7 Salesforce Security Concerns Relating to Metadata
The basic metadata definition of “data about data” is pretty well known at this point. However, even with this general idea being familiar, many of us don’t truly understand what metadata actually is or how it can impact the functionality and security of our Salesforce systems.
Cybercriminals are always looking for a weak point to exploit. This comes in many forms and is always evolving, so constant care and attention to the various aspects of our systems needs to be maintained.
Your Salesforce metadata is one such consideration that needs to be guarded.
We’ve discussed how metadata can be used to secure your Salesforce data. But what’s the flipside of that? How can it be used by bad actors to compromise our system data?
The first step is to better understand how metadata works within the system.
There are three types of metadata:
- System Metadata: Information associated with a particular file such as author name, file name, file size, and changes within the file.
- App Metadata: Added to a file by the app used to create it—includes change history, comments, and user information.
- Embedded Metadata: Functions and information such as cell formulas in Microsoft Excel, as well as hyperlinks and associated files.
Proper protection of Salesforce metadata is necessitated both by user trust as well as regulatory requirements. Data breaches have severe consequences for companies regardless of their particular industry.
1. Custom Fields
One function of metadata within a Salesforce system is to populate recurring fields. Item A is connected to Item B and performs a predesigned function when data is input. These functions are dictated by metadata and are also recorded in the associated metadata.
The problem with this is that these fields can contain personally identifiable information like names, addresses, email addresses, phone numbers, and even financial information.
This is exactly the type of data that draws the attention of hackers and cybercriminals.
Metadata can store the populated and connected information. Cybercriminals that are able to gain access to the back end of your Salesforce system can find and decode this information through the page’s metadata.
2. Embedded Objects
Objects contained within a page can hold metadata of their own, which can be used by cybercriminals to initiate a data breach.
An easy example of this is a spreadsheet on Microsoft Excel. All you need to do is hover over a particular section to see the associated formula for the data contained within—including hidden cells and columns.
And while this might be a simplistic example, it illustrates how information can be contained within a file even if basic measures are taken to hide the contents. Hidden and embedded objects—and their associated data—can still be accessible through metadata.
3. Document Releases
Human error is one of the most common sources of data breaches. There are a variety of ways failing to adhere to data security best practices can result in an unauthorized release of system data and information.
One such scenario includes the release of documents—such as a press release—to various outlets.
These documents can contain identifying information within the metadata that hackers can use to access confidential data.
Failing to edit and remove identifiable metadata will lead to the release of data not deemed appropriate for outside viewers. This could include information such as author information, track changes, and more.
4. Hidden Information
There is often information contained within our documents or pages that are not to made public, but also not completely removed. This could include track changes on a Microsoft Word document or the speaker’s notes associated with various slides in a PowerPoint presentation.
But it could also include redacted information. This is information that has been ostensibly removed—or simply covered up—from a document before it is made public.
The problem is that this information is still available.
There are many examples of these redaction failures. Improperly formatted redacted documents can often be simply copied and pasted into a new document. Once the formatting is removed, the redacted information becomes readily available.
5. Metadata Harvesting Software
Software has been developed for just about everything these days. And sometimes, this software can be used in ways deemed unethical by some, and even illegal by others.
There are programs that will do the meticulous work of analyzing metadata to pull applicable information from files such as PDFs and Doc files.
Data regarding the targeted business such as usernames and server information can be discovered.
There are legitimate research-related reasons to use software such as this, but this information can also be used by hackers to access systems. Any releases or housed files on a company’s website needs to be checked and cleaned of any identifying information held within the metadata.
6. Metadata API Credentials
Salesforce’s Metadata API can be used “to retrieve, deploy, create, update or delete customization information, such as custom object definitions and page layouts, for your organization.” This powerful tool can make your Salesforce experience much better, but it can also create some vulnerabilities.
Individuals with administrative permissions are the only ones that can access and alter Metadata API’s functionalities.
Partner applications need to make use of these credentials in order to capture and store metadata from their org into the cloud.
This transfer puts your metadata at risk of a breach.
Beyond that, the administrative login credentials can become compromised, which would give a cybercriminal free reign on your platform.
7. Metadata Corruption Affects Functionality
As we saw with Metadata API, your Salesforce system customizations come from the information contained within your metadata.
Any corruption or loss of this essential information can affect the functionality of these customizations—as well as the rest of your Salesforce platform.
User error, software or hardware failures, or the efforts of a hacker can impact your system’s metadata and damage the usability of your services for both your customers as well as your team members.
Backing up your Salesforce data and metadata—as well as having a system in place to quickly restore this repository of data—is essential to maintaining the integrity of your Salesforce platform.