ScottMaden is a management consulting group that supports Fortune 500 companies. The service provider focuses on two primary business areas: the energy sector and corporate & shared services. With 40-year experience in the industry, ScottMadden provides its clients with strategic planning through implementation across different business fields and functions.

Addressing numerous global clientele challenges represents ScottMadden’s expertise in sophisticated planning. Therefore, how does a company with up to 250 full-time employees throughout the United States and three local East Coast offices face internal security issues? Clinton Miller, IT Director of ScottMadden, shares their story on filling in the missing links in the organization’s cybersecurity strategy.

The Challenge

Securing employees on the go the right way

The company consults domestic and international clients — employees travel quite a bit to client sites and work hands-on on their projects. Hence, a hybrid work model wasn’t the new normal for the organization once the pandemic hit.

ScottMadden consultants spend a lot of time in airports and other public spaces where they would connect to the airport or mobile hotspots and hotel wifi. Yet, the company’s solution wasn’t as good for protecting and running smoothly while traveling.

“The concern was to improve the existing security model and ensure our employees had an encrypted connection regardless of which network they were on.”

Click to tweet

Having better performance, following industry best practices, and fulfilling client requirements to protect data outside the office were the driving factors in looking for a change. But is there a solution that can solve the problem effectively and efficiently onboard?

The Solution

Streamlined client drive-out to different environments

The traveling ScottMadden consultants and employees working from home used to rely on browser-based encryption. Using built-in data encoding in Office365 applications allowed them to perform job tasks and communicate with teams with some security levels.

However, the issue was the poor connection flow while video conferencing — latency is a deal breaker for online business meetings in a remote setup.

“Everyone during the pandemic did a lot of video conferencing via Google Meet, Microsoft Teams, or Zoom. We aimed to ensure there was a minimal impact on video calls.”

Click to tweet

One thing is handling latency to elevate employees’ and clients’ experience. But can the transition process administratively have a minimal impact on existing company infrastructure and cybersecurity strategy?

“One of the things we wanted to do was to push out the client fairly easily, operating on an SSO solution already in use.”

Click to tweet

ScottMadden uses solution Azure AD single sign-on solution for user identification within the organization. The company operates in macOS and Windows environments, so the chosen solution had to fit into the criteria for integration and simplicity.

Why choose NordLayer?

NordLayer solution is compatible with major service providers on the market. Thus, the company could integrate with AzureAD IAM solution and roll out organization-wide onboarding to a new solution using existing SSO.

The endpoint management solution allowed remote access in macOS and Windows environments.

“The implementation of NordLayer went a lot easier when we connected clients to Azure AD. It relieved us from setting up new individual accounts for every 250+ people in the organization.”

Click to tweet

The IT Director handled the process — it didn’t require a lot of resources and time to deploy the solution in the organization.

Organization onboarding using Azure AD by ScottMadden

According to Clinton Miller, the IT Director of the company, the longest step was to create an Azure group and add NordLayer. Once it was solved, the complete rollout to NordLayer solution took only a few hours.

The Outcome

Onboarding to a chosen solution enabled the company to secure team connections and extensive access to functionalities that comply with ScottMadden set benchmarks. Achieving data security didn’t have to compromise connection speed and video conferencing quality.

“Anytime employees are outside the office – at home or coffee shop – wherever they might be, we validated that they can reach all the services they needed, and speed wasn’t an issue.”

Click to tweet

The t
ransition to the new tool was heavily based on the company’s SSO. The documentation, knowledge base, and support team are highly responsive with communication to walk IT leaders through the process.

“For other potential decision-makers: onboarding NordLayer isn’t a heavy lift — you have the support and knowledge base ready, so it’s pretty straightforward.”

Click to tweet

Moreover, NordLayer’s Control Panel provides a good cross-reference point for those using the tool while working outside the office by filtering ongoing active connections.

It also delivers another step in the reporting process for the IT admin and the whole organization. For instance, it verifies that the organization follows internal policies by exporting connection data to verify and justify to a third-party audit.

Pro cybersecurity tips

Different sectors, industries, and services, but the same goal unites every organization’s IT leaders — securing their company assets. Following best practices and professional knowledge helps achieve security targets easier. Clinton Miller, the IT Director at ScottMadden, shares his top-on-the-list tips:

Do you need to upgrade existing tools used in your organization to align with best practices in the industry, improve processes and performance for the team, or expand your capabilities of tracking and reviewing the implemented security strategy?

Using NordLayer, you can integrate more features and functionalities with the organization’s preferred tools, service providers, and IAM solutions. It is possible without committing to massive changes and re-organizing current policies and infrastructure. Reach out to find out about your options on how to secure connections for the off-office employees and improve their experience while working online.

The lines are blurred in the modern business lifestyle. There’re no boundaries between employees working from the office or anywhere in the world. And technological privilege enables linking personal devices to work applications for user and organization convenience.

This flexibility and ability to be mobile also mean that business matters simultaneously mix with personal activities online. And mobility is not alone to blame — the internet is often a necessary tool to perform job tasks and operate in different organization layers. Uncontrolled access to the internet provides vast resources incompatible with the work environment. How to manage what employees can do online without imposing risks on the company?

Deep Packet Inspection (DPI) is one of the most straightforward tools that limit free roaming online while connected to the company network. Establishing a set of restrictions helps create a secure perimeter for online activities within the company network.

It’s an important feature that supports performance and security efforts. Non-work-related activities can distract and reduce productivity. Moreover, entering various websites and apps can lure employees into malicious activities, so DPI is a choice for IT administrators to get a grip on the company’s traffic flow.

DPI solution using NordLayer

NordLayer solution offers a DPI Lite feature that allows IT administrators to control what user-requested data goes through or gets blocked from entering the company’s network.

The DPI Lite technology at NordLayer works on nDPI open-source protocol classification engine. It offers the most popular and acknowledged services  (ports and protocols) that are used by websites and network apps to operate on the internet.

With NordLayer, admins choose specific ports and protocols they want to include in the custom-defined block list. The policy applies only when a user is connected to the organization’s virtual private gateway. Thus, employees who work on job-related projects can’t simultaneously use blocklisted online resources and network applications with restricted access.

How does NordLayer’s DPI Lite feature work?

The cloud-based feature is available only with a virtual private gateway configuration. It’s set to active within 24 hours upon request. IT admins can add or remove specific ports and protocols open to access through the company’s network. They can do it by submitting an inquiry via NordLayer’s Control Panel.

The IT administrators can navigate and choose from a wide range of alphabetically arranged services (no slot restriction) that cover dual-use online resources, potentially harmful to business operations:

1. Apple services

2. Domain Name System

3. E-commerce

4. Email client protocol/Email services

5. File sharing

6. Gaming

7. Google services

8. Hypertext Transfer Protocol

9. Identity

10. Infrastructure/Networking

11. IP tunneling protocol

12. Messaging protocol/services

13. Microsoft services

14. Monitoring/SCIM

15. Music streaming services

16. News services

17. Peer-to-peer file sharing

18. Remote Access

19. Social media

20. Software Development

21. Streaming services

22. VoIP protocol

23. VPN services

24. Other (miscellaneous)

Our internal data shows the tendency to stop services primarily related to unapproved Peer-to-peer file sharing, Social media, and Gaming categories. It comes as no surprise that customers are particularly interested in limiting access to non-work-related services that impose the biggest risks to company assets and staff performance.

However, if an employee needs access to company-level blocked sources, for example, a Social Media Manager working on Facebook and LinkedIn, IT administrators can purchase a separate dedicated Virtual Private Gateway for such employees and configure it with fewer restrictions.

The categories expand to a complete list of 250 available ports and protocols. You can choose only certain types of services, like blocking all messaging services except Slack, used for organizational communication.

NordLayer’s DPI Lite feature is managed only by the IT administrator and doesn’t have an ON/OFF function on the user side. The feature operates on the Application layer (OSI model Level 7) and Browser layer (OSI model Level 3). It means DPI inspects incoming data on the web and within network apps.

Enabled DPI Lite runs when the user, connected to the company’s virtual private network (or VPN), sends a request to access online resources or uses network-dependent applications. Once disconnected from the organizational network, the DPI policy isn’t active. Thus, it’s crucial to permit access to internal resources and applications only when they are connected to the network.

The incoming data is screened and filtered using the nDPI engine against the DPI Policy defined by the company’s IT administrator. The user is connected to a requested website if traveling data packets don’t include blocked services.

However, the connection to the requested online resource is restricted if there is a match between the data packet and the DPI block list policy.

How NordLayer’s DPI Lite is different?

Some solutions allow DPI to incorporate extensive categories and be customizable for every client’s preferences to restrict content online. However, a more complex approach may lead to excessive expenses. It may also require challenging configuration and become limiting to the company’s disadvantage.

Extensive data processing defined with all types of possible keywords can disrupt the connection flow and block access to online resources that initially weren’t intended to be restricted. On the other hand, if the company is set for hardware infrastructure and decides to continue with the same type of DPI technology, it will need to know how to configure and perform in-house maintenance. All these additional steps create an unnecessary workload for IT administrators.

To streamline the DPI implementation to the company infrastructure, NordLayer incorporates an easy-to-launch and control DPI Lite feature. It is cloud-native and easy to add or remove without investing in excessive resources. Its activation takes short notice and can be managed centrally, enabling flexibility and focus to the teams and operations:

• Keep productivity on point. NordLayer’s DPI Lite feature encloses the company network with work-only online resources within employees’ reach. Leave no space for distractions, so teams are less likely to spend time on their personal activities and decrease the chances of human error.

• Establish security levels. Entering unsecured websites or downloading data to work-linked endpoints can become a freeway for malicious actors accessing internal data and resources. DPI Lite can help filter out hidden remote computer access and control software planted by cybercriminals.

• Quick implementation and adoption. DPI Lite, like all the other NordLayer features, is entirely cloud-based and thus simple to integrate into existing infrastructure. Besides short enablement time, it is compatible with other data processing features like DNS filtering by category, constructing a more robust organization security posture.

• Easy to adhere to business needs. The categories or services of DPI Lite are simple to manage. A complete list or a few exceptions can be added or removed from the DPI Policy as required to suit the company’s service scope.

NordLayer offers a packet inspection solution that doesn’t overwhelm network security strategy and focuses on the most common business pain points. A well-sifted service list doesn’t leave space to overthink data to block or spend time researching what online resources to consider, so no openings are left. Overall, DPI Lite helps organizations handle their teams’ efficiency and activity while at work.

Benefits of DPI Lite

Establishing limits for online activity while working is like a reminder to focus on your tasks. But it’s not just about preventing employees from distractions using company gateways.

Adding DPI Lite as an additional security measure fortifies network security and advances business performance in different ways.

Prevent data leaking

Whether intentional or accidental, data leaks are damaging to businesses. DPI Lite adds to security measures by restricting the download of data-leaking apps or the usage of data-sharing and emailing services. Suppose employees try to send files from the company network via Dropbox or Google Drive. In that case, DPI Lite will recognize data packets containing related ports, protocols, and headers and will stop the action from completing the request.

Eliminate traffic overload

Online activities create traffic on network gateways: the more requests, the more overloaded infrastructure, ultimately resulting in performance issues. DPI Lite implementation to the virtual private gateways helps limit created traffic as users cannot access online resources. Online streaming and seeding services or visual-heavy social media increase network usage a few folds. Hence, with DPI blocking, fewer data packets must be inspected and unclog the network. Out of user sight, out of admin mind.

Protect static IP addresses

Unrestricted internet usage could create convenient conditions for employees to hide behind company IP addresses to perform illegal activities. For exampl
e, using torrents on a work network can result in copyright holders initiating blocked IP addresses or even legal prosecution for piracy on the organizational level.

With open internet access, scam attempts have a free pass. If law enforcement authorities identify IP during their investigation of a crime done by your employee from the company’s IP address, it might lead to the company’s liability and even hardware confiscation. Hence, whether the network is managed internally or via a vendor like Internet Service Provider (ISP), deep packet inspection as an additional security measure can help establish internal online activity limits to prevent any illicit acts from happening under the company name.

Entering NordLayer’s DPI Lite

Organization-first mindset while at work or dealing with company-related content can be seen as restricting user activity. Although it’s a strong push toward cybersecurity strategy implementation, preventing possible gaps and openings.

Deep packet inspection is part of the bigger picture when combined with other NordLayer security features like DNS filtering by category, ThreatBlock, and Jailbroken/rooted device detection. Enforcing our remote network access solution into your company infrastructure and activating the DPI Lite feature is a matter of a couple of days or less. Organization administrators need to access NordLayer Control Panel, navigate to Servers or Gateways under the Network tab, and configure it by selecting Deep Packet Inspection (Lite) categories as required.

Utilizing simple and affordable tools like NordLayer’s DPI Lite doesn’t overcomplicate the existing cybersecurity strategy and upgrades team productivity, network performance, and company security for better business performance.

This flexibility is a game-changer for many businesses. But there’s a catch. To function properly, it’s essential to create a secure Azure environment. Otherwise, cloud apps and databases can leak sensitive data. Credentials may be at risk, and companies can suffer huge compliance penalties.

Fortunately, solutions exist. This blog will explain how to secure your cloud environment with Azure security best practices. And we will look at how to create a layered security strategy that goes beyond Microsoft’s controls.

Why is securing access to Azure so important?

Azure security matters because Microsoft’s cloud platform hosts a range of critical assets. Companies use Azure to host .Net apps for web applications or gaming DevOps. Azure storage accounts host SQL databases containing client data, while Kubernetes clusters support private cloud infrastructure.

Whatever Azure services companies rely on, security is a priority. Insecure Azure apps can leak data and provide an entry point for cyber attackers. And you cannot rely on Microsoft to cover every security challenge.

Azure clients have wide areas of responsibility to secure their cloud configuration. Clients need to restrict access to sensitive data. Users must manage access and exclude malicious actors. They also have to manage how data flows between cloud apps. The need for an Azure security policy is obvious when you put these tasks together.

Microsoft Azure security best practices

Any companies that rely on Microsoft’s cloud services should get to know Azure security best practices.

The best approach is adopting a layered strategy. Users should exploit security tools provided by Microsoft. But they should add additional security controls where necessary. These Azure security best practices will explain how the layered security approach works.

1. Map Azure assets and create a compliance strategy

The first step in layering Azure security is understanding the cloud environment. Before applying any of the best practices below, you must understand what assets need to be protected.

Map the cloud assets on your Azure platform. Include all apps and data stores, and classify data according to importance. You should know exactly where client data is stored and who has access to that data.

It is also advisable to create a clear compliance strategy for Azure environments. Define your core goals, including HIPAA, DCI-PSS, or GDPR compliance. Use these data security frameworks as a baseline to improve Azure security and meet regulatory requirements.

Track your compliance progress with the scoring tools in the Azure Security Center. The compliance dashboard provides detailed information about security levels and required actions.

2. Encrypt critical data

Data security on Azure apps is the responsibility of clients, not Microsoft. So take action to encrypt data and hide it from malicious actors.

Encrypt sensitive data at rest using Microsoft’s server-side symmetric key encryption tools. You can use these tools to segment data by importance. This ensures that operational data is available to employees. But financial or personal information is only accessible to users with specific encryption keys.

Azure Disk Encryption works alongside Microsoft’s SSE. It creates another layer of data security for virtual machines and data containers. This reduces the risk of attackers exploiting Virtual Hard Disk (VHD) files. Attackers will find it much harder to create virtual machines within Azure environments.

When you apply Azure encryption, key storage is your responsibility. Secure encryption keys in IAM controls in place to prevent unauthorized access. The Azure Key Vault is a good key management solution and integrates well with Azure app environments.

Users should also encrypt sensitive data in transit. Data constantly flows between Azure apps, remote devices, and on-premises workstations. VPN encryption provides a solution, adding another layer of protection above Azure security controls.

3. Create a backup and disaster recovery plan

A strong Azure security posture features a fall-back plan when systems fail, or attackers succeed. Microsoft offers an end-to-end DR service via Azure Site Recovery (ASR). Combine this with Azure Backup to create tailored data backup plans.

With an ASR failover plan, you can recover application states with minimal information loss. You might also add Azure Storage Replication, which regularly generates multiple copies of important files.

4. Secure sensitive data with robust controls

Encryption is not the only data security control for Azure users. Consider a range of additional tools and find a mix that secures sensitive data without compromising user experience. Options to think about include:

• Activate auditing tools. Users can instruct Azure to audit databases. This creates a data stream that tracks database changes. Data visibility makes it easier for security teams to detect anomalies and unsafe user activity.
• Add Azure SQL threat detection. Many Azure apps rely on SQL, but SQL presents critical security threats. Using SQL databases, turn on SQL threat detection to isolate security weaknesses and secure the threat surface.
• Use Azure Firewall. Azure Firewall adds another layer of data security protection for Azure-hosted apps. You can manage firewall settings centrally, and coverage can increase as new apps come online. Cloud-native TLS inspection provides valuable protection against malware attacks.
• Enable Azure Monitor alerts. Gain additional awareness by engaging Azure Monitor alerts. Users can target alerts at single resources and use many metrics to identify vulnerabilities. Azure Monitor Action Groups make it easy to automate alerts and deliver precise information when threats arise.
• Implement Azure Defender. Defender is a subscription-based security service that leverages extended threat detection and response (XDR) and contextual security. It covers hybrid and multi-cloud environments, delivering threat protection and remediation advice. Azure Defender may well be a sensible addition when securing complex cloud environments,
• Use Shared Access Signatures. Created via Active Directory, Shared Access Signatures let you manage access to Azure resources to third parties and employees for limited periods. Best practices include creating a SAS for all short-term network users, as it allows admins to set granular controls.

5. Manage access with IAM

Preventing illegitimate access to cloud infrastructure is one of the most important Azure security best practices. The best way to manage user access is by adding Identity and Access Management (IAM) to your security arsenal.

Microsoft provides a cloud-native IAM system called Azure Active Directory (AAD). AAD authenticates logins and compares user credentials to a secure Active Directory database.

IAM best practices for Azure include using AAD to set role-based access controls (RBAC). With RBAC, admins can put the Zero Trust ‘principle of least privilege’ into action. Every user has very limited privileges. Privileges only apply after users supply multiple credentials.

Role-based privileges have big practical benefits. Developers will not retain access to resources when their project involvement ends. Attackers obtaining their credentials will be relatively powerless. They will struggle to achieve Virtual Machine access. Breaching Azure SQL databases will be much harder.

Add another layer to your security posture by combining AAD with Single-Sign-On (SSO). SSO combines all cloud and on-premises assets. Remote workers can log in to the apps they need via a single sign-on portal.

Users can apply Multi-Factor Authentication (MFA) at this stage. This requests an extra authentication factor for each login, such as biometric data or one-time codes delivered to smartphones.

IP allowlisting also features in recommended Azure security best practices. Allowlisting lets you specify trusted IP addresses. You can add remote work devices or employee smartphones and exclude every other device until it passes MFA and IAM controls.

6. Add workload and VM protection

Azure security best practices include securing virtual machines via specialist controls. For instance, Azure includes the option of applying just-in-time controls for VMs. These Azure security controls allow users to access VMs for limited periods, removing the possibility of accessing assets after sessions expire.

VM controls also allow administrators to lock vulnerable ports and limit access to authorized users. Restrict access to RDP, WinRM, and SSH ports commonly used by VMs. Access should only be available when absolutely required.

You can apply controls easily by assigning workloads and VMs to Network Security Groups (NSGs). These groups define security procedures for each asset and add another protective layer via the Azure Firewall.

Additionally, remember to keep workload patches up to date. Unpatched Azure apps can be vulnerable to exploits. Automate software updates where possible and audit unpatched tools to minimize your exploit vulnerability.

7. Control the cloud perimeter with network security

Internal Azure cloud security works alongside general network security. Attackers can steal credentials from devices outside the cloud or launch attacks via internet-facing endpoints. This is why Azure’s best practices include measures to harden on-premises security. These measures can protect the whole network perimeter:

• Track internet-facing cloud endpoints and minimize the contact between the wider web and company resources.
• Use a Security Information and Event Management solution. SIEM tracks network traffic and identifies potential threats. Integrate it with Azure Defender to cover external and cloud-based vulnerabilities.
• Apply network segmentation. Separate cloud endpoints from data centers and workstations with internet access.
• Install a VPN or similar security tool to encrypt data and conceal user identities.

8. Audit user identities and access policies

Your Azure cloud security posture can weaken over time. What works now may degrade and create new vulnerabilities.

Azure security teams must audit every cloud security control and ensure continuing app and data protection. Audit app ownership regularly to ensure only active users have administrative privileges. Clean up Azure platforms by removing obsolete services, groups, and users.

Use the Azure Security Center to improve auditing procedures. The ASC includes machine learning analysis tools that provide feedback and suggest security posture improvements. Real-time monitoring and audit logs provide evidence to fine-tune your security setup.

How can NordLayer secure your access to Microsoft Azure?

Microsoft Azure cloud security requires a layered mix of internal cloud-based controls and solid external security. Users must protect data at the app level, followed by workgroups, platforms, and the entire company network.

The best practices listed above provide a roadmap to achieve security at the cloud level. Encrypt data and manage Active Directory identities. Leverage the Security Center to track user activity and run regular audits. And target virtual machines and apps with specific protection.

But that’s not enough. Add an extra security layer for rock-solid SaaS access control by safeguarding the network edge and protecting credentials outside the cloud.

NordLayer will help you achieve this. Encrypt in-transit data, apply for SSO, and screen access with IP allowlisting. Limit access to trusted IP addresses and exclude everything else – an important step towards a Zero Trust security posture.

Prevent data leaks by blending NordLayer’s network security tools with Microsoft Azure’s internal controls. To find out more, get in touch with our team today.

It’s easy to see why. Salesforce’s cloud-based tools save costs and time, simplify customer analysis, and integrate smoothly with other SaaS services. But is Salesforce a secure environment to run your business?

While Salesforce is generally safe to use, data security in Salesforce is still something users need to consider. Data breaches have exposed potential vulnerabilities. And users need to know how to use the Salesforce data security model when making their implementation more secure.

Data security in Salesforce

Data security is the protection of sensitive data handled by an organization. In the context of Salesforce, this refers to customer records, including financial information and private personal details such as names and contact details.

The consequences can be severe if an organization loses control of data privacy protection. According to IBM, the average cost of a data breach is approximately $4.35 million. Companies that lose large volumes of sensitive customer data can expect to pay hefty compensation.

Salesforce is no exception. In 2019, Salesforce client Hanna Andersson suffered a major data breach. A malware infection on the clothing retailer’s Salesforce platform exposed over 200,000 customer accounts. Neither Hanna Andersson nor Salesforce knew anything about it.

Three months after the Salesforce breach began, law enforcement officers discovered confidential data for sale on the Dark Web. Customers immediately sued under the California Consumer Privacy Act (CCPA).

Salesforce and Hanna Andersson eventually settled the claim in 2021. Both companies accepted shortcomings in protecting user data, detecting malware, and informing customers. And they had to pay as much as $5,000 to affected customers.

Related articles

In Depth

6 Network Access Control best practices

29 Dec 2022•13 min read

In Depth

SaaS Security 101: The Definitive Guide

10 May 2022•9 min read

The Hanna Andersson settlement shows that data security is a critical vulnerability and could happen to any Salesforce user. So let’s dig deeper into the Salesforce data security model to explain how secure the platform is and what companies can do to protect their data.

The Salesforce data security model

Since the 2019 Salesforce data breach, the platform has tightened up its native security features.

Data at rest on Salesforce is encrypted, concealing it from outsiders. Logging systems allow users to track weaknesses and handle alerts. MFA adds strength to authentication processes. And users can even create bespoke protection for data analysis with the Data Mask feature.

However, one set of controls in the data security field is all-important. Permission sets enable Salesforce users to manage data access. Users can use permission sets to ensure that only authorized users can access data. Everyone else is blocked by default – until they are granted necessary privileges.

There are four Salesforce permission sets. Each one plays a role in locking down confidential customer information:

• Organization level – At the organization level, users can manage access for all users in their enterprise. Multi-factor authentication factors make Salesforce portals more secure. Connection limits, location tracking, and IP range screening exclude malicious actors.
• Object level – Organizations can limit access to Salesforce databases and apps. Object level controls allow administrators to set aside portions of the Salesforce environment and create restricted zones with limited access.
• Record level – Security teams can create permission sets for specific records. Marketing teams may need access to information about customer purchases. But financial data can be locked away. Admins can set objects to read-only or allocate editing privileges for certain users.
• Field level – At the field level, users can restrict how users interact with database fields. This provides tight control over how data is used. Many employees may have object access to CRM data. Only a tiny number will have field level access to edit and export the most sensitive data.

Salesforce security issues

Applying access controls is critical, but users must also be aware of Salesforce security vulnerabilities. Be sure to factor in these issues when planning your security strategy.

1. Inadequate data classification

Before you can protect confidential data, you need to understand the data you hold. Companies need to classify every record according to its value and vulnerability. When you have that information, you can start creating field level controls and setting permissions.

Review your databases and assign risk levels to the information they contain. Use regulations as a framework. For instance, the CCPA mandates robust protection of customer financial records. HIPAA requires tight control of any patient data.

Classification matters because it isn’t always practical to secure all customer data. Unclassified data generates noise and confusion. Security teams are presented with false positives and waste time on securing low-value data.

2. Confusing data ownership

Who is responsible for securing your Salesforce CRM system? Many companies cannot answer this question and rely on multiple stakeholders to secure customer data.

Data ownership should be clear and communicated to all Salesforce users. Assign an individual or team to manage data security. They should ensure compliance with relevant regulations, apply native Salesforce controls, and integrate enterprise-wide security systems with the CRM system.

Take advantage of Salesforce’s training materials. The platform offers courses in identity and access management (IAM). With this information, your security manager can master Salesforce permission sets and protect critical databases.

3. Poor Salesforce security awareness

Knowledge about Salesforce security should extend beyond the data security lead. Every CRM user must know security policies and the importance of protecting against phishing attacks.

Remember the Hanna Andersson case. A single Salesforce cyber attack can compromise huge data sets. Poor training and a shallow security culture can have huge implications.

Extended awareness matters because Salesforce is highly customizable. Employees can easily misconfigure communities in the Experience Cloud. And teams can add Salesforce services without IT teams knowing.

Both actions expand the threat surface, potentially compromising a Salesforce environment. Avoid them by educating Salesforce users and creating policies that explain how to use the platform safely.

4. Not understanding how shared responsibility works

As with all cloud-based products, security responsibility is shared between Salesforce and service users. Unfortunately, this is something that users easily forget.

Users may assume that Salesforce protects data, but this is partially correct. Salesforce does encrypt data and guards against malware infection. Clients are responsible for ensuring secure access and object configurations.

Companies using Salesforce can over-provision employees, giving them too much access to sensitive data. They might allow wide third-party access to databases, even down to field level. Marketing teams could create vulnerabilities as they customize their Salesforce solution.

Be aware of your responsibilities under the shared responsibility model. If not, data breaches will probably be due to your own negligence.

Why do you need additional security in SalesForce?

Native security features provided by Salesforce are powerful but insufficient to achieve data security. Companies need to combine internal controls like Salesforce data encryption with external security solutions.

The 2019 data breach demonstrates why external security is so important. Salesforce and Hanna Andersson did not know about the malware infection. Security teams had no idea that gigabytes of user data had been stolen.

While the single data breach cost both companies plenty of money, the cost could have been higher without the actions of law enforcement professionals.

The initial malware infection involved a ‘magecart’ attack that skimmed customer data from the retailer’s payment portal. This agent probably arrived via a phishing attack on a Hanna Andersson employee. None of Salesforce’s internal controls could prevent it, but external security solutions could help.

SIEM tools to scan attachments and quarantine suspicious links can stop phishers in their tracks. IP allowlisting screens devices and permits access for approved IP addresses. VPNs encrypt company networks and conceal credentials from external observers.

Salesforce allows in-depth access management and security logging. But when fine-tuning their CRM security, companies should supplement native features with additional measures.

How can NordLayer help with Salesforce security?

Salesforce makes CRM simple, allowing eCommerce businesses to thrive. But recent data breaches have shown that the cloud-based platform has some critical cybersecurity vulnerabilities.

NordLayer’s tools supplement native Salesforce security and make it easier to achieve regulatory compliance.

Our cloud security solutions include access management tools and Single Sign On that bridge company networks and cloud portals. 

IP allowlisting is another core NordLayer feature. Allowlisting lets you set approved IP addresses and block everything else. This makes it safer to admit remote workers to your Salesforce environment. It also means that credential theft does not automatically provide access to your data. Attackers without approved IP addresses will still remain outside the perimeter, unable to steal customer information. 

Discover how to create a rock-solid Salesforce security posture. Get in touch with our team and discuss your options today.