Defense in Depth: Salesforce Security

For many, Salesforce is far more than a CRM: it is running their entire business. How difficult is it to secure the environment? Are Salesforce’s security controls doing an adequate job, or are they falling short?

Check out this post for the basis for our conversation on this week’s episode, which features me, David Spark (@dspark), producer of CISO Series, and Mike Johnson, regular co-host of the CISO/Security Vendor Relationship Podcast. We welcome our sponsored guest Ed Ponte, security and governance engagement leader, RevCult.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our podcast sponsor, RevCult

On average, 18 percent of all your Salesforce data fields are highly sensitive and 89 percent of users have access to that data. RevCult is the only solution that helps you understand the data you have in Salesforce, and whether you are protecting it. Get a free Salesforce Security Self-Assessment to understand your Salesforce security weaknesses.

Full transcript

David Spark

For many, Salesforce is far more than a CRM. It is running their entire business. How difficult is it to secure the environment? Are Salesforce’s security controls doing an adequate job? Or are they falling short?

Voiceover

You are listening to Defense In Depth.

David Spark

Welcome to Defense In Depth. My name is David Spark, I am the producer of the CISO Series. Joining me, not as always, doing a cross-over, kind of like when Donny Osmond chose to do country instead of rock and roll on the Donny and Marie Show, it is Mike Johnson, who is normally my co-host for the other show, CISO/Security Vendor Relationship Podcast. And he is subbing in, and it will be obvious in just a moment why he is subbing in. But now let me just mention that we are available at CISOSeries.com. All our programming, everything, is available at that site. Our sponsor for today’s episode is RevCult. RevCult has a Salesforce security solution. If you have a Salesforce environment you are going to want to lock in on today’s program. They are also responsible for bringing our guest today. That in just a moment, but first, Mike. You yourself are a former cyber security employee at Salesforce, so you know some of the inner workings of that program. On LinkedIn, you asked the community where Salesforce is delivering in security controls and where it is falling short. I would also argue that I think the way many people use Salesforce also puts a lot of privacy issues in question, and we may get into that a little bit. But Mike, set us up: what was the initial response, and who were the people responding?

Mike Johnson

The response was really interesting. It was not quite what I had expected in terms of some of the other perspectives that people were sharing. I also did not expect a lot of other fellow former Salesforce security employees to come out of the woodwork and share their perspectives, and things that they had run into in the past. Which was great, it really means that we had a lot of expertise on this thread, and a lot of great information that we will talk more about in this episode. The thing that was most compelling to me was how everyone really did seem to feel the pain. People really understood that Salesforce security both is complicated and difficult, and also important. There is a very solid recognition now. Years ago there was not. But now people understand the importance of data that is kept within Salesforce, combined with the complexity of the fact that it is not just a CRM anymore.

David Spark

No, far from it.

Mike Johnson

Salesforce is a company with a vast number of products all across the space. They are constantly growing, constantly adding additional products, acquisitions. Completely different bolt-ons that are coming from different places, which only serves to both increase the complexity and increase the importance and criticality of the security of Salesforce as a product suite.

David Spark

An excellent summation, Mike. That really kind of nails it and that really sets us up for the discussion. And the person to help us discuss this is a sponsored guest from RevCult. As I told you, they have a Salesforce security solution so they will also have expertise. It is interesting, we are going to get some internal expertise and external expertise, if you will. He is the Security and Governance Engagement Leader for RevCult, Ed Ponte. Ed, thank you so much for joining us.

Ed Ponte

Hey Mike and David, great to be here today with you both.

Why is this a problem?

00:03:45:23

David Spark

Sean Brazeau of the NCC Group said “who is managing the Salesforce security controls and are they capable and prepared to do so?” Robert Fly of Elevate Security said “first, the issues are: they did not have an understanding, visibility or oversight into the security controls. And two, they had no idea about the sensitivity of the data Salesforce actually had in it.” That is kind of repeating the things you said right up front, Mike, so let’s start with you. The issue is, I do not think Salesforce security seems to be on anybody’s plate, is it?

Mike Johnson

That is a great question for Sean to be asking. I think it needs to be asked for any SaaS solution that an organization is rolling out. Often the answer is “I had not thought about that” or “it is the security team, the security team has got it.” And the security team is sitting over here going, “What? What is this thing? We do not even know what it is. We do not know what is expected of us.” So ultimately you have got either nobody doing it, or it is expected of them that they will be doing it, and they do not know the application. You cannot go into an application you do not understand and bring a reasonable security model to it. So Sean is asking a great question. I think looking at Robert’s points, Robert is former Salesforce and he has forgotten more about Salesforce security controls than I will ever know. And ultimately he is totally right. I remember talking with so many security professionals who did not even know what Salesforce was. “What is Salesforce?” And they did not know what was in there. They did not understand the importance of that data. They might have thought, “oh well, it is just a bunch of email addresses, that is all that is really in there.”

David Spark

If you only look at it as a CRM maybe it is.

Mike Johnson

Exactly, but even at the end of the day, if you really look at it as a CRM you have contact information, you have contract information. You know, a sales pipeline. If you add it all together you can look at your revenue for your company if you are looking at Salesforce. Super critical data in there.

David Spark

Ed, I have got to assume that this is a common thing where people might come to you because you have a Salesforce security solution. And it is this attitude of their hands out, their pockets open, and they are like, what the hell just happened?

Ed Ponte

Yes, for sure. Both questions are spot on. I mean, if we think about our modern world and especially last year with Covid. Digitization of sales and servicing experiences was already well underway and now it has even accelerated. CRM continues to play a bigger role in delivering those customer experiences through digital channels, across bricks and mortar and digital channels. It is ensuring that you have a consistent, smooth experience. To Mike’s point, the data you get accumulating in these CRM systems can range. From internal financial controls with SaaS compliance, to CCPA, New York State 500, GDPR, privacy type information, to sensitive PII. There is just a wide range. And not only do we have a product to help, but we also do security risk assessments, so we see a lot. “Are they capable and prepared to do so?” Most of the people we meet are capable but they are not prepared. And it is also what Mike said.

David Spark

You glossed over “we see a lot”. What is it you see a lot? What is it you see?

Ed Ponte

We encounter people that are just getting around to Mike’s point of thinking about, “gosh, I have this Salesforce application. It is playing a bigger role in my sales and service journeys. I wonder if there is some risk in there.” So they will engage us just to find out, where are we? What mountain do we have to climb to work down the security debt in this thing? We find exactly what these two comments illustrate here. We see capable Salesforce personnel that are 110, 120% utilized building and supporting platform capability, business capabilities. And a security team that knows how to spell Salesforce, but getting in and actually looking at the controls and making sense of them, just not possible. So do you have capable people prepared to do so? Probably not. But again, there is a large amount of sensitive data being collected, and we start our security risk assessments by identifying and classifying that information, because that is the what to protect. You have to answer that question before you are answering how well it is protected, and what controls can I use?

Why is everyone so confused?

00:08:32:03

David Spark

I love this quote from Branden Newman, who has been a guest on our shows before, CISO of MGM Resorts. He said “It is difficult to even talk about “Salesforce security” as a single topic. In my experience, the setup that was cobbled together from all of the acquisitions does not even allow you to consistently apply Salesforce’s own security controls, that they usually charge for, uniformly across the environment if you operate in multiple of their “clouds.”” Mike, I am going to throw this to you. Have you seen this behavior Branden is speaking of?

Mike Johnson

I am really glad you pulled this quote out, because it really gave me this moment of, I had not even thought about it that way. I am so used to core Sales Cloud. That is the CRM solution. That is what everyone associates with Salesforce. But there are so many other applications. You have got Marketing Cloud, which was an acquisition. You have Commerce Cloud, which was an acquisition. There is the analytics cloud, the integration cloud, and now even Slack is a part of Salesforce. All of these have different security capabilities and even the core concepts of what do you secure? They are all different. I really like what Branden is saying here, that having this holistic view of Salesforce security as a thing, it is probably not the right framing. You really do need to think about the individual clouds, almost as individual companies, because that is how Salesforce operates them. If you think about them as individual companies, as individual platforms, and secure each of those independently, you have a chance, but it is a pain. There is overhead associated with that. There is a lot of manual work. Ultimately that is the only way that you can survive, is to look at them independently. I like that he pointed that out, because it is a good reminder that a lot of us think about CRM but it is so much more than that.

David Spark

Ed, have you seen this behavior that Branden is talking about?

Ed Ponte

Yes, absolutely, but like Mike, I always go to Sales Cloud, Service Cloud. I think they are classic and legacy. Our platform runs on that, so that is what we do our security risk assessments on. But all valid points, all of those applications are going to have different sets of data in them, including MuleSoft. It is a whole different effort to tackle those as well under that Salesforce security umbrella.

How do we handle this?

00:11:09:22

David Spark

Vaporhax on Reddit said, and I should mention he did not know that we were going to do a show with our sponsor. They said “RevCult gives us security configuration information. We have a highly customized instance of Salesforce. This gives us good insight to the risk associated with the configuration and allows us to apply data governance to Salesforce.” Pretty much calling your application out. Let me also add what Adam Besecker of Chime said. “It can get very confusing on how to properly provision profiles with proper permissions while keeping them locked down.” Did Vaporhax describe what your product does appropriately, Ed?

Ed Ponte

Yes, absolutely, thank you, thank you Vaporhax, it is good to have fans. We put a lot of thought into that product, and it is productizing the main expertise we have in the security risk assessments. But I totally agree with Adam’s point on the profiles and permissions, that those are specifically places where our product actually puts the classification alongside your object. So if you are looking at your field level security settings, you want to make heads or tails of why these users have access, it will show you the profiles and permission sets. The good news there is that Salesforce has very robust controls. The bad news is they are very difficult to make heads or tails of, as kind of alluded to here.

David Spark

Can you give me what you mean by “it is difficult to make heads or tails of; once they are configured it is hard to see who has got what”? What is happening?

Ed Ponte

It is the number of clicks you have to dig and drill down to find out and reveal information about, well, how am I getting the access? How am I getting the permissions to this field, as an example? Or what users have weekly data export? I do not know, that is a spelunking exercise.

David Spark

Essentially it is there if you want to spend your time digging. And who wants to spend time digging, Mike?

Mike Johnson

Yes, and I am going to say two acronyms that anyone who has ever worked on Salesforce security is going to hear and probably have flashbacks, so I apologize. And that is FLS and CRUD. Field Level Security and then Create, Update and Delete. You can get so granular on this and have controls overriding other controls, overriding other controls, overlaying profile permissions on top of that. It is a model of security, of permissions, that grew organically over time. You can really see it when you start getting under the covers and just realize that you do not have a clue. It is almost impossible to use the built-in capabilities, built into the platform, Sales Cloud, into the CRM suite, to understand who has access to what. Oftentimes it is a surprise, and sometimes it is a really negative surprise, when you have exposed something to the public that you had no idea that you were doing. And that is because of this complexity that Adam is talking about.

David Spark

And that seems like a really easy mistake to make, Ed?

Ed Ponte

Absolutely, see it every single day.

David Spark

We keep talking about this and we have talked about this before. It is not because of malicious nature, I think it is twofold. Complexity and just simply not knowing.

Whose issue is this?

00:14:44:15

David Spark

Kyle Tobener of Copado said, “one of my main concerns was always the downstream third party applications that connect to Salesforce.” Kyle called out, “lack of granularity in OAuth scoping. Essentially all user data or no user data.” He also mentions “admins authorizing third parties through OAuth to have administrative permissions to their environment without understanding the impact.” Mike, Kyle knows this application and gets into the weeds. What is he uncovering here?

Mike Johnson

It is an interesting perspective, and again, Kyle is one of those people who knows Salesforce like few do. Especially from a security perspective. I think it is great that he is surfacing that concern around third party connections. It is not something that is immediately obvious. I think a lot of the prior discussions that we have had have been around permissions, and who has access to what? When you are bringing third parties into the situation, it makes it all the more difficult. What he is really getting at here is yet another layer of authorization on top of the already complex permissions model that Salesforce has. That lack of granularity on scoping, it kind of leaves you with two bad decisions: no data, and therefore no usage of the application. You just do not give them the access and then they cannot use the application. Or they get access to everything. It is really difficult to track all of this. It is really difficult to understand who has access to what, and at the end of the day only Salesforce can fix it from a preventative perspective, but there is a possibility of monitoring. Of at least being aware and surfacing what that access is. So it is a combination of Salesforce really needs to fix this, frankly, but there is also some opportunity for visibility into the situation, understanding what that exposure is.

David Spark

Alright Ed, I throw this now to you. How much visibility can I get into something like this from RevCult?

Ed Ponte

This is not something that RevCult is focused on in the application, but it is certainly something we surface. I had a large delivery this morning where we talked about exactly this issue. You have got the OAuth scoping for these applications. You have 100% of your users API authorized, which enables these things to connect, to Mike’s point, depending on how you are using the platform to support your business. You might not be able to do much about it. And it really leaves you with real-time event monitoring, and the good news there is that you can see the investment occurring in real-time event monitoring. You marry that up with some good classification, you really know where to focus your efforts to start looking for activities that are happening against your objects that contain sensitive information. But it is work, to Mike’s point, that is not a simple endeavor. But sometimes that is your only top in saving control for exactly that situation that Kyle calls out.

David Spark

We come now to the end of our show, where I ask the two of you what was your favorite quote and why? I will start with you Mike, what is your favorite quote and why?

Mike Johnson

I really like Branden Newman’s quote talking about Salesforce security as a single topic. This was the one that really kind of struck me, as I did not even think about it. A lot of these others I was aware of. I was aware of them, really thinking as I was looking through the thread, those are our problems. I understand those, but Branden’s quote and comment really gave me pause to say, wow, it really is a lot bigger than I was thinking about. So I am really glad to see that contribution. I really appreciate Branden adding that to the thread.

David Spark

Let me just add to that, we did an episode, I think it was two years ago, on ERP security. This sort of has a lot of remnants of that, in that you can do a lot of the foundational basics of security, which we talk about on both of our shows for that matter. But for something so intrinsic to a closed environment, when you have an ERP solution or a CRM solution like Salesforce, which ends up behaving I think in some ways like an ERP and is doing so darn much, even the basic foundations will not be enough. Do you agree with that statement or not, Mike?

Mike Johnson

There are foundations, but what you build on top of those foundations is all the more important. Your foundations can be, here are the policies about who is going to have access to what, as a conceptual thing. But then the application of that, the translation of policy into configuration, that is where you have to have that core competency in the platform. And it is going to be very different how you apply that to Salesforce, CRM, or to an ERP platform. Both of those are going to be very different. You could have the same basic foundational concepts, but the application is going to vary so wildly.

David Spark

What say you to that, Ed? Because it seems that just intrinsically knowing and understanding the application does require a sort of another level of security understanding.

Ed Ponte

Absolutely.

David Spark

Well let me go to you, your favorite quote and why?

Ed Ponte

I like Sean’s quote, who is managing the Salesforce security controls and are they capable, prepared? Again, almost always I see capable people, I do not necessarily see prepared people. If anything, the Salesforce team is more prepared and capable, but they do not always know all those security policies, and the infosec team, I think they are just really busy and they do not know enough about Salesforce, they just do not.

David Spark

That is a good point. You can know the foundations but not know the foundations within some specialized environment that you do not have experience in. And that is essentially what it falls down to. Then if you do not have that, you have got a big, giant hole in your security program. Which, by the way, to those listening, there is a lot of head nodding going on right now. I want to thank RevCult for sponsoring this episode of the podcast. Thank you very much, this is a great discussion. Ed, I want you to have the very last word and I want you to make a pitch for RevCult. Any offer you want to give to our audience, please mention it as well. Mike, any last words from you?

Mike Johnson

Ed, thank you for joining us. It was great to have the conversation about Salesforce security with someone who really gets it. This is your business, you understand it. It was great to have that conversation in general. What I liked specifically, and you just reiterated it just now, is your concept of capable but not prepared when talking about security of the platform. You have got these experts in Salesforce, who are very capable, but they are not prepared to take on the security weight that really is expected of them. I like that specific capable but not prepared, it is a great way of thinking about it. So thank you for joining us and thank you for sharing your insights.

Ed Ponte

Yes, thank you Mike and David. We have a lot of experience in Salesforce security. We have different workshops, implementation services and a really great product offering. If you would like to hear more about us, please do go to RevCult.com and check us out.

David Spark

Awesome, and is there a way to get in contact with you specifically, Ed?

Ed Ponte

LinkedIn is a great way.

David Spark

Ed Ponte, his last name is spelt P-O-N-T-E. The link to his LinkedIn profile is on the blog post for this very episode. I want to thank you, Ed. I want to thank you, Mike. I want to thank RevCult. I want to thank our entire audience as well for all your contributions, and for listening to Defense In Depth.

Voiceover

We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site: CISOSeries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@Cisoseries.com. Thank you for listening to Defense in Depth.