Enhancing Salesforce Security: Beyond Built-in Features
Published 01/03/2025
Written by Itzik Alvas, CEO, Entro Security.
Salesforce, the world’s leading CRM platform, boasts over 230,000 customers globally and dominates with a 20% market share. Organizations flock to Salesforce for its proven ability to drive results, reporting an average revenue growth of 25% annually and productivity boosts of up to 34% for sales teams. More than just a CRM tool, Salesforce has evolved into a platform for managing customer relationships, automating business-critical processes, and integrating third-party applications.
Yet, as the platform’s adoption skyrockets, so too does a risky misconception: the belief that Salesforce’s built-in security features alone are sufficient to protect sensitive data. This assumption could expose organizations to significant vulnerabilities in an era where data breaches are increasingly common and sophisticated.
The Shared Responsibility Model
Like most cloud services, Salesforce operates on a shared responsibility model. While Salesforce secures its infrastructure, organizations must configure and manage their Salesforce instances to protect data effectively. This responsibility is becoming increasingly complex as Salesforce grows beyond a simple application into a sprawling ecosystem.
This ecosystem includes third-party integrations, many of which introduce substantial security risks. A recent study revealed that 98.3% of organizations are connected to at least one third-party vendor that has suffered a breach in the last two years. Even more alarming, 50% of companies maintain indirect connections with at least 200 fourth parties—vendors of their vendors—that have experienced data breaches during the same period.
The Risks of Expanding Ecosystems
Salesforce’s expansion into tools like Slack exemplifies how its influence reaches beyond traditional CRM functions. For instance, an infamous breach at Disney involved attackers exfiltrating sensitive Slack data. As a result, Disney moved away from Slack for internal collaboration. This incident highlights how vulnerabilities in one part of Salesforce’s ecosystem can jeopardize the entire organization.
The stakes are high. Organizations must protect both Salesforce’s core CRM data and information stored in connected tools like Slack, where sensitive discussions and operational details often reside.
Third-party Integrations: Opening the Door to Vulnerabilities
One of Salesforce’s strengths is its adaptability, allowing organizations to customize their environments using third-party apps and integrations. Salesforce AppExchange, for example, offers over 7,000 integrations, ranging from low-code solutions to fully featured enterprise applications. However, not all third-party applications are created equal, and each brings unique security challenges.
Low-code Development Risks
Salesforce’s low-code tools empower non-developers to build custom extensions. While this democratizes innovation, it also introduces unintended security risks. Many low-code developers unknowingly share sensitive credentials—such as API keys—across unsecured channels like email or Slack. These shared non-human identities (NHIs) are often the target of attackers.
App Misconfigurations
Third-party integrations often lead to misconfigurations that expand an organization’s attack surface. Consider a common scenario involving the DocuSign eSignature package for Salesforce. While this integration streamlines contract management, updates may inadvertently change default settings—such as where signed documents are stored. Without proper oversight, sensitive contracts intended for legal and executive teams could become accessible to broader groups, creating unnecessary risks.
Broader Attack Surfaces
Third-party integrations also complicate data access management. With every new app, organizations introduce additional points of entry for attackers. Even if a breach starts with an external integration, the attacker’s ultimate goal is likely to compromise Salesforce’s core CRM data—the crown jewels of any organization.
The Unique Challenges of Non-Human Identities
As Salesforce environments grow, organizations must manage an expanding network of non-human identities (NHIs). These include service accounts, API keys, OAuth tokens, and other machine identities used for app-to-app communication and automation. NHIs are essential for connecting Salesforce with tools like marketing automation platforms, ERP systems, and collaboration tools.
However, NHIs present unique security challenges. They often operate with elevated permissions, making them lucrative targets for attackers. For example, a single compromised OAuth credential could provide an attacker with broad access to Salesforce APIs and sensitive data.
Stolen Credentials: A Growing Threat
According to IBM’s 2024 Cost of a Data Breach Report, stolen or compromised credentials are now the most common initial attack vector, accounting for 71% of breaches. These attacks are also among the costliest, averaging $4.81 million per incident, and take the longest to detect—292 days on average.
NHIs exacerbate these risks because they don’t follow predictable behavior patterns, unlike human users. They often require long-lived credentials, contradicting best practices like frequent rotation. As a result, traditional identity and access management (IAM) solutions often fall short in addressing NHI-specific challenges.
Real-world Scenarios: The DocuSign Example
Returning to the DocuSign example, consider the OAuth credentials powering the integration. These credentials grant DocuSign access to various Salesforce APIs and objects, ensuring seamless functionality. However, this broad access makes the OAuth credentials an attractive target for attackers.
If these credentials are compromised, the attacker could manipulate or exfiltrate data without triggering alerts. This risk is compounded by the fact that machine identities don’t generate user behavior patterns that anomaly detection systems can easily recognize.
The Growing Attack Surface
As organizations scale their Salesforce usage, they often accumulate hundreds or thousands of NHIs. Each new integration or automated process adds to a sprawling, unmonitored attack surface. With specialized tools, security teams can track NHI permissions, detect misconfigurations, and identify unusual activity.
Common Salesforce Security Gaps
We’ve audited Salesforce environments across numerous organizations and uncovered recurring security gaps:
- Over-privileged Access: API users are frequently granted excessive permissions, such as “Modify All Data,” far beyond their operational needs. This overprovisioning creates significant risks if credentials are compromised.
- Outdated OAuth Tokens: Many environments contain outdated or inactive tokens, creating opportunities for attackers to exploit forgotten access points.
- Inactive Credentials: Credentials that haven’t been updated or reviewed since their initial setup are a common weak point, potentially allowing unauthorized data access or injection.
- Misconfigured Permissions: Improperly assigned permissions—such as human users receiving integration-level access—can disrupt operations and expose sensitive data.
- Lack of Access Controls: Many high-privilege accounts lack basic security measures, such as IP restrictions or multi-factor authentication (MFA), making them easy targets for attackers.
- Lateral Movement: Compromised credentials often allow attackers to pivot within the Salesforce environment, accessing third-party apps, no-code extensions, and other sensitive areas.
Building a Comprehensive Security Strategy
To secure your Salesforce environment, combine non-human identity management capabilities with Salesforce’s built-in security features:
- Health Check: Monitor your Salesforce org’s security settings against best practices.
- Multi-Factor Authentication (MFA): Add an extra layer of protection for high-privilege accounts.
- IP Range Restrictions: Limit access to trusted locations.
By integrating these tools, organizations can create a robust security strategy that minimizes risks while leveraging Salesforce’s full potential.
Conclusion
Salesforce’s flexibility and ecosystem are its greatest strengths—but also its most significant vulnerabilities. As organizations expand their use of Salesforce, they must prioritize security, especially for non-human identities that operate at the core of automated processes and integrations.