Government organizations, financial institutions, and healthcare providers are leaking private and sensitive information such as Social Security numbers, dates of birth, and IP addresses from their public Salesforce Community websites. According to a recent article from KrebsOnSecurity, this is due to the potential misconfiguration of Salesforce’s customer relationship management (CRM) software, which can leave data accessible to unauthorized individuals.
The leakage problem is generally attributed to Salesforce Administrators misconfiguring the Salesforce Community that powers public sites. They may grant unauthenticated guest users, as opposed to logged-in users, more access to private information than those users require.
The data leakage issue should be a concern for any organization using Salesforce and underscores the importance of proper data security measures. And while Salesforce prioritizes data security and says the data exposure issue is not inherent to the Salesforce platform, many organizations are left wondering what steps they can take to ensure they are protected.
Silverline helps our clients with their Salesforce security journey by advising and implementing security controls that are compliant with an organization’s security and regulatory policies. Here we share some critical initiatives companies can take to protect their data.
1. Review Salesforce configurations for access permissions
Organizations should look at restricting access to their sensitive data by providing only the necessary permissions to the Salesforce fields and records involved, including the following:
- Carefully review Guest and Community User Profiles to ensure only the intended objects and fields have been granted the appropriate read or edit permissions.
- Review and update org-wide sharing settings on the objects. Also, review any sharing rules and sharing sets for the community.
- For logged-in users, use multi-factor authentication and limit access to the Salesforce org by IP range or network access control lists.
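One way to make the first two review items repeatable is to retrieve the guest user profile as metadata and check it against an allow-list of public objects and a list of fields the organization classifies as sensitive. The script below is an added example, not code from the original post or from Silverline; it assumes the Profile metadata XML layout (a Profile root in the http://soap.sforce.com/2006/04/metadata namespace with objectPermissions and fieldPermissions children), and the profile, the sensitive-field list and the allow-list are constructed for the example.

```python
"""Audit a retrieved Salesforce guest user profile for over-broad access.

Added example, not part of the original post. Assumes the Profile metadata XML
format produced by a metadata retrieve: a <Profile> root in the
http://soap.sforce.com/2006/04/metadata namespace containing
<objectPermissions> and <fieldPermissions> elements.
"""
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample: a guest profile that exposes Contact PII on a public site.
SAMPLE_PROFILE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <custom>true</custom>
    <fieldPermissions>
        <editable>false</editable>
        <field>Contact.Birthdate</field>
        <readable>true</readable>
    </fieldPermissions>
    <fieldPermissions>
        <editable>false</editable>
        <field>Contact.SSN__c</field>
        <readable>true</readable>
    </fieldPermissions>
    <fieldPermissions>
        <editable>false</editable>
        <field>Contact.Email</field>
        <readable>false</readable>
    </fieldPermissions>
    <objectPermissions>
        <allowCreate>false</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Contact</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <objectPermissions>
        <allowCreate>false</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Knowledge__kav</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
</Profile>
"""

# Constructed policy: fields holding PII and the only object a guest may read.
SENSITIVE_FIELDS = {"Contact.Birthdate", "Contact.SSN__c", "Contact.Email"}
ALLOWED_GUEST_OBJECTS = {"Knowledge__kav"}

OBJECT_FLAGS = {
    "read": "allowRead", "create": "allowCreate", "edit": "allowEdit",
    "delete": "allowDelete", "view_all": "viewAllRecords",
    "modify_all": "modifyAllRecords",
}


def _flag(elem, tag):
    """Read a boolean child element; a missing element counts as false."""
    return elem.findtext(f"md:{tag}", "false", NS).strip().lower() == "true"


def parse_profile(xml_text):
    """Return ({object: {flag: bool}}, {field: {'readable','editable'}})."""
    root = ET.fromstring(xml_text)
    objects = {
        op.findtext("md:object", namespaces=NS): {k: _flag(op, tag) for k, tag in OBJECT_FLAGS.items()}
        for op in root.findall("md:objectPermissions", NS)
    }
    fields = {
        fp.findtext("md:field", namespaces=NS): {
            "readable": _flag(fp, "readable"), "editable": _flag(fp, "editable")}
        for fp in root.findall("md:fieldPermissions", NS)
    }
    return objects, fields


def audit_guest_profile(xml_text, sensitive_fields, allowed_objects):
    """Return a list of human-readable findings; an empty list means clean."""
    objects, fields = parse_profile(xml_text)
    findings = []
    for obj, perms in sorted(objects.items()):
        if perms["read"] and obj not in allowed_objects:
            findings.append(f"object {obj}: guest profile has Read but object is not on the public allow-list")
        for flag in ("create", "edit", "delete", "view_all", "modify_all"):
            if perms[flag]:
                findings.append(f"object {obj}: guest profile has {flag} permission")
    for field, perms in sorted(fields.items()):
        if field in sensitive_fields and (perms["readable"] or perms["editable"]):
            level = "editable" if perms["editable"] else "readable"
            findings.append(f"field {field}: sensitive field is {level} by guests")
    return findings


if __name__ == "__main__":
    for finding in audit_guest_profile(SAMPLE_PROFILE_XML, SENSITIVE_FIELDS, ALLOWED_GUEST_OBJECTS):
        print("FINDING:", finding)
```

Run against the real retrieved profile files and fail the deployment pipeline when the list is non-empty; the object-level check catches a guest profile that was given Read on a PII object wholesale, and the field-level check catches the quieter case where a field was made readable while the object looked harmless.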
2. Regularly audit Salesforce configurations
Conduct regular security audits of your Salesforce site configurations to identify and address vulnerabilities and misconfigurations. Check out these Salesforce health check tools:
- Health Checker
- Salesforce CLI Scanner Plug-in
- Checkmarx Code Scanner
- Apex PMD Tool
3. Manage the Salesforce code
An organization’s Salesforce code should be designed so that it only retrieves the data the client-side page actually requires. Additionally, any user credentials should be stored using secure mechanisms to prevent unauthorized access to sensitive information.
Use code testing software like Clayton.io to identify security vulnerabilities in the code. Always store third-party user credentials in Named Credentials or protected custom metadata, depending on your use case.
For code design, apply the principle of least privilege: each user and component should have only the minimum level of access required to perform its tasks. This limits the damage a security breach can cause. Furthermore, follow secure coding practices such as input validation, escaping, and output encoding to prevent injection attacks.
4. Conduct penetration testing
Penetration testing is a method of security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security controls of an application, system, or network.
Running appropriate penetration testing software can help identify any vulnerabilities in your Salesforce site that attackers could exploit. Regular testing helps maintain the site’s security and identifies any potential risks before they become a problem.
5. Monitor activity for unusual behaviors
Implement real-time monitoring and analysis of site activity to detect anomalous behavior, such as excessive data downloads or login attempts from unusual locations.
Salesforce Shield is a trio of security tools – Event Monitoring, Platform Encryption, and Field Audit Trail – that helps organizations build extra levels of trust, compliance, and governance into business-critical apps. Shield Event Monitoring gives organizations access to detailed performance, security, and usage data on Salesforce apps. Salesforce Administrators can see who is accessing critical business data, when, and from where, which helps them:
- Understand user adoption across apps.
- Troubleshoot and optimize performance to improve end-user experience.
- Track data via the API and import data into any data visualization or application monitoring tool, like Analytics, Splunk, or New Relic.
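The two anomalies named above, excessive data downloads and logins from unusual locations, can be checked directly against downloaded Event Log File CSVs before the data reaches a dashboard. The script below is an added example, not code from the original post, from Silverline or from Salesforce; it assumes an API-type log with the columns TIMESTAMP_DERIVED, USER_ID, CLIENT_IP, ENTITY_NAME and ROWS_PROCESSED, and a Login-type log with TIMESTAMP_DERIVED, USER_ID, SOURCE_IP and LOGIN_STATUS. The rows, user IDs, trusted network range and thresholds are constructed for the example.

```python
"""Flag excessive data pulls and logins from untrusted networks in Salesforce
Event Monitoring data.

Added example, not part of the original post. Assumes Event Log Files have
been downloaded as CSV with the column names used below; every row, user ID,
network range and threshold here is constructed for illustration.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed API-event log: a guest-context user pulling Contact rows in bulk.
API_LOG = """\
TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,ENTITY_NAME,ROWS_PROCESSED
2023-05-01T10:00:05.000Z,005guest0000000001,203.0.113.10,Contact,200
2023-05-01T10:03:12.000Z,005guest0000000001,203.0.113.10,Contact,2000
2023-05-01T10:07:40.000Z,005guest0000000001,203.0.113.10,Contact,2000
2023-05-01T10:12:01.000Z,005guest0000000001,203.0.113.10,Contact,2000
2023-05-01T11:15:00.000Z,005admin0000000002,198.51.100.7,Account,50
"""

# Constructed login log: one login from the corporate range, two from elsewhere.
LOGIN_LOG = """\
TIMESTAMP_DERIVED,USER_ID,SOURCE_IP,LOGIN_STATUS
2023-05-01T08:00:00.000Z,005admin0000000002,198.51.100.7,LOGIN_NO_ERROR
2023-05-01T08:30:00.000Z,005admin0000000002,192.0.2.44,LOGIN_NO_ERROR
2023-05-01T08:31:00.000Z,005admin0000000002,192.0.2.44,LOGIN_ERROR_INVALID_PASSWORD
"""

# Constructed policy: expected egress networks for staff, and the number of
# rows a single user may pull through the API within any one-hour window.
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
MAX_ROWS_PER_HOUR = 5000
WINDOW = timedelta(hours=1)


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


def excessive_downloads(csv_text, max_rows=MAX_ROWS_PER_HOUR, window=WINDOW):
    """Return (user_id, window_start, rows) for each user whose API rows
    processed inside a sliding window exceed max_rows (one alert per user)."""
    events = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        events[row["USER_ID"]].append((_parse_ts(row["TIMESTAMP_DERIVED"]), int(row["ROWS_PROCESSED"])))
    alerts = []
    for user, evs in events.items():
        evs.sort()
        start, total = 0, 0
        for end, (ts, rows) in enumerate(evs):
            total += rows
            # Drop events that fell out of the window ending at this event.
            while ts - evs[start][0] > window:
                total -= evs[start][1]
                start += 1
            if total > max_rows:
                alerts.append((user, evs[start][0], total))
                break
    return alerts


def unusual_logins(csv_text, trusted=TRUSTED_NETWORKS):
    """Return (user_id, source_ip, login_status) for every login attempt,
    successful or failed, whose source address is outside the trusted networks."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip = ipaddress.ip_address(row["SOURCE_IP"])
        if any(ip in net for net in trusted):
            continue
        alerts.append((row["USER_ID"], row["SOURCE_IP"], row["LOGIN_STATUS"]))
    return alerts


if __name__ == "__main__":
    for user, since, rows in excessive_downloads(API_LOG):
        print(f"ALERT excessive rows: user={user} since={since:%H:%M} rows={rows}")
    for user, ip, status in unusual_logins(LOGIN_LOG):
        print(f"ALERT untrusted login source: user={user} ip={ip} status={status}")
```

A sliding window rather than a fixed per-hour bucket is used for the download check so that a pull split across the top of the hour is still counted as one burst; the login check deliberately keeps failed attempts, since a failed login from an unexpected address is at least as interesting as a successful one.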
6. Train staff on data security
One of the best lines of defense against data breaches is your own people. Educate your staff on security awareness and best practices with ongoing training sessions. Focus on common problem areas such as weak passwords and phishing scams. Regularly review and update your security policies and share them with your staff to ensure continued protection of sensitive data.
How Silverline helps level up Salesforce data security
Silverline believes that data security matters now more than ever. We help organizations strategize and implement robust security operations solutions customized to your Salesforce instance. We leverage insights acquired through more than a decade in the business along with real-world expertise gained across Media and Entertainment, Financial Services, and Healthcare industries to enable continuous value and security with the Salesforce platform. Find out how we can strengthen your Salesforce data security.