Top Tips for Salesforce Security

As more businesses move from on-premises to the cloud, companies lose visibility into the risk of their interconnected systems—and, in an interconnected application environment, one misconfigured system or security vulnerability can put the entire enterprise at risk. This is a trend that will only persist and evolve, so it is crucial that your SaaS solutions are protected and compliant. For many enterprises, Salesforce is the key application supporting customer-facing activity and contains sensitive information that cybercriminals would love to get a hold of. 
 
In our recent webinar, “Top Cybersecurity and Compliance Tips for Salesforce”, we went over why Salesforce security is so important and the best ways to mitigate risk. See below for the highlights and check out the full webinar here.

Why is Salesforce security important? 

First off, privacy. Salesforce contains all of your company’s customer and prospect contact information. Next, fraud: it is the system of record for sales and partner compensation, and it is open to fraud if someone gains access and re-assigns deals. Finally, confidentiality. Salesforce holds the data for all deals, pricing, discounting and confidential customer conversations that no organization wants its competitors to find out about.
 
While built-in security features for Salesforce can help your teams control access and monitor events, these features do not give you the depth and breadth of insight you need to analyze and address risk across your interconnected business processes and applications.

What are the top ways to mitigate Salesforce risk?

Restrict access to key PII and company data
Salesforce is a minefield of profiles, permission sets, custom permissions, account relationships and data sharing rules. Understanding who has access to what, and how they got it, is essential. Permissions can be inherited based on more than 50 different criteria definitions (e.g. all employees from department X get permission Y). Be especially mindful of key administrative permissions such as view all data, modify all data and the ability to create users.
 
Understand permissions of key business operators
Identify the riskiest profiles and to whom they are assigned, specifically key standard profiles like System Administrator and Solution Manager and custom profiles set up for Partner Managers, Customer Service representatives, etc. Keep a close eye on changes to profiles and their assignments as time goes on and more and more people gain access to the platform. Another area that deserves close attention is Communities, where organizations sometimes unknowingly grant unauthenticated access to data.
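As an added example (not Onapsis's code or anything from the webinar), the Python script below reviews a constructed set of profiles and user assignments for the administrative permissions named above. It assumes the Salesforce Profile boolean field names PermissionsViewAllData, PermissionsModifyAllData and PermissionsManageUsers; the profiles and users are constructed sample data.

```python
"""Flag users whose Salesforce profile grants high-risk administrative permissions.
Added example, not Onapsis code; PermissionsModifyAllData etc. are Salesforce's
Profile field names, the sample data below is constructed."""

# Permissions the post calls out as key administrative rights, mapped to labels.
HIGH_RISK_PERMISSIONS = {
    "PermissionsModifyAllData": "modify all data",
    "PermissionsViewAllData": "view all data",
    "PermissionsManageUsers": "create/manage users",
}

# Constructed sample data shaped like SOQL query results.
PROFILES = [
    {"Id": "00e1", "Name": "System Administrator", "PermissionsModifyAllData": True,
     "PermissionsViewAllData": True, "PermissionsManageUsers": True},
    {"Id": "00e2", "Name": "Partner Manager", "PermissionsModifyAllData": False,
     "PermissionsViewAllData": True, "PermissionsManageUsers": False},
    {"Id": "00e3", "Name": "Customer Service", "PermissionsModifyAllData": False,
     "PermissionsViewAllData": False, "PermissionsManageUsers": False},
]
USERS = [
    {"Username": "admin@example.com", "ProfileId": "00e1", "IsActive": True},
    {"Username": "pm1@example.com", "ProfileId": "00e2", "IsActive": True},
    {"Username": "pm2@example.com", "ProfileId": "00e2", "IsActive": False},
    {"Username": "cs1@example.com", "ProfileId": "00e3", "IsActive": True},
]

def risky_profiles(profiles):
    """Map profile Id -> list of high-risk permission labels it grants (clean profiles omitted)."""
    out = {}
    for p in profiles:
        granted = [label for field, label in HIGH_RISK_PERMISSIONS.items() if p.get(field)]
        if granted:
            out[p["Id"]] = granted
    return out

def users_with_risky_access(users, profiles, active_only=True):
    """Return {username: {"profile": name, "permissions": [...]}} for users on risky profiles."""
    risky = risky_profiles(profiles)
    names = {p["Id"]: p["Name"] for p in profiles}
    report = {}
    for u in users:
        if active_only and not u.get("IsActive", True):
            continue
        perms = risky.get(u["ProfileId"])
        if perms:
            report[u["Username"]] = {"profile": names[u["ProfileId"]], "permissions": perms}
    return report
```

Running the same report periodically and diffing the output is one way to notice the profile-assignment drift the post describes.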
 
Understand integrations and connected applications
Integrations can take many forms: custom applications developed in Salesforce, packages installed from AppExchange, or your own Connected Apps. It’s vital to understand what integrations exist, why they are there and what they have access to.
 
Keep track of system setup and configuration drift
Salesforce behavior is controlled by Metadata: configurations, fields, layouts, permissions, profiles, etc. Some companies use the Metadata API to manage changes to Metadata. Keep an eye on the Setup Audit Trail and the changes it records to the system.
 
Identify anomalous business entities and activities
Look for common fields that may indicate a fraudulent entry, such as a P.O. box mailing address for major partners, public email addresses for key business contacts (GMail, Yahoo, HotMail), the same mailing address for multiple entities, same payment method for multiple entities, etc.
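The heuristics listed above, turned into a small check as an added example (not Onapsis's code): it flags constructed account records for P.O. box addresses, public email domains, and addresses or payment methods shared across several entities. The records are constructed sample data, and the PaymentMethod field is an assumption rather than a standard Salesforce field.

```python
"""Flag records matching the fraud indicators above: P.O. box addresses, public
email domains, and addresses or payment methods shared by several entities.
Added example, not Onapsis code; the records and field names are constructed."""
import re
from collections import defaultdict

PUBLIC_EMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}
# Matches "PO Box", "P.O. Box", "Post Office Box" anywhere in a street line.
PO_BOX_RE = re.compile(r"\b(p\.?\s*o\.?\s*box|post\s+office\s+box)\b", re.IGNORECASE)

# Constructed sample: partner accounts with billing details (not real data).
RECORDS = [
    {"Id": "A1", "Name": "Acme Corp", "Email": "ap@acme.example",
     "BillingStreet": "1 Main St", "PaymentMethod": "ACH-1111"},
    {"Id": "A2", "Name": "Globex LLC", "Email": "globex.billing@gmail.com",
     "BillingStreet": "PO Box 42", "PaymentMethod": "ACH-2222"},
    {"Id": "A3", "Name": "Initech", "Email": "finance@initech.example",
     "BillingStreet": "P.O. Box 42", "PaymentMethod": "ACH-2222"},
    {"Id": "A4", "Name": "Umbrella", "Email": "ap@umbrella.example",
     "BillingStreet": "99 Elm Ave", "PaymentMethod": "ACH-4444"},
]

def normalize_address(addr):
    """Lowercase and drop punctuation/spaces so 'PO Box 42' and 'P.O. Box 42' compare equal."""
    return re.sub(r"[^a-z0-9]", "", addr.lower())

def flag_records(records):
    """Return {record Id: [indicator, ...]} for every record that trips at least one heuristic."""
    flags = defaultdict(list)
    by_address = defaultdict(list)
    by_payment = defaultdict(list)
    for r in records:
        if PO_BOX_RE.search(r.get("BillingStreet", "")):
            flags[r["Id"]].append("po_box_address")
        domain = r.get("Email", "").rpartition("@")[2].lower()
        if domain in PUBLIC_EMAIL_DOMAINS:
            flags[r["Id"]].append("public_email_domain")
        by_address[normalize_address(r.get("BillingStreet", ""))].append(r["Id"])
        by_payment[r.get("PaymentMethod", "")].append(r["Id"])
    # Shared-attribute heuristics: one address or payment method on several entities.
    for groups, label in ((by_address, "shared_address"), (by_payment, "shared_payment_method")):
        for key, ids in groups.items():
            if key and len(ids) > 1:
                for rid in ids:
                    flags[rid].append(label)
    return dict(flags)
```

Each indicator is a prompt for review rather than proof of fraud; the value is in combining several weak signals on the same record, as A2 and A3 above show.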

How can Onapsis help?

With Onapsis, you get a complete view into your most important applications whether they are hosted on-premises or in the cloud. The Onapsis Platform for Salesforce gives you application and business-level context to help you understand and analyze cyber risk within your Salesforce platform and across your interconnected business processes. Using Onapsis, you can analyze and compare your security configurations, including access and authorization controls, with best practice baselines for Salesforce. 

Onapsis provides your compliance, IT operations, security and audit teams with powerful automation, validation and reporting capabilities that ensure your organization’s core business applications and sensitive data are protected and compliant with best practices and relevant regulations such as the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Sarbanes-Oxley Act (SOX) and Payment Card Industry Data Security Standard (PCI DSS). With Onapsis, you can streamline and automate the audit process, eliminating as much as 90% of manual reporting tasks.

Hear more about these tips in our webinar and see how Onapsis can help reduce your Salesforce risk in this datasheet.
