Salesforce Misconfiguration Causes Sensitive Data Leaks

Brian Krebs recently reported that an alarming number of organizations—including banks and healthcare providers—are leaking sensitive information due to a misconfiguration in Salesforce Communities.
Rob Sobers
1 min read
Last updated June 27, 2023

The misconfiguration, which Varonis Threat Labs documented extensively in October 2021, gives unauthenticated guest users access to records containing social security numbers and bank account info.

What actions should you take?

Follow our step-by-step guide that gives Salesforce admins detailed steps to:

  • Ensure your guest profile permissions don’t expose records you don’t intend to be public (account records, employee calendars, etc.)
  • Disable API access for your guest profile
  • Set the default owner for records created by guest users
  • Enable secure guest user access
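The first two steps of that checklist can be turned into a repeatable audit rather than a one-off click-through. The script below is an added example, not Varonis’s tool or Salesforce’s own code: it takes rows shaped like the results of SOQL queries against the Profile, PermissionSet and ObjectPermissions objects (the field names used are assumed from those objects; the sample rows and the list of sensitive objects are constructed for illustration) and flags guest profiles that hold object permissions on sensitive objects, View All / Modify All access, or the API Enabled permission. Steps 3 and 4 (default record owner and secure guest user access) are org-level settings and are not covered here.

```python
"""Audit guest-profile permissions exported from Salesforce.

Added example (not Varonis's or Salesforce's code). Runs offline on constructed
sample rows; in a real org the three inputs would come from queries such as:

  SELECT Id, Name, UserType FROM Profile WHERE UserType = 'Guest'
  SELECT Id, ProfileId, IsOwnedByProfile, PermissionsApiEnabled
    FROM PermissionSet WHERE IsOwnedByProfile = true
  SELECT ParentId, SobjectType, PermissionsRead, PermissionsCreate,
         PermissionsEdit, PermissionsDelete, PermissionsViewAllRecords,
         PermissionsModifyAllRecords FROM ObjectPermissions

Field names are assumed from the documented objects; verify against your org.
"""
from dataclasses import dataclass

# Constructed starting list of objects that usually hold personal or financial
# data. Tune it to your own schema (custom objects included).
SENSITIVE_OBJECTS = {"Account", "Contact", "Lead", "Case", "Event", "User"}
CRUD_FLAGS = ("PermissionsRead", "PermissionsCreate",
              "PermissionsEdit", "PermissionsDelete")
BROAD_FLAGS = ("PermissionsViewAllRecords", "PermissionsModifyAllRecords")


@dataclass(frozen=True)
class Finding:
    profile: str   # guest profile name
    check: str     # api_enabled | object_access | broad_access
    detail: str    # human-readable description


def audit_guest_profiles(profiles, permission_sets, object_permissions):
    """Return Findings for every risky permission held by a guest profile."""
    guest_profiles = {p["Id"]: p["Name"]
                      for p in profiles if p.get("UserType") == "Guest"}
    # Object permissions hang off the profile-owned PermissionSet, not the
    # Profile record itself, so map those permission-set ids back to profiles.
    ps_to_profile = {
        ps["Id"]: guest_profiles[ps["ProfileId"]]
        for ps in permission_sets
        if ps.get("IsOwnedByProfile") and ps.get("ProfileId") in guest_profiles
    }
    findings = []
    # Step 2 of the checklist: guest profiles should not have API access.
    for ps in permission_sets:
        name = ps_to_profile.get(ps["Id"])
        if name and ps.get("PermissionsApiEnabled"):
            findings.append(Finding(name, "api_enabled",
                                    "guest profile has the API Enabled permission"))
    # Step 1 of the checklist: no CRUD on sensitive objects, no View/Modify All.
    for op in object_permissions:
        name = ps_to_profile.get(op.get("ParentId"))
        if not name:
            continue  # not a guest profile; ignore
        obj = op["SobjectType"]
        granted = [f.removeprefix("Permissions") for f in CRUD_FLAGS if op.get(f)]
        if obj in SENSITIVE_OBJECTS and granted:
            findings.append(Finding(name, "object_access",
                                    f"{obj}: {', '.join(granted)}"))
        broad = [f.removeprefix("Permissions") for f in BROAD_FLAGS if op.get(f)]
        if broad:
            findings.append(Finding(name, "broad_access",
                                    f"{obj}: {', '.join(broad)}"))
    return findings


def sample_data():
    """Constructed rows: one over-permissioned guest profile, one clean one,
    and an admin profile that the audit must ignore."""
    profiles = [
        {"Id": "00e-GUEST-A", "Name": "Customer Community Guest", "UserType": "Guest"},
        {"Id": "00e-GUEST-B", "Name": "Help Center Guest", "UserType": "Guest"},
        {"Id": "00e-ADMIN", "Name": "System Administrator", "UserType": "Standard"},
    ]
    permission_sets = [
        {"Id": "0PS-A", "ProfileId": "00e-GUEST-A", "IsOwnedByProfile": True,
         "PermissionsApiEnabled": True},
        {"Id": "0PS-B", "ProfileId": "00e-GUEST-B", "IsOwnedByProfile": True,
         "PermissionsApiEnabled": False},
        {"Id": "0PS-ADMIN", "ProfileId": "00e-ADMIN", "IsOwnedByProfile": True,
         "PermissionsApiEnabled": True},
    ]
    object_permissions = [
        {"ParentId": "0PS-A", "SobjectType": "Account",
         "PermissionsRead": True, "PermissionsViewAllRecords": True},
        {"ParentId": "0PS-B", "SobjectType": "Help_Article__c",   # constructed custom object
         "PermissionsRead": True},
        {"ParentId": "0PS-ADMIN", "SobjectType": "Account",
         "PermissionsRead": True, "PermissionsModifyAllRecords": True},
    ]
    return profiles, permission_sets, object_permissions


if __name__ == "__main__":
    for f in audit_guest_profiles(*sample_data()):
        print(f"[{f.check}] {f.profile}: {f.detail}")
```

On the sample data only the "Customer Community Guest" profile is reported (API Enabled, Read on Account, and View All Records on Account); the help-center guest profile, which only reads a custom knowledge object, produces no findings. Run it on a periodic export and alert on any new finding, since a single profile edit is enough to reintroduce the exposure.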

If you want hands-on help, ask our team to perform an automated (and free) audit of your Salesforce instances to uncover this issue and many others.

How did this happen?

The issue is not due to a vulnerability in Salesforce’s app, but a configuration within each customer’s control.

Salesforce, like many other cloud service providers (CSPs), operates under the shared responsibility model. While the CSP is responsible for securing the underlying infrastructure and code, each customer is responsible for configuring their applications and data to ensure they are secure, monitoring user access, and maintaining compliance with regulations.

Misconfigurations providing pathways to critical data are not unique to Salesforce. Gartner notes that "through 2025, more than 99% of cloud breaches will have a root cause of preventable misconfigurations or mistakes by end users."

This isn’t the first time a SaaS configuration has created a potential security incident, and it won’t be the last. In the Great SaaS Data Exposure, our research team uncovered the massive complexity of SaaS permissions and configurations.

Ensuring SaaS security posture

It’s imperative that security teams assess SaaS exposure continuously with automation. Varonis can help secure your critical SaaS apps like Salesforce, Microsoft 365, Google, GitHub, and countless others:

  • Discover and classify sensitive data
  • Detect and respond to abnormal behavior
  • Auto-remediate excessive permissions and sharing links
  • Find and fix critical misconfigurations
  • Mitigate third-party app and supply chain risk

Varonis also makes it easy for Salesforce admins to analyze and compare permissions, so they can quickly identify unnecessary and risky access.

We can even automatically identify and remove unassigned Profiles and Permission Sets, getting you to a least privilege model without interrupting users.

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
