Salesforce Gets Serious About Its Security Ecosystem

Salesforce is one of the fastest-growing enterprise software companies in history, and while security is a major roadblock for many cloud projects, the company’s extensive security investments appear to be paying off. Salesforce is one of just 9.4% of cloud providers that store data encrypted, and it supports a wide range of security controls including IP address whitelisting, device pinning, and multi-factor authentication. If there’s a concern about data going to Salesforce’s cloud, it’s a concern about how users treat that data, not the integrity of the platform.

Under a shared responsibility model, Salesforce takes care of platform security, while customers are responsible for taking precautions to ensure their users don’t expose that data to risk. That means the end customer is responsible for ensuring their salespeople don’t download all the company’s sales contacts before quitting to join a competitor, or that users have appropriate application permissions that don’t give them access to data they shouldn’t be able to access based on their role at the company.

One of the primary concerns of companies with large Salesforce deployments is a rogue employee taking sales contacts when leaving the company for a competitor. One study found that half of employees took data with them when they left their job and 40% planned to use that data at their next job. Key indicators that something is amiss can include an employee downloading an unusual amount of data. Let’s say this employee typically views 50-100 opportunities each day, and then downloads a report with 1,500 opportunities. That could indicate there’s a problem.
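
The indicator described above, comparing a user's activity with that user's own typical volume, can be sketched as follows. This is an added example, not code from Salesforce or the author; the event tuples, field names, and thresholds are constructed assumptions and do not reflect the Salesforce event format.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: (user, day, records_accessed). Hypothetical fields,
# not the Salesforce event schema.
EVENTS = [
    ("alice", "2015-03-02", 62), ("alice", "2015-03-03", 88),
    ("alice", "2015-03-04", 51), ("alice", "2015-03-05", 97),
    ("alice", "2015-03-06", 74), ("alice", "2015-03-09", 80),
    ("alice", "2015-03-10", 55), ("alice", "2015-03-10", 1500),  # report download
    ("bob", "2015-03-02", 300), ("bob", "2015-03-03", 320),
    ("bob", "2015-03-04", 310), ("bob", "2015-03-05", 290),
    ("bob", "2015-03-06", 305), ("bob", "2015-03-09", 315),
    ("bob", "2015-03-10", 330),                                   # heavy but steady
    ("carol", "2015-03-09", 40), ("carol", "2015-03-10", 900),    # too little history
]

def daily_totals(events):
    """Sum records accessed per user per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for user, day, count in events:
        totals[user][day] += count
    return totals

def flag_unusual_days(events, min_history=5, k=6.0, floor=10.0):
    """Return (user, day, total, baseline) for days far above the user's own norm."""
    alerts = []
    for user, days in daily_totals(events).items():
        history = []
        for day in sorted(days):  # ISO dates sort chronologically
            total = days[day]
            if len(history) >= min_history:
                base = median(history)
                mad = median(abs(x - base) for x in history)
                # 1.4826 * MAD approximates a standard deviation; the floor
                # keeps a very steady user from alerting on small changes.
                spread = max(1.4826 * mad, floor)
                if total > base + k * spread:
                    alerts.append((user, day, total, base))
                    continue  # keep the outlier out of the baseline
            history.append(total)
    return alerts

if __name__ == "__main__":
    for alert in flag_unusual_days(EVENTS):
        print("review: %s on %s accessed %d records (typical %.0f)" % alert)
```

A user with too little history, like the constructed "carol" above, is never evaluated by a per-user baseline, so such accounts need a peer-group or fixed threshold instead.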

Another threat faced today is the possibility that a user or administrator will sell sensitive data. A shocking survey recently found that 25% of employees would sell company data for less than $8,000. Many companies store a vast amount of sensitive data in Salesforce including customer credit card numbers, Social Security numbers, patient information, and other sensitive or regulated data. Even if a rogue employee is at fault, a company can still be fined and sued if this data is stolen.

Such “insider threats” are increasingly common. Skyhigh recently analyzed data across its customers and found that companies, on average, experience 9.3 insider threat incidents each month. Not all of these events are malicious; they also include users mistakenly sharing data when they shouldn’t. All told, 89.6% of companies experience at least one insider threat each month on average. Salesforce recognizes these concerns and is investing to support the development of security solutions that help address them.

To help support customers in identifying these types of negligent or malicious activities, Salesforce has made available new event monitoring APIs that provide a record of user and administrator activity within Salesforce. The volume of these events is enormous. In the most recent quarter, Salesforce’s core platform processed 234 billion transactions, including logins, edits, and downloads. That’s an average of 3.7 billion events each business day – quite the haystack to search for a few needles.

For customers looking for unusual user or account activity, the sheer number of events in Salesforce would be impossible to review manually. In making these new APIs available, Salesforce is making a significant investment to help its security ecosystem build solutions that let Salesforce customers understand and manage user activity. These APIs also provide a near real-time feed of events that can be captured by security solutions and archived, rather than forcing customers to go to their Salesforce account manager and request logs for a post-incident investigation.

Salesforce is already one of the most secure cloud services available. Owing to its investment in platform security, Salesforce is one of the 8.1% of cloud services that meet the security standards of enterprises today. With the introduction of new APIs to support third-party security solutions that give greater visibility into usage and the ability to detect threats, the company is well positioned to continue its leadership position in the cloud market.

By Harold Byun
