The Hidden Truths of Salesforce Security

What is cloud security?

As the use of cloud infrastructure, platforms, applications and services grows, so do opportunities for malicious attackers to infiltrate systems.

Without effective defences, you face a growing risk of data theft, ransomware and other attacks that could seriously disrupt operations, damage your reputation and put you in breach of compliance rules and data protection regulations. Cloud security refers to the technologies, processes and resources you deploy to protect your organization against cloud-based attacks – and in many cases it’s dangerously inadequate. 

Stay safe as cloud use grows

There are many compelling reasons why organizations are switching to the cloud, including lower operating costs, greater operational flexibility, and the need to enable people to work and collaborate remotely. Indeed, the requirement for social distancing during the pandemic has normalized cloud-based working over the past two years, with Salesforce among the most popular platforms. 

The trend looks set to continue. A recent Gartner CFO survey found 74% of companies expect a proportion of employees to work outside the office permanently, with 17% of them estimating remote employees will make up at least 20% of their workforce. Cloud platforms are also increasingly being used for business-critical work – from sharing sensitive materials and handling documentation to collaborating with customers and partners. 

Yet while the cloud is clearly a boon for productivity and convenience, too few organizations understand and effectively mitigate the security risks introduced by this new way of working – and cyber criminals are ever more adept at exploiting any gaps in organizations’ defenses. As the use of cloud software-as-a-service (SaaS) offerings such as Salesforce, Microsoft 365, Google Workspace and others increases, these services are becoming an ever more lucrative and attractive target for attackers.

If attackers are not out to steal data stored in the cloud, they will surely use cloud services as "stepping stones" to get into other internal and external systems. We have already seen examples of phishing and ransomware attacks conducted via cloud services.

Our experts have highlighted four hidden secrets that will help you use Salesforce and other cloud services securely.

Hidden Truth 1: Increase visibility to gain control

When you move data into a cloud service like Salesforce, you need to maintain full visibility and control.

That means being aware of what kind of data you’re storing, how it’s classified, where it comes from, who can access it, and where it goes to. If data comes from external, unknown or untrusted sources, such as via email, you need the ability to block harmful and disallowed content before it reaches internal or external users.

You also need to ensure you’re not in breach of any regulations or compliance requirements that apply within the jurisdictions, industries and markets where you operate – such as the EU’s data protection legislation GDPR or the payment card security standard PCI-DSS. That means you must be able to monitor and control access to any sensitive data and maintain a full audit trail. You also need the ability to detect malicious insiders and any unauthorized access to data, which means monitoring activity and behavior rather than just looking for known threats.

Hidden Truth 2: Know your responsibilities and close security gaps

One major cause of cloud security gaps is widespread misunderstanding of who’s responsible for securing what on third-party clouds.

Providers typically guarantee the security of their platforms, often displaying impressive accreditations and certificates. This leads some buyers to presume – wrongly – that they don’t need to worry about any aspects of cloud security.

When you buy cloud services such as Salesforce, you sign up to what’s known as a shared responsibility model of security. While providers contract to ensure their systems are secure at an infrastructure and platform level, you remain responsible for maintaining general security hygiene, ensuring the cloud security controls your supplier provides are always properly configured, and protecting your data on the system. Precise responsibilities can vary from contract to contract, but most follow a broadly similar split.

Hidden Truth 3: Keep clouds well configured amid growing complexity

Cloud services and applications can easily become very complex, which frequently results in misconfiguration or weak access controls that can lead to data breaches.

Data can also be accessed by other applications and services connected to cloud platforms via software interfaces known as APIs. If these are misconfigured or granted more permissions than necessary, they too can facilitate a breach.

This is particularly pertinent for Salesforce admins, who face a constant stream of change requests from their organizations to add new functionality, take advantage of advanced capabilities of the platform or deploy third-party apps, services and add-ons from the Salesforce AppExchange. Ease the complexity by deploying tools such as cloud threat detection and cloud security posture management (CSPM) to highlight potentially dangerous or non-compliant configuration automatically.

Hidden Truth 4: Mitigate supply chain attacks

Even when your cloud platform or service is properly configured, there is a risk with third party integrations or applications connected via APIs.

You need to anticipate that systems connected to your cloud may be compromised via a software vulnerability or misconfiguration. Attackers may also use lateral movement techniques to gain access to organizations providing third-party systems and leverage their distribution channel – what is known as a 'supply chain attack'.

For example, in 2019-20, a backdoor in the popular network management system SolarWinds was compromised, allowing attackers to infiltrate the systems of multiple US Government agencies. More recently, a vulnerability in the Java logging framework Log4j put an estimated 93% of enterprise cloud environments at risk of attack (source: Wiz/EY). While many systems have now been patched, Log4j is so widely used – often invisibly installed by other packages that require particular Java components (‘dependencies’) in order to function – that the Log4j vulnerability is likely to remain a problem for some time.

If you have integration between your Salesforce cloud and a partner, customer or third-party system that has been unknowingly compromised via a vulnerability such as Log4j, that connection could be used by the attacker to infiltrate your organization, so it’s critical you’re monitoring for both known malware threats and anomalous activity that could indicate an unknown one.

Who needs additional security for Salesforce?

F-Secure Cloud Protection for Salesforce provides real-time protection from viruses, trojans and ransomware, scanning all content that is uploaded into the cloud. It complements the built-in security controls of the Salesforce cloud platform and ensures you meet your security responsibilities by protecting any and all data stored or shared via Salesforce.

The solution gives you the capability to prevent or disrupt attacks via malicious files or phishing links. It also provides full visibility and analytics – including details of all content accessed by internal or external users.

For many organizations that use Salesforce, the need to deploy additional defenses such as F-Secure Cloud Protection for Salesforce for the platform is becoming increasingly critical. Below we present three typical use cases.

Use case 1: The Proactive Seeker

Ever more Salesforce admins recognize that, as the use of cloud systems and services increases, they need to ensure their Salesforce platform is fully protected. They are aware of growing cloud threats such as ransomware and data breaches. They also understand their shared responsibilities for security, although they may not be fully aware of what third-party tools are available to help them meet those responsibilities. So they start asking pertinent questions around security and protecting the Salesforce environment from cyber attacks. They quickly learn about solutions like F-Secure Cloud Protection for Salesforce by searching via the AppExchange to see what security apps are available. They also learn that the F-Secure solution can cover the gaps in Salesforce security. They then initiate an evaluation and procurement exercise, having already built a solid business case for investment.

Use case 2: The Portal Protector

An organization is expanding its use of Salesforce to link up with partners and/or customers – for example, via Experience Cloud (previously known as Community Cloud). However, it can’t guarantee that external third parties have adequate security in their endpoints – the systems and devices they’re using to connect to the organization’s portal. If they allow external users to upload content to Salesforce like documentation, forms or links, then they need a way to ensure these potentially compromised endpoints aren’t being used to smuggle in threats like malware or phishing links. They’re concerned about the potential for damage not only to their systems, but to their reputation. They can’t afford to risk something nasty getting through and subsequently being downloaded by a partner or customer. Neither can they afford their systems to be out of action, since their portal may well be core to their business offering – as is often the case in financial firms, recruitment companies, travel agencies and other professional service businesses.

Use case 3: The Compliance Overseer

A large organization – or one operating in a highly regulated sector such as health, financial services or government – often has strict compliance rules it must follow. These might include legal and regulatory stipulations on data protection and privacy, or they might simply be internal compliance procedures that follow best practice, such as the ISO 27001 security standard. An objective comes down from a senior manager, perhaps a CISO or CIO, or even CEO, to ensure that cloud platforms, applications and services are fully compliant with the organization’s overarching data security policies. As a result, admins realize that they need additional tools to protect their Salesforce environments adequately. That is likely to include implementing content security with solutions like F-Secure's Cloud Protection, but may also require a Cloud Security Posture Management (CSPM) solution to ensure compliance across the business.

Protect your Salesforce Cloud against malicious content

F-Secure Cloud Protection for Salesforce complements native security capabilities of Salesforce by scanning all files, URLs and emails for malware in Salesforce cloud environments.