
Salesforce security and compliance is a shared responsibility, and you, the end customer, have skin in the game. Salesforce is a PaaS, and its compliance with regulations such as HIPAA, PCI, and HITRUST does not flow down to your own compliance unless you (or your SI) configure the security controls correctly. That starts with an accurate assessment of your current state to identify your actual risks, followed by a prioritized daily, weekly, and monthly remediation plan to reduce them.

We reviewed some interesting statistics based on the Salesforce Security Risk Assessments RevCult completed in 2019, along with a checklist of actions you can take to complete your own assessment.

Also discussed are specific things you should be doing today to ensure your Salesforce security controls hold up, given the current situation surrounding the COVID-19 pandemic and the rapid expansion of remote workforces, e.g. IP restrictions, user authorization, and more.

To underscore the potential areas of risk, data from RevCult's Salesforce Security Risk Assessments include:

  • The average production instance of Salesforce has over 1000 fields of sensitive data
  • The average production Salesforce org has 13 methods of access which bypass create, read, update and delete permissions
  • 66% of organizations using Apex do not follow secure coding practices
  • 86% of all users have read and edit access to sensitive data

Recorded April 3rd, 2020 at 1:00 PM EDT

Hosts: www.revcult.com / https://www.sans.org/webcasts/


Dave Shackleford
Senior Instructor


Pete Thurston
Chief Product & Solutions Officer
