Where Salesforce once sold by going around IT and held on dearly to its cloak of security, the company now seems to have traded this cloak for a cape of open security and proactive compliance designed to speak to IT.
This should be good news for the 150K Salesforce customers using over two million apps to complete 211 billion transactions in Q1 2015. “We are pleased to announce Shield,” said Jim Rivera, VP Product Management at Salesforce.com. “Shield is a service that provides event monitoring, field audit trails, and platform encryption.”
There may be holes in the v1 security implementation, which seems to be led and driven primarily by compliance. But the team at Salesforce is clearly taking an active approach to being more transparent with respect to what happens to the data residing in their customers' Salesforce instances.
Managing Risk: Choosing Compliance Over Security
In a number of sessions held during Dreamforce, the team at Salesforce promoted four elements of trust: availability, confidentiality, integrity, and transparency.
Three of these elements are well known in the security space, as they form the traditional “CIA Triad” security model. The fourth element, transparency, is an interesting addition, given that Salesforce has a history of asking companies to blindly trust that it protects their data, often selling directly to the line of business (traditionally the sales and marketing teams) and going around the IT and security departments.
It appears that Salesforce has a desire to sell to additional lines of business operating outside of its bread-and-butter sales and marketing targets. These new targets—such as HR, commerce, support, service and more—are often bound to government regulations and other industry policies and standards. A move in this direction, coupled with the onslaught of breach news in the media, means Salesforce has to be more transparent by giving companies a way to see how their data is accessed and used.
In most cases, a small step forward is better than no step at all. This holds true for Salesforce's implementations of some of its recently added security features. However, aside from the encryption element, this step is really geared toward the auditor and compliance folks—the people who could hinder sales to additional departments within the organization.
“There’s a big difference between compliance and security, but you need to be both compliant and secure,” said Bill Phelps, Managing Director/Global Practice Lead of Security Services at Accenture. “Adversaries neither care about compliance nor if the data resides in the US, the UK or France.”
New Tools of Transparency: Assessing Salesforce Data Security
Putting compliance aside for a moment, let’s look at the security pros and cons of each Shield function:
Shield Feature: Event Monitoring
Situation: People with access to Salesforce can use the data; hopefully they only do so for approved business purposes within their scope of responsibility. For cases where this no longer holds true, companies need to monitor for data misuse and data leakage.
Feature Capabilities: With Shield, administrators can monitor user activity to see who accessed what data from where. In addition to the security and compliance aspects associated with this feature, organizations can leverage the information to optimize performance and improve the experience while also tracking app usage for increased adoption.
- Solves for compliance: Companies can solve for data compliance with event monitoring.
- Identifies anomalies: people who shouldn’t be accessing data, people accessing data from a strange location or device, or people accessing volumes of data that are not commensurate with their job function.
- Uses other tools and partner apps to analyze data: companies can also export data to Excel files for use in broader security and compliance analysis.
“Shield is like X-ray vision for data access,” said Bill Schongar, Technical Lead at Cisco Systems. “We pull data from Salesforce daily to see if people are accessing stuff they shouldn't see, if there is anything out of ordinary, and if the access is used properly and effectively. One good example is to see if people are logging in from a system they don't normally login from.”
“If someone accesses the customer list and it's not part of their job, we can do something about it,” added Franck Fatras, Founder and CTO at LendingPoint.
- Supports historic use cases only—you have to wait 24 hours after an event is generated before it can be seen via the API.
- Only 30 days of logs retained.
“Doing an assessment every six months is not enough—organizations need to do continuous assessments,” said Niall Brown, Chief Trust Officer at Workday.
Schongar added, “24 hours’ worth of data does not work for real-time analysis. This is really dangerous.”
- “Minimize the logs you collect until you are ready to analyze them—don't respond to everything as if it were an issue when you start,” said Schongar. “Start by analyzing so you have a good picture before you start responding.”
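The anomaly checks described above (logins from an unfamiliar location, export volumes out of line with a user's job), written as an added example that is not Salesforce's code or any tool mentioned in the article. It runs over a constructed one-day event export and a constructed per-user baseline; the column names are illustrative, not Salesforce's real event-log schema. Because the logs arrive a day late, this is the kind of daily batch analysis Schongar describes, and it only reports findings for review rather than responding automatically.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of one day's event-log export (illustrative columns, not
# Salesforce's real EventLogFile schema): login and report-export events.
SAMPLE_LOG = """TIMESTAMP,EVENT_TYPE,USER,SOURCE_COUNTRY,ROWS
2015-09-14T08:02:11Z,Login,alice,US,0
2015-09-14T08:05:40Z,ReportExport,alice,US,120
2015-09-14T09:12:03Z,Login,bob,US,0
2015-09-14T09:30:55Z,ReportExport,bob,US,95
2015-09-14T22:47:19Z,Login,alice,RO,0
2015-09-14T22:51:02Z,ReportExport,alice,RO,48000
"""

# Constructed baseline built from earlier days: where each user normally logs
# in from, and how many report rows they typically export per day.
BASELINE_COUNTRIES = {"alice": {"US", "GB"}, "bob": {"US"}}
BASELINE_DAILY_ROWS = {"alice": 150, "bob": 100}
VOLUME_FACTOR = 10  # flag a day that exceeds 10x the user's typical export volume


def parse_events(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def find_anomalies(events, baseline_countries, baseline_rows, factor=VOLUME_FACTOR):
    """Return (user, reason) findings for an analyst to review; nothing is blocked here."""
    findings = []
    exported = defaultdict(int)
    for ev in events:
        user = ev["USER"]
        if ev["EVENT_TYPE"] == "Login":
            # A login from a country this user has never used before is worth a look.
            if ev["SOURCE_COUNTRY"] not in baseline_countries.get(user, set()):
                findings.append((user, f"login from unfamiliar country {ev['SOURCE_COUNTRY']} at {ev['TIMESTAMP']}"))
        elif ev["EVENT_TYPE"] == "ReportExport":
            exported[user] += int(ev["ROWS"])  # aggregate the day's export volume per user
    for user, rows in exported.items():
        typical = baseline_rows.get(user, 0)
        if rows > factor * typical:
            findings.append((user, f"exported {rows} rows today, more than {factor}x the typical {typical}"))
    return findings


if __name__ == "__main__":
    for user, reason in find_anomalies(parse_events(SAMPLE_LOG), BASELINE_COUNTRIES, BASELINE_DAILY_ROWS):
        print(f"{user}: {reason}")
```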
Shield Feature: Data Integrity
Situation: In addition to monitoring access to data, organizations need to have a handle on how their data is changed—both from a data model and operational infrastructure perspective as well as at the actual content level.
Feature Capabilities: With Shield, organizations get a full field audit trail, complete with field history tracking: who made what change, what the change was, and the reason behind the change. Additionally, organizations can establish and then meet their own data retention policies—keeping data for 10 years, for example, as opposed to the standard 18 months offered in earlier versions of the Salesforce platform. Finally, with Shield, organizations can track and access all the data they’ve retained, at scale.
- In many industries, this is critical from a compliance perspective.
- From a security perspective, capturing and tracking these changes can help identify malicious or accidental changes that could lead to data misuse, loss, or theft.
- While this information is good to have, making use of it means having a team (and tools) available and ready to analyze it to look for troubling trends or notable anomalies.
“Data is not an asset, it is a liability,” said Phelps. “If you can get rid of data instead of letting it back up forever and ever, do it. Large amounts of data available to unauthorized access or misuse leads to events like that which we’ve seen at Sony.”
Shesh Kondi, Director of Security & Compliance at Salesforce, added, “Unfortunately, there are conflicting requirements to delete old data and to retain data.”
“We look for anomalies in our data,” said Kate Slattery, Data Scientist at SolarCity, as she presented with her business partner, Bryan Yeung, Senior Manager of Sales & Marketing Systems. “These are some of the things we’ve done in reaction to what we found:”
- A report was made in Slattery’s name that she didn't recognize; later the report disappeared.
- An outside user may have taken advantage of her account, so they froze it and prevented further theft.
- We looked at the last 24 hours to see what she was up to: she logged in from different locations, which is okay.
- Perhaps a customer used her credentials.
- So they compared her travel history against the series of logins and found that one of the account logins was from a previously visited location.
Shield Feature: Encryption
Situation: As more business units begin to use the Salesforce platform to run additional aspects of their business, sensitive data needs to be protected against unauthorized viewing. In many cases, it’s not just a matter of privacy for the company’s sake of protecting intellectual property; oftentimes, it’s about keeping regulated data from prying eyes.
Feature Capabilities: With the introduction of Shield, organizations can now encrypt their data at rest. This includes standard fields, custom fields, files and attachments.
- Organizations can tag and classify the data: where it should live and who can access it.
- This approach gives organizations an idea of how to manage their data; for example, they can encrypt the name and not the social security number.
- Shield also provides fully customer-controlled and customer-managed encryption keys.
- Customers get the full lifecycle of key management, using a derived-key approach seeded by hardware security modules (HSMs) and by the tenant's database.
- Organizations can rotate the key by rotating the tenant secret.
- With the encryption built into the system, users can still search, use Chatter, look up content, and manage validation rules; Apex triggers all work as well.
- It’s an all-or-nothing approach; organizations can encrypt everything or nothing at all.
- People with the right access can see and use the data unencrypted.
“You have to encrypt everything, even if it doesn't need it,” said Kondi. “This has the potential to break things.”
“It's important to advise employees to not do stupid things,” said Phelps.
Know Where Compliance and Security Start and Finish
If you are a Salesforce customer, I encourage you to take this first step toward compliance/security by taking a look at what Shield offers. Be cautious though—monitoring alone does not equal security, and encryption alone does not equal data protection. Be aware of what you are gaining and where the gaps remain.
Take note too as to what the experts have to say: “When moving to the cloud you don't transfer risk or liability or responsibility to the cloud provider,” said Jamie Fox, Senior Associate at Deloitte. “To claim compliance as a means to claim security, and to claim that the choice to use Salesforce makes you compliant and secure, are both false claims.
“Ultimately—governance, risk and compliance (GRC) and security programs are the responsibility of the enterprise, not Salesforce,” Fox adds. “Data policies are owned by the enterprise while apps and permissions are owned by both the enterprise (for its employees) and Salesforce (for its cloud operator employees).”
Robert Clarke, US Enterprise Systems Risk & Controls Leader at PWC, added, “There are tools and techs to help with compliance, but you need to understand where it starts and finishes.”
But perhaps the more appropriate question raised by Clarke is…“Does it finish?”