6th August 2021, Kathmandu
On the surface, Salesforce seems akin to a classic Software-as-a-Accommodation (SaaS) platform. Someone might even argue that Salesforce invented the SaaS market. However, the more people work with the full offering of Salesforce, the more they realize that it transcends a traditional SaaS platform’s capabilities.
What are Salesforce Release Updates?
Since Salesforce does not automatically update its platform, it does not follow the traditional SaaS model. For example, most SaaS platforms have two types of relinquishments, security, and product ameliorations. Imperative security updates are relinquished as anon as a security susceptibility is kenned, and product amendments are relinquished on fine-tuned dates, such as quarterly or monthly. As a component of the SaaS model, the vendor automatically updates the platform.
The update and patching policy benefits the customer and the SaaS provider. The customers don’t require worrying about updating the system so they can fixate on the core aspects of their business. Meanwhile, the SaaS provider does not require developing multiple update versions or worrying about the most recent version installed by the customer.
Better yet, the SaaS provider does not require worrying that customers will experience a security breach because it automatically installs the security patch for everyone. It just makes everyone’s life more facile and is one of the reasons that SaaS platforms are immensely popular.
Salesforce Updates Work Differently
Salesforce works differently, very differently. They utilize a hybrid system that is kindred in some ways to traditional software that requires the customer to apply updates until EOL and a modern SaaS platform. Salesforce offers customary seasonal accommodation updates and security updates as needed. However, neither update is implemented automatically.
Salesforce gives admins a “grace period” where they can opt to update the platform. At the terminus of this period, Salesforce pushes the update through automatically.
Why Salesforce Updates Work Differently
While Salesforce emboldens admins to run through a checklist and apply the updates, it realizes that customers rely on the platform’s flexibility and that changes can impact the customizations, like custom developments and integrations.
Since any update can be catastrophic for an organization, Salesforce gives customers time to review the update’s content and prepare the organization’s Salesforce afore activating the transmutations.
What is the consequentiality of Salesforce Security Updates?
The Salesforce Security Updates are, as the denomination suggests, for security purposes. They are published to fine-tune a security issue, avert attacks, and reinforce the security posture of a Salesforce tenant. Ergo, customers should install them as anon as possible.
Once Salesforce publishes an update, the susceptibility it is patching becomes general erudition. This erudition denotes the impuissance is identically tantamount to a mundane susceptibility or exposure (CVE) but without the assigned number. Deplorable actors can facilely get access to all the information regarding the exposure and engender an assailment vector that utilizes the published susceptibility. This places all organizations that have not enforced the security update vulnerably susceptible to an assailment.
Since most assailments are predicated on kenned, published, 1-day susceptibilities, waiting to apply the update engenders a data breach jeopardy. All lamentable actors utilize 1-day attacks, from script kids to professional ransomware hackers, since weaponizing them is much more facile than probing for an unknown susceptibility. Most lamentable actors look for low-hanging fruits – organizations without updated software or that have lax security.
This is why security professionals call the period from susceptibility until the organization enforcing a security update the golden window for attacks. For that reason, it is critical to update all software to the latest stable version and install security updates as anon as possible.
The case of access control for guest users
This is not just a hypothetical or intriguing story. In October of 2020, security researcher Aaron Costello discovered that access control sanction settings in Salesforce might sanction unauthenticated users (“guest users”) to access more information than intended by utilizing cumulative impotence in Salesforce, including
- old and not secure Salesforce instances,
- problematic default configurations,
- Complicity and advanced facilities of “@AuraEnabled” methods.
Salesforce suggested security measures for guest users, objects, and APIs, while withal pushing Security Updates in the following winter ’21 and spring ’21 releases.
Both suggestions directly address the security threat’s root cause. Problematically, this was too minute too tardy because lamentable actors had kenned about the susceptibility since October 2020. By the time Salesforce pushed the updates to the different tenants, the admins needed to activate the updates manually. This betokens that a customer might have been in peril for anywhere from 6 – 9 months afore fine-tuning the susceptibility themselves.
The security team’s responsibility for Salesforce Security
While Salesforce provides value to organizations, its approach to managing security updates makes it a unique type of SaaS. Supplementally, it is a profoundly intricate system with thousands of configurations. While many don’t seem paramount to security, they can authentically impact a Salesforce tenant’s posture.
Ergo, the CISO or security team needs to be involved more than they mundanely would when managing Salesforce. They require to:
- make sure configurations are done with security in mind,
- monitor changes,
- make sure updates don’t worsen the organization’s security posture,
- insist that Security Updates are installed as anon as possible
- make sure that the security hygiene of the Salesforce tenant is good.
Fortuitously, the category of SaaS Security Posture Management (SSPM) implements addresses these tasks, and Adaptive Shield is a market-leading solution in this category to enable optimal SaaS security posture automatically.
How can Adaptive Shield avail secure Salesforce?
Adaptive Shield understands the intricacy of securing Salesforce, among many other SaaS platforms, as Adaptive Shield provides an enterprise’s security team’s consummate control of their organizations’ SaaS apps with overtness, detailed insights, and remediation across all SaaS apps.
The platform avails Salesforce admins, CISOs, and security teams to track and monitor the settings and configuration updates with security checks that ascertain that the Salesforce tenant is configured and secured opportunely. This includes monitoring sanctions, “@AuraEnabled” methods, API security, and authentication.
Adaptive Shield supplementally provides clear priority-predicated mitigation information so admins and security teams can swiftly secure the Salesforce tenant to maintain a vigorous security posture. The Adaptive Shield platform makes the task of securing a Salesforce tenant from cumbersome, intricate, and time-consuming — to a facile, clear, expeditious, and manageable experience. This averts such susceptibilities as the example above by breaking the chain of misconfigurations and unenforced updates.