Two years ago, I left my strategic leadership role in the U.S. Department of Defense to join Own (formerly OwnBackup), motivated by the opportunity to protect the increasing amounts of data that government agencies store in the cloud, particularly in Salesforce. As is often the case with data security, the greatest challenge is people, not technology. Many don’t realize that Salesforce operates under the Shared Responsibility Model, and so don’t understand that the customer is responsible for protecting data stored in the cloud, including restricting access and maintaining backups. That is why I continue to be passionate about educating and empowering government agencies to ensure the security and compliance of their Salesforce data.
Anticipating Failure
Under the Shared Responsibility Model, Salesforce manages the security of the platform, while the customer maintains the security of the data stored on the platform. This means that government agencies (and all organizations, for that matter) using Salesforce are responsible for managing data classification, access control, disaster recovery, data retention, threat monitoring, and more. Unfortunately, most agencies lack visibility into their Salesforce data security and risks, don’t know what ‘bad’ looks like in these environments, and haven’t tested their ability to recover rapidly. These blind spots leave gaps in security compliance and can result in exposure of sensitive information and disruption of mission-critical operations. Untested backups are themselves a risk if they don’t work as expected when needed.
Certain Salesforce backup products miss important information and have limited ability to restore data, making it time-consuming and difficult (perhaps impossible) to get Salesforce data back into good condition after a data loss or corruption occurs. If the backups can’t be used to recover, they are actually just increasing the attack surface by storing data in an additional location, with the hope that it will remain secure and be useful.
Furthermore, reliable Salesforce data recovery requires a combination of specialized expertise and fit-for-purpose tools to restore and reconstitute only the damaged data and metadata, leaving the bulk of ‘still good’ data untouched. Because of these challenges, when Own performs a Salesforce Security Risk Assessment and a Data Recovery Readiness and Response (DR3) assessment for customers, they are initially at a lower maturity level than desired and require Technical Account Manager support to improve.
For Federal agencies, not understanding their responsibility to protect Salesforce data can result in significant gaps in the security controls defined in NIST SP 800-53r5. Federal agencies are also counting the days until September 30 to meet the administration’s mandate to implement zero-trust cybersecurity requirements. Gartner predicts that 75% of U.S. federal agencies will fail to implement zero trust security policies due to funding and expertise shortfalls. Such failures increase the risk of government services being unavailable and sensitive information being exposed.
Government agencies have an opportunity to address such failures, and they require solutions that reduce the time and cost of compliance. This is where Own FedRAMP® authorized solutions can help, with technical capabilities that are accelerated through automation.
Rising Risks
Over the past year, we have observed significant increases in Salesforce vulnerabilities and data loss, resulting in data leaks and service disruptions. The most common causes of such data loss and corruption incidents are human mistakes, such as inadvertent deletion and integration errors.
Insider threats have surged as remote work has grown, highlighting the importance of controlling access to data and maintaining least privilege access, including for contractors in development and test environments.
Cloud-conscious attacks increased by 110% between 2022 and 2023, according to the CrowdStrike 2024 Global Threat Report.
“The most ubiquitous impact technique was actually destructive, with actors removing access to accounts, terminating services, destroying data and deleting resources.” (2023 CrowdStrike Global Threat Report).
These rising risks, combined with data protection gaps, are a recipe for disaster, disrupting government services and exposing sensitive information.
Strengthening Security
Own is the clear leader in Salesforce data security and ensuring compliance for the world’s most complex and highly regulated organizations. By providing FedRAMP® authorized and interoperable data protection solutions for Salesforce, Own delivers the visibility and control that government agencies need to not only comply with published requirements but go beyond to thrive in a "de-perimeterized" world in an efficient and cost-effective manner.
Own Secure, a native application available on the AppExchange that is interoperable with FedRAMP® authorized solutions, encodes years of specialized Salesforce expertise to significantly cut costs and speed up identifying which data is at highest risk, assessing how well sensitive data is protected and who has access to it, and computing risk scores to help prioritize what to fix first with limited available resources.
Own Recover enables agencies to restore Salesforce data and metadata quickly and reliably, reducing downtime by 71% and increasing the efficiency of data recovery teams by 37%.
Own Archive helps agencies implement data retention and archival policies, which improves Salesforce performance, reduces storage costs by an average of 72%, and simplifies compliance and reporting.
Own Accelerate empowers agencies to innovate safely and securely in Salesforce with flexible data seeding and anonymization capabilities that help increase development efficiency, reduce costly errors, and protect sensitive information.
Federal system integrators have an opportunity and, in some cases, a responsibility to help government agencies enhance data security, and our guide to protecting data and implementing Zero Trust in Salesforce can help. Contact me if you want to learn more about delivering Security Risk Assessments fueled by Own FedRAMP® authorized solutions.