Salesforce.com, the world’s biggest SaaS platform with over 150,000 companies as customers, has never been breached. Is that true?
In 2007, the Washington Post reported that names, email addresses and physical addresses of about 40,000 SunTrust customers were stolen from a database on Salesforce.com. A cursory reading of the headline may lead you to believe that Salesforce.com had been hacked, but the real story shows that the data could be taken because a user’s Salesforce login details were stolen using a ‘phishing’ attack. The perpetrators, furnished with an authorised user’s access, were then able to steal sensitive data, and went on to send phishing emails to the unsuspecting SunTrust customers.
In December 2015, TheNonProfitTimes reported that VolunteerMatch customer details, including names, addresses and emails, were stolen, again following a malware attack on a user’s computer. This time the Pony downloader and Vawtrak malware are thought to potentially have been used to effect the breach.
We know that Salesforce data can be stolen by compromising a user’s credentials. Of course, insider threat is always one of the highest risk factors, and a disgruntled Salesforce employee could theoretically steal mountains of sensitive data and sell it to the highest bidder.
But what if someone gets access to a ‘power user’s’ sign-in details? What if, say, a Sales Director, who is defined to have access to all customer data, falls victim to a phishing scam and enters their Salesforce user ID and password whilst a keylogger is stealing their login information?
Falling Through the Cracks
Salesforce and other SaaS environments are often considered to be outside of ‘mainstream IT’ and are often managed and supported by people other than the teams who manage in-house or cloud application environments. Worse still, InfoSec processes and policies in place for non-SaaS IT systems do not reach the SaaS environment, because SaaS data security is often wrongly assumed to be the responsibility of the provider. This is not the case, especially under the GDPR. Your data is your data, and any breach or loss of data to bad actors is the responsibility of the data owner – namely you.
Your job as the data owner is to protect your customer data from theft. It is good to know that Salesforce and some other SaaS vendors provide state-of-the-art perimeter and access controls, and in some cases two-factor authentication as an additional layer, but it is a truism of our industry that bad actors will always find a way to steal your data.
We have seen that insider threats and compromised users are a favourite way in, so to reduce risk, access must be limited by modifying your Salesforce implementation to activate IP range restrictions, allowing users to access Salesforce only via your corporate network or VPN. So far so good, but one must assume people will still get in.
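Salesforce enforces IP range restrictions itself at the profile level (Login IP Ranges), but the same allow-list is worth applying to exported login history so that successful sign-ins from outside the corporate network or VPN are reviewed rather than silently accepted. The following is an added example, not code from the original article or from Salesforce; the address ranges and login records are constructed (documentation-reserved ranges standing in for real office and VPN egress addresses).

```python
import ipaddress

# Constructed allow-list: stand-ins for corporate office egress and the VPN pool.
# Real deployments would use the organisation's actual egress ranges.
ALLOWED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),   # office egress (placeholder range)
    ipaddress.ip_network("198.51.100.0/25"),  # VPN pool (placeholder range)
]


def ip_permitted(source_ip: str, allowed=ALLOWED_RANGES) -> bool:
    """Return True only if the source address lies inside a permitted range.

    A malformed address is treated as not permitted: an entry that cannot be
    parsed should never pass an allow-list check by accident.
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowed)


def audit_logins(records, allowed=ALLOWED_RANGES):
    """Return the successful logins whose source IP is outside the allow-list.

    Each record mimics the fields one would pull from a login-history export
    (user, source IP, status); the records here are constructed, not real.
    Failed logins are skipped because they were already denied.
    """
    return [
        r for r in records
        if r["status"] == "Success" and not ip_permitted(r["source_ip"], allowed)
    ]


# Constructed sample login records for the example
SAMPLE_LOGINS = [
    {"user": "sales.director@example.com", "source_ip": "203.0.113.42", "status": "Success"},
    {"user": "sales.director@example.com", "source_ip": "192.0.2.77", "status": "Success"},
    {"user": "admin@example.com", "source_ip": "198.51.100.9", "status": "Success"},
    {"user": "admin@example.com", "source_ip": "192.0.2.200", "status": "Failed"},
    {"user": "svc.integration@example.com", "source_ip": "not-an-ip", "status": "Success"},
]

if __name__ == "__main__":
    for r in audit_logins(SAMPLE_LOGINS):
        print(f"review: {r['user']} signed in from {r['source_ip']}")
```

Run against a real export, the two records this flags (a power user signing in from an unlisted address, and a service account with an unparseable source) are exactly the cases the restriction is meant to catch; the failed attempt is left out because Salesforce already blocked it.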
Secure Data Itself
The GDPR advocates pseudonymisation to protect sensitive information from misuse, loss and theft. Protecting data itself in this way before it leaves your corporate boundary, so that what lands in Salesforce is fake data, means that when a bad actor attempts to steal data, even if they are within your corporate network and the sign-on details are valid, any single user can only have access to the data their credentials allow. All other data in Salesforce is fake, and can only be rendered in the clear by a suitably authorised user. Of course, system admins should have no access to sensitive data in the clear. They do not need it to do their job.
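One way to realise this is a pseudonymisation gateway on the corporate side: sensitive fields are replaced by tokens before the record is sent to Salesforce, the token-to-value mapping stays in a vault behind the corporate boundary, and only roles that genuinely need the clear value may resolve a token. This is an added illustration, not code from the original article or from any vendor product; the role names, the in-memory vault and the sample customer record are assumptions made for the example.

```python
import hashlib
import hmac
import secrets


class PseudonymisationGateway:
    """Tokenise sensitive fields before a record leaves the corporate boundary.

    The token is what lands in the SaaS platform. The mapping back to the real
    value lives only in a vault on the corporate side (here an in-memory dict,
    standing in for a properly protected token store).
    """

    SENSITIVE_FIELDS = ("name", "email", "address")
    # Roles permitted to see data in the clear (assumed for the example);
    # system administrators are deliberately not among them.
    REVEAL_ROLES = frozenset({"account_manager", "data_protection_officer"})

    def __init__(self, vault_key: bytes):
        self._key = vault_key   # never leaves the corporate boundary
        self._vault = {}        # token -> real value

    def _token(self, field: str, value: str) -> str:
        # Keyed HMAC rather than a plain hash: deterministic, so the same customer
        # maps to the same token (joins and de-duplication keep working in the SaaS
        # platform), yet not reversible or guessable without the vault key.
        mac = hmac.new(self._key, f"{field}:{value}".encode(), hashlib.sha256)
        return "TKN_" + mac.hexdigest()[:24]

    def pseudonymise(self, record: dict) -> dict:
        """Return a copy of the record with every sensitive field tokenised."""
        out = dict(record)
        for field in self.SENSITIVE_FIELDS:
            if field in out:
                token = self._token(field, out[field])
                self._vault[token] = out[field]
                out[field] = token
        return out

    def reveal(self, record: dict, role: str) -> dict:
        """Resolve tokens back to clear values, but only for an authorised role."""
        if role not in self.REVEAL_ROLES:
            raise PermissionError(f"role {role!r} may not view data in the clear")
        out = dict(record)
        for field in self.SENSITIVE_FIELDS:
            if field in out and out[field] in self._vault:
                out[field] = self._vault[out[field]]
        return out


def contains_clear_pii(record: dict, original: dict) -> bool:
    """True if any original sensitive value survives in the record as stored."""
    return any(
        record.get(f) == original[f]
        for f in PseudonymisationGateway.SENSITIVE_FIELDS
        if f in original
    )


# Constructed sample customer record for the example
CUSTOMER = {
    "account_id": "A-1001",
    "name": "Jane Example",
    "email": "jane@example.com",
    "address": "1 Example Street, Exampletown",
    "plan": "enterprise",
}

if __name__ == "__main__":
    gateway = PseudonymisationGateway(secrets.token_bytes(32))
    stored = gateway.pseudonymise(CUSTOMER)
    print("stored in SaaS:", stored)
    print("account manager sees:", gateway.reveal(stored, "account_manager"))
    try:
        gateway.reveal(stored, "sysadmin")
    except PermissionError as err:
        print("sysadmin:", err)
```

A record lifted from the platform with a stolen power-user login, or by an administrator, carries only tokens; non-sensitive fields such as the plan stay usable for reporting, and the vault key is the one secret whose protection decides whether the tokens can ever be resolved.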
3 Steps to Take Now
How can you improve your Salesforce security posture today?