Least Privilege
-
Object Permissions: Access where access is needed
-
Auditing, Event Monitoring, and Logging
-
IAM: Identity and Authorization Management (ie SSO, 2FA, etc)
Data Layer
-
Encryption
-
Data Masking
-
Data Backup and Restore
With Salesforce you get access to a safe and secure platform that is second to none. With it comes the concept of the Salesforce Shared Responsibility Model. Here shared refers to the moment we start making any alteration to the basic framework of the salesforce organization, we become responsible for the security of our data and information pertaining to clients and audience. In brief, the moment we start customising Salesforce and bringing in security vulnerabilities, we become easy prey for people with malicious intent. So be alert, be aware and be responsible.
Data security is an issue when the following are overlooked:
-
Not studying the impact of any customisation whether internal or external. It’s important to be cautious, as any change can leave the organization vulnerable, putting data in danger. For outside threats, the risk is Salesforce Community and Force.com sites. Before undertaking any customisation, installation / configuration, do proper homework so that they don’t jeopardise the hard work.
-
Not studying 3rd party software libraries. These, especially if old, may come with posted Common Vulnerabilities & Exposures or public exploits reported. If the edition of the version is in doubt, you can either fix it or get another one.
-
Not reviewing code base from time to time. This is important. You need to be alert to any form of risks that can be averted with timely action.
The following questions need to be asked by all salesforce vendors / partners:
-
Are the developers and administrators familiar with testing before deployment?
-
Are security and compliance managers evaluating the Salesforce security posture regularly?
-
Is the security posture status of your client data known to the management / owners?
Being methodical and alert at all times can prevent accidents, etc. The same applies to data security and protection. Let’s be resolute at all times and reassure our clients.