Privileged users of Salesforce, Office 365, and other mission-critical cloud applications are necessary to every organization. These are members of your organization who have more advanced permission sets than the average user. They might include Salesforce admins, sales reps, developers, HR staff, management, even senior or executive leadership. Some organizations enable advanced permissions for all users; others adopt a more intentional approach, granting only the permissions that are necessary for that user’s specific job roles and responsibilities.
The fact is that privileged users hold the keys to your kingdom. They have access to an array of company data, security controls, workflows, and resources. These advanced users can make nearly unlimited changes to your cloud environments, placing your organization at tremendous risk. And they can even cover up their own tracks in the process.
It’s not just the handful of internal bad actors you have to worry about with privileged users, though. Because they have access to so much valuable information, they’re the perfect target for external hackers, including social engineering attacks.
While Salesforce has provided data protection tools like authentication, access control, and user management, security and privacy-minded professionals often lack visibility into the most basic of user activities in their cloud environments. Audit logs can be manual, time-consuming, and expensive to obtain, and many cloud security solutions lack proactive monitoring. That means any issues arising from privileged user misuse can only be dealt with reactively, after the damage has already been done.
Restricting privileges — also known as the “principle of least privilege” — may be a smart solution in certain instances. But before you can even begin dealing with permission and privilege assignment (or reassignment) you need to understand who or what a privileged user might be.
Who is a Privileged User?
Salesforce admins are the ones people most often think of when they hear “privileged users.” Admins’ jobs, by necessity, require access to a wide variety of permission sets. Admins do everything from building reports and resetting passwords to ensuring data integrity, adding users, and running backups. They also champion efficiency and productivity in an organization. Many companies have at least one Salesforce admin; some have several. Their titles may range from the straightforward “Salesforce Administrator” to the more general “CRM Technical Lead,” or even catch-alls like “Sales Manager” or “Business Systems Analyst.”
But admins aren’t the only privileged users in an organization. A privileged user can be:
- A sales person who needs access to customer accounts and the ability to export reports or mass update records.
- A developer or IT professional who accesses internal and external cases, with visibility into vulnerabilities at your organization or customers’ businesses.
- Human resources professionals who can see sensitive personal information.
- Senior leadership or executives who may have privileges because of their position but may not understand the implications of their actions in Salesforce.
Privileged Users Aren’t Always Humans
At the heart of a privileged user is anybody with higher levels of permissions than a standard user — which could just as easily be an application as a human. Salesforce generates half of its revenue from APIs, making them a significant portion of Salesforce users. That means your data may be accessed, and possibly extracted, not by a person but by another application. This makes it important to monitor for all access, including unauthorized APIs.
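The monitoring this paragraph calls for, as an added example that is not code from the original post: a Python check that runs over constructed Salesforce-style login history rows and flags API access by privileged users that either failed or did not come through an approved connected app. Field names follow Salesforce's LoginHistory object; the user IDs, application names, allowlist, and the rule for what counts as API access are assumptions.

```python
"""Flag API-type logins by privileged Salesforce users (added example).

Row keys are modeled on the LoginHistory object (UserId, LoginType, ApiType,
Application, Status, SourceIp). Sample rows, IDs, app names and the allowlist
are constructed; the API-access rule below is an assumption to adapt per org.
"""
from dataclasses import dataclass

# Assumption: a row is API access if the client declared an API type other
# than "N/A", or the session was opened through an OAuth connected app.
OAUTH_LOGIN_TYPES = {"Remote Access 2.0", "Remote Access Client"}


@dataclass(frozen=True)
class Finding:
    user_id: str
    application: str
    source_ip: str
    reason: str


def is_api_access(row):
    return row["ApiType"] != "N/A" or row["LoginType"] in OAUTH_LOGIN_TYPES


def audit_privileged_logins(rows, privileged_users, approved_apps):
    """Return one Finding per suspicious API login by a privileged user."""
    findings = []
    for row in rows:
        if row["UserId"] not in privileged_users or not is_api_access(row):
            continue  # standard users and interactive UI logins are out of scope
        if row["Status"] != "Success":
            reason = "failed API login by privileged user"
        elif row["Application"] not in approved_apps:
            reason = "API access by privileged user via unapproved application"
        else:
            continue  # approved app, successful login: expected behaviour
        findings.append(Finding(row["UserId"], row["Application"], row["SourceIp"], reason))
    return findings


# Constructed sample data: ADMIN holds elevated permissions, REP does not.
ADMIN, REP = "005XX0000001AAA", "005XX0000002BBB"
PRIVILEGED_USERS = {ADMIN}
APPROVED_APPS = {"Data Loader Partner"}
SAMPLE_ROWS = [
    {"UserId": ADMIN, "LoginType": "Application", "ApiType": "Partner", "Application": "Data Loader Partner", "Status": "Success", "SourceIp": "203.0.113.10"},
    {"UserId": ADMIN, "LoginType": "Remote Access 2.0", "ApiType": "N/A", "Application": "Unlisted Connected App", "Status": "Success", "SourceIp": "198.51.100.7"},
    {"UserId": ADMIN, "LoginType": "Application", "ApiType": "N/A", "Application": "Browser", "Status": "Success", "SourceIp": "203.0.113.10"},
    {"UserId": REP, "LoginType": "Remote Access 2.0", "ApiType": "N/A", "Application": "Unlisted Connected App", "Status": "Success", "SourceIp": "198.51.100.7"},
    {"UserId": ADMIN, "LoginType": "Application", "ApiType": "Partner", "Application": "Data Loader Partner", "Status": "Invalid Password", "SourceIp": "192.0.2.44"},
]

if __name__ == "__main__":
    for finding in audit_privileged_logins(SAMPLE_ROWS, PRIVILEGED_USERS, APPROVED_APPS):
        print(finding)
```

Feeding the function the rows returned by a LoginHistory query, with the allowlist maintained alongside your connected-app approvals, turns the reactive audit-log review described above into a repeatable check.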
Trusting Your Privileged Users
Privileged users can pose risk to an organization: their wide range of permissions allows them to do everything from exporting data and reading sensitive information to changing permissions, logging in as other users, and changing password requirements. They can be excellent targets for cyber criminals.
Privileged users are also a necessity. Few businesses will find value in completely restricting access to the actions that allow a Salesforce user to do their job. Internal policies and procedures, coupled with a cloud security platform that offers unprecedented visibility in a simplified interface, can help privacy and security officials rest easy knowing that privileged users are being monitored. And they can more nimbly act on the insights delivered by such solutions.