top of page
Search
  • Writer's pictureDoug Merrett

Cybersecurity Best Practices Guidance from the “5 Eyes” governments



Why am I asking you to look at this? It isn’t because you run a smart city, it is because the recommendations are useful anywhere and the authors have great links to places where you can learn more or get deeper information.

So, look at the article and skip to the Recommendations section (unless you are building a smart city).

I have provided a quick rundown of each recommendation:

  1. Apply the principle of least privilege The NSA has a short 4 page document on managing this and it corresponds well to Salesforce. - How many administrators do you need? (As few as possible) - Monitoring for anomalies (Use Setup Audit Trail to see promotion of users to admin or creation of admins) - Removal of privileges when they are no longer needed (Use expiry dates for permission sets)

  2. Enforce multi-factor authentication - Just do it. - You can use physical security keys, certificates, Touch ID or Windows Hello to provide MFA as well as authenticator apps. See Identity Verification in the Salesforce Setup area.

  3. Implement zero trust architecture This is mainly for folks who have their own network infrastructure, however it is gaining traction elsewhere

  4. Manage changes to internal architecture risks Again, more towards folks who have their own network infrastructure, however some tidbits around vulnerability scanning. This is a key feature for your corporate laptops/desktops. Make sure they are updating their OS, browser and anti malware tools often.

  5. Improve security of vulnerable devices If you have a VPN for your corporate access, there is some guidance here for you.

  6. Protect internet-facing services Salesforce does the majoity of this for you: - Credential Stuffing protection (and alerts if you have Event Monitoring)

  7. Patch systems and applications in a timely manner Again Salesforce does this for their systems, however you need to do it for yours, see #4 above.

  8. Review the legal, security, and privacy risks associated with deployments These are always changing and you need to keep on top of them. Regulated industries have many requirements in this area, however anyone holding Personally Identifying Information (PII) needs to be aware of your privacy requirements.

  9. Managed Service Providers and Cloud Service Providers The US Federal Trade Commission has a short blog article on keeping your data safe in cloud providers. Its six points are very useful for a starting point for discussions.

  10. Operational Resilience & Backup systems and data Pretty self explanatory, however many Salesforce customers do not do backups and they should. Look to the two market leaders in the space — Odaseva and OwnBackup.

  11. Develop and exercise incident response and recovery plans Things will go wrong. Follow the advice from the specialist departments and you will be in a better place when things do go wrong.

Thanks for reading and I hope this is of value. Please leave me comments/questions below.

40 views0 comments

Recent Posts

See All

Java, WSC, JWT and Connected Apps

You should not be using Username/Password authentication for API access - let's have a look at how to use JWT and Salesforce's WSC to do it.

Comments


bottom of page