Balancing security versus access in your Salesforce tenant
When it comes to sensitive data, there can be little more sensitive than an organisation’s customer data
Not only is high availability critical for the operation of their sales activities, but the data needs to be accurate and well-maintained.
And that’s before we even start discussing the need to keep this information secure from theft and misuse. In short, considering the cybersecurity triad of confidentiality, integrity, and availability, we commonly see that conversations about the risks associated with customer data would be determined as high impact.
The significant volume of threats would ramp up the likelihood aspect of risk too
Salesforce, for many organisations, is a hub for customer data. Whether in their flagship CRM service, or hosted within apps on the wider platform, many enterprises will have a lot of sensitive stored and processed on salesforce and will employ salesforce security controls alongside their own policies and 3rd party tools to implement their desired security strategy, balancing the need for access against the need for protection.
But think about the conflicting requirements here:
- On one hand, you want everything locked down, using principles of least privilege (you only get access to what you need)
- On the other hand, your sales manager and service agents require wide access across their regions to work efficiently.
This typifies the security dilemma. Nobody (including the security team) wants to lock things down so much that every new campaign needs new permissions granting. It would be an operational nightmare. And so, access is granted in a more “most privilege” model; management gives more access and expects teams to contact more leads and produce more revenue.
This isn’t a universal fact; lots of organisation are working very hard indeed to get the balance right, but the need for sales will commonly outweigh the risk of data loss in decision making rights.
“How did you get my number?”
One tangible example of where this practice can lead to an undesirable outcome is the story of a team member who takes data with them as they leave to start work at a competitor.
Many of us will have personal experience being contacted by a company that we didn’t share our information with; “How did you get my number?”
As per the point above, the more access an individual has, the more they can take when they leave.
Whilst this can happen with employees, it is rife when third party organisations that are contracted for specific activities and given access to data at scale, in a rush to get ROI from the engagement. Detecting theft is tricky when the thief has legitimate access as part of their role.
Black swans versus Laws
Now let’s go back to risk. A major part of calculating risk is the “likelihood” variable. We try to forecast probability of something happening in the future; from an outlier, black swan kind of deal (0.0001% likely), to a cold hard fact certainty (100% likely).
If an organisation suffers a breach, it might get detected early enough to shut down quickly before real damage is done (equally, it might not). Any incident might lead to some level of reputational damage, that could take some time and money to recover from.
But, there will be an involvement from the relevant regulators, because it is a law that organisations protect their customer’s privacy. Laws move the conversation from a possible outcome to a fact, and unlike hackers or data stealing ex-employees, most organisations consider legal obligations to be important. Our view here at seedata.io is that such laws will only increase in scope and penalty.
In summary, it’s important (because of laws and risks) that organisations get the balance of access versus security right, otherwise they will restrict sales activity or facilitate data loss incidents
So, let’s consider how organisations are doing that today. From the 10,000-foot view, security people will establish and operate a bunch of processes and tools that aim to prevent incidents before they happen or detect them and recover normal operations swiftly.
From a lower-level view (the actual processes and tools themselves), there’s been some fantastic innovations over the years; look at Transaction Security and Data Classification within Salesforce, or controls to block exporting of data; look wider at security tools like AI-fuelled automated incident response platforms and user-behaviour analytics.
Such controls have taken the industry forward in leaps and bounds, and they offer fantastic risk reduction opportunities when implemented correctly.
And there’s the killer blow… “when implemented correctly”!
The first step is in deciding to implement any particular security control at all. Many organisations will not know such controls even exist, or underestimate the risk, or decide the costs/overheads are too high; they just won’t implement them.
Some organisations will implement though. But then “correctly” becomes imperative; what if the project wasn’t scoped correctly, or the control was configured incorrectly, or worse still get subverted by users who find the intended security improvement to be an inconvenience to their activities.
What this means is that if an organisation’s security controls fail to prevent or detect an incident, data theft can run unnoticed.
And if they don’t know it’s happening, they can’t do anything about it (worse still, false confidence of adequacy is assumed).
We see large enterprises reporting Mean Time To Detect (MTD) times in excess of 200 days, with the majority of detections being alerts from outside sources, such as customers, law enforcement agencies or regulators.
That’s 200 days during which the impact of the incident is growing, more data is being stolen, more customers are being contacted by competitors
Critically, detecting N incidents does not mean you’ve had N incidents; It means you’ve had N+x incidents, and you don’t know what x equals!
Seedata.io is a platform that intends to reduce the MTD for incidents that existing security investments failed to detect, and thereby provide an organisation with confidence on what “x” equals.
We provide a closed feedback loop to show where sensitive data is going, and how it is being used. We plant artificial but trackable data within our customers environments, then monitor for any interactions with / exposures of our data; we look across surface, deep and dark web, identifying activities by organised cybercriminals and casual abuse by employees and 3rd parties.
We then perform enrichment and analysis of our observations, leading to notifications back to our clients for any events of interest, which can then be investigated as potential incidents. We do all of this in a low cost, highly automated platform, requiring minimal integration efforts and producing incredibly low levels of false positive noise.
We help reduce the likelihood of data theft by trusted employees by acting as a deterrent, and we reduce the impact of such incidents by detecting the theft event much quicker. If you’re interested in learning more about how we work, please schedule a meeting. If you’d like to put our platform to use, please sign up for a free account