As with most SaaS applications, within Salesforce it is your organization’s responsibility to determine whether Salesforce’s default security settings meet your specific security and compliance obligations.
Read this online guide, for free, to learn about the problem of data exposure in Salesforce and how to ensure compliance with HIPAA, PCI, and other leading industry standards while storing sensitive data in Salesforce. You can also download this guide here.
What can contribute to data exposure risk in Salesforce?
Salesforce environments present unique challenges for ensuring infosec best practices are followed:
- Organizations may lack dedicated stakeholders explicitly responsible for understanding how security policies and best practices should inform Salesforce platform configuration
- Use of standard and custom objects and fields must be actively audited for compliance with PCI DSS, CCPA, and HIPAA, as well as with internal security policies and practices.
- Sandbox organizations are often a lower priority, yet they can be a large attack surface: Full and Partial Copy sandboxes are populated from production data, so sensitive records end up in environments that receive far less scrutiny than production.
- Emails, attachments, and Chatter messages add complexity by expanding both the number of places where data can live and the types of sensitive data security teams must look for.
- Many organizations using Salesforce have never classified their data and therefore do not know what data is part of their risk surface or where it is located.
- Insider threats are serious: the more users who have access to sensitive data, the greater the risk to the Salesforce org.
What are the consequences of data exposure risks in Salesforce?
Failure to mitigate data exposure risks in Salesforce can lead to compliance violations or data breaches stemming from:
- Real-time exposure: Sensitive data can be entered into standard or custom objects such as case comments, accounts, or attachments and seen immediately by unauthorized users.
- Sandbox data exposure: Without automated tooling to mask sensitive data, manually managing data privacy in sandbox orgs is cumbersome and can lead to exposure incidents that result in non-compliance.
Best practices for protecting sensitive data in Salesforce
1. Identify engaged stakeholders who know Salesforce well, make protecting sensitive data in Salesforce a top priority, and use your security and compliance policies to determine the appropriate Salesforce security configurations and user practices.
2. Implement the security and privacy configurations your compliance and security policies require (multi-factor authentication, field-level encryption, etc.) and ensure employees understand why these configurations must be maintained.
3. Invest in technologies like cloud data loss prevention (DLP) to enforce consistent sensitive data protection policies across all your cloud applications from a centralized product. DLP can also streamline Salesforce security across orgs to auto-discover sensitive data, enforce protection controls and continually meet compliance requirements.
What is Data Loss Prevention (DLP)?
DLP detects confidential or sensitive information (such as credit card numbers, PII, and API keys) shared within Salesforce by scanning the content of messages and files against predefined policies, and then enforces those policies on anything that violates them.
DLP is important for both security and compliance reasons. With DLP in place, you’ll be able to:
- Protect users from accidentally or intentionally sharing sensitive information.
- Train and coach users on your data sharing policies.
- Ensure compliance with HIPAA, PCI, GDPR, and more.
- Reduce manual time spent reviewing sensitive data that might lead to incidental data exposure in Salesforce.
How does Salesforce benefit from DLP?
Highly customizable CRM applications like Salesforce, holding enormous amounts of sensitive data, create environments where data privacy and security best practices are difficult to maintain or enforce without an excessive time or resource commitment. Data loss prevention provides companies with a feasible way to address this problem.
Does Salesforce have DLP functionality built-in?
No, Salesforce relies on third-party apps (like Nightfall) to provide DLP functionality in Salesforce. DLP is critical to help maintain compliance with HIPAA, PCI, and other regulatory requirements.
How do I implement DLP on Salesforce?
- Grant access to your Salesforce org via OAuth 2.0. As with any OAuth-connected integration, authorize it as a dedicated integration user whose profile or permission sets grant only the objects and fields you intend to scan, rather than a personal admin account. Nightfall's API-based integration can start scanning the selected objects in seconds.
- No additional setup, tuning, or installed agents are required. Request a free trial with us.
Does Nightfall support any Salesforce edition?
Nightfall Enterprise is designed for:
- Salesforce Enterprise
- Salesforce Unlimited
- Salesforce Developer
- Salesforce Performance
Both production and sandbox organizations are supported. Nightfall creates Apex triggers to scan objects and fields in real time across these editions. Note that Apex is not available in Professional Edition (outside of certified managed packages), so trigger-based real-time scanning depends on running one of the editions listed above.
What is Nightfall DLP?
Nightfall is a platform to discover, classify and protect sensitive data across cloud SaaS & cloud infrastructure.
- Nightfall supports compliance efforts with a number of industry standards like PCI DSS, GDPR, HIPAA, CCPA, and much more.
- Nightfall works by continuously monitoring data flowing in and out of data silos and classifying that data with machine learning. Data classified as sensitive can be automatically quarantined, deleted, or redacted by workflows.
- Nightfall integrates with Salesforce via API, so you can get started immediately. Start in minutes and tell Nightfall which objects, fields, or files to scan in real time for PII, PHI, PCI, API keys, and more.
How does Nightfall work?
- Discover: Continuously monitor sensitive data flowing into and out of Salesforce in comments, fields, and objects.
- Classify: Machine learning classifies your sensitive data and PII automatically, without prior tuning or tagging, so nothing gets missed.
- Protect: Take manual actions or set up automated DLP workflows for quarantines, deletions, alerts, and more, saving you time and keeping your business safe.
Key Benefits of Nightfall
- Install in minutes – no setup, tuning, or agents required.
- Leverage pre-trained, standard detectors out of the box for PII, PHI, PCI, credentials & secrets, and more.
- Customize Nightfall detectors and build your own detectors.
- Apply policies with a high level of granularity to individual objects and fields in Salesforce.
- Real-time alerts directly in Slack for ease of use.
- Integrate with multiple SaaS applications like Google Drive, Jira, and GitHub, and use the same detection settings across them.
- Enterprise-grade security, including TLS for data in transit, AES-256 encryption, and SOC 2 compliance. Nightfall also fits into your security workflow by integrating with products like your SIEM, issue tracker, and more.
- Detailed Help Center, high-touch support, and a dedicated customer success manager.
What does Nightfall DLP detect in Salesforce?
- DLP solutions should be equipped to scan a broad set of data types, including personally identifiable information (PII), protected health information (PHI), financial and payment card information (PCI), health and networking data, credentials and secrets (API keys, cryptographic keys), and more.
- Nightfall comes with pre-built detectors out of the box that cover a comprehensive set of data types, industries, and geographies.
- Nightfall also lets you add custom detectors, rules, keywords, and regexes. Review our list of Detectors and learn more about them in our Help Center.
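To make the detect-and-enforce loop described above concrete (scanning field content against detectors, validating matches to cut false positives, and applying a per-field policy such as redact or alert), here is an added, self-contained Python example. It is illustrative code written for this page, not Nightfall's implementation or the Salesforce API; the sample records, field names, detector patterns, and the `project_codename` custom keyword detector are constructed assumptions. The credit card detector applies a Luhn check so that a 16-digit order number is not flagged, and the redaction step walks findings right to left so earlier offsets stay valid.

```python
import re
from dataclasses import dataclass
from typing import Callable, Iterator, List, Optional, Tuple

# Constructed sample rows shaped like Salesforce CaseComment and Contact records
# (not real data). The second CaseComment carries a 16-digit run that fails Luhn.
SAMPLE_RECORDS = [
    {"sobject": "CaseComment", "Id": "00a000000000001",
     "CommentBody": "Customer card 4111 1111 1111 1111 exp 12/27, please refund."},
    {"sobject": "CaseComment", "Id": "00a000000000002",
     "CommentBody": "Order number 4111111111111112 shipped."},
    {"sobject": "Contact", "Id": "003000000000001",
     "Description": "SSN 123-45-6789 on file; key AKIAIOSFODNN7EXAMPLE"},
    {"sobject": "Contact", "Id": "003000000000002",
     "Description": "Project codename BLUEHERON shared with vendor"},
]


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: separates real card numbers from look-alike digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(value: str) -> bool:
    """Reject SSN-shaped strings the SSA never issues (area 000/666/9xx, group 00, serial 0000)."""
    area, group, serial = value.split("-")
    return area not in ("000", "666") and not area.startswith("9") \
        and group != "00" and serial != "0000"


@dataclass(frozen=True)
class Finding:
    detector: str
    start: int
    end: int
    value: str


@dataclass(frozen=True)
class Detector:
    name: str
    pattern: "re.Pattern"
    validate: Optional[Callable[[str], bool]] = None   # post-match check to cut false positives

    def find(self, text: str) -> Iterator[Finding]:
        for m in self.pattern.finditer(text):
            if self.validate is None or self.validate(m.group(0)):
                yield Finding(self.name, m.start(), m.end(), m.group(0))


# Pre-built detectors (illustrative; Nightfall's real detector set is documented in its Help Center).
BUILTIN_DETECTORS = {
    # 13-19 digits, optionally separated by spaces or dashes, and Luhn-valid once stripped.
    "credit_card": Detector("credit_card", re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
                            lambda v: luhn_valid(re.sub(r"[ -]", "", v))),
    "us_ssn": Detector("us_ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_plausible),
    # AWS access key IDs are 20 characters starting with AKIA (long-term) or ASIA (temporary).
    "aws_access_key_id": Detector("aws_access_key_id",
                                  re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")),
}


def custom_keyword_detector(name: str, keywords: List[str]) -> Detector:
    """A customer-defined keyword detector, the equivalent of a custom rule or regex."""
    alternatives = "|".join(re.escape(k) for k in keywords)
    return Detector(name, re.compile(rf"\b(?:{alternatives})\b"))


@dataclass(frozen=True)
class FieldPolicy:
    sobject: str
    field: str
    detectors: Tuple[str, ...]   # which detectors apply to this object/field
    action: str                  # "redact" rewrites the field, "alert" reports only


@dataclass
class ScanResult:
    record_id: str
    sobject: str
    field: str
    action: str
    findings: List[Finding]
    output: str                  # field value after the policy action


def redact(text: str, findings: List[Finding]) -> str:
    """Replace each finding right to left so earlier offsets remain valid; skip overlaps."""
    out, cursor = text, len(text)
    for f in sorted(findings, key=lambda f: (f.start, f.end), reverse=True):
        if f.end > cursor:       # overlaps a span already redacted
            continue
        out = out[:f.start] + f"[{f.detector.upper()} REDACTED]" + out[f.end:]
        cursor = f.start
    return out


def scan_records(records, policies, detectors) -> List[ScanResult]:
    """Apply each field policy to matching records; one ScanResult per field with findings."""
    results = []
    for rec in records:
        for pol in policies:
            text = rec.get(pol.field)
            if rec.get("sobject") != pol.sobject or not text:
                continue
            findings = [f for name in pol.detectors for f in detectors[name].find(text)]
            if not findings:
                continue
            output = redact(text, findings) if pol.action == "redact" else text
            results.append(ScanResult(rec["Id"], pol.sobject, pol.field, pol.action, findings, output))
    return results


# Assumed policy: card/SSN/key data in case comments is redacted; contact descriptions only alert.
SAMPLE_POLICIES = (
    FieldPolicy("CaseComment", "CommentBody", ("credit_card", "us_ssn", "aws_access_key_id"), "redact"),
    FieldPolicy("Contact", "Description",
                ("credit_card", "us_ssn", "aws_access_key_id", "project_codename"), "alert"),
)


def run_sample() -> List[ScanResult]:
    detectors = dict(BUILTIN_DETECTORS)
    detectors["project_codename"] = custom_keyword_detector("project_codename", ["BLUEHERON", "REDKITE"])
    return scan_records(SAMPLE_RECORDS, SAMPLE_POLICIES, detectors)


if __name__ == "__main__":
    for r in run_sample():
        names = ", ".join(f.detector for f in r.findings)
        print(f"{r.sobject}.{r.field} {r.record_id}: {r.action} [{names}] -> {r.output}")
```

Running it flags the Luhn-valid card in the first case comment and rewrites it, ignores the order number that merely looks like a card, and reports (without altering) the SSN, AWS key ID, and custom codename found on the contacts. A real deployment would pull the field list from the org's schema and apply the action through the Salesforce API; the validation and policy structure are what carry over.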
Does Nightfall DLP for Salesforce scan files too?
Nightfall supports a broad set of file types including but not limited to xls/xlsx, doc/docx, csv, plain text, ppt/pptx, PDF, HTML, and more.
How do I get started?
- To get started with Nightfall, schedule a call with our sales team or contact us directly at email@example.com with any questions.