The Essential Eight — The Salesforce Edition
If you are at all interested in security and are based in Australia (or anywhere for that matter), the Australian Government’s Cyber Security Centre, the ACSC, have created the Essential Eight — eight essential threat mitigation strategies as baseline settings for every business. This baseline makes it much harder for adversaries to compromise systems.
OwnBackup have sponsored a whitepaper around the Essential Eight written by Forrester and it is a great read as Forrester have discussed it relation to the Zero Trust framework. For non-IT security folks — zero trust is a good thing, not, as its name suggests, a bad thing as it means that for accessing your data, you should have zero trust of any device, person, network or application and you need to mutually authenticate each time. See Wikipedia for more information on zero trust.
Now back to the Essential Eight — these eight strategies are:
Application control : you control which applications are able to run on your systems and block all others
Patch applications : the applications you use are kept up to date with the security patches released
Configure Microsoft Office macro settings : basically do not allow Microsoft Macros unless they are vetted and the user has a business reason for using them
User application hardening : make sure the common applications a user uses (web browsers, PDF viewers etc) are using strong security settings
Restrict administrative privileges : minimise who has administrative permissions on the applications you use
Patch operating systems : operating systems are kept up to date with security patches
Multi-factor authentication : every user should be using multi-factor authentication which is a combination of things you have and/or things you know
Regular backups : being able to recover lost data, or more often, recovering from a mistake that affected data is key to keeping a business running
The Forrester paper covers off the zero trust aspects of each of the eight strategies and then provides a good roadmap for applying them to your business. I particularly liked this as it is a good checklist to make sure you are on the right path and do not forget something important. For example, how many of us think about the business benefits tracking for programmes? You are spending money on this programme, make sure the benefits are what you thought they should be.
When it comes to your Salesforce org, you may think that these do not really apply since they are talking about operating systems and Microsoft Macros, well I think that some do… Restrict administrative privileges, multi-factor authentication and regular backups are the three that are key for you and all of them are key for Salesforce themselves when running the service. You can read more about the Salesforce response on the Salesforce Compliance Website under iRAP.
Restricting who are admins in your Salesforce environment is key. In fact, it would be good if no-one was a full admin, except the “break glass” admin user that is never used except in an emergency. I have seen too many customers having a large number of admins — sometimes nearly all users have this profile. This is dangerous for a few reasons — they can accidentally do bad things that have a large impact (accidentally deleting all the records in the system), they can see all data and therefore export it (leading to a data breach) and lastly, they can give the same rights to others. If you do not use multi-factor authentication and other mitigations around credential theft, then you are exposing a large attack vector for data access.
Multi-factor authentication is a key mitigation to the user credential theft threat. Salesforce even has password-less authentication capabilities. Most companies use some form of token generator (Salesforce Authenticator, Google Authenticator, Microsoft Authenticator, …) that follows the industry standard as well as a password. However there are other multi-factor authentication methods, Salesforce recognises a certificate installed on the PC as one factor and the password as another, so no token is required. And since multi-factor authentication is going to become mandatory for all internal Salesforce users early next year, you may want to start now to get ahead of the curve.
Now, lets get onto the interesting part of the conversation, backups… Salesforce backs up your (and everyone else’s) data as part of the service, however it is solely focused on getting the service back and running in case of a Salesforce issue. It is not designed for you to be able to request a restore at a point in time. There is a service provided by Salesforce where you pay a fairly large amount of money and around 4–6 weeks later a CSV file is delivered to you for you to manage the restore of data… This is not going to provide a decent business continuity in case of a disaster on your part.
There is also the weekly backup service — it is very similar in that its a large number of CSV files that you need to manually decipher and import manually. It is also up to a week old by definition…
You could also use Change Data Capture to catch all the changes in some objects, however you need to then decipher and store these messages and provide some form of restore and not all objects work with Change Data Capture. You could also use the API and just export the data that has changed on an hourly basis (or more regularly) and keep it somewhere to then manually reinstall when needed.
A major challenge to the above methods is the restore and especially if the underlying data structures change or you want to backup and restore metadata for features like reports, approval processes, or details about profiles or users. These are not easily achieved in the manual methods above.
Restoring the data and keeping the referential integrity intact is very difficult since rowids will change on a new load of the records.
Into this maelstrom comes partner applications and Salesforce’s recently announced Backup and Restore solution.
There is not much information available yet on what the Salesforce solution will be able to do and how much it will cost, however it is on platform and will store the data in Amazon S3 buckets — either supplied by Salesforce or you can BYO. I do not believe that the S3 bucket data is going to have an API capability in the first instance.
When it comes to partners there are a few and depending on your needs and capabilities one will suit you more. I work with two of the leaders in this space: OwnBackup and Odaseva.
Both are excellent tools and both do similar things when it comes to backup and restore. They both allow easy restores of data and metadata. You can do point-in-time restores, however they are different and have different add-on tools. OwnBackup recently purchased a fantastic security product that is also on the AppExchange — RevCult which is a differentiator for them.