How Secure is your Salesforce Community?

Salesforce is highly secure, but as a configurable platform the onus is on you to establish appropriate security settings controlling access to data and functionality.

I come across large scale Salesforce Communities which are anything but secure, exposing large volumes of customer data, and providing access to functionality which makes bulk data extraction easy.

In one example a self-registered Salesforce Community user had more access to large volumes of customer data than the Salesforce system administrators. Sounds impossible but unfortunately this was a reality for one organisation I assisted.

Get Salesforce Community user access controls wrong and you effectively leave the front door open for someone to walk in and take your data!

So how secure is your Salesforce Community?


When you start using Salesforce the defaults are for all data to be visible to all users.  By default external (customer/partner) users have the same data access rights as internal users and are allowed access to the Salesforce API.

When you publish a Salesforce Community, unless you specifically consider what level of access you want available to external users (customers or partners), you can inadvertently provide broader access than intended.

In my experience it doesn’t matter who did your community implementation. I have audited insecure community implementations delivered by a range of tier-1 Salesforce partners.

If there is a data breach you could be responsible for notifying management, customers and regulators. It is in your interest to make sure your Salesforce Community is fully secure. Parker Harris, Salesforce’s co-founder, is quoted as saying “nothing is more important to our company than the privacy of our customers’ data”. You should have the same mindset, and because the Salesforce defaults provide broad access rights it is up to you to tighten them.

The data breach risks are amplified if your Salesforce Community allows self-registration as this invites anyone, from anywhere in the world, to quickly gain credentials to access your Salesforce data. Hence you need to ensure the only data they can see is the data you want exposed.

Get access controls wrong in a Salesforce community and there are four key data risks:

  1. Visibility by a community user to internal data or data about other customers or users
  2. Export in bulk of internal data or data about other customers or users
  3. Data insertion to the point where internal use is impeded due to storage or API usage being exceeded
  4. Data update which corrupts internal data or data about other customers

Beyond that there are serious risks to brand and reputation, especially in jurisdictions like Australia, where you have legal obligations to keep customer data safe and potentially to notify regulators and customers if data is breached.

How PS+C Artisan can Help

PS+C Artisan has the specialist knowledge to conduct a Salesforce Security Audit to cross check that your Salesforce Community is secure and to provide direction on how to remediate issues if any exist.

We offer this service at a low-cost fixed price because we want your customer data to be safe.

If your organisation operates a Salesforce Community and you are not sure if access to data and functionality is as secure as it should be, then contact us today to ask about our Community Security Scan service.

Richard Clarke

Richard has led Salesforce delivery teams in Australia, New Zealand and the USA and applies over 30 years of enterprise software experience when delivering business value with