Salesforce houses massive amounts of customer data, and protecting that data is at the core of business best practices. With personally identifiable information (PII), personal credit information (PCI), customer lists, and more stored in Salesforce, it’s never been more important to secure and classify your sensitive data.
Salesforce Ben Founder Ben McCarthy and Varonis Senior VP of Strategic Programs David Gibson held a session all about protecting your Salesforce environment. They shared best practices for managing sensitive data across multiple Salesforce Orgs, how to set up data classification using native Salesforce functionality, and how Varonis can help you find sensitive data and identify who can access it — all with just a few clicks.
The type of data found in Salesforce may not be what you’d expect. When navigating your Salesforce Org, there are certain types of sensitive data you anticipate seeing: personally identifiable information, personal credit information, customer lists, pricing information, and so on.
However, you may be surprised to find a lot more under the hood. “Whenever you’ve got end users involved, you kind of have to buckle your seatbelt because sensitive data is going to be in the obvious places, but it’s also going to be in the places you might not expect,” David said.
The most common way this information winds up in Salesforce is through integrations, Ben said.
“If you have the functionality where someone can send an attachment, that will also get attached to the case record,” Ben said. “They can be sending you absolutely anything, and it will get stored in your Salesforce.”
This could include sensitive information like health records, contract attachments, legal documentation, or even API keys.
“If you’re using Salesforce properly, it’s going to be at the center of your business,” he said. “Information from different systems are naturally going to end up in Salesforce.”
Protecting and locating data
Before you can protect sensitive data, you first have to locate it. In late 2020, Salesforce implemented a data classification feature that allows you to configure sensitivity levels, customize compliance categories, and create reports, building a picture of what information is being stored and whether or not it’s sensitive.
This process can be labor-intensive and time-consuming, though. “It is a bit of work,” Ben said, “but unfortunately, it’s necessary.”
“With the amount of fields and the amount of data that’s not in fields in Salesforce, it’s a logical conclusion that you’ll need to automate at some point,” David said. But when attempting to automate classification, you’ll want to avoid the traditional viewpoint that Salesforce only houses structured data.
“A lot of folks think of Salesforce as a structured data store, and it certainly is — it’s got tables, it’s got columns, it’s got rows — and from a classification perspective, structured data is an easier beast to tame,” he said.
However, David pointed out that over the years, Salesforce has evolved. While it is still highly structured, the CRM tool has also become highly collaborative, which can make identifying PII a little more complicated.
“An individual phone number might not count by itself as PII for some of these regulations, but if you join that with more information like an address or name, then all of a sudden, it does qualify,” he said. And if you are looking to automate classification in Salesforce, and you’re going into it with a structured mindset, field by field, you might miss sensitive data located where it shouldn’t be.
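The point above, that a field-by-field scan misses PII assembled across fields and free text, is easy to see in code. The following is an added example written for this post, not code from Salesforce, Varonis or the webinar; the records, the regular-expression detectors and the classification thresholds (two indicator kinds from different groups count as PII, one counts as a fragment, any credential-looking token counts as a secret) are all constructed assumptions. It classifies the same constructed records twice, once from structured fields only and once including the description and attachment text, so the difference is visible.

```python
import re

# Pattern detectors: constructed heuristics tuned for the sample data below, not a product's rules.
PHONE_RE = re.compile(r"\b(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
ADDRESS_RE = re.compile(r"\b\d{1,5}\s+[A-Za-z .]+?\s(?:St|Street|Ave|Avenue|Rd|Road|Blvd|Ln|Lane)\b")
API_KEY_RE = re.compile(r"(?i)\b(?:api[_ -]?key|secret|token)\b\s*[:=]\s*[A-Za-z0-9_\-]{20,}")

DIRECT = {"name", "email"}     # identifies a person on its own
QUASI = {"phone", "address"}   # becomes PII once joined with a direct identifier (assumed policy)
TEXT_FIELDS = ("Description", "Attachments")

def scan_text(text):
    """Indicator kinds found by pattern in unstructured text."""
    found = set()
    for kind, pattern in (("phone", PHONE_RE), ("email", EMAIL_RE),
                          ("address", ADDRESS_RE), ("api_key", API_KEY_RE)):
        if pattern.search(text):
            found.add(kind)
    return found

def indicators(record, include_text):
    """Collect indicator kinds from structured fields and, optionally, from free text."""
    found = set()
    for name, value in record.items():
        if name in TEXT_FIELDS or not value:
            continue
        # Structured fields carry their meaning in the field name.
        if name in ("FirstName", "LastName"):
            found.add("name")
        elif name == "Email":
            found.add("email")
        elif name == "Phone":
            found.add("phone")
        elif name.startswith("Mailing"):
            found.add("address")
    if include_text:
        # Unstructured content (case descriptions, attachments from integrations) must be inspected by pattern.
        texts = [record.get("Description", "")] + list(record.get("Attachments", []))
        for text in texts:
            found |= scan_text(text)
    return found

def label(found):
    """Turn indicator kinds into classification labels (assumed thresholds)."""
    labels = set()
    if "api_key" in found:
        labels.add("Secret")
    direct, quasi = found & DIRECT, found & QUASI
    if direct and quasi:
        labels.add("PII")            # identifier joined with contact detail
    elif direct or quasi:
        labels.add("PII-fragment")   # e.g. a phone number with nothing to tie it to
    return labels

def classify_fields_only(record):
    """The 'structured mindset': field names only."""
    return label(indicators(record, include_text=False))

def classify_record(record):
    """Whole-record classification: fields plus free text and attachments."""
    return label(indicators(record, include_text=True))

# Constructed sample records shaped like Salesforce Contact/Case rows.
SAMPLE_RECORDS = [
    {"Id": "CONSTRUCTED-001", "FirstName": "Ada", "LastName": "Example", "Phone": "415-555-0100",
     "MailingStreet": "", "Description": "", "Attachments": []},
    {"Id": "CONSTRUCTED-002", "FirstName": "", "LastName": "Example", "Phone": "",
     "Description": "Customer asked to be called at 415-555-0134 or written to at 42 Harbor Street.",
     "Attachments": []},
    {"Id": "CONSTRUCTED-003", "FirstName": "", "LastName": "", "Phone": "",
     "Description": "Integration failure, see attached log.",
     "Attachments": ["2024-01-01 connector start\napi_key = sk_CONSTRUCTED_0123456789abcdef\n"]},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["Id"], "fields-only:", classify_fields_only(rec), "whole-record:", classify_record(rec))
```

The second record is the one the quote warns about: no structured phone or address, so a field-level pass sees only a surname, while the whole-record pass joins the name with the phone and address sitting in the description. The third record shows the API-key case from earlier in the post, which a field-level pass cannot see at all.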
Reduce your blast radius.
Once you have determined what information is stored in Salesforce and whether that information is indeed sensitive, you can take the necessary steps to remediate the risk.
If you find overexposed data, David said, you have a few options:
- Lock the data down. Fix the org-wide defaults and broad sharing rules such as “read all,” “modify all,” and “export reports.”
- Block access to the data. Encrypt, obfuscate, or tokenize the information.
- Move the data. Limit export rights on these types of records.
Once you can visualize your blast radius (where sensitive data lives, where it is exposed, and who is using it), you can start to reduce that blast radius and manage it going forward.
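To make the blast-radius idea and the "lock the data down" option concrete, here is an added example that models effective access and is not code from Salesforce, Varonis or the webinar. It is a deliberate simplification: a user's access is the union of a profile and any permission sets (Salesforce permissions are additive), the broad permissions are represented by constructed boolean flags named after the "read all", "modify all" and "export reports" permissions the post mentions, and record reach is approximated by the org-wide default alone, ignoring ownership, roles and sharing rules. The users, permission sets and org-wide defaults are constructed sample data.

```python
from dataclasses import dataclass

BROAD = ("view_all_data", "modify_all_data", "export_reports")
OPEN_OWD = {"Public Read Only": "read", "Public Read/Write": "modify"}  # assumed OWD labels

@dataclass(frozen=True)
class Grant:
    """One profile or permission set (constructed representation)."""
    name: str
    view_all_data: bool = False
    modify_all_data: bool = False
    export_reports: bool = False
    object_read: frozenset = frozenset()   # objects readable via object permissions
    object_edit: frozenset = frozenset()   # objects editable via object permissions

@dataclass
class User:
    name: str
    profile: Grant
    permission_sets: tuple = ()

def effective(user):
    """Effective access is the union of the profile and every assigned permission set."""
    grants = (user.profile, *user.permission_sets)
    return Grant(
        name="effective",
        view_all_data=any(g.view_all_data for g in grants),
        modify_all_data=any(g.modify_all_data for g in grants),
        export_reports=any(g.export_reports for g in grants),
        object_read=frozenset().union(*(g.object_read for g in grants)),
        object_edit=frozenset().union(*(g.object_edit for g in grants)),
    )

def can_read(eff, obj, owd):
    if eff.modify_all_data or eff.view_all_data:
        return True   # broad permissions bypass both object permissions and sharing
    return obj in eff.object_read and owd in OPEN_OWD

def can_modify(eff, obj, owd):
    if eff.modify_all_data:
        return True
    return obj in eff.object_edit and OPEN_OWD.get(owd) == "modify"

def blast_radius(users, owd_by_object, sensitive_objects):
    """For each sensitive object: which users can read, modify or export its records."""
    result = {}
    for obj in sensitive_objects:
        owd = owd_by_object.get(obj, "Private")
        reach = {"read": set(), "modify": set(), "export": set()}
        for u in users:
            eff = effective(u)
            if can_read(eff, obj, owd):
                reach["read"].add(u.name)
                if eff.export_reports:
                    reach["export"].add(u.name)   # export only matters where the user can read
            if can_modify(eff, obj, owd):
                reach["modify"].add(u.name)
        result[obj] = reach
    return result

def broad_grants(users):
    """Trace each broad permission back to the profile or permission set that grants it."""
    findings = {}
    for u in users:
        sources = [(g.name, perm) for g in (u.profile, *u.permission_sets)
                   for perm in BROAD if getattr(g, perm)]
        if sources:
            findings[u.name] = sources
    return findings

def without_permission_set(users, ps_name):
    """Model the 'lock it down' remediation: drop one permission set from every user."""
    return [User(u.name, u.profile, tuple(g for g in u.permission_sets if g.name != ps_name))
            for u in users]

# Constructed sample org.
SAMPLE_USERS = [
    User("alice", Grant("Support Agent", object_read=frozenset({"Contact", "Case"}))),
    User("bob", Grant("Sales User", object_read=frozenset({"Account"})),
         permission_sets=(Grant("Sales_Export", export_reports=True),
                          Grant("Legacy_Admin", view_all_data=True))),
    User("carol", Grant("System Administrator", modify_all_data=True)),
    User("dave", Grant("Sales User", object_read=frozenset({"Account"}))),
]
SAMPLE_OWD = {"Account": "Public Read Only", "Contact": "Private",
              "Health_Record__c": "Public Read/Write"}   # constructed; the custom object was left open
SENSITIVE = ("Contact", "Health_Record__c")

if __name__ == "__main__":
    for obj, reach in blast_radius(SAMPLE_USERS, SAMPLE_OWD, SENSITIVE).items():
        print(obj, {k: sorted(v) for k, v in reach.items()})
    print("broad grants:", broad_grants(SAMPLE_USERS))
    print("after removing Legacy_Admin:",
          blast_radius(without_permission_set(SAMPLE_USERS, "Legacy_Admin"), SAMPLE_OWD, SENSITIVE))
```

Running it shows the pattern the post describes: bob reaches every sensitive object not through his profile but through a leftover permission set, and removing that one set shrinks the read and export radius for both objects without touching anyone's day-to-day object permissions. Real orgs add ownership, role hierarchy and sharing rules on top of this model, which is exactly why computing effective access by hand is impractical.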
Protect your sensitive Salesforce data with Varonis.
With complex roles, permission sets, and org-wide configurations, it’s virtually impossible to see which users can do the most damage in Salesforce. Varonis gives you a complete view of effective access for every Salesforce user so that you can easily right-size permissions and get to a least-privilege model, ensuring compliance by only allowing the necessary people access to sensitive data.
Watch the full discussion to learn all the ways you can protect sensitive data in Salesforce. While you’re there, sign up to be notified of upcoming webcasts.
Megan is the content editor for Varonis and an avid fan of all things AP style. When Megan's not debating whether "cybersecurity" should be one word or two, she loves to travel with her husband and dote unhealthily on their pitbull, Bear.