Suridata

How to Make Sense of the Salesforce Security Model


Raise your hand if you’ve used Salesforce. If you work at one of the company’s 150,000 customers worldwide, you’re likely familiar with it. Reigning as the world’s top customer relationship management (CRM) solution, Salesforce is also a flexible SaaS platform with numerous configuration options and third-party extensions.

While a great business tool, Salesforce is also a significant source of security risk and a popular target for data breaches. Recently, simple misconfigurations in the Salesforce Apex programming language led to unauthorized access to data on more than 100 websites. Salesforce offers its own Salesforce Security Model to protect its sprawling attack surface and mitigate data security risks. 

What is the Salesforce Security Model?

The Salesforce Security Model is a set of configurable access controls that operate at different layers of the Salesforce dataset and help businesses secure their Salesforce environment. It enables admins to establish access and data handling privileges for user roles, user profiles, individual permission sets, and sharing rules. The model also controls access and permissions at the object (database), field, and record levels.

Knowing the difference between a Salesforce user’s role and profile helps one understand the security model. Roles are hierarchical, with differences in access privileges based on organizational rank. For example, a Salesforce admin might establish a user role called “Sales Representative.” Users in this role will be permitted to see the Opportunities object, but only their personal sales opportunities, not those of teammates. A user with a “Sales Executive” role can see all team members’ opportunities.  

In contrast, a Salesforce profile is a group of permissions and settings that control what a user can do with data, among other parameters. A profile determines whether a user has “read-only” access to certain records or whether they can edit or delete them. 


The Different Levels of the Salesforce Security Model

The Salesforce Security Model is intended to balance the protection of sensitive data with user experience and business agility. It provides a way to safeguard data with a high degree of granularity and customization. To achieve these goals, the model offers access controls on multiple levels.

1. Organization-Level Security

At the organizational level, admins can limit who has access to the platform in your organization. Theoretically, a user can log into your Salesforce instance from anywhere worldwide, which isn’t ideal for security. To filter out malicious actors, organization-level security allows access to be restricted only to trusted IP ranges and log-in IP ranges. 

Admins could limit access to users logging in from IP addresses associated with the company’s network or expected geographical areas. A US-based company, for instance, could prohibit logins from Eastern Europe. Similar controls can prevent logins at certain times of the day, such as late at night or early in the morning.

2. Object-Level Security

Salesforce objects, such as Opportunities, Leads, Accounts, and Contacts, correlate mostly to the platform tabs. Each object is a separate database table. 

Depending on the organization’s size and structure, most users will not need to interact with all these objects, and it would not be secure to allow such interactions. For instance, if you’re a cold-call sales rep, you shouldn’t be allowed to access the Customer Support object.


The Salesforce Security Model provides several ways to implement object-level security:

3. Record-Level Security

Admins can use the Salesforce Security Model to manage access permissions for records, which equate to rows in a Salesforce object database. Record-level security can be based on roles and role hierarchies. For example, the Head of Sales can see all records, while regional sales executives can see all records in their regions. Geographical territories can create an additional layer of control. 

Similarly, criteria-based sharing rules can govern record sharing between users. For instance, if the field “Zip Code” is within a specific range of values, a user with a given role can share those records. Admins can also assign sharing permissions manually.
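The record-level paths described above (ownership, role hierarchy, criteria-based sharing on Zip Code) can be modelled in a few lines. This is an added, simplified example and not Salesforce's implementation: the roles, users, records and the `ZipRule` type are constructed, and it assumes a private default where access granted to a role also flows to the roles above it.

```python
from collections import namedtuple

User = namedtuple("User", "name role")
Record = namedtuple("Record", "rec_id owner zip_code")
# Hypothetical criteria-based rule: records whose zip falls in the range
# become visible to users holding `role` (and to roles above it).
ZipRule = namedtuple("ZipRule", "zip_low zip_high role")

# Constructed role hierarchy: role -> parent role (None marks the top).
ROLE_PARENT = {
    "Head of Sales": None,
    "Sales Executive East": "Head of Sales",
    "Sales Executive West": "Head of Sales",
    "Sales Rep East": "Sales Executive East",
    "Sales Rep West": "Sales Executive West",
}

def is_above(role, other):
    """True if `role` is an ancestor of `other` in the role hierarchy."""
    parent = ROLE_PARENT.get(other)
    while parent is not None:
        if parent == role:
            return True
        parent = ROLE_PARENT.get(parent)
    return False

def access_path(user, record, rules):
    """Return which mechanism grants `user` access, or None (private default)."""
    if record.owner == user:
        return "owner"
    if is_above(user.role, record.owner.role):
        return "role hierarchy"
    for rule in rules:
        in_scope = rule.role == user.role or is_above(user.role, rule.role)
        # Five-digit zip strings compare correctly as text.
        if in_scope and rule.zip_low <= record.zip_code <= rule.zip_high:
            return "sharing rule"
    return None

# Constructed sample data.
ann = User("ann", "Sales Rep East")
bob = User("bob", "Sales Rep West")
eve = User("eve", "Sales Executive East")
hal = User("hal", "Head of Sales")
opp_ann = Record("OPP-1", ann, "10001")
opp_bob = Record("OPP-2", bob, "94105")
RULES = [ZipRule("94000", "94999", "Sales Rep East")]

if __name__ == "__main__":
    for u in (ann, bob, eve, hal):
        for r in (opp_ann, opp_bob):
            print(u.name, r.rec_id, access_path(u, r, RULES))
```

Returning the granting path rather than a bare yes/no makes it visible when a single sharing rule, not the hierarchy, is what exposes a record to another territory.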

4. Field-Level Security

The Salesforce Security Model also enables access control at the level of database fields. This level is critical because the full dataset often contains sensitive or private information. 

For instance, a Contact object might include a person’s birthday and personal cell number, which attackers could steal and use for identity theft. Since there’s no reason for all users to see these fields, admins can share them selectively.


5. Additional Security Measures

Salesforce has various supplemental security countermeasures, including data encryption, two-factor authentication (2FA), and event monitoring. Session settings can also establish session timeouts and lock out specific IP addresses.

The Weaknesses of the Salesforce Security Model

The Salesforce Security Model is also a driver of risk exposure. Even with good intentions, it’s possible to inadvertently set up data access that violates customers’ privacy and allows their personal information to get into the wrong hands. The same goes for valuable customer lists and sales opportunities. The customizable nature of roles, profiles, and permissions makes it almost inevitable that security gaps will crop up for a malicious insider or external attacker to find.

To make matters worse, Salesforce system owners and security teams often struggle to keep up with access permissions given by other admins, making it easier for security vulnerabilities to slip through the cracks. 

For example, if a Sales Manager requests that a Sales Rep be allowed to view deals in another territory, an admin could make that change in permissions without notifying the higher-level Salesforce system owners and security teams. The lack of visibility leads to overprivileged accounts, which hackers can exploit. 

Top Tips to Secure Your Salesforce Environment

1. Focus on Governance First

Securing Salesforce presents a significant governance challenge, but your organizational structure and personnel can be crucial in addressing it. Ideally, your organization will have precise information security controls, rules, and authority grants to set up Salesforce roles, profiles, and permissions. Who gets to decide on settings? Who can make changes? Who needs to approve these? These are the types of questions you should include in your well-thought-out policies.

Consider investing in a data governance tool to make the process auditable and streamline efforts. These tools can help you define data ownership and oversee data security in Salesforce and beyond.


2. Monitor the Broader Ecosystem

Salesforce is complex enough to secure out of the box. However, many organizations aren’t just dealing with the Salesforce platform but with its various extensions. These include Salesforce Apps from the App Exchange, custom-coded apps written in Apex, and integrations with third-party vendors using the Salesforce API. Every single extension introduces additional risk. 

For this reason, ensure your security policies cover the additional integrations and Salesforce tooling your business uses. Your team must know how to approach these in the context of the Salesforce Security Model to avoid gaps.

3. Leverage Built-in Security Tools

It makes sense to take full advantage of Salesforce’s native security capabilities, such as data encryption or restricting login IP ranges and log-in hours, especially for critical profiles. Salesforce also offers features like Health Check, which allows you to review and optimize your security settings, and login forensics, which will enable you to monitor login activity and detect and respond to suspicious behavior.


4. Implement Regular Reviews

Organizations and hierarchies change over time, so Salesforce settings can become obsolete and, therefore, insecure. Regular reviews of your Salesforce Security Model are essential to maintaining a secure environment. 

You should also evaluate role hierarchies, sharing settings, and permission sets to ensure they align with your current organizational structure and security requirements. Tools like Open Policy Agent can also support your monitoring efforts, enabling you to keep track of active policies, how you enforce them, and when changes occur.
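A periodic review can be partly automated by scanning exported profile metadata for settings that weaken the organization, object and field levels described earlier. The following is an added example, not Suridata or Salesforce code: the sample profile is constructed in the Metadata API Profile layout, and the sensitive-field list and the maximum range size are assumed policy values.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}
SENSITIVE_FIELDS = {"Contact.Birthdate", "Contact.MobilePhone"}  # assumed list
MAX_RANGE_SIZE = 65536  # assumed policy: no login range wider than a /16

# Constructed sample in the Metadata API Profile layout.
SAMPLE_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <loginIpRanges>
    <startAddress>0.0.0.0</startAddress>
    <endAddress>255.255.255.255</endAddress>
  </loginIpRanges>
  <objectPermissions>
    <allowRead>true</allowRead>
    <object>Case</object>
    <viewAllRecords>true</viewAllRecords>
  </objectPermissions>
  <fieldPermissions>
    <editable>false</editable>
    <field>Contact.Birthdate</field>
    <readable>true</readable>
  </fieldPermissions>
</Profile>"""

def audit_profile(xml_text):
    """Return a sorted list of (level, finding) tuples for one profile."""
    root = ET.fromstring(xml_text)
    findings = []
    ranges = root.findall("sf:loginIpRanges", NS)
    if not ranges:
        findings.append(("organization", "no login IP range set"))
    for r in ranges:
        lo = ipaddress.ip_address(r.findtext("sf:startAddress", None, NS))
        hi = ipaddress.ip_address(r.findtext("sf:endAddress", None, NS))
        if int(hi) - int(lo) + 1 > MAX_RANGE_SIZE:
            findings.append(("organization", f"login range {lo}-{hi} too wide"))
    for op in root.findall("sf:objectPermissions", NS):
        for flag in ("viewAllRecords", "modifyAllRecords"):
            if op.findtext(f"sf:{flag}", "false", NS) == "true":
                obj = op.findtext("sf:object", "", NS)
                findings.append(("object", f"{flag} on {obj}"))
    for fp in root.findall("sf:fieldPermissions", NS):
        name = fp.findtext("sf:field", "", NS)
        readable = fp.findtext("sf:readable", "false", NS) == "true"
        if name in SENSITIVE_FIELDS and readable:
            findings.append(("field", f"{name} readable"))
    return sorted(findings)
```

Running the same check on each export and comparing the findings between runs shows when a permission change was made outside the approval process.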

5. Integrate with Existing Security and IAM Tools

You may already use security tools that enable an in-depth approach to securing Salesforce. For example, you can deploy a cloud access security broker (CASB) to monitor usage or constrain access to Salesforce. Or, if you use Microsoft Entra or comparable single-sign-on (SSO) solutions, you can centralize management of access to Salesforce for all users.

Compliance automation tools can also help streamline Salesforce security, ensuring your setup is aligned with regulatory requirements and industry practices.


6. Deploy a SaaS Security Solution

Keeping Salesforce secure should be part of a broader SaaS security program. A SaaS security solution like Suridata can continuously monitor Salesforce on multiple levels, flagging anomalies that signal the presence of a threat. For example, if a Salesforce user exports more data than is required for their job, that will trigger a real-time alert to security managers. Suridata also offers comprehensive visibility into user permissions, data access, and security misconfiguration vulnerabilities.

Balancing Security with Productivity on Salesforce

There’s a reason over 150,000 businesses trust Salesforce for CRM and other critical operations. However, the same inherent flexibility and customizability that make Salesforce useful also expose customers to cyber risk. The Salesforce Security Model has the potential to enable strong security controls, but the model on its own, without the proper governance and tooling, will not be very effective.

As a comprehensive SaaS security tool, Suridata helps you identify and mitigate vulnerabilities in Salesforce and all your other SaaS apps. Its deep scanning and monitoring capabilities ensure no vulnerability is left undetected across any of your SaaS tooling. Plus, you get real-time alerts and automated mitigation workflows to solve security issues faster.

