Every Salesforce user is responsible for securing their own environment. This includes accounting for Salesforce vulnerabilities.

Why It Matters: Salesforce is secure. However, the way we interact with orgs has the potential to introduce vulnerabilities. And if you rely on Salesforce to secure your org, you’re leaving yourself open to costly outages and data exposures.

  • Planned and unplanned outages cause Salesforce users to lose connectivity to their environment.
  • A comprehensive data security strategy is critical to remaining secure in the face of evolving cybersecurity threats.
  • Consumer trust, regulatory compliance, and costly losses can all result from failing to account for Salesforce vulnerabilities.

1. Identify Salesforce Security Vulnerabilities

These security vulnerabilities were recently reported in Salesforce:

Spring4Shell Security Update: The Spring4Shell vulnerability published in March 2022 affected multiple Salesforce products, including Tableau, Slack, Service Cloud, Salesforce Einstein, Salesforce Core, Sales Cloud, Quip, Pardot, MuleSoft, Marketing Cloud, Hyperforce, Heroku, Experience Cloud, Commerce Cloud, and ClickSoftware.

CVE-2023-34362 and CVE-2023-35036: These two vulnerabilities could lead to unauthorized access to the MOVEit file transfer product and its environment. However, there is no impact to Salesforce customer data at this time.

CVE-2022-22128: This issue affected the Tableau Server Administration Agent.

Tableau Security Update: This was an issue with Tableau Server logging Personal Access Tokens into internal log repositories.

CVE-2022-22127: This was a broken access control vulnerability in Tableau Server.

Heroku Security Notification: There was an issue with GitHub repositories connected to Heroku.

2. Understand Your Salesforce Data Security Responsibilities

The delineation of responsibilities between platform and user is important to understand. Failing to account for your responsibilities creates gaps that can be exploited by bad actors or simply leave your organization open to costly mistakes.

The shared responsibility model illustrates where the onus of security lies for both Salesforce and those who use the platform.

Salesforce is responsible for everything on the platform side—physical infrastructure, application-level security, and network security—whereas users are responsible for anything that happens within their orgs—access controls, permission settings, and the overall success of their data security strategy.

3. Learn What You Can Do to Protect Yourself

An overabundance of caution is always beneficial when considering data security. When in doubt, assume it’s your responsibility and put together a plan to account for any potential security risks. From there, perform a complete analysis of your current approach and its potential vulnerabilities, and build a flexible plan around what you find.

Use automated scanning tools to address existing threats, and also to verify that updates and new applications are properly structured so they do not introduce new vulnerabilities.

Static code analysis and policy management are two critical aspects of addressing these problems. Open communication is also essential. All of your team members need to work together to find, flag, and address potential data security issues.

4. Realize the Benefits of Working Off-Platform

Working outside the Salesforce platform clears up a lot of confusion about where responsibility falls for data security considerations. When it comes to DevOps, most environments exist directly within the Salesforce platform. And while this might seem like an advantage, it opens organizations up to outages—both planned and unplanned—from Salesforce itself.

Working outside the Salesforce platform ensures continuous connectivity—even when Salesforce itself goes down.

Outages cost companies around $5,600 per minute on average. Avoiding the loss of connectivity to your system is a major win for data security teams, and this can largely be accomplished by working off-platform.

5. Find Out How to Prepare for the Future

Data security threats are constantly evolving. The best thing organizations can do is implement a continuously updated approach to data security. This is accomplished by frequently auditing your current approach and making adjustments as they are needed.

A flexible approach, strong communication, and the utilization of automated tools give organizations the best chances at remaining operational and secure in the face of evolving threats.

Salesforce offers its users amazing benefits. But when it comes to data security, you can’t rely on the platform to save you and your data. Take the time to ensure your bases are covered—your future self will thank you.

Next Step…

Now that you have a better understanding of what you need to do to solidify Salesforce security, let’s look at your options for tooling. It’s tempting to source generic tools because of their low cost and ease of access, but you’ll be leaving yourself open to a lot of mistakes.

FAQs