Blog: Salesforce Security Plays: What’s New, Next & Now with the Summer ’21 Release and RevCult’s Security Cockpits®

Posted by Brian Olearczyk

Managing Salesforce security is a mad dash to stay ahead of the rapid changes happening in your Org and the platform itself.

In this article, we’ll break down important new and upcoming developments related to security controls in the Salesforce Summer ’21 release, as well as in our Security Cockpits®, that accelerate the time to value with these products.

Here are the new Salesforce security plays you should know about, what’s coming next, and what best practices you should already be doing.

NEW Security Plays: Salesforce Shield & Summer ’21 Release Highlights

Platform Encryption

New fields that, by their nature, store PII or sensitive data are now supported for platform encryption.

  • User Email Field (Beta)

Many corporate security policies require putting protective controls, like encryption at rest, in place for internal employee information. While technically still in beta, the user email field can now have the encryption at rest control applied to it.

If you're using Lightning Sync, Einstein Activity Capture, or any functionality that uses the Event Object (e.g. calendar invitations), remember to consider the ripple effects of encryption. For example, if the User Email is unencrypted when Lightning Sync or Einstein Activity Capture are enabled, Lightning Sync and Einstein Activity Capture duplicate the User Email field in the database when users are added to sync configurations for those products; even if you encrypt the User Email field with Shield Platform Encryption, the duplicate field stores user emails in the Salesforce database in an unencrypted state.

It's very important to analyze where any fields that end up on your encryption wish-list are referenced in your Org, so that you can apply the encryption at rest control without having any downstream impact on anything that you've already configured.

  • Contact Points on Individual and Person Account Objects

Contact Point is another set of objects that are now supported for platform encryption. Contact Point objects (Contact Point Address, Contact Point Email, and Contact Point Phone) are used to collect the different ways to reach customers (phone, email, address). Contact Point lets users associate multiple phone numbers, email, and mailing addresses to a single customer, and track the customer’s consent to be contacted via these different channels using Contact Point Consent records.

Similar to the User Email field, enabling encryption for Contact Point fields matters because they contain PII. And again, it’s important to analyze where these Contact Point fields are referenced in your Org before applying encryption at rest to ensure you don’t impact anything already configured in your org.

Event Monitoring

Event monitoring gives you the ability to track user activity—what users are doing with the data they have access to—in the system.

  • New User-Type Field: Internal vs. Guest Users

A new field has been added that allows you to differentiate between internal and guest users. More specifically, you can now see whether activities were performed by an internal authenticated user or an Experience Cloud (formerly known as Communities) user. Experience Cloud sites can be back doors to your Salesforce Org and have recently grown in popularity, so this update helps manage external threats to these online communities.

  • Monitor Changes to Permission Sets and Permission Set Groups (Pilot)

Another important update is being able to see the changes that were made to specific permission sets. You can now track which system permissions were added and which object- and field-level security settings were changed within the permission set.

Limited Access (Beta)

These are new beta features related to Salesforce security, specifically involving sharing and permissioning, that we think are noteworthy. Customers may opt to try them by contacting Salesforce directly.

  • Restriction Rules

The Restriction Rules update is a big change to the way the Salesforce security model has been implemented up to this point. The model has previously been to start by locking down all security controls and open up access as needed. Restriction Rules flips that model, allowing you to start with unlocked controls and create rules if you don’t want users to see something.

  • Permission Expirations for Permission Sets and Permission Set Groups

If you have a group of users who need a specific set of permissions for a limited amount of time, such as for the duration of an ad-hoc project, you can now provide them access to the information they need on an impermanent basis. You can set their new permissions to automatically expire after a set period of time.
NEW Security Plays: RevCult Security Cockpits®

There are several new and powerful features now available in our Security Cockpits®. Here are the top plays:

Data Classification

Data classification is the key first step that informs the strategy of how to apply all other security controls, which is why we’ve released several updates in this area.

  • Compliance Category Assignment

We are now allowing Compliance Category Assignment directly from the Data Classification tab. This means you can configure and apply tags—like GDPR, CCPA, HIPAA, etc.—to different fields as needed and see them directly in the app. Particularly for customers operating in highly regulated industries like healthcare and finance, these tags will help provide context on which fields are under the purview of specific regulatory bodies. In short, you can choose to filter and prioritize by compliance levels, instead of just data sensitivity levels.


  • Full Bi-Directional Data Classification Sync

We have enabled a full bi-directional sync between the native Salesforce metadata tags and RevCult’s products. So, if your admins have already completed some manual data classification work in the Salesforce setup, that work can now be converted over to the data classification tab in Cloud Security Cockpit® and Shield Security Cockpit®. Similarly, any categorization and classification completed in Cloud Security Cockpit® can be synced back to your Salesforce metadata. This gives you a single, holistic view of data classification in your Org.


  • Fill Rates Calculator

Before you classify, find out if and how fields are being used in your Org. The new Fill Rates Calculator shows the percentage of completion for specific fields (such as sensitive or high-risk fields) so you can determine how your data model is being filled with certain records. From a single view, you can filter and drill down on fill rates to reveal what information is missing, what needs to be protected, and more.

    • It helps inform where additional controls need to be applied.
    • From a data hygiene perspective, it helps identify candidates for deprecation.
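As an added example (not RevCult's or Salesforce's code), the following Python computes per-field fill rates over constructed sample records and applies the two uses above: fields carrying a compliance tag that are actually populated are flagged for protective controls, and fields nobody fills are surfaced as deprecation candidates. The record shape, field names, and compliance tags are assumptions; the optional `min_rate` and `category` filters mirror the fill-rate range and compliance-category filters described for the app.

```python
# Constructed sample records (not real customer data); None or "" means the field is empty.
SAMPLE_RECORDS = [
    {"Email": "a@example.com", "SSN__c": "123-45-6789", "Legacy_Code__c": None, "Phone": "555-0100"},
    {"Email": "b@example.com", "SSN__c": None,          "Legacy_Code__c": "",   "Phone": None},
    {"Email": None,            "SSN__c": "987-65-4321", "Legacy_Code__c": None, "Phone": "555-0101"},
    {"Email": "d@example.com", "SSN__c": None,          "Legacy_Code__c": None, "Phone": None},
]

# Assumed classification: field -> compliance categories (an empty set means "unregulated").
CLASSIFICATION = {
    "Email": {"GDPR", "CCPA"},
    "SSN__c": {"HIPAA", "CCPA"},
    "Phone": {"GDPR"},
    "Legacy_Code__c": set(),
}


def fill_rates(records, fields):
    """Return {field: percentage of records in which the field is non-empty}."""
    total = len(records)
    rates = {}
    for f in fields:
        filled = sum(1 for r in records if r.get(f) not in (None, ""))
        rates[f] = round(100.0 * filled / total, 1) if total else 0.0
    return rates


def prioritize(records, classification, min_rate=0.0, category=None):
    """Split fields into control candidates and deprecation candidates.

    needs_controls: fields with a compliance tag (optionally restricted to one
    category) whose fill rate exceeds min_rate, i.e. regulated data is present.
    deprecation_candidates: fields with a 0% fill rate across all records.
    """
    rates = fill_rates(records, classification.keys())
    needs_controls = sorted(
        f for f, tags in classification.items()
        if tags and (category is None or category in tags) and rates[f] > min_rate
    )
    deprecation_candidates = sorted(f for f, r in rates.items() if r == 0.0)
    return rates, needs_controls, deprecation_candidates


if __name__ == "__main__":
    rates, controls, deprecate = prioritize(SAMPLE_RECORDS, CLASSIFICATION)
    print("fill rates:", rates)
    print("apply controls to:", controls)
    print("deprecation candidates:", deprecate)
    print("HIPAA-tagged, populated:", prioritize(SAMPLE_RECORDS, CLASSIFICATION, category="HIPAA")[1])
```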


  • New Filters and Views

There are several new enhancements to the filtering and viewing features, and simply finding fields is quicker than ever before. For example, you can filter, and then drill down and prioritize:

    • Results from a system-wide search
    • Fields that haven't been classified
    • Standard or custom fields
    • Managed packages
    • Data types
    • Compliance categories
    • Fill rates percentage ranges

These advanced filters help you easily classify data on a continual basis and gain a truly contextualized view of all the data existing in your Org.


Expanded Reporting & Insights – Cloud Security Cockpit®

We’ve expanded our robust Security Insights more than ever, adding some important new features that enforce and align with your corporate security policies.

  • New Insights
    • Privileged Users: You can now monitor the administrative activities of your privileged users, such as who did what and at what time. For example, what are privileged users changing? What are admins doing while logged in as standard users (impersonated activities)? Anomalies or unusual activity will be surfaced, so you have visibility and can take action as needed. You can even filter by security-related events.

    • Connected Apps: Get a single view of all your connected apps and the last time that they were used. This visibility will help drive internal conversations around the business justification of each connected app and its subsequent security requirements.

    • Trend Reporting: We now offer packaged Salesforce out-of-the-box reports and dashboards that can be configured to show how your Org’s security configurations have evolved over time. Based on your Security Insights dashboard, you can see how your Org’s current overall score and the scores for each of the six lenses have changed. InfoSec and leadership teams can generate monthly or quarterly trend reports to get a strategic view of why security configurations are rising or falling over specific periods of time, and then prioritize risk accordingly.

      The trend reports provide transparency as to what’s going on with your Org’s security controls, including Data Classification, show progress over time, and give context as to why and how configurations change as more sensitive data enters the Org.

  • Security Insights Action Plan

Customers can now subscribe to receive a Security Insights Action Plan delivered directly to their email inbox, whether they have a Salesforce license or not. The Action Plan can be emailed on demand or sent on a chosen cadence. Allowing the Action Plan to be shared with non-Salesforce users like InfoSec, DevOps, and Compliance personnel will aid internal collaboration on managing Salesforce security risks. Because it is a prescriptive, explicit document that includes your Org’s risk score for each of the six security lenses, the underlying details on each score, and specific tips on how to improve those scores, all internal teams will have the information they need to understand risk, both currently and as it has shifted in the Org over time.


  • Policy Management

It’s our job to surface anything in Salesforce that has potential risk, but many customers come to us with unique requirements and want to configure their Security Insights scores. The new Policy Management feature offers that flexibility. You can now dismiss certain risks and other items flagged by the app that impact your security scores because you deem them to be acceptable based on your business objectives, security policies, or critical functionality needs. For example, if you have field representatives who frequently use the mobile app when on the road, you can dismiss the API enabled permission and note the justification in the system. You can exclude the entire Insight or individual entries, documenting what was dismissed and why. That dismissed item won't impact the associated security score and you have proof of why. You can also get a single view of all security policy dismissals and justifications for auditors and leadership teams.

NEXT Security Plays: Cloud Security Cockpit®

Let’s take a look ahead at the Cloud Security Cockpit® roadmap. These new features are in development and will be released soon:

  • Configurable Rules Engine/Alerting

Users will soon be able to subscribe to alerts based on their security policies. This makes it easier to take proactive steps when configurations change in your Org. Alerts can be configured to be delivered both in-app and via email, so anyone who does not have a Salesforce license, like InfoSec or Compliance team members, will also be able to subscribe.

  • MFA/SSO Security Insights Dashboard Widget

We are building out the ability to validate that users are logging in with the SSO provider. An MFA/SSO summary view will be added to the Security Insights dashboard and you’ll be able to drill down by type of user. For example, this functionality will reveal whether privileged users are bypassing the SSO and logging in locally, or if standard users aren’t using SSO.

  • Multi-Org Reporting

Large companies with multiple Orgs and production environments will soon be able to connect their orgs and view important data from each in a single location. Users will be able to connect both sandbox and production instances to track and compare scores between orgs as well as progress made over time.

  • Policy Portability (Enabling Migration of Data Classification)

If you have Cloud Security Cockpit® in a pre-production sandbox, you will soon be able to set up your data classification there and then push it up to production. This update is part of our effort to help organizations shift more of the security work to earlier in the process—ideally, the development stage.

NOW Security Plays: Salesforce Security Best Practices

Updating to the new Salesforce Release is a great time to revisit your Salesforce Security Operational Playbook. Here are some best practices to put in play moving forward:

  • Review Security Scores Quarterly (e.g. Security Insights)

Make sure that your configurations and controls are being maintained over time by reviewing security scores each quarter. Identify why scores changed and, if needed, create requirements to remediate risks.

Interested? Test run a quarterly assessment with Cloud Security Cockpit® for free.

  • Review Encryption Status & Blockers Monthly (e.g. Platform Encryption Analyzer)

For customers using Salesforce Shield Platform Encryption with encryption at rest, hold a monthly review of new configuration blockers to encrypted fields. Then, create requirements to remediate so you’re maintaining your encryption posture over time. Try out the Salesforce Shield Platform Encryption Self-Assessment.

  • Review Data Classification

New fields are frequently being added to Salesforce, so have processes in place to regularly maintain and validate your data classification. This involves: identifying and classifying new fields in your Org; determining field usage; and creating requirements to remove access. Yes, data classification is a big job, but these duties can be segregated. Salesforce administrators can classify and maintain, while InfoSec and Compliance teams validate that classifications are aligned with your policies.

Ask Us Anything

There’s a lot to unpack with these new product developments and what they can mean to your organization’s security controls. If you have questions or want more info, let us know. We’re experts on Salesforce security controls and can help.
