February 15, 2024 | Updated on: April 8, 2024 | Reading time 11 minutes

Why you need an extra layer of protection in Salesforce

Salesforce is a leading customer relationship management (CRM) platform many organizations use today. While it is a SaaS platform, it is not immune to data loss and security challenges. Let’s see why an additional layer of protection in Salesforce is needed as we look at Salesforce data security, backup, and best practices to protect your Salesforce environment.

Enhanced Security and shared responsibility

Salesforce is the backbone of customer data management for countless businesses. This critical data repository makes Salesforce a prime target for cybercriminals and unexpected data loss. With the surge in AI data-driven processes, business-critical data, such as the data contained in the Salesforce platform, is becoming even more important in the overall decision-making process.

The Salesforce SaaS environment is the leading CRM platform among businesses today

Like most SaaS environments, Salesforce operates under a shared responsibility model: responsibility is split between Salesforce (the SaaS vendor) and the customer organization using the SaaS service. Customers must note that keeping data secure and protected, and configuring the environment correctly to minimize data mishaps, falls within the customer's responsibility.

Note the following table provided by Salesforce detailing Salesforce responsibilities vs customer responsibilities:

Salesforce shared responsibility model

Understanding Salesforce Data Vulnerabilities

Data stored on the Salesforce SaaS platform is not immune to data loss risks and can fall victim to many of the same data loss culprits that exist on-premises. Organizations must protect their Salesforce data. If compromised or lost, it can have devastating consequences for an organization and its customers. Worse, it can lead to compliance violations, fines, and legal implications, including class-action lawsuits. 

What are the common causes of data loss in the Salesforce cloud?

  1. Human error
  2. Cyberattack
  3. Salesforce infrastructure failure

1. Human error

The possibility of human error remains one of the top data loss culprits, both on-premises and in the cloud. Salesforce SaaS environments are not immune to this danger. How can human error lead to data loss? 

Admins or other users may mistakenly import data to the Salesforce cloud that overwrites existing data. Tools like the Salesforce Data Loader, a client application for bulk import and export of data, can insert, update, delete, or export Salesforce records.

If an admin or power user accidentally imports records in bulk, valid data can be inadvertently overwritten or even deleted. Bulk changes can quickly and easily wipe out thousands or even millions of data records.
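One way to catch this kind of mistake before it happens is to diff the staged import file against the most recent backup export. The following is an added example, not code from Spin.AI or Salesforce; the column names, record Ids, and the `max_changed_ratio` threshold are constructed for illustration.

```python
import csv
import io

# Constructed sample data: a backup export and a CSV staged for a bulk update.
BACKUP_CSV = """Id,Name,Phone,AnnualRevenue
001A,Acme Corp,555-0100,1200000
001B,Globex,555-0101,880000
001C,Initech,555-0102,430000
"""
STAGED_CSV = """Id,Name,Phone,AnnualRevenue
001A,Acme Corp,555-0100,1200000
001B,Globex,,880000
001C,Initech LLC,555-0199,430000
001Z,Unknown Co,555-0103,10
"""

def load(text):
    """Index CSV rows by record Id."""
    return {row["Id"]: row for row in csv.DictReader(io.StringIO(text))}

def preflight(backup_text, staged_text, max_changed_ratio=0.5):
    """Compare a staged bulk update with the last backup before it is run."""
    backup, staged = load(backup_text), load(staged_text)
    report = {"unchanged": [], "changed": {}, "blanked": {}, "unknown_ids": []}
    for rec_id, new in staged.items():
        old = backup.get(rec_id)
        if old is None:  # Id not in the backup: wrong org, wrong file, or stale export
            report["unknown_ids"].append(rec_id)
            continue
        diffs = {f: (old[f], v) for f, v in new.items() if f in old and old[f] != v}
        blanks = sorted(f for f, (o, v) in diffs.items() if o and not v)
        if blanks:  # a populated field would be replaced by an empty cell
            report["blanked"][rec_id] = blanks
        if diffs:
            report["changed"][rec_id] = diffs
        else:
            report["unchanged"].append(rec_id)
    matched = len(staged) - len(report["unknown_ids"])
    report["changed_ratio"] = len(report["changed"]) / matched if matched else 0.0
    # Hold the import for human review if anything looks destructive or too broad.
    report["block"] = (bool(report["blanked"] or report["unknown_ids"])
                       or report["changed_ratio"] > max_changed_ratio)
    return report
```

The `changed` entries keep the old and new value for every field, which doubles as the rollback data if the import is approved and later turns out to be wrong.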

2. Cyberattack

Cybercriminals are pivoting their focus to SaaS environments as organizations increasingly move to the cloud for business-critical operations and data storage. 

Customer data is a prime target of attackers, which places Salesforce in the crosshairs of cybercriminals looking for ways to compromise it. Salesforce experienced a data breach that ran from September 16 through November 11, 2019. Hackers accessed purchases from Hanna Andersson, a children’s clothing retailer, and placed the data of about ten thousand consumers on the dark web. The information included credit card numbers and personal identification.

3. Salesforce infrastructure failure

While not as common as human error and cyberattacks, infrastructure failures can lead to data loss for Salesforce clients. Cloud infrastructure is generally resilient when it comes to availability and its ability to withstand outages. However, SaaS environments fail occasionally, and data loss can occur.

For example, just a few months ago, in November 2023, some Google customers lost over a month’s worth of data stored in the Google Cloud. The culprit behind the data loss was unclear. Google has been investigating this with customers affected by the event.

Salesforce Shield protection

Salesforce has an add-on solution called Salesforce Shield, providing an advanced set of security tools. It includes event monitoring, field audit trails, platform encryption, and data classification. Salesforce Shield can also help protect sensitive data. 

1. Event Monitoring and Field Audit Trail: Keeping Tabs on Data Access

Salesforce Shield's event monitoring and field audit trails offer insights into how data is accessed and modified.

2. Salesforce Shield Platform Encryption

Shield Platform Encryption is an additional layer of security that lets customers encrypt data at rest. For strong data security, customers must use encryption strategies to protect data from prying eyes. Salesforce encryption safeguards data from security breaches and provides security controls to help bolster security posture and align with compliance requirements.

Customers can choose between probabilistic encryption and deterministic encryption, with probabilistic encryption being the more secure. It is essential to understand that Salesforce encryption is not whole-disk encryption that protects information at the disk layer. Instead, it is field-level encryption. It can also protect files and attachments once turned on. To encrypt existing files and attachments, customers have to contact Salesforce support.
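The difference between the two schemes can be shown in a few lines. This is an added example, not Salesforce's implementation: the HMAC-SHA256 keystream is an assumed stand-in for a real cipher, used only so the sketch runs with the Python standard library, and the key and e-mail rows are constructed.

```python
import hashlib
import hmac
import os

def _keystream_xor(key, iv, data):
    """XOR data with an HMAC-SHA256 keystream (illustrative stand-in for a real cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, iv + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt_probabilistic(key, plaintext):
    """Fresh random IV per call: equal plaintexts give unrelated ciphertexts."""
    iv = os.urandom(16)
    return iv + _keystream_xor(key, iv, plaintext)

def encrypt_deterministic(key, plaintext):
    """IV derived from the plaintext: equal plaintexts give equal ciphertexts."""
    iv = hmac.new(key, b"iv|" + plaintext, hashlib.sha256).digest()[:16]
    return iv + _keystream_xor(key, iv, plaintext)

def decrypt(key, blob):
    """Both schemes store the IV in the first 16 bytes."""
    return _keystream_xor(key, blob[:16], blob[16:])

def equality_groups(ciphertexts):
    """What a reader of the stored ciphertexts learns: which rows hold the same value."""
    groups = {}
    for row, ct in enumerate(ciphertexts):
        groups.setdefault(ct, []).append(row)
    return sorted(g for g in groups.values() if len(g) > 1)

KEY = bytes(range(32))  # constructed demo key, never use a fixed key in practice
EMAILS = [b"ann@example.com", b"bob@example.com", b"ann@example.com"]  # constructed rows
```

With deterministic encryption, `equality_groups` reports that rows 0 and 2 match, which is what makes exact-match filtering on an encrypted field possible and also what it reveals; with probabilistic encryption the same call returns nothing.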

3. Data classification

Salesforce Shield also provides data classification capabilities. It allows companies to find and classify critical information. 

Best Practices for Enhancing Salesforce Data Security

While Salesforce is built around data security, there are additional steps Salesforce admins can take to protect their organization’s data further. These include the following best practice recommendations that play a critical role in your Salesforce instance:

  • Use of multi-factor authentication (multiple verification methods)
  • Regular security audits
  • Implementing transaction security policies
  • Educating users on security protocols.

Encrypt Salesforce data

Encrypting data is one of the cornerstone defenses against data breaches as it helps to protect sensitive data and make it inaccessible to unauthorized users. Salesforce offers Shield Platform data encryption to protect data in fields, files, and attachments.

Encrypted data is unreadable without the encryption keys and protects data integrity. If data is leaked, it cannot be read without the encryption keys that unlock it. With Salesforce Shield encryption, customers can use Salesforce-managed keys or bring their own key from customer-managed PKI infrastructure.

Data protection and backups

A well-rounded data protection strategy includes the best practices we have covered, such as encryption, user access controls, regular monitoring, and compliance checks. However, Salesforce security also includes protecting your data using regular backups.

As mentioned earlier, data can be lost for several reasons, including human error, cyberattacks, and infrastructure failure. Having solid, up-to-date backups allows for recovering data lost for any of these reasons.

Salesforce Partners and Third-Party Applications

Like other SaaS environments that allow third-party app integrations, organizations can enhance Salesforce functionality with third-party applications. However, this introduces potential security risks.

As part of their cybersecurity plans, companies must maintain visibility into and control over third-party apps integrated with their Salesforce data, along with the means to govern which integrations are allowed. Doing so helps with compliance and minimizes the risk of shadow IT.

SpinOne for Salesforce provides modern security and backup for Salesforce data

Organizations may find the native Salesforce tools are not cost-effective or lack features. SpinOne for Salesforce is a cutting-edge third-party solution that protects organizational sales pipelines against data loss or corruption. It enables comprehensive backup of all Salesforce objects and classifications, incorporating several essential features:

  • Comprehensive backup of all Salesforce queryable data and metadata
  • Capabilities for restoring individual data entries, object relations, or entire organizational data
  • Tools to compare and export modifications made to Salesforce data and metadata
  • Insights into Salesforce data changes for timely intervention
  • Backup, comparison, and recovery functionalities for Sandbox data and metadata
  • Enhanced speed for backup, comparison, and restoration processes through the utilization of two unique APIs
  • A 99.9% SLA guarantee for data recovery, supported by secure AES-256 encryption
  • Administrative control over Salesforce API limitations

SpinOne for Salesforce distinguishes itself in the SFDC Backup market with several unique advantages:

  1. Bulk API 2 Utilization: By leveraging Bulk API 2 and a second API, SpinOne executes requests more swiftly while staying within Salesforce API limits.
  2. Enhanced Operation Speeds: The intelligent API utilization system employed by SpinOne significantly accelerates backup, comparison, and restoration tasks, outperforming competitor speeds.
  3. Complete File Backup: Unlike its competitors, SpinOne offers the capability to back up all files stored within SFDC, including options for file export.
  4. Unified Login System: SpinOne provides a single login portal for customers, regardless of their data center location.
  5. Accurate Object Classification: SpinOne accurately classifies and presents a valid count of protectable objects, avoiding the overestimation often seen with competitors.
  6. Cloud Provider Options: Customers can choose between AWS, GCP, and Azure for data protection, benefiting from multiple data center regions globally.
  7. Consolidated UI for SaaS Tools: SpinOne integrates data protection for Google Workspace, Office 365, and Salesforce within a single user interface, facilitating seamless navigation. The platform plans to expand its service offerings in 2022, positioning itself as a comprehensive solution for protecting critical SaaS applications.

If you would like to speak with a Spin Solution Engineer to learn how SpinOne can protect your Salesforce environment, click here to schedule a demo: Request a Demo of SpinOne.


About Author

Nick Harrahill is the Director of Support at Spin.AI, where he leads customer support, success, and engagement processes.

He is an experienced cybersecurity and business leader. Nick’s industry experience includes leading security teams at enterprise companies (PayPal, eBay) as well as building programs, processes, and operations at cyber security start-ups (Synack, Elevate Security, and Spin.AI).

Credentialed in both cyber security (CISSP) and privacy (CIPP/US), Nick has managed teams focused on vulnerability management, application security, third-party risk, insider threat, incident response, privacy, and various facets of security operations.

In his spare time, Nick enjoys trail running and competing in ultra-marathons, camping, hiking, and enjoying the outdoors.

