Without correct configuration your customer data is at risk of being exported in bulk by a Salesforce Community user

How Secure is your Salesforce Community?

Salesforce is highly secure, but as a configurable platform the onus is on you to establish appropriate security settings controlling access to data and functionality.

I come across large-scale Salesforce Communities which are anything but secure, exposing large volumes of customer data and providing access to functionality which makes bulk data extraction easy.

In one example a self-registered Salesforce Community user had more access to large volumes of customer data than the Salesforce system administrators. Sounds impossible but unfortunately this was a reality for one organisation I assisted.

Get Salesforce Community user access controls wrong and you effectively leave the front door open for someone to walk in and take your data!

The key question is how secure is your Salesforce Community?

Risks

When you start using Salesforce, the defaults are for all data to be visible to all users. When you publish a Salesforce Community, unless you specifically consider what level of access you want available to external users (customers or partners), you can inadvertently provide broader access than intended.

In my experience it doesn’t matter who did your community implementation. I have seen insecure community implementations from a range of tier-1 Salesforce partners.

If there is a data breach, you could be responsible for notifying management, customers and regulators. It is in your interest to make sure your Salesforce Community is fully secure. Parker Harris, Salesforce’s co-founder, is quoted as saying “nothing is more important to our company than the privacy of our customers’ data”. You should have the same mindset.

The data breach risks are amplified if your Salesforce Community allows self-registration, as this invites anyone, from anywhere in the world, to quickly gain credentials to access your Salesforce data. Hence you need to ensure the only data they can see is the data you want exposed.

Get access controls wrong in a Salesforce community and there are four key data risks:

  1. Visibility by a community user to internal data or data about other customers or users
  2. Export in bulk of internal data or data about other customers or users
  3. Data insertion to the point where internal use is impeded due to storage or API usage being exceeded
  4. Data update which corrupts internal data or data about other customers

Beyond that, there are serious risks to brand and reputation, especially in jurisdictions like Australia, where you have legal obligations to keep customer data safe and potentially to notify regulators and customers if data is breached.

Artisan Consulting can Help

Artisan Consulting has the specialist knowledge to check if your Salesforce Community is secure and to provide direction on the steps to take if it is not.

We offer this service at a low-cost fixed price because we want your customer data to be safe.

If your organisation operates a Salesforce Community and you are not sure if access to data and functionality is as secure as it should be, then contact us today asking about our Community Security Scan service.

About the Author

Richard Clarke is the Salesforce Practice Director at PS+C Artisan. Richard has led Salesforce delivery teams in Australia, New Zealand and the USA and applies over 20 years of enterprise software experience when delivering business value with Salesforce.com.

Richard currently holds 21 Salesforce Certificates and was first certified in 2009.