Cloud 101CircleEventsBlog
The CCSK v5 and Security Guidance v5 are now available!

CSA Official Press Release

Published 06/15/2021

Cloud Security Alliance’s Critical Controls Implementation for Salesforce Identifies Best Practices for Security Operations in Salesforce

Cloud Security Alliance’s Critical Controls Implementation for Salesforce Identifies Best Practices for Security Operations in Salesforce

Reference document maps Salesforce controls to CSA’s 20 critical controls for cloud enterprise resource planning (ERP) customers

SEATTLE June 15, 2021 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today released Critical Controls Implementation for Salesforce. The 37-page guidance, authoredby CSA’s Enterprise Resource Planning working group, aims to help current and future Salesforce customers determine what security changes are required when deploying Salesforce in the cloud.

"Because of the nature of the data and processes that Salesforce supports, it's critical to comply with the regulations that surround an organization’s unique combination of data and processes, as well as the industry in which it operates. Implementing a system that ensures continuous compliance and that can act as a centralized point from which to monitor a control’s effectiveness in real time will help companies tailor their security requirements when deploying Salesforce,” said Juan Perez-Etchegoyen, co-author and co-chair of the Enterprise Resource Planning working group, and CTO for Onapsis, a leader in business-critical application security and the report’s sponsor.

Each of the 20 controls — among them those pertaining to User Accounts Management, Secure Integrations and API, and Change Management Controls — presented in the reference document is directly mapped to CSA’s overarching Top 20 Critical Controls for Cloud Enterprise Resource Planning (ERP) Customers and is further defined by:

  • Control Implementation: The control implementation defines the rationale for the control. IT leaders and information security and compliance professionals will benefit from understanding and mapping each control into their overarching IT operational and security and compliance controls.
  • Checklist: To implement each control, a checklist of specific requirements and/or steps is identified. Database and system administrators can use this section to implement the control.

“The extensive integration of Salesforce with external applications and data sources is common, but if improperly secured, these integrations are ripe for abuse, and production information and data may be easily compromised. The extensibility of Salesforce, while a compelling advantage, leaves a network open to risk. In order to mitigate the danger, it’s critical for security practitioners to have a clear set of security best practices to implement alongside Salesforce,” added Perez-Etchegoyen.

To take full advantage of the reference guide, it’s recommended that users be familiar with CSA's Cloud Controls Matrix (CCM) and the Center for Internet Security's (CIS) Benchmarks for security hardening.

The CSA Enterprise Resource Planning working group seeks to develop best practices to enable organizations that run their business on large ERP implementations, such as SAP or Oracle applications, to securely migrate to and operate in cloud environments. Individuals interested in becoming involved in Enterprise Resource Planning future research and initiatives are invited to join the working group.

The paper is available at no charge. Download the full Critical Controls Implementation for Salesforce now.

CSA research prides itself on vendor neutrality, agility, and integrity of results. Sponsors are CSA Corporate Members who support the findings of the research project but have no added influence on the content development or editing rights of CSA research.

About Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA's activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at, and follow us on Twitter @cloudsa.

Share this content on your favorite social network today!

About Cloud Security Alliance

The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, follow us on Twitter @cloudsa.

For press inquiries, email Zenobia Godschalk of ZAG Communications or reach her by phone at 650.269.8315.