Salesforce data security: is native security enough?

Data security in Salesforce cover web 1400x800

Salesforce is a dominant player in the Customer Relationship Management sector. Around 150,000 companies use Salesforce to manage customer data and launch marketing campaigns, and the company enjoys a 33% market share.

It’s easy to see why. Salesforce’s cloud-based tools save costs and time, simplify customer analysis, and integrate smoothly with other SaaS services. But is Salesforce a secure environment in which to run your business?

While Salesforce is generally safe to use, data security in Salesforce is still something users need to consider. Data breaches have exposed potential vulnerabilities. Therefore, understanding data security in Salesforce is critical to making your implementation more secure.

Data security in Salesforce

Data security is the protection of sensitive data handled by an organization. In the context of Salesforce, this refers to customer records, including financial information and private personal details such as names and contact details.

The consequences can be severe if an organization loses control of data privacy protection. According to IBM, the average cost of a data breach is approximately $4.35 million. Companies that lose large volumes of sensitive customer data can expect to pay hefty compensation.

Salesforce is no exception. In 2019, Salesforce client Hanna Andersson suffered a significant data breach—a malware infection on the clothing retailer’s Salesforce platform exposed over 200,000 customer accounts. Neither Hanna Andersson nor Salesforce knew anything about it.

Three months after the Salesforce breach began, law enforcement officers discovered confidential data for sale on the Dark Web. Customers immediately sued under the California Consumer Privacy Act (CCPA).

Salesforce and Hanna Andersson eventually settled the claim in 2021. Both companies accepted shortcomings in protecting user data, detecting malware, and informing customers. And they had to pay the affected customers as much as $5,000.

The Hanna Andersson settlement shows that data security in Salesforce is a critical vulnerability that could happen to any user. So, let’s dig deeper into the Salesforce data security model to explain how secure the platform is and what companies can do to protect their data.

The Salesforce data security model

Since the 2019 Salesforce data breach, the platform has tightened its native security features.

Data at rest on Salesforce is encrypted, concealing it from outsiders. Logging systems allow users to track weaknesses and handle alerts. MFA adds strength to authentication processes. And users can even create bespoke protection for data analysis with the Data Mask feature.

However, one set of controls in the data security field is all-important. Setting permissions enables Salesforce users to manage data access. Users can use permission sets to ensure that only authorized data access is available. Everyone else is blocked by default – until they are granted necessary privileges. This enhances data security in Salesforce..

salesforce permission set lists

There are four Salesforce permission sets. Each one plays a role in locking down confidential customer information:

Organization level

At the organization level, users can manage data access for all users in their enterprise. Multi-factor authentication enhances the security of Salesforce portals, making them more robust against unauthorized access. Measures such as connection limits, location tracking, and IP range screening are deployed to deter malicious actors effectively.

Object level

Organizations can limit access to Salesforce databases and apps, ensuring only authorized users can enter. Object level controls enable administrators to designate specific areas of the Salesforce environment as restricted zones, where access is tightly controlled and limited to authorized users only.

Record level

Security teams can create permission sets for specific records to manage data access effectively. Marketing teams may need data access to information about customer purchases, while access to financial data can be securely restricted. Admins have the ability to set objects to read-only or allocate editing privileges for specific users, controlling data access with precision.

Field level

Users can restrict how users interact with database fields at the field level. This provides tight control over data access. Many employees may have object access to CRM data. Only a few will have field-level access to edit and export the most sensitive information. These measures ensure data security in Salesforce.

Salesforce security vulnerabilities

Applying access controls is critical, but users must also be aware of Salesforce security vulnerabilities. Be sure to factor in these issues when planning your security strategy.

1. Inadequate data classification

Before you can protect confidential data, you need to understand the data you hold. Companies need to classify every record according to its value and vulnerability. With that information, you can create field-level controls and set permissions for access records.

Review your databases and assign risk levels to their information, including access records. Use regulations as a framework. For instance, the CCPA mandates robust protection of customer financial records. HIPAA requires tight control of any patient data, including who has access to these records.

Classification matters because it isn’t always practical to secure all customer data. Unclassified data and access records generate noise and confusion. Security teams are presented with false positives and waste time on securing low-value data and unnecessary access records.

2. Confusing data ownership

Who is responsible for securing your Salesforce CRM system? Many companies cannot answer this question and rely on multiple stakeholders to secure customer data.

Data ownership should be clear and communicated to all Salesforce users. Assign an individual or team to manage data security in Salesforce. They should ensure compliance with relevant regulations, apply native Salesforce controls, and integrate enterprise-wide security systems with the CRM system.

Take advantage of Salesforce’s training materials. The platform offers courses in identity and access management (IAM). This information lets your security manager master Salesforce, setting permissions for data access and protecting critical databases

3. Poor Salesforce security awareness

Knowledge about Salesforce security should extend beyond the data security lead. Every CRM user must know security policies and the importance of protecting against phishing attacks.

Remember the Hanna Andersson case? A single Salesforce cyber attack can compromise huge data sets. Poor training and a shallow security culture can have huge implications.

Extended awareness matters because Salesforce is highly customizable. Employees can easily misconfigure communities in the Experience Cloud. Teams can add Salesforce services without the IT teams knowing.

Both actions expand the threat surface, potentially compromising a Salesforce environment. Avoid them by educating Salesforce users and creating policies that explain how to use the platform safely.

4. Not understanding how shared responsibility works

As with all cloud-based products, security responsibility is shared between Salesforce and service users. Unfortunately, this is something that users easily forget.

Users may assume that Salesforce protects data, but this is partially correct. Salesforce encrypts data and guards it against malware infection. Clients are responsible for ensuring secure data access and object configurations.

Companies using Salesforce can over-provision employees, giving them too much access to sensitive data. They might allow third-party access to databases, even down to the field level. Marketing teams could create vulnerabilities as they customize their Salesforce solution.

Be aware of your responsibilities under the shared responsibility model. If not, data breaches will probably be due to your negligence.

Why do you need additional security in SalesForce?

Salesforce security best practices are essential because while native security features provided by the platform are powerful, they are often insufficient to achieve data security. Companies must combine internal controls like Salesforce data encryption with external security solutions.

The 2019 data breach demonstrates why external security is so important. Salesforce and Hanna Andersson did not know about the malware infection. Security teams had no idea that gigabytes of user data had been stolen.

While the single data breach cost both companies plenty of money, the cost could have been higher without the actions of law enforcement professionals.

The initial malware infection involved a ‘magecart’ attack that skimmed customer data from the retailer’s payment portal. This agent probably arrived via a phishing attack on a Hanna Andersson employee. None of Salesforce’s internal controls could prevent it, but external security solutions could help.

SIEM tools to scan attachments and quarantine suspicious links can stop phishers. IP allowlisting screens devices and permits access for approved IP addresses. VPNs encrypt company networks and conceal credentials from external observers.

Salesforce allows in-depth access management and security logging. However, when fine-tuning their CRM security, companies should supplement native features with additional measures.

How can NordLayer help with Salesforce security?

Salesforce makes CRM simple, allowing eCommerce businesses to thrive. However, recent data breaches have shown that the cloud-based platform has critical cybersecurity vulnerabilities.

NordLayer’s tools supplement native Salesforce security and make it easier to achieve regulatory compliance.

Our cloud security solutions include access management tools and single sign-on that bridge company networks and cloud portals.

IP allowlisting is another core NordLayer feature. Allowlisting lets you set approved IP addresses and block everything else. This makes it safer to admit remote workers to your Salesforce environment. It also means that credential theft does not automatically provide access to your data. Attackers without approved IP addresses will remain outside the perimeter and cannot steal customer information.

Discover how to create a rock-solid Salesforce security posture. Get in touch with our team and discuss your options today.

Share article


Copy failed

Protect your business with cybersecurity news that matters

Join our expert community and get tips, news, and special offers delivered to you monthly.

Free advice. No spam. No commitment.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.