The Cloud Vision 2020 study revealed that 27% of organizations believed that almost the entirety of their key operations would migrate to the cloud in five years, 11% think this would happen in seven years, and 20% in ten years.
This is a big deal for Salesforce, since it has been a huge advocate for cloud technology from the beginning. Yet, customers are not so sure about the effect this migration to the cloud would have on data security and privacy.
Research by Salesforce shows that 46% of customers do not feel that they have control over their own data while 63% think that companies are not using their data in a very transparent manner.
A January 2019 Cisco Data Privacy Benchmark Study reported that 59% of companies claimed that they were compliant with the rules of the General Data Protection Regulation or GDPR, a data protection law enforced by the EU on May 25, 2018, while 29% more believed they would be by 2020.
Yet, Marketing Week research showed that even as one year of the GDPR being in effect was about to be completed, only 31% of consumers felt secure about how their data was being utilized by organizations.
In fact, customers were more likely to choose an organization that took responsibility for the security of their data than one that did not.
This is evident from the 2020 Cisco Data Privacy Benchmark Study, according to which, companies that invested in data privacy actually showed an increase in customer retention and growing revenue.
Therefore, if a company thinks it is winning by focusing on delivering business outcomes that increase revenue growth over data privacy, it will actually see the opposite effect.
Data privacy and security is a growing concern among the rising risks and instances of exploitation of data with malintent.
Much of it has to do with institutions rushing to move to the cloud without fully comprehending the data security risks to be taken care of.
But, being a cloud tech champion, Salesforce has always been one step ahead in keeping itself up-to-date in terms of data privacy, especially with its GDPR compliance.
Here is everything you need to know about responsible and secure data management in Salesforce.
1. Salesforce Data Security Model
Salesforce uses the shard responsibility data security model. This means that while Salesforce is responsible for maintaining the security of the cloud, organizations using it are responsible for maintaining the safety of data in the cloud.
Thus, Salesforce acts as the processor, providing all required resources and tools for companies to implement operational outcomes in business necessary to comply with applicable global and local data protection laws.
In turn, it will do its best to maintain the Salesforce privacy policy, especially for PII, PFI, and PHI. Also, since it is a multi-tenant platform, the Salesforce data structure is maintained with the help of unique identifiers for each institution.
2. Salesforce Data Encryption
To ensure that importing data into and exporting data from Salesforce is done securely, the latest TLS encryption certificates are used.
Edge routers and firewalls act as gatekeepers of data between internal and external networks. Encryption of data at rest can be done in Force.com that allows one to define encrypted custom fields using AES 128, ie, 128-bit Advanced Encryption Standard.
External applications can also be used to create an even greater level of encryption in your data.
3. Salesforce Health Check
The Salesforce Health Check is a useful tool that allows you to assess the quality of data privacy and security of your system in comparison to the Baseline Standards set by Salesforce in accordance with the industry-level grades.
It scores your system in a percentage form based on how well you comply with or exceed the standards, flags out any indication of failure to do so, and suggests actions to affect desired business outcomes for better data privacy. Some of the settings checked are:
Minimum password complexity
Locking sessions to the IP address from which they originated
Maximum invalid login attempts
Clickjack protection
Forced logouts on session timeouts
Forced re-logins after an admin logs in as a different user
IP restrictions can also be set to prevent the access of the Salesforce platform of a company for certain IPs, IP ranges, locations, or times of the day to block unauthorized logins.
4. Salesforce Access Control
Two-factor authentication is a great way to ensure that only authorized users are able to access the company Salesforce database and platform. You can control whether you want two-factor authentication to be done for every login or for specific actions only.
You can also enforce password criteria like complexity, length, expiration period, reuse and hint restrictions, and autocomplete and caching prevention.
5. Salesforce User Permission Rules
You can set permission rules to determine who is able to view, access, and modify certain data in your system. These permissions can be set for specific objects, individual fields in the objects, and even records, for different users.
You can also define role hierarchies to define which data is accessible to whom depending on their role in the system.
6. Salesforce Community Visibility Rules
Salesforce allows you to define the level of visibility that users will have inside a community or portal. You can define visibility defaults and sharing rules for users in the community or portal.
You can decide how public or private you want your community to be using these settings. View and access settings can also be defined for users in public groups of Salesforce.
7. Salesforce Shield
Salesforce Shield is an extremely powerful tool that allows users to greatly augment the level and strength of the security of data stored on the platform. It has three parts to do this.
Field Audit Trails – This allows you to view the data history of as many as 60 fields of every custom object, account, case, contact, lead, and opportunity, up to as far back as 10 years. This helps you in salesforce data cleaning and audit trail maintenance.
Event Monitoring – The tool allows you to generate detailed logs of any changes, including user and application activity, and have it delivered in 24 hours through the SOAP API and REST API. The data can then be fed into a visualization tool like Salesforce Analytics to detect anomalies and threats.
Platform Encryption – Using Shield, you can encrypt fields as well as files with no size restriction, using 256 AES. It also allows platform actions so that the encryption is uninterrupted. Management of the encryption key rests with the user.
8. Salesforce API Security
APIs are one of the most common channels for attacks on data. Therefore, while Salesforce makes life easy for its users through the wide-range integration of apps, it also leaves users’ data vulnerable. Regulating APIs is the best way to ensure that they do not pose a threat.
This can be done by keeping regular tabs on the activities of the API through auditing, creating an integration user for every API that accesses your data, setting strict rules for their access permissions, and using the App Whitelisting feature to determine which apps can integrate with your system.
9. Salesforce Trust
Salesforce Trust is a useful site that helps users keep themselves safe from the latest threats to data privacy and security. This site regularly posts updates about the most common, serious, or recent malware and attacks that could pose a risk for Salesforce users.
It also provides steps that users can take to protect themselves, maintain Salesforce data hygiene, and advise what to do in case they have already fallen victim to an attack.
10. Salesforce Clickjack Protection
Clickjack is a hacking method that baits people to click on an interactive object that they believe to be safe, but which will perform some malicious action in the background.
Standard pages on Salesforce have protection against this type of hack by default. But what you can do is activate clickjack protection for Salesforce Visualforce and other pages from the Session settings.
11. Salesforce Custom Login Flows
While IP restrictions would altogether stop unnatural logins, this is not a feasible option for a company with an agile workforce.
An alternative is to define custom login flows, which will allow such logins, but only after the user passes additional security steps to ensure they are a valid user.
12. Salesforce Data Privacy Manager
The Salesforce Data Privacy Manager is a handy tool created by Elements.cloud to track and automate data privacy and customer consent fulfillment and Salesforce GDPR and CCPA compliance. It is available in the AppExchange and will greatly aid users in their mission of data privacy.
13. Salesforce Data Mask
Like APIs, another weak point for data privacy is in the Salesforce Sandbox, where security and privacy rules are far more flaccid.
To protect data in the Sandbox, users can utilize the Salesforce Data Mask to mask critical data from external users.
Conclusion
While no company, no matter how careful, can eliminate data privacy risks completely, they can do their best.
By using the right tools, employing a DPO, implementing Salesforce data cleansing best practices and change monitoring, and enforcing key business outcomes to strengthen data protection in Salesforce.
Source: Data Privacy in Salesforce
No comments:
Post a Comment