Salesforce has emerged as a mission-critical application for major enterprises. In fact, a single Salesforce customer instance can store vast amounts of regulated, confidential, and proprietary information accessible by hundreds or even thousands of users. This makes user activity monitoring in Salesforce a necessity. But for many years, Salesforce data security solutions lacked support for rapid forensic investigations of users, continuous user monitoring, and alerts. This was because Salesforce audit trails were manual, time-consuming, and expensive to obtain.
In 2015, Salesforce released Shield, a suite of platform tools that includes Event Monitoring. This gave users access to audit logs and introduced the ability to put in place user activity monitoring and more robust data protection strategies for a Salesforce instance. But is Shield enough for a proactive user activity monitoring program?
Here are five lessons learned from user activity monitoring in Salesforce, and what to keep in mind when creating a comprehensive data protection program for Salesforce and other mission-critical cloud applications.
5 Lessons Learned From User Activity Monitoring in Salesforce
1. Non-filtered alerts can be overwhelming
User activity monitoring and alerts provide some peace of mind, as well as visibility into potentially suspicious user behaviors. The most obvious scenario is monitoring for the export of a customer report (and exports in general). However, it should be noted that monitoring and alerting on exports of reports is insufficient for most enterprises. In fact, unless an organization enables more details regarding an export and fine-tuned filtering, export alerts will just add noise. Target monitoring carefully and fine-tune alerts so they are meaningful enough to require investigation when they do occur.
2. Reports and filters should work with standard and custom fields/objects
Every Salesforce instance holds standard fields and objects such as Accounts, Contacts, Opportunities, Leads, and Cases. And virtually all major enterprises have customized their Salesforce instance by adding custom fields to support the specifics of their business. Further, customers add custom objects, which enable workflows and applications supporting the business. Reporting and filtering must be capable of getting to salient information rapidly, which includes the ability to support standard Salesforce fields and objects, as well as custom fields and objects.
3. Forensic investigations are an essential component of a data governance program
A wide range of scenarios requires forensic investigation of Salesforce access activity. For many enterprises, a review of a departing employee's access is a mandatory step in the offboarding process, and a simple forensics report supports this step. Numerous other, unexpected scenarios unfold as well: for example, investigating how a price book was deleted, leading to errors in hundreds, or even thousands, of Salesforce opportunities. Shield’s Event Monitoring makes forensic investigations possible, with a couple of limitations, which brings us to our next two lessons.
4. Event Monitoring files in their raw form are not easy to interpret
Event Monitoring files are clear text, but not human readable without detailed API calls or very detailed, laborious manual intervention. A robust user activity monitoring platform must automatically decode the files so that a business user can easily interpret the results.
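The decoding described in lesson 4 and the fine-tuned export filtering from lesson 1 can be combined in one pass over a log file. The sketch below is an added example, not Salesforce or vendor code: the sample log is constructed, the column names and ORIGIN values are assumptions about the CSV layout, and the lookup tables and threshold are hypothetical.

```python
import csv
import io
from datetime import datetime

# Constructed sample shaped like an Event Monitoring CSV log file. The column
# names and ORIGIN values are assumptions; check them against your own files.
SAMPLE_LOG = """\
"EVENT_TYPE","TIMESTAMP","USER_ID","CLIENT_IP","REPORT_ID","ROW_COUNT","ORIGIN"
"Report","20180412093015.123","005000000000001","203.0.113.7","00O000000000001","25","ReportRunFromClassic"
"Report","20180412093101.500","005000000000001","203.0.113.7","00O000000000001","12","ReportExported"
"Report","20180412231744.010","005000000000002","198.51.100.23","00O000000000002","48210","ReportExported"
"Report","20180413101502.900","005000000000001","203.0.113.7","00O000000000002","40","ReportExported"
"Report","20180413110230.000","005000000000002","198.51.100.23","00O000000000001","5000","ReportExported"
"""

# Hypothetical lookup tables; in practice built from the org's User and Report records.
USERS = {"005000000000001": "Dana Cruz", "005000000000002": "Lee Park"}
REPORTS = {"00O000000000001": "Weekly Pipeline", "00O000000000002": "All Customer Contacts"}
SENSITIVE_REPORTS = {"00O000000000002"}

def decode(row):
    """Turn one raw log row into a record a business user can read."""
    return {
        "when": datetime.strptime(row["TIMESTAMP"], "%Y%m%d%H%M%S.%f"),
        "user": USERS.get(row["USER_ID"], row["USER_ID"]),
        "report": REPORTS.get(row["REPORT_ID"], row["REPORT_ID"]),
        "rows": int(row["ROW_COUNT"] or 0),
        "ip": row["CLIENT_IP"],
    }

def export_alerts(log_text, min_rows=1000):
    """Return decoded export events that are sensitive or large; skip the rest."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["EVENT_TYPE"] != "Report" or row["ORIGIN"] != "ReportExported":
            continue  # not an export
        reasons = []
        if row["REPORT_ID"] in SENSITIVE_REPORTS:
            reasons.append("sensitive report")
        if int(row["ROW_COUNT"] or 0) >= min_rows:
            reasons.append("large export")
        if reasons:
            alerts.append({**decode(row), "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in export_alerts(SAMPLE_LOG):
        print(f'{a["when"]:%Y-%m-%d %H:%M} {a["user"]} exported "{a["report"]}" '
              f'({a["rows"]} rows) from {a["ip"]}: {", ".join(a["reasons"])}')
```

Of the four exports in the sample, the 12-row export of a non-sensitive report is dropped as noise, while the other three surface with a readable user, report name, and reason.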
5. Audit log retention is essential to legally defensible investigations and regulatory compliance
Shield Event Monitoring files are produced by Salesforce and retained on their customers’ behalf for a very short time (often a matter of just days). A strategy for capturing, encrypting, and archiving the Event Monitoring files must be put into place by Salesforce customers to meet the most basic requirements of a data protection and governance strategy for Salesforce.
Gaining peace of mind for data governance
The responsibility for a data protection program is most likely to fall on the Director of Salesforce/CRM and supporting Salesforce administrators. This means that tools and platforms needed to support Salesforce data protection must be easy to use and support multi-field filtering in order to rapidly gain access to salient information. In addition, these tools and platforms must be extremely flexible, supporting Salesforce standard fields and objects, as well as custom fields and objects that are part of nearly every Salesforce instance.
A comprehensive data protection program for Salesforce gives organizations the peace of mind needed to store sensitive information in the application, therefore enabling greater business velocity through central data views and improved workflows. Additionally, Salesforce customers expand their reputation for trust by protecting shareholders against theft of proprietary information, protecting their customers against theft of personal information, and by improving their privacy and security compliance posture. Shield is a great start, but organizations can take its security features to the next level with a solution that incorporates the needs described above.