On May 24, FairWarning held an Executive Series webinar featuring Mark Bowling, Consulting ISO for United Financial Capital Partners. On the webinar, “5 Strategies for Preventing Privileged User Abuse in Salesforce,” Bowling joined FairWarning information security analyst LaDon Williams to discuss how he’s strengthened United Capital’s Salesforce data security, protected from insider threats, and met key requirements of GDPR and ISO 27001 controls.
Here are five takeaways from the webinar to help you better secure your Salesforce environment and increase control of and visibility into user access.
1. Recognize that privileged users can come in many forms
“At the heart of a privileged user is anybody with higher levels of permissions than a standard user,” said Williams. Most commonly, that’s a Salesforce administrator or their manager, senior leader, C-suite executive, or human resources employee.
Then there are the privileged users that are often overlooked: sales staff, developers, and third parties. It’s that last one that can get particularly complicated – 50 percent of Salesforce’s revenue comes from APIs, which means your data may be accessed, and possibly extracted, not by a person but by another application. This makes it important to choose a cloud application security vendor that monitors all access, including access through unauthorized APIs.
2. Create different “levels” of users to determine threats to Salesforce data security
United Capital created access levels to categorize various users within the organization:
- Root/administrative user: These users have full administrative control over the entire Salesforce environment and can create new accounts, set up new power users, and manage log data.
- Power/super user: Power users can create new customers, add new users for subordinates at branch offices, delete records, add records, and assign privileges.
- Subsidiary user: This might be a financial advisor who can only create and access customer accounts.
- Customer: The lowest level of users, customers can check their own information – and nothing else.
United Capital then determines the severity of a threat based on the user’s access level.
“If we see wholesale system changes that can’t be done by a managing director in an investment office,” Bowling said, “then we have significant concerns that there may be a power or a root-level user who is making changes and creating unauthorized accounts that have privileged access — and they may be changing accounts from other administrators to remove their access and cover their tracks.”
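As an added example, not code from the webinar or from FairWarning, the following shows how the tier-based severity rule described in this section could be applied to a stream of Salesforce audit events: an action above the actor’s tier, or an edit to another administrator’s user record, is rated high. The four tier names are the page’s; the action labels, event format and sample events are constructed assumptions.

```python
"""Triage Salesforce audit events by the actor's access tier (added example)."""
from dataclasses import dataclass

# Access tiers from the United Capital model, lowest to highest.
TIERS = {"customer": 0, "subsidiary": 1, "power": 2, "root": 3}

# Assumed mapping: lowest tier normally expected to perform each action.
# Action labels are constructed for this example, not Salesforce API names.
EXPECTED_TIER = {
    "create_customer_account": "subsidiary",
    "add_branch_user": "power",
    "delete_record": "power",
    "assign_admin_permission_set": "root",
    "modify_admin_user": "root",
}

@dataclass
class AuditEvent:
    actor: str
    actor_tier: str  # tier the user directory says this actor holds
    action: str
    target: str = ""

def classify(event):
    """Return (severity, reason). high = action above the actor's tier or an
    edit to another admin's user; medium = root-tier change by a root user."""
    actor_rank = TIERS[event.actor_tier]
    expected = EXPECTED_TIER.get(event.action, "root")  # unknown => privileged
    if actor_rank < TIERS[expected]:
        return "high", f"{event.action} exceeds {event.actor_tier} tier"
    if event.action == "modify_admin_user" and event.target != event.actor:
        return "high", f"admin {event.target} modified by {event.actor}"
    if expected == "root":
        return "medium", "root-tier change by root user"
    return "low", "within expected tier"

def triage(events):
    """Return (severity, reason, event) for medium and high events, worst first."""
    order = {"high": 0, "medium": 1}
    hits = [(s, why, e) for e in events for s, why in [classify(e)] if s != "low"]
    return sorted(hits, key=lambda h: order[h[0]])

# Constructed sample events, not real log data.
SAMPLE = [
    AuditEvent("advisor.jdoe", "subsidiary", "create_customer_account", "acct-1"),
    AuditEvent("md.branch17", "power", "assign_admin_permission_set", "user-42"),
    AuditEvent("sfadmin.a", "root", "modify_admin_user", "sfadmin.b"),
    AuditEvent("sfadmin.a", "root", "change_login_ip_ranges"),
    AuditEvent("sfadmin.b", "root", "delete_record", "rec-9"),
]
```

Running `triage(SAMPLE)` surfaces the power user assigning an admin permission set and the root user editing another admin first, then the unmapped root-tier change, while the advisor’s ordinary account creation stays below the alerting threshold.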
3. Align security frameworks with internal controls
United Capital’s internal security controls fall into three categories: detective, preventive, and corrective.
A detective measure may be a platform that monitors for unusual user access and provides proactive alerts.
A preventive control would include applying the principle of least privilege to permissions, only allowing users the level of access they need to complete their job.
And a corrective measure might be sanctions or other components of an incident or breach response plan. Mapping controls to these three categories helps United Capital implement security frameworks like ISO 27001 and, through them, achieve compliance with regulations like GDPR.
4. Foster a culture of security and compliance
There’s a lot of overlap between compliance and security, and both require that a culture be created and sustained – both inside and outside of an organization. If your organization doesn’t value compliance, its security may be weak, and if it doesn’t value security, its compliance posture won’t be as strong.
“The culture of, and respect for, compliance fosters security,” Bowling emphasized.
5. Take advantage of technologies built especially for this purpose
While there can be a lot of moving parts when securing your Salesforce instance against privileged user abuse, there’s no reason to complicate the matter. There are technologies that are created specifically to monitor privileged user access in Salesforce and other cloud applications, giving you a consolidated view of profiles and permissions, implementing geolocation monitoring, and monitoring for access and activities by unauthorized individuals.
Taking advantage of these tools and reducing manual processes can save you time, allowing you to focus on more strategic security and compliance efforts.