With the urgency of the COVID-19 pandemic, teams across all industries are switching to a fully remote workforce with little notice. Because everything is moving so quickly, many organizations haven’t had time to implement proper Salesforce security controls for remote workers. Unfortunately, this creates massive security gaps and opens your organization up to significant risk. It’s critical during this time to monitor security changes and the impact they may have on your Salesforce data security. Securing a remote workforce starts with understanding the risks that a widespread shift to remote work introduces.
Securing your sensitive data in a remote environment
With a borderless work environment comes a new series of security concerns. If your remote employees log into your Salesforce environment from unsecured personal devices on unsecured home networks, they may inadvertently create risk. The security controls you established in an office-based environment may not be effective in a remote situation, rendering your data security rules, policies, and standards ineffective. With a rapid deployment of a remote workforce, there isn’t time to analyze the associated threat patterns that come with a borderless environment, especially with cloud applications like Salesforce where data is accessible from anywhere at any time.
Unfortunately, some cybercriminals take advantage of working remotely to engage in malicious activity like stealing data, siphoning sensitive information, or even altering records. These attackers may be external to your organization – or a trusted insider. Although most employees are trustworthy and responsible, suspicious user activity is common when enabling a remote workforce. In this post, we explore five remote scenarios that are cause for concern, including whitelisting IP addresses, escalating user privileges, logging in from unexpected locations, changing password policies, and changing Salesforce Security Controls.
Whitelisting IP addresses
Which IP addresses have you whitelisted and given access to your Salesforce org? IP whitelisting controls data access by limiting entry to trusted users based on their internet protocol addresses. But when adding a long list of newly approved addresses for remote workers to do their job at home, someone may add an unauthorized IP. By doing so, they may be providing an entry point for cybercriminals to infiltrate your network and steal data, causing a data breach. You can control your office’s network security even if you can’t ensure remote employees are working on an encrypted network with password protection.
Escalating user privileges
What permission sets have been created, assigned, or unassigned? Have any users’ profiles been changed to ‘System Profile’? Profiles and permissions determine what users have access to in Salesforce. Some organizations automatically enable advanced permissions for all users when moving to a remote environment to avoid a clog of access limitations. After all, with more than 170 different permissions in Salesforce, your admins are bound to receive a record number of tickets from users asking for permissions, right? That’s certainly possible, but adopting a conservative approach by granting only the permissions that are necessary for users’ specific job roles and responsibilities can protect data security health.
If someone escalates their privileges, they may be taking advantage of being remote to access more data than is necessary to perform their job. Not only does this possibly compromise your data integrity, but if they were to make themselves an admin, they could alter others’ privileges as well. With hundreds of permissions in Salesforce – and hundreds or thousands of users – it can be difficult to grasp the full scope of what your users can do. Automated monitoring can tell you, at a glance:
- What permission sets have been created, assigned, or unassigned
- Which profiles have been created
- Who has escalated a user’s privileges (or their own privileges) to “manage” or “system administrator”
- Which profiles or permissions have been changed
Keeping a close eye on privileges helps maintain a clean data governance posture when shifting to a remote workforce.
Logging in from unexpected locations
Where have your users logged in from over the last week? Shifting to remote work means you’ll have users accessing your Salesforce org from locations you may not have seen before. Keeping an eye on the geolocation of logins can help you reconcile compromised credentials and avoid a data breach. By monitoring login data, you can detect when credentials may have been compromised based on the geographic location of the user logging in while spotting potential data theft by employees suddenly logging in from unexpected places or at unusual times. Using the monitoring data, you can adjust security controls to restrict specific IP addresses or geographic locations.
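The login review described above can be automated with a per-user baseline. The following is an added example, not code from the original post or from Salesforce: it runs over constructed login records (the tuple layout, user names and documentation-range IP addresses are assumptions) and flags logins in the last week from a country or hour that the user's earlier history does not cover.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login records: (user, UTC login time, source IP, country code).
# The layout is an assumption for this example, not a Salesforce export format.
LOGINS = [
    ("alice", "2020-03-02T09:05:00", "198.51.100.10", "US"),
    ("alice", "2020-03-09T10:15:00", "198.51.100.10", "US"),
    ("alice", "2020-03-16T08:45:00", "198.51.100.23", "US"),
    ("bob",   "2020-03-03T13:30:00", "203.0.113.5",   "GB"),
    ("bob",   "2020-03-10T14:00:00", "203.0.113.5",   "GB"),
    ("alice", "2020-03-24T09:30:00", "198.51.100.23", "US"),  # matches baseline
    ("alice", "2020-03-25T03:12:00", "192.0.2.77",    "BR"),  # new country, odd hour
    ("bob",   "2020-03-26T02:40:00", "203.0.113.5",   "GB"),  # known place, odd hour
    ("carol", "2020-03-26T11:00:00", "192.0.2.200",   "DE"),  # no baseline at all
]

def find_unexpected_logins(logins, now, review_days=7, hour_slack=2):
    """Flag review-window logins that deviate from each user's earlier history."""
    cutoff = now - timedelta(days=review_days)
    countries, hours = defaultdict(set), defaultdict(list)
    recent = []
    for user, ts, ip, country in logins:
        when = datetime.fromisoformat(ts)
        if when < cutoff:                     # baseline period
            countries[user].add(country)
            hours[user].append(when.hour)
        elif when <= now:                     # review window (the last week)
            recent.append((user, when, ip, country))
    findings = []
    for user, when, ip, country in sorted(recent, key=lambda r: r[1]):
        reasons = []
        if not countries[user]:
            reasons.append("no login history for user")
        else:
            if country not in countries[user]:
                reasons.append(f"new country {country}")
            # Simple hour band around past logins; does not wrap past midnight.
            lo, hi = min(hours[user]) - hour_slack, max(hours[user]) + hour_slack
            if not lo <= when.hour <= hi:
                reasons.append(f"unusual hour {when.hour:02d}:00 UTC")
        if reasons:
            findings.append((user, when.isoformat(), ip, reasons))
    return findings

if __name__ == "__main__":
    for finding in find_unexpected_logins(LOGINS, now=datetime(2020, 3, 27)):
        print(finding)
```

Each finding carries the source IP, so a confirmed anomaly can feed directly into the IP or location restrictions mentioned above.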
Changing password policies
Have there been changes in the password policy recently? If so, someone might try to make it easier to steal passwords or break into your network by taking advantage of the chaos of shifting to remote work.
A remote work environment without your standard set of security controls is the perfect setting for insider threats to create excess risk and threaten the security of your sensitive data. Salesforce Event Monitoring records and reports user activities, including who’s accessing what data, when, from where, and how often. User activity monitoring provides visibility to pinpoint threat patterns without requiring the time and energy needed to manually monitor a remote workforce.
Changing Salesforce security controls
Which users have made changes to Salesforce Security Controls in the past week? Any small change to security controls within your Salesforce or cloud environment can open your organization to significant compliance risks. Under the ISO 27001 information security management standard, security controls must be implemented to manage access to records, which must be “protected from loss, destruction, falsification, unauthorized access, and unauthorized release.” The Financial Conduct Authority (FCA) references IT controls to protect against “unauthorized access to customer data,” and FFIEC Objective 6 also touches upon the use of controls to mitigate identified risks.
User activity monitoring for securing a remote workforce
Proactive alerts allow you to quickly investigate whether a change within your Salesforce environment was warranted or not. In doing so, you can ensure that you maintain compliance with key regulatory requirements such as GDPR, the NY State Cybersecurity Rule, FINRA, PCI DSS, FCA, SOX, HIPAA, and more. Managing your security controls within your Salesforce environment can be complex and burdensome, but insights and proactive alerting around changes can make meeting security and compliance requirements easy and clear.
If anyone unexpected shows up in your user activity monitoring report, someone may be acting outside their scope of responsibility, abusing their newfound permissions, and making it easier to steal data. By monitoring for changes made over a certain period – say, the past two or three weeks – you can observe changes in behavioral patterns that may indicate a user engaging in risky actions. With advanced threat detection controls, you can then adapt to these behaviors and shut down user access to compensate for unpredicted IT threats that put your business data at risk.