Salesforce Data Security

Customer relationship management platforms like Salesforce are saving businesses millions in overheads and are proving to be indispensable tools in online commerce. However, these tools have a significant downside.

Since the very nature of a CRM requires it to store gigabytes upon gigabytes of user data, a single data breach can spell trouble for both the business and the customers. With the cost of cybercrime averaging 6 trillion a year, it’s a problem that requires attention from each and every business.

In this article, you can learn all you need to know about how Salesforce data security is implemented, so that you can make informed decisions when choosing a CRM.

Salesforce data security model

Salesforce is very concerned about the level of security on their platform. The model they are using is multi-layered. It allows developers and administrators to manage access on multiple levels.

Source: Slideshare/Salesforce

The CRM also provides encryption whenever data is transferred to ensure maximum security. Security is not only implemented on the side of the CRM: Salesforce also provides plenty of resources for developers to help each user improve the cybersecurity of the database they host on the platform.

Salesforce’s issues with data security

If you don’t think data security should be a serious concern at your organization, you need to think again. Not even the biggest players on the market like Yahoo and Salesforce could avoid such a disaster.

That’s right, Salesforce has had data breach incidents. Let’s look at how the company handled them and what we can learn about their approach to cybersecurity from the response.

Salesforce data breach

In the autumn of 2019, Salesforce and one of its clients, Hanna Andersson, a clothing brand, experienced a data breach. For several months, hackers had access to a database with all customer information, from credit card numbers to addresses, and neither Hanna nor Salesforce was aware. It only came out when law enforcement found the database on sale on the dark web.

Since the incident, both companies reached a settlement with affected customers and offered monetary compensation and identity theft protection services. It’s unclear what Hanna Andersson did on their part to prevent similar situations in the future, but Salesforce focused heavily on integrating monitoring systems to catch breaches early on.

Salesforce security data outages

2019 was definitely a bad year for the company because it didn’t just experience a data breach, but also experienced significant downtime in early spring. Salesforce released an official statement and analysis of the issue shortly after it was sorted out.

The company was open about the problem and shared how it originated and how it was fixed. The issue happened to be with the approach to testing a new script that changed permission sets. The company assumed that the results of local testing would apply to global servers, but the script produced a critical bug preventing users from accessing some of their data.

That’s an approach to cybersecurity any company should follow: fix, communicate, and improve.

Salesforce data security best practices

Salesforce did have its problems with security, but it always came out on top of them. Here are the best practices of cybersecurity implemented by Salesforce that make this possible.

Authentication data security

The most basic layer of security at Salesforce is protecting user login data. Each time you enter the platform using your username and password, a session cookie is created for you. Salesforce follows the latest security practices and does not store username or password data in those cookies. This way, if a malicious third party intercepts cookies from a user’s browser, they won’t have access to their authentication data.

Instead, Salesforce uses encoded session IDs in cookies to avoid compromising user data.
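The pattern described above, sketched as an added example (not Salesforce's code and not from the original article): the server keeps the user-to-session mapping and the cookie carries only a random, opaque ID. The account, the cookie name `sid`, the one-hour lifetime and the in-memory store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 3600  # assumed session lifetime in seconds
_SALT = secrets.token_bytes(16)
# Constructed sample account: only a salted password hash is kept server-side.
_USERS = {"alice@example.com":
          hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}
_SESSIONS = {}  # opaque session ID -> (username, expiry timestamp)

def login(username, password, now=None):
    """Check credentials; return a Set-Cookie value holding only a random ID."""
    now = time.time() if now is None else now
    supplied = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    expected = _USERS.get(username)
    if expected is None or not hmac.compare_digest(expected, supplied):
        return None
    sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _SESSIONS[sid] = (username, now + SESSION_TTL)
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["path"] = "/"
    cookie["sid"]["secure"] = True        # sent over HTTPS only
    cookie["sid"]["httponly"] = True      # not readable from page scripts
    cookie["sid"]["samesite"] = "Strict"  # not attached to cross-site requests
    return cookie["sid"].OutputString()

def resolve(cookie_header, now=None):
    """Map a Cookie header back to a username, or None if unknown/expired."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    jar.load(cookie_header)
    sid = jar["sid"].value if "sid" in jar else None
    username, expires = _SESSIONS.get(sid, (None, 0))
    if username is None or now >= expires:
        _SESSIONS.pop(sid, None)  # drop expired entries; logout does the same
        return None
    return username
```

An intercepted cookie of this kind still grants access until the session expires or is revoked, which is why the expiry check and server-side deletion matter as much as keeping credentials out of the cookie.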

Multi-factor authentication

Phishing attacks are responsible for 90% of data breaches, so protection against third parties getting access to corporate accounts is crucial. You can decrease the probability of a phishing attack with appropriate training, but even with these types of precautions it’s not guaranteed that a phishing attack won’t expose your business.

Humans tend to make mistakes, and with hundreds of employees in an organization, the probability of one person making a crucial mistake exists no matter what training they undergo. What cybersecurity specialists prefer to do instead is to make sure a phishing attack can’t help the scammer.

With multi-factor authentication, even if an attack like this goes smoothly and the malicious third party gets a username and a password, it won’t matter. Salesforce now strictly enforces MFA and requires users to confirm their identity with an authentication app on a mobile phone or a security key.

The probability of hackers gaining control of both a user’s authentication data and their phone is minimal. When combined with proper cybersecurity training, this means both your and your users’ data is safe from intruders.

User-introduced weakness

The last layer of user-facing protection that Salesforce uses is an automatic system that flags user actions that can be potentially dangerous. Since the platform has dealt with several Salesforce data security issues, it has a vast knowledge of bad practices. The system will flag user actions that can lead to data being compromised, such as weak passwords or insecure settings.

Data storage & backup

The word you’re looking for when talking about data storage is redundancy. Salesforce exemplifies this principle perfectly. The database where user data is stored uses multiple active clusters to improve availability in case of component failure. It is hosted on carrier-class storage that can be trusted to only need a few minutes of downtime per year.

This system ensures that even if one data center goes offline or one server breaks, all data will still be accessible. Data can be further backed up weekly or monthly for even greater data security in Salesforce.

The only problem with data storage at Salesforce is that it limits backups to once per week in Performance and Enterprise editions. Working with reporting can also be a problem because depending on the edition you’re using, you can generate only 50-200 reports per month.

If you find out that Salesforce’s backup options aren’t enough for your needs, you can use Coupler.io to export Salesforce data to your chosen destination. Coupler.io allows you to automate export of Salesforce data on a schedule and store it in BigQuery, Google Sheets, or Excel. This gives you increased options for historical data analysis as well.

Permission sets

Most organizations that work with Salesforce have dozens if not hundreds of employees. These employees have different levels of responsibility and can be trusted with different levels of data manipulation. This is why Salesforce gives the person with main administrative rights in the organization the right to issue permission sets to other users and to take them away.

You can issue these permissions at any level for any document in the database. For instance, you may give the salesperson permission to edit only individual records in an object and only see this specific object they’re working with. Their manager may have the right to view all objects and create new ones.

This is not only useful for workflow purposes, but it also ensures that if one person within an organization gets their authentication data compromised, the intruders won’t have access to the whole database.

Encryption

Encrypting data is another redundant step that ensures maximum safety. You can encrypt most data that is stored on the platform, and Salesforce offers two types of encryption for standard and premium subscriptions.

When data is being transmitted on and off the platform, the connection is encrypted, so if you’re using Coupler.io to export Salesforce data, it’s not in danger of being exposed.

Event monitoring

The final piece in the Salesforce protection puzzle is an event monitoring system. With this in place, users will be promptly notified once something suspicious is going on with their data. This way, even if everything else fails, both the user and Salesforce cybersecurity personnel will be given a head start to fix the problem.

How good is data security in Salesforce?

Even though Salesforce had a pretty bad year in 2019 in terms of data security, the company prioritized and focused on what matters, the users, and improved. Now, Salesforce data security is robust with MFA, advanced encryption, and a notification system in place.

However, if you decide on exporting data stored on Salesforce databases for further analysis in a third-party tool, don’t let data security put you off. Google Workspace and BigQuery are even more secure than Salesforce and are a great choice for long-term storage of historical data.