It is no secret that cloud platforms are becoming increasingly integrated in day-to-day business processes. In fact, the average number of cloud services used by an organization exceeds 700.
The undeniable benefits of cloud platform adoption include a dramatic increase in collaboration and productivity. However, as usage of the cloud grows, so do security concerns, as reported in the Forrsights Security Survey, Q2 2013: “Authorized users inadvertently exposing sensitive information was the most common cause of data breaches in the past 12 months.”
The volume of sensitive data stored throughout the Salesforce environment, including Sales Cloud, Service Cloud, Chatter, and Files, is considerable. Salesforce is secure at the infrastructure and platform levels, but user behavior remains the variable.
Here are three quick tips to secure your Salesforce environment.
1) Make Security Easy for Users
Risky user behavior is seldom born of malicious intent. Rather, in their effort to leverage the productivity and collaboration advantages of the cloud in a business environment, users often seek the path of least resistance. An organization that impedes cloud service adoption and disrupts processes with burdensome gateways suffers reduced output and requires labor-intensive remediation by IT teams.
Alternatively, employing an entirely cloud-based Data Loss Prevention (DLP) solution avoids the delay associated with gateways while minimizing impact on end-user performance. Harnessing the power and benefits of the cloud without negating the security objectives of the organization starts with making the secure process easy for users.
2) Invest in Users Through Awareness Building and Education
As the saying goes, sometimes you win, sometimes you learn. As we move deeper into the age of the cloud, it is important to recognize the value in treating mistakes and violations as teachable moments.
Rather than doling out punishments and nullifying productivity-enhancing processes, notify users of specific policy violations and offer them the opportunity to self-remediate. This educates users, empowers them to take ownership of their own security, and reinforces positive behavior.
IT workloads are reduced, and users learn the acceptable use policy through memorably concrete examples. This people-centric approach instills a sense of responsibility in users while establishing the idea that security is the shared responsibility of everyone in the organization.
3) Recognize What Doesn’t Work
Identifying ineffective practices is invaluable when developing a security strategy for your Salesforce environment. For instance, relying on paper policy is not sufficient, or always applicable, in the age of the cloud. While defining acceptable use policy is critical, the existence of paper policy alone is not enough to encourage or enforce security strategy.
Similarly, Salesforce’s role-based user permission sets may not completely address potential security risks. Unfortunately, the typical organization has a large number of individuals with administrative privileges, and the potential for policy violation, such as mass data exfiltration, exists.
Other organizations use encryption to lock down their Salesforce environment. However, the overwhelming majority of information stored in Salesforce is not sensitive data, making all-encompassing, universal encryption an expensive, resource-draining, and impractical endeavor. Additionally, relying on encryption and gateways impedes users, encouraging alternatives that deprive security teams of visibility and policy enforcement capability.
Meanwhile, security at the device level is impractical, as agents are cumbersome and expensive. Gateway-based solutions detract from the performance benefit gained by using cloud solutions. They slow users down and reduce productivity.
Keeping it Real
Taking a realistic approach to Salesforce cloud security requires considering the users’ perspective. Users want to work like they live, without disruptive hindrances and obtrusive barriers. A pragmatic strategy makes the secure process the path of least resistance, incorporates a feedback mechanism to educate users and enable self-remediation, and avoids the traditional security pitfalls.