
Let's get started. Good evening, welcome to BSides Las Vegas Proving Ground. This talk is "Salesforce Data Governance: What Dark Secrets Lurk in Your Instance." Our speaker for this is Pete Thurston. A few announcements before we get started: we want to thank our sponsors, especially our Inner Circle sponsors Critical Stack and Valimail, and our Stellar sponsors Cylance, Microsoft and Robinhood. It's their support, along with other sponsors, donors and volunteers, that makes BSides possible. These talks are being streamed live, so as a courtesy to our speaker and our audience, please check and make sure your cell phone is set to silent. If you have a question after the talk, please raise your hand; we'll call on you one at a time and ask our speaker to repeat your question for the YouTube audience. And that's it, let's get started. Please welcome Pete Thurston.

Last session of the day, right? Yeah, exactly. We're gonna knock this out as fast as possible and do all the Q&A at the bar, promise. But yeah, so hi, my name is Pete. Thank you for hanging out until 7 p.m. in Las Vegas, very impressed. Today we're gonna talk about... we can think a lot about Salesforce, but really, broadly, we're gonna talk about platforms as a service and some of the core kinds of things to be concerned about, or to keep an eye on, as businesses continue to evolve deeper into the PaaS world.

Really, really quick, just so I know who I'm talking to: if you are a Salesforce customer today, can I get one of these? Okay, me too. Or just a deep gasp will work as well. Or if you're working with any other kind of platform-as-a-service system, AWS, ServiceNow, things like that? More deep gasps. Cool, let's figure all that out.

So who am I? My name is Pete. I've worked with Salesforce specifically... again, we're gonna talk a lot about Salesforce today, but keep these things in mind across any other systems you're working with. I've worked with Salesforce since 2007. I've got a lot of experience, starting out as a developer; before then I was a database developer on kind of traditional systems, and when I became a Salesforce customer in 2007 I really quickly started to realize that we weren't applying the same security concerns to Salesforce or other cloud platforms that we were to everything else we were doing, right? So as a customer of Salesforce I started looking around and I said, we need to find somebody who can help us out with that, who can help us figure out how we're going to apply all of our defense-in-depth strategies that we have, as a very large financial services company at the time, to Salesforce. I couldn't find one, so I started one, and so now there's a company called RevCult, and that's my company. And the key point, the reason I bring this up, is not necessarily to say hey, come to RevCult, we're awesome (we are), but it's really just to kind of say, you know, why am I worthy of being in this room talking about this? I've been doing this for a very long time, really focused specifically on security for these emerging platforms as a service out in the cloud. I am married, I've got some kids, I've got a whole lot of guitars. The last time I gave this talk I was actually very excited: the only question during Q&A was what my favorite solid-body electric guitar was. We can have that conversation, I'll be more than happy to have that conversation at the bar. But so that's me, that's how I live, that's what I do.

So what we're going to do today is we're going to talk through, from a platform security perspective, what are the seven most common things that I see when I go out and get my hands dirty in client orgs. We do security risk assessments for Salesforce engagements all the time, and a lot of what you're going to hear today and a lot of what you're gonna see today might be considered rudimentary, and I think one of the really key things to keep in mind as we have this conversation today is that security for platforms in the cloud, out in the universe today, is pretty rudimentary, and so keeping in mind that we focus on the basics and get all those things kind of lined up so that we can take it to the next level, that's a lot of what we're gonna talk about today. So what do I see all the time out in the field when I'm getting, you know, busy in client orgs? We're also gonna talk about where do you start, so when you have that business conversation of how do you address these problems, where do you start, and how can you start to move the needle in the right direction. So, seven things, and don't worry, at the end
there's like a wrap-up slide.

So the first thing is not knowing who can see what in the system. Salesforce specifically has a very robust security model, right? So you have this foundational security, and then you have the ability to expose information to greater and greater user groups. Well, as companies scale, as things change, as you start to add new roles and responsibilities and new apps into the system, it's very hard to keep your hands on everybody who can gain access to what information. The vast majority of the organizations that I go into, when we look at hey, what is your security model, who has access to what information, they normally can't answer that question, and so not knowing who can access what information is the first thing that we see all the time, and so that's number one.

Number two is moving too fast. So these platforms, Salesforce very specifically, but broader other platforms as well, make it very easy to add new business point solutions as time evolves. So hey, you know, finance needs a new solution to track all the incoming checks, or hey, HR needs to track all the job applications that are coming through. It's very easy to spin up these applications super quick, right? So if you could put anything out there you want to, and you can enable your business users to start killing it, why wouldn't you, right? Well, it's very easy to move really, really fast; it's also really easy to move too fast and not think about, okay, well, the second screen of adding a new field to Salesforce is which users should have access to that field. It's very easy to be like "next" and go on and just kind of get these new information data-point storage options into the system. So making sure that you take the time to really focus on what you're doing as you build the application. I see it all the time: everybody goes real fast and they get things built and everybody's happy, until the auditors show up.

So this actually happens all the time, the everyone's-an-admin scenario. You'll get somebody who comes up to your admin's desk and says hey, I gotta get this really critical report, it's got to go to the entire C-suite, it's got to be there tomorrow for an investor meeting, it has to have every single record in it, we got to get it today, period. And frankly the security model is pretty complicated and it can be hard to restrict what type of information those people really should have, so a lot of times people will say hey, you know what, I'll make you an admin for today, go run your report, and then I'll fix it tomorrow. And spoiler alert: tomorrow means never. Thank you, somebody finished my sentence, we're meant to be. But yeah, I mean, it happens all the time. So I go into orgs all the time and I see 80-plus percent of your users are system administrators. Now not only do they have access to all your data, they also have access to all of your intellectual property: they can go start changing your code, they can drop a class, they can remove objects from the system. This is a very, very high-risk thing that frankly just literally happens in almost every single org that I look at.

This is my favorite comic that we've created here at RevCult, and it's a quote
from an actual customer. This is an actual developer quote: "HTTP is 80% of HTTPS, 4 out of 5 ain't bad." This literally happened in a meeting that I had with a client. But one of the things I really want to talk about here is from an integrations perspective. So as more and more information moves to the cloud, or, you know, the internet, like websites, right, as more and more information moves to the cloud, integrations become critical, because you can't move an entire business to one platform overnight, right? But what you can do is you can start to put some core functionality together and then hook into your existing systems. I haven't been in an org, sorry, an instance, an org, whatever, in the last couple of years that wasn't integrated to something. And the really key point with integrations is that integrations mean a lot of different things to a lot of different people. There's API point-to-point integrations, there's ETL integrations, there's "Susan runs a report at 8:15 on Fridays and saves it off on this FTP server and then something picks it up on Saturday," right? Integrations mean a lot of different things to a lot of different people, and so making sure that you actually understand what's out there is really, really important.

Now if you don't know Salesforce intimately, like at a code level, you do need to be aware, if you're responsible for information security in this platform, that it's really easy to do things like build a custom REST endpoint for your org that is publicly accessible to the internet. So you could hit some Visualforce page and you could just do, call it, a GET on every single account in your org, right? That is a problem. Knowing how to look for it is really, really, really important. There are not controls in the core platform to avoid things like that insane situation; you just need to know that it's out there, it's possible, and that you need to have an informed way to look for those things and monitor them on an ongoing basis.

The other thing I see all the time with integrations is people replicating the data, or duplicating the data, out of Salesforce into other systems, whether that's a backup solution or whatever, and then when it lands in the new home it's fundamentally either less or way more secure than Salesforce, which might tell you something, right? Like if you're replicating information off to a database and that data point is really critical to be encrypted at rest, maybe that should also be the case in the source system, right, or vice versa. So making sure that as you integrate information, as this information flows throughout your organization, that you're treating the same data points with the same level of security and concern throughout. Very
important.

So there is this thing in Salesforce, in the setup menu, it says Health Check, which seems relatively innocuous. Do we have any CISOs in the room? Cool. So when your CISO finds out about this thing, right, they're gonna be like hey, go run the Health Check and tell me how secure we are in Salesforce. That's gonna happen. It is literally like a number: you pull up a screen, it says hey, we're 70% secure, and you go yay, we're good, or boo, we're not good. There's a lot that the Health Check can't check, right, so it can be a false sense of security; it can also be a red herring in a lot of cases. There's a couple of really key things about the Health Check, Salesforce-specific. The first thing is it can only look to see if settings are on or off. It can't tell you has code been written in an insecure fashion, are you sending incidental callouts, are you sending your information outside of the system; it can't do those things. But it can check if stuff is on or off. It's not invalid, it's not useless, right? It's valuable, but it's not the end of the story. The other key is that it is based on whatever Salesforce decided were their best practices for your org, so making sure that you actually configure this thing to be tailor-fit to whatever your baseline kind of settings are is very important.

So most of these platforms in the cloud, right, Salesforce is a great example of it, they're basically just databases on websites, right? Their whole purpose is to collect and manage information and store it somewhere so that people can get to that information. You actually really need to be able to enable your users to interact with that information: add new information, change it, delete it, whatever they gotta do. Now the key is, if somebody makes a mistake or maliciously tries to extract information from the system, how do you at least know that that's occurring and recover from it if something goes sideways? There's actually a lot of robust tools in the platform that allow you to do things like that, like tracking just basic stuff, like field history tracking: when people change key data elements, how can you see what the previous value was and restore it? Or being able to leverage, like, there's the weekly export service, so you can save off all the data on a weekly basis, and if you need to go do forensics you can do it. Most people just don't turn that stuff on, right? So data loss prevention is a huge one. I mean, the biggest one I see is in the cartoon there, and this is the thing I hear about all the time, where people come and they're like hey, you know, this key salesperson, the rainmaker, left last week, we're pretty sure they took the whole book with them, how do we know? That's one element of it, but there's also just changes to information, and how do you know, how do you restore that information if they inadvertently change it? So really key: DLP.

All right, so there's this product called Salesforce Shield. It's actually three products, it's a blanket product, but the idea is that it allows you to do some advanced security controls for Salesforce: encryption at rest; event monitoring, so you can do things like check when the salesperson exported all the accounts; and Field Audit Trail, so you can kind of have an advanced or an enhanced version of DLP for field history tracking. Most of the people I work with have bought Shield and have never done anything with it. So they're paying for it, and it's remarkably not inexpensive, I'll say it very kindly because I'm a very good Salesforce partner, but it is not a cheap product, and most of the people I know who bought Shield have never turned it on. So making sure that if you do need to go that route, if you do need to level up your security and do things like encryption at rest, you know, enhanced DLP, event monitoring: if you buy it, please, God, use it.

So what can you do, right, where can you start? The very first
thing is to know your data. You know, we talk to people all the time and they say, you know, hey, don't worry about it, for Salesforce we just use it for sales, it's fine. And then you find out hey, it's hooked into your website, you're collecting from your forms on your website, you're getting all these people randomly typing in, you know, a thousand characters of text in their case comment or whatever it might be, right? You start to look at the data and it starts to get really hairy really fast. But the biggest thing that I tell people is just know what you actually have in the first place. If you go to your Salesforce admin and you say, what do we have in Salesforce? They might say, don't worry about it, it's just cases, right. But really push them on it, really figure out what the data elements are that are getting stored inside that system. You probably are applying data classification to other systems in your organization; there is absolutely no reason that Salesforce should not fall under that same purview.

So once you know the data, and you know how you feel about that information and how you need to protect it, then you can move on to knowing who your users are, who is actually interacting with that information. This is surprisingly complicated in Salesforce specifically, because they have such a robust security model that allows you to define a baseline and expand access at a user-by-user level. It's actually pretty complicated to get to this level of information, but it doesn't make it any less critical. It's absolutely essential that you understand who the users in your system are and what information they can interact with. At that point you can take that data classification, the sensitivity that you apply to those fields, and the people who have access to it, and you can start to make decisions.

So the third thing is know what's out there, know what the landscape is, what are your options. We talked a little bit about Shield earlier, right, so Shield is that platform encryption, event monitoring, Field Audit Trail, but that's not the only solution, right? There's other things out there. There's CASBs out there, cloud access security brokers. Anybody here work for a CASB? Cool. Not a huge fan of CASBs. I'm not against them, I don't think that they're worthless, but I think they're part of a toolbox. They try to basically broker access to data across all your cloud platforms, which means that they can't get into the intricacies of each one, and that's nobody's fault, it's just a different piece of the toolbox. But backup or restore solutions, DLP solutions, make sure you look into what's out there. Event monitoring is actually really powerful. It can really watch every single thing that happens in your org, every click that anybody does inside of Salesforce. Out of the box there's not a lot of intelligence to it, there's not a lot of anomaly detection or behavioral analysis or any of that stuff, but there's some stuff out there. So know what's available so that you can apply that to what you really need to achieve inside your system.

All right, we're getting really close. Oh yes, I read the book, it said I'm supposed to say you're allowed to take photos, so you're allowed to take photos if you want of any of this, including myself. But anyway, this is kind of the takeaway slide, right, so what are the things we talked about? Know who your users are. Make sure that as you build you're tending to security as you go. Please, not everybody needs to be an admin. Know what your integrations are and keep them tight, please. The Health Check is definitely not what people think it is. If you bought Shield, use it. Know your data, know your users, know what's possible, know me, I'm here to help. One thing I do want to call out here is on the bottom right. So if you're not a Salesforce user, or if you're not intimately familiar with it, Salesforce has this whole LMS, this learning management system called Trailhead, which is kind of actually really cool, and free. I keep that bottom-right-hand link up to date as much as I can; it's basically like security essentials for Salesforce on Trailhead, so feel free to check it out. It'll walk you through some of the fundamentals and the basics of security for Salesforce. Email me; I'm pretty sure you could tweet me if I put my Twitter thingy up there, it's for stock Pete, so, you know, check it out on YouTube later I guess, to remind yourself. But anyway, that's me. Thank you very much for your time. I think we have a few minutes for Q&A. A few minutes for Q&A. How was your water experience? This is what I got, I killed it.
All right, yeah, please. So for the internet: have I read or looked at any of the NIST or cybersecurity frameworks for cloud security, right? So, looked at and read, of course, yeah. A lot of people aren't getting to the point where they're ready to apply the newer standards, right? So what a lot of people are still focused on is some of the legacy, like ISO 27K type stuff, and they're having a really hard time translating that to the cloud. Is that where your question's kind of coming from? So yeah, a lot of people are still kind of hung up on the legacy ISO stuff, 27001 specifically, and I'm really excited about the new frameworks and I can't wait till somebody adopts it so we can really start to push it forward. Cool, any other questions? Yeah.
That's a great question, yeah. Um, so again, for the people on the recording, the question was do we do pen testing, or do we require admin access to perform assessments on instances? Yeah, so there's actually two questions. The first one has kind of a cool answer, actually: Salesforce has, in the last 18 to 24 months-ish, rolled out a complimentary pen testing service, so you can actually work with Salesforce directly to do pen testing against your instance. I'm sorry? No, no, they do outside pen testing. So this, you can do the Checkmarx scan, yes, but also they do like legit pen testing now that will actually do endpoint inspection and all kinds of stuff, right, so it will fire against your instance, inside your container, inside the org. The great part about that is, I believe, and don't quote me on this, internet, but I believe they do a complimentary one every six months, and so when we do risk assessments we basically accommodate that. So we'll work with Salesforce and with the client to do that, and then what we do is we kind of go to the next level. So again, that's really just pen testing, right, so that's just invasion testing; it's very, very useful, it's very, very powerful, I don't mean to diminish it, but it can't kind of check for data egress and things like that. So what we do is we kind of go to the next level: we do actual code and configuration assessments. So to your question of do we require admin access: yes, we do. Obviously we'll sign any paperwork we need to, but when we do it, yeah, so we have some automated tooling that can check the things that automated tooling can test, and then we have a lot of human checks around things like, you know, you can do kind of crazy stuff like put callout endpoints into custom settings, and we need to actually go look at the custom settings to see what those callout endpoints are, things like that. So we go pretty deep on those. So we'll do code, config, and then facilitate pen testing and some other stuff. Yeah, no problem. And then the other thing we'd make available: we actually have some products that are available for Salesforce that do the who-sees-what, the access management, things like that, and we can basically reverse engineer the whole security model to figure out who can access what information. Any other questions? I'm with you, man. All right, to the bar. Thank you, guys.