Secure Platforms: A Deep Dive Series - Part 1: Salesforce Security: From Foundation to DoD Implementation and Data-Driven Risk Management

INTRODUCTION:

Welcome to "Secure Platforms: A Deep Dive Series," where we'll explore critical security considerations for popular technology platforms.

In this inaugural article, we're focusing on Salesforce, a cornerstone digital CRM, marketing, service management and no-code/low-code platform for many organizations.

We'll delve into the crucial aspects of Salesforce security:

THE FOUNDATIONS: PROFILES AND PERMISSION SETS

Every Salesforce user receives basic rights and access to data objects and functionalities through a profile. Permission sets then offer the flexibility to adjust these rights at a more granular level for individual users, on top of their profile. This layered model is essential but can quickly become complex in larger organizations.

IAM AND IGA: TAKING CONTROL AND ENSURING GOVERNANCE

This is where centralized Identity and Access Management (IAM) and Identity Governance and Administration (IGA) across your entire technology landscape come into play.

Think of solutions such as HelloID and Microsoft Entra ID (formerly Azure AD) as IAM tools, and SailPoint as an example of an IGA platform. Both categories of tools help you manage and govern access to Salesforce, but often with different levels of focus.

IAM tools like HelloID from Tools4ever Limited and Entra ID from Microsoft help you centralize and automate access to Salesforce.

  • Instead of manually assigning profiles and permission sets, you define roles within the IAM tool.
  • These roles are then linked to the appropriate Salesforce permissions.

New employee? Assign the correct role in the IAM tool, and the initial access to Salesforce is automatically managed.

  • Importantly, many modern IAM tools also offer access review functionalities, allowing for periodic checks on who has access to what.

IGA platforms like SailPoint build upon these capabilities with a stronger focus on governance and compliance. They also offer provisioning and role management, but in addition:

  • IGA solutions typically provide more advanced and comprehensive access review functionalities, often tailored for meeting specific regulatory requirements.
  • They also excel in areas like role mining (discovering optimal role structures) and Segregation of Duties (SoD) controls (preventing conflicting rights).

FROM FRAMEWORK TO FLOW: THE "DEFINITION OF DONE" (DOD) FOR SALESFORCE SECURITY

But how do we translate generic security frameworks like OWASP, NIST, CIS Benchmarks, and GDPR into concrete actions within Salesforce? The answer lies in defining a clear "Definition of Done" (DoD) for security aspects, especially in your custom Salesforce Flows and (high-code) Apex.

WHO IS RESPONSIBLE? A SHARED RESPONSIBILITY:

Security is not the task of one person or team. It's a shared responsibility within the whole organization:

  • Security Architects: Designing secure systems.
  • Security Engineers/Analysts: Crafting the DoD.
  • Salesforce Architects/Developers: Implementing security within the Salesforce org.
  • DevOps Engineers: Automating security checks in the CI/CD pipeline.
  • Compliance Officers/Security Analysts: Ensuring regulatory compliance and conducting audits.
  • Product Managers: Prioritizing security features and defining acceptance criteria.
  • Project/Program/Portfolio Managers: Facilitating security collaboration and managing risks.
  • Business Owners: Setting security policy and providing resources.
  • QA Testers: Verifying security requirements through testing.
  • Information Security Managers/CISOs: Overseeing the overall security posture and policies.

IMPLEMENTING ACTIONABLE DoD EXAMPLES (SALESFORCE SPECIFIC):

OWASP Top 10 & SOQL/SOSL Injection:

  • DoD: "All SOQL/SOSL queries must use parameterized queries (bind variables)."

Learn more on Trailhead: Secure Coding in Apex

  • DoD: "Implement robust input validation, including String.escapeSingleQuotes() and allow lists."

Learn more on Trailhead: Apex Security

  • DoD: "Utilize the Salesforce Security Scanner and comprehensive unit tests to detect potential vulnerabilities."

Learn more on Trailhead: Secure Development Lifecycle
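The three SOQL injection DoD items above, worked through in one Apex class. This is an added illustration, not code from the article; the class, method and field names are assumptions, and it uses the platform's own bind-variable, allow-list and escapeSingleQuotes mechanisms.

```apex
public with sharing class ContactSearch {
    // VULNERABLE (the anti-pattern the DoD forbids): caller input is concatenated
    // into the query text, so a single quote in the input changes the query structure.
    public static List<Contact> findByLastNameUnsafe(String lastName) {
        String q = 'SELECT Id, Name FROM Contact WHERE LastName = \'' + lastName + '\'';
        return Database.query(q);
    }

    // SAFE: static SOQL with a bind variable. The value never becomes query text,
    // and WITH USER_MODE enforces the running user's object, field and sharing rights.
    public static List<Contact> findByLastName(String lastName) {
        return [SELECT Id, Name FROM Contact WHERE LastName = :lastName WITH USER_MODE];
    }

    // Allow list for the one part of a query that cannot be bound: an identifier.
    // Set.contains is case-sensitive, so callers must pass the exact API name.
    private static final Set<String> SORTABLE_FIELDS = new Set<String>{ 'LastName', 'CreatedDate' };

    // SAFE dynamic SOQL: the value is passed as a bind, and the field name is checked
    // against the allow list before it is spliced into the query string.
    public static List<Contact> findByLastNameSorted(String lastName, String sortField) {
        if (!SORTABLE_FIELDS.contains(sortField)) {
            throw new IllegalArgumentException('Unsupported sort field: ' + sortField);
        }
        String q = 'SELECT Id, Name FROM Contact WHERE LastName = :lastName ORDER BY ' + sortField;
        return Database.queryWithBinds(
            q, new Map<String, Object>{ 'lastName' => lastName }, AccessLevel.USER_MODE);
    }

    // When a literal really must be concatenated (legacy code), escape it first.
    // Caveat: escapeSingleQuotes does not neutralise the LIKE wildcards % and _,
    // so a caller can still widen the match; bind the pattern instead where possible.
    public static List<Contact> searchByNamePrefix(String prefix) {
        String safe = String.escapeSingleQuotes(prefix);
        String q = 'SELECT Id, Name FROM Contact WHERE LastName LIKE \'' + safe + '%\'';
        return Database.query(q, AccessLevel.USER_MODE);
    }
}
```

A unit test that passes a value containing a single quote to findByLastNameUnsafe and to findByLastName makes the difference visible: the first throws a QueryException or returns unintended rows, the second simply matches nothing.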

NIST Cybersecurity Framework & Salesforce Access Control:

  • DoD: "Enforce Object-Level, Field-Level, and Record-Level Security."

Learn more on Trailhead: Data Security

  • DoD: "Leverage Permission Sets and Sharing Rules for granular access control."

Learn more on Trailhead: Permission Set Basics and Understanding Sharing

  • DoD: "Understand when flows should run in system context or user context, and apply the correct setting."

Learn more on Trailhead: Flow Trigger Explorer (While not directly about context, this trail helps understand Flow execution) and search Trailhead for "Flow Run in System Context" for specific details.

  • DoD: "Regularly audit user permissions."

Learn more on Trailhead: User Management and explore trails on reporting and dashboards for auditing.
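The access-control DoD above ("Enforce Object-Level, Field-Level, and Record-Level Security") applied to a DML path in Apex. This is an added example, not the article's code; the class and method names are assumptions, and the checks use Schema describe, Security.stripInaccessible and user-mode DML from the platform.

```apex
public with sharing class ContactPhoneUpdater {
    // Updates phone numbers on behalf of the running user, enforcing the three layers
    // the DoD names: object-level (CRUD), field-level (FLS) and record-level (sharing).
    public static Integer updatePhones(Map<Id, String> phoneByContactId) {
        // Object-level: fail fast if the user may not update Contact at all.
        if (!Schema.sObjectType.Contact.isUpdateable()) {
            throw new System.NoAccessException();
        }
        List<Contact> updates = new List<Contact>();
        for (Id contactId : phoneByContactId.keySet()) {
            updates.add(new Contact(Id = contactId, Phone = phoneByContactId.get(contactId)));
        }
        // Field-level: strip fields the user may not update. If Phone itself was
        // removed the update would silently do nothing, so treat that as an error
        // rather than reporting success.
        SObjectAccessDecision decision = Security.stripInaccessible(AccessType.UPDATABLE, updates);
        Map<String, Set<String>> removed = decision.getRemovedFields();
        if (removed.containsKey('Contact') && removed.get('Contact').contains('Phone')) {
            throw new System.NoAccessException();
        }
        // Record-level: 'with sharing' plus AccessLevel.USER_MODE means the DML only
        // succeeds on records the user's sharing rules allow them to edit. allOrNone=false
        // so one inaccessible record does not roll back the rest.
        List<Database.SaveResult> results =
            Database.update(decision.getRecords(), false, AccessLevel.USER_MODE);
        Integer updated = 0;
        for (Database.SaveResult r : results) {
            if (r.isSuccess()) {
                updated++;
            }
        }
        return updated;
    }
}
```

Run as a user whose profile lacks edit rights on Contact.Phone, the method throws instead of quietly updating zero fields, which is the behaviour an access audit should be able to rely on.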

CIS Benchmarks & Salesforce Configuration:

  • DoD: "Enforce strong password policies and session timeouts."

Learn more on Trailhead: Security Basics and Session Management

  • DoD: "Enable Multi-Factor Authentication (MFA)."

Learn more on Trailhead: Multi-Factor Authentication

  • DoD: "Utilize the Salesforce Security Health Check and address identified vulnerabilities."

Learn more on Trailhead: Security Health Check

GDPR & Salesforce Data Protection:

  • DoD: "Implement Salesforce Shield Platform Encryption for data at rest."

Learn more on Trailhead: Shield Platform Encryption

  • DoD: "Ensure HTTPS encryption for data in transit."

This is a platform-level setting, covered in general Salesforce security best practices. Refer to the Security Basics trail.

  • DoD: "Use field level encryption when needed."

Learn more on Trailhead: Field-Level Security and Shield Platform Encryption

  • DoD: "Implement data masking in non-production orgs."

Learn more on Trailhead: Data Mask

DATA-DRIVEN INSIGHTS: OBSERVABILITY FOR SECURITY AND RISK

Visibility is key not only for security but also for a broader understanding of organizational risk. By centralizing Salesforce security data in dashboards (for example, using Power BI) or leveraging the reporting capabilities within IAM/IGA tools, we can gain valuable insights.

  • IAM/IGA Observability: These tools provide focused visibility into identity and access-related risks, such as user permissions, access violations, and compliance with access policies.
  • Broader Risk and Audit Perspective: While IAM/IGA tools offer excellent insights into identity and access risks, a holistic Risk & Audit (R&A) perspective requires considering a wider range of security and organizational risks.

INTEGRATING IAM OBSERVABILITY WITH HOLISTIC R&A TOOLS AND BI:

The valuable observability data from IAM/IGA tools can be fed into specialized R&A tools like LogicManager, MetricStream, ServiceNow GRC, Archer (by RSA), or AuditBoard, as well as a BI platform like Power BI, to achieve a more comprehensive view of organizational risk. This integration allows Risk & Audit teams to:

  • Incorporate Identity and Access Risks: Include these critical security-related risks in the overall risk register.
  • Assess Control Effectiveness: Evaluate how identity and access controls contribute to mitigating broader organizational risks.
  • Enable Cross-functional Analysis: Combine identity data with data from other security checks (e.g. Salesforce Health Check results) and from other business functions for a more complete risk profile.
  • Generate Holistic Reports: Create comprehensive reports that provide a unified view of security, operational, and financial risks.

THE POWER OF DEVOPS TOOLS (SALESFORCE CONTEXT):

Tools like Gearset offer a more in-depth analysis and automation of security checks than the standard Salesforce Health Check.

SECURING PRIVILEGED ACCESS (PAM)

And then we have Privileged Access Management (PAM) tools like CyberArk. These are crucial for securing accounts with elevated privileges, such as administrator accounts and service accounts. While Salesforce increasingly relies on OAuth for integrations, PAM solutions remain highly relevant. Here's why:

  • Managing Client Secrets: PAM tools can securely store, rotate, and manage client secrets used in OAuth flows, treating them as sensitive credentials.
  • Human Users with Privileged Access: Many administrators and users with elevated rights still rely on traditional usernames and passwords, which need to be managed and secured by PAM.
  • Non-OAuth Systems: Organizations often have a mix of modern and legacy systems, and many still rely on traditional authentication methods for service accounts and privileged access.
  • Governance and Audit: PAM provides broader governance and audit capabilities for all forms of privileged access, beyond just the technical implementation of OAuth.
  • Least Privilege for Service Accounts: PAM principles can help enforce least privilege even for service accounts using OAuth.
  • Session Management and Monitoring: PAM can offer session management and monitoring for privileged sessions, adding an extra layer of security.

PAM solutions like CyberArk, BeyondTrust, ThycoticCentrify (now Delinea), SailPoint (which has PAM capabilities integrated with its IGA platform), Okta Advanced Server Access, Microsoft Entra Privileged Identity Management (PIM), and HashiCorp Vault offer advanced capabilities for managing and auditing this privileged access, ensuring that even in an OAuth-driven world, the "keys to the kingdom" are properly secured.

A POWERFUL COMBINATION: IAM/IGA AND OBSERVABILITY FOR HOLISTIC GOVERNANCE

The most effective approach to Salesforce security governance, within the broader context of organizational risk, is a combination of IAM/IGA tools and robust observability capabilities, potentially leveraging both the built-in features of IAM/IGA platforms and dedicated BI/R&A tools. This ensures both active management and continuous monitoring of identity and access, while also providing valuable data points for a comprehensive understanding of organizational risk.

KEY TAKEAWAYS:

  • Salesforce security requires a layered approach, from basic configuration to advanced tooling.
  • A clear "Definition of Done" for security is essential for secure implementations.
  • Observability, whether within IAM/IGA tools or through dedicated BI/R&A platforms, provides crucial insights into your security posture and contributes to a broader risk understanding.
  • IAM tools centralize and automate access management, often including access reviews. IGA platforms offer more comprehensive governance capabilities.
  • PAM is indispensable for securing privileged access, even with the adoption of OAuth.
  • Security is a shared responsibility within the organization and a key component of overall risk management.

By fostering a culture of security ownership, implementing precise DoD, leveraging data-driven insights, and deploying the right tooling, we can build resilient and compliant Salesforce environments that contribute to a well-governed and secure organization.

HOW DO YOU INTEGRATE YOUR SALESFORCE SECURITY DATA WITH YOUR BROADER ORGANIZATIONAL RISK AND AUDIT PROCESSES, AND WHAT R&A TOOLS DO YOU FIND MOST EFFECTIVE? I'D LOVE TO READ YOUR INSIGHTS IN THE COMMENTS!

#Salesforce #Security #DevOps #PowerBI #OWASP #NIST #GDPR #Flow #Apex #Gearset #SalesforceDevelopment #Cybersecurity #SecurePlatformsSeries #IAM #IGA #PAM #HelloID #EntraID #SailPoint #Observability #Governance #RiskManagement #Audit #SecurityByDesign #ContinuousMonitoring

More articles by Denise Van der Linden