We have been hard at work over the last six weeks helping our clients make the transition to remote work — and sharing all the ways we’ve built our company culture to empower remote operations. So many of our financial institutions have experienced mandatory shelter-in-place orders, branch closures, and an exponential increase in SBA and PPP applications, and have moved their customer support operations entirely remote in a matter of days or weeks. Conventional wisdom says necessity is the mother of invention, but what do your Compliance and InfoSec teams have to say about what these rapid shifts mean for your security posture?
One of our core values at Silverline is that we are always learning. Part of that learning includes reaching out through our internal and external expert network to discuss the trends we are seeing, identify the challenges our joint clients face, and create an action plan to get the word out about solutions we believe in. One of the solutions we strongly believe in is Salesforce Shield, which empowers best-in-class cloud security and fine-grained control over your critical business and application data.
I was excited to sit down and interview the smart-minded team of security experts at RevCult to discuss what’s happened over the last couple of months. We discussed the importance of educating your stakeholders and users about security, the importance of documenting your security posture, and how strong governance helps tremendously in fast-moving times like these. The team’s insights are pragmatic and meaningful, and I’m so grateful they were willing to share with the Salesforce community.
How knowledgeable are customers regarding their Salesforce security posture? How do you help them understand and engage with the business and technical considerations at hand?
Ed Ponte, Security & Governance Engagement Leader at RevCult: The obvious answer is that it depends on the customer. But largely we see customers that consider Salesforce to be a secure platform, which it is, but haven’t yet considered their own enterprise data that lives in the platform, which is their own responsibility. Additionally we see customers that recognize they need to take measures to secure their data, but assume that purchasing Shield checks that box. Education about the Security Shared Responsibility Model is the starting point for many of our conversations with customers.
What might the Security Shared Responsibility Model entail?
Ed Ponte: User Access Management is a great example of implementing security controls but then not having an easy way to prove that the controls comply with a company’s least privilege access policy. In the Salesforce platform, it is challenging to quickly and easily prove what users can do inside the platform without a consolidated view of Profiles, Permissions, and Roles. Solutions that show the current status of security controls are critical to closing the compliance gap and should be considered as part of the implementation process from the beginning.
We also strive to close gaps in User Access Management, Data Classification, Platform Encryption, History Retention, Field Audit Trail, and overall security posture with our Security Insights Dashboards.
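As an added illustration of the consolidated view Ed describes (an editor's example, not RevCult's or Salesforce's tooling), the anonymous Apex below lists every active user who holds an org-wide data permission, whether granted through a Profile or a Permission Set, so the result can be checked against a least-privilege policy. It assumes only the standard PermissionSetAssignment, PermissionSet, Profile and User objects and a running user permitted to query setup data.

```apex
// Added example (editor's, not RevCult's or Salesforce's tooling): build a
// consolidated view of which users hold org-wide data permissions, whether
// granted by their Profile or by a Permission Set, for least-privilege review.
// Assumes standard objects only; run as anonymous Apex.
Map<String, List<String>> grantsByUser = new Map<String, List<String>>();

// Every Profile is backed by a PermissionSet row with IsOwnedByProfile = true,
// so one query over PermissionSetAssignment covers both grant paths.
for (PermissionSetAssignment psa : [
    SELECT Assignee.Username,
           PermissionSet.Name,
           PermissionSet.Profile.Name,
           PermissionSet.IsOwnedByProfile,
           PermissionSet.PermissionsModifyAllData,
           PermissionSet.PermissionsViewAllData,
           PermissionSet.PermissionsManageUsers
    FROM PermissionSetAssignment
    WHERE Assignee.IsActive = true
      AND (PermissionSet.PermissionsModifyAllData = true
           OR PermissionSet.PermissionsViewAllData = true
           OR PermissionSet.PermissionsManageUsers = true)
]) {
    PermissionSet ps = psa.PermissionSet;
    // Label the source so a reviewer can tell whether to fix the Profile
    // or remove a Permission Set assignment.
    String source = ps.IsOwnedByProfile
        ? 'Profile:' + ps.Profile.Name
        : 'PermSet:' + ps.Name;
    List<String> perms = new List<String>();
    if (ps.PermissionsModifyAllData) perms.add('ModifyAllData');
    if (ps.PermissionsViewAllData)   perms.add('ViewAllData');
    if (ps.PermissionsManageUsers)   perms.add('ManageUsers');

    String user = psa.Assignee.Username;
    if (!grantsByUser.containsKey(user)) {
        grantsByUser.put(user, new List<String>());
    }
    grantsByUser.get(user).add(source + ' -> ' + String.join(perms, ','));
}

// One line per user; anyone outside the documented admin list is a
// least-privilege finding to record and remediate.
for (String user : grantsByUser.keySet()) {
    System.debug(user + ' : ' + String.join(grantsByUser.get(user), ' | '));
}
```

The same query shape can be extended with other PermissionSet boolean fields (for example object-level or setup permissions) to cover whichever controls the organization's access policy names.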
What are some common issues you encounter when working with clients and their security controls within the Salesforce platform?
Laura Nesbitt, Customer & Partner Success Leader at RevCult: Not understanding the data that lives in the platform is a huge challenge with customers. If you don’t know what data lives there, then you don’t know how you feel about it, nor what controls you should employ to protect that data. Another one of the challenges we see is an inability to easily understand and report on the status of security controls in the platform. Having a security posture is one thing, but being able to quickly translate those controls to Salesforce requires good visibility into the controls, and the ability to easily configure those controls without making it a development effort.
Many customers aren’t aware of the security controls available, or they think that Shield equals security, without fully understanding which controls Shield components address. So really the first step is education. Understanding the enterprise’s overall security posture and implementing that posture in Salesforce is a cross-stakeholder effort, including InfoSec, Compliance, the Lines of Business, and the Salesforce COE. Client success involves educating and aligning all the stakeholders to achieve the business goals in a secure manner.
Here are some compelling stats, based on the Security Risk Assessments we’ve done for customers:
- The average production Org has over 1,000 fields of sensitive data
- 86% of these sensitive fields are not effectively protected (e.g., user authorization, encryption, audit tracking, data loss prevention)
- 75% of Orgs have not aligned Salesforce passwords to corporate password policy
How can customers ensure their Shield investment is driving the security posture they want in their Orgs?
Patrick Fields, Security Industry Veteran & Account Executive at RevCult: Achieving positive ROI from an investment in Salesforce Shield requires visibility, measurement, and a commitment to governance. Many firms buy Shield and assume it is a security layer which automatically protects their Salesforce environment. It is not an automatic software solution; these do not exist in the marketplace today. Security solutions that include AI or machine-learning components need configuration, testing, and tuning to become effective tools in an organization’s cybersecurity arsenal. Shield is not an exception.
There are two components to visibility in the Shield implementation process. The first is understanding the policies which govern the data living in your Salesforce Org. These policies and how they apply to your Salesforce environment define the “why” for your Salesforce security program. The second is understanding where this data lives in your Salesforce environment and the intricacies of your data model. Gaining the required visibility into the need to secure Salesforce, the specific data which requires treatment, the required security controls, and how to apply these controls forms the foundation for a successful Shield implementation.
Recent events due to COVID-19 have led to enormous upheaval in how organizations are treating their security postures. What are some of the most urgent Salesforce security concerns now?
Brian Olearczyk, Chief Revenue Officer at RevCult: Security controls in the COVID-19 era have been an evolution. Enterprises started with sustaining operations, which required loosening security, and focusing on basic considerations like IP restrictions and access controls. Over time, as the new normal for operations has been sustained, the market has gained more clarity and has had time to reflect and ask the question, “What did we just do?” This reflection has prompted the market to address more comprehensive security considerations, like change management and least privilege access, and even finer controls like session settings.
Much of the discussion for us comes back to making sure our customers have a Salesforce security strategy, knowing what data is in their SFDC org(s), and ensuring the appropriate protective measures have been implemented based on the risk profile of their data, users, and industry.
How are companies gearing up their security postures from the business standpoint to support these rapidly changing business environments and the necessary change management required?
Ed Ponte: There are four major recommendations we make to companies looking to prepare for an ever-evolving set of business needs, which are more important than ever:
- Document: Document current state and the modified state of any changes you make to facilitate an error-free recovery; keep the end in mind as you go and be sure you can back out any changes that are determined to be “stop gap” solutions, once employees return to the workplace.
- Manage Change: Consider including designated end users in different teams as end user support augmenters, or first points of contact, to help shepherd their teammates through the new remote access procedure. If you do take this step, include these users in the QA/testing of the new remote access solution before it is deployed.
- Communicate: Provide a live web conference to your users if appropriate to verbally walk through and demonstrate the new access solution, implementation plans, etc. Include time for Q&A. Provide 100% accurate written instructions with screenshots.
- Codify what you’ve done: Evaluate the risk mitigation effectiveness and efficacy of the solutions used during this disruption; identify gaps that can be improved next time and seek budget/priority to address those gaps; update your Business Continuity Plan and/or Disaster Recovery Policy with what you were able to successfully achieve to restore secure access to Salesforce.
In-depth, on-demand Salesforce security and compliance answers
I’m excited to host a panel with a select group from Silverline’s Financial Services team alongside RevCult’s Chief Product and Solutions Officer, Pete Thurston, next Thursday, April 30. We will be building on what’s covered here, diving deeper into strategies and best practices, and of course — ready to answer any questions you may have.