Sensitive Data in Salesforce?

November 18, 2022


If your organization uses Salesforce, then this post is worth checking out. Let’s start with some questions to set the table. See if you can quickly identify the answers to these questions.


Who manages your organization’s Salesforce environment? A CRM team, or perhaps your IT team? What area of the company is responsible for managing this team? Perhaps it’s the SVP of Sales, or the CFO leadership?


Regardless of which team or group manages the Salesforce environment, the more central question remains: is there a clear organizational understanding of access controls within Salesforce? This includes external identities such as contractors or partners, over-permissive access, and unwanted access to sensitive data.


Why are these things relevant? Most often there is a significant disconnect between the team managing Salesforce and the organization’s security team. Or, where Salesforce is managed by the IT or security team, there is often a lack of visibility into, and understanding of, the complex Salesforce permission model. This observation has been borne out by countless assessments performed with the Varonis DatAdvantage Cloud platform. If you’re not familiar with this platform, please see my last blog post here.


Typical discoveries include sensitive data in locations where it should not be, undesirable apps that access Salesforce via the API and may pull sensitive data, and wide-scale misconfigurations that give attackers an easy attack vector.



A Changing Landscape

Varonis has long maintained that data is what companies have the most of and know the least about. Having been in this industry for over 20 years, I agree. Most companies I speak with have very little understanding of what data they have; their data is extremely disorganized, security controls are weak or in some cases non-existent, and sensitive data is found in every possible location.


Now more than ever, data is moving to the cloud, and sensitive data is moving with it. According to Okta¹, the average large company has 187 different SaaS apps, each with its own configuration, permission model, and sharing features. When cloud applications are scrutinized at this scale, it becomes clear that their security controls aren’t aligned with Zero Trust.




Regardless of how your Salesforce environment is managed, there is a common and noticeable gap among enterprise customers across the marketplace. It parallels a theme more traditionally associated with on-premise applications: locating and identifying sensitive data, and understanding access controls and activity as they relate to that sensitive data.


Salesforce is usually acquired through a decision made at the business level. What is often not recognized is that the security controls within Salesforce are more complex than traditional security controls, so the skillset and time needed to manage them increase drastically.


What would it take to determine a user’s effective permissions natively within Salesforce? To gain a clear picture of what a user can do, one must start with the permissions granted through the user’s Profile, then add each assigned Permission Set and Permission Set Group to build the complete picture of that user’s effective permissions. On top of that, there are further considerations, such as specific permissions being muted.


Further, what happens when an admin needs to compare users’ effective permissions? If they have somehow manually tracked all the various permissions that make up each user’s effective permissions, this could serve for an initial comparison, albeit a tedious and time-consuming one. But what happens after time has passed and permissions have changed? The admin would have to laboriously go through the entire manual process again to ensure an accurate comparison. Varonis offers a great write-up specifically on permission comparisons within Salesforce. You can read it here.
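To make the aggregation described above concrete, here is an added example (written for this post, not Varonis or Salesforce code) that computes effective permissions from a simplified version of the model: the union of what the Profile grants, what each directly assigned Permission Set grants, and what each Permission Set inside an assigned Permission Set Group grants, minus anything muted within that group. It also does the two things the paragraph above says an admin must otherwise do by hand: compare two users side by side, and detect drift against an earlier snapshot. All profiles, permission sets, groups, permission names and users are constructed sample data, and the muting rule (a mute applies only to the group’s own grants) is this example’s assumption.

```python
"""Compute and compare effective Salesforce user permissions (added example).

Illustration written for this post, not Varonis or Salesforce code. The model
is simplified: effective system permissions are the union of the Profile's
grants, each directly assigned Permission Set's grants, and each Permission
Set Group's grants minus whatever that group mutes. All names and users below
are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PermissionSetGroup:
    members: frozenset                 # names of the permission sets in the group
    muted: frozenset = frozenset()     # permissions muted for this group only


@dataclass
class User:
    name: str
    profile: str
    permission_sets: list = field(default_factory=list)
    groups: list = field(default_factory=list)


# Constructed sample org. Permission names are illustrative labels.
PROFILES = {
    "Account Executive": {"ApiEnabled", "ViewSetup"},
    "System Administrator": {"ApiEnabled", "ViewSetup", "ManageUsers", "ModifyAllData"},
}
PERMISSION_SETS = {
    "Report Builder": {"RunReports", "CreateReports"},
    "Data Export": {"ApiEnabled", "ExportReport"},
    "Integration": {"ManageDataIntegrations", "ManageIpAddresses"},
}
GROUPS = {
    "Sales Ops": PermissionSetGroup(
        members=frozenset({"Report Builder", "Data Export"}),
        muted=frozenset({"ExportReport"}),   # muted only inside this group
    ),
}


def effective_permissions(user: User) -> set:
    """Union of every grant path; muting removes only the group's own grants."""
    perms = set(PROFILES[user.profile])
    for ps in user.permission_sets:
        perms |= PERMISSION_SETS[ps]
    for g in user.groups:
        group = GROUPS[g]
        granted = set()
        for ps in group.members:
            granted |= PERMISSION_SETS[ps]
        # A permission muted here may still arrive via the profile or a
        # directly assigned permission set, so subtract before the union.
        perms |= granted - group.muted
    return perms


def compare(a: User, b: User) -> dict:
    """Side-by-side comparison an admin would otherwise assemble by hand."""
    ea, eb = effective_permissions(a), effective_permissions(b)
    return {
        "only_in_" + a.name: sorted(ea - eb),
        "only_in_" + b.name: sorted(eb - ea),
        "shared": sorted(ea & eb),
    }


def drift(snapshot: dict, users: list) -> dict:
    """Compare a saved {name: set} snapshot with the current state; report changes."""
    changes = {}
    for u in users:
        now = effective_permissions(u)
        before = snapshot.get(u.name, set())
        if now != before:
            changes[u.name] = {"added": sorted(now - before), "removed": sorted(before - now)}
    return changes


ALICE = User("alice", "Account Executive", groups=["Sales Ops"])
BOB = User("bob", "Account Executive", permission_sets=["Data Export", "Integration"])
# Carol gets Data Export both directly and through the group, so the group's
# muting of ExportReport does not remove it from her effective permissions.
CAROL = User("carol", "Account Executive", permission_sets=["Data Export"], groups=["Sales Ops"])

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL):
        print(u.name, sorted(effective_permissions(u)))
    print(compare(ALICE, BOB))
    snapshot = {u.name: effective_permissions(u) for u in (ALICE, BOB, CAROL)}
    BOB.permission_sets.append("Report Builder")   # simulate a later change
    print(drift(snapshot, [ALICE, BOB, CAROL]))
```

The Carol case is the one worth noticing: a mute inside a Permission Set Group does not cancel the same permission granted through another path, which is exactly why a manual check of one location at a time gives a misleading answer.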


Picture 1 below is a depiction of all the locations within Salesforce that an admin would have to sift through to find the effective permissions of a given user.



Picture 1


Let’s see what a few of the items covered in the above depiction look like to the admin within Salesforce. Picture 2 shows a user, and we notice her Profile.



Picture 2


Next, in Picture 3, if the admin drills into the Account Executive profile they are shown Object Settings and System Permissions. Both areas are good places to start seeing some of the user’s permissions.



Picture 3


If the admin then looks at the System Permissions, they will see what is shown in Picture 4 below. Note that there are over 250 settings to check!



Picture 4


Lastly, for the purposes of this blog post I won’t go further than Picture 5 and Picture 6 below, which show the Object Settings. There are over 100 objects, and each contains multiple fields.



Picture 5



Picture 6


There are many more areas within Salesforce that an admin must check to fully understand effective permissions, such as Default Sharing Settings and Organization-Wide Defaults, as well as any hierarchies that may be assigned. As you can see, tracking and understanding your users’ effective permissions within Salesforce is no small task. However, it is critical for the health and security of a business to do so.



What About Addons?

What is Salesforce Shield? Simply put, it is a product addon, purchased separately from Salesforce, that offers encryption, field classification, certain field activity auditing, and event monitoring. These features are great and do offer some improvements over the native Salesforce platform, at a cost. The price of this addon is often a key issue customers face when looking to enrich their Salesforce experience.


But beyond cost, let’s look at some other key considerations.


Shield doesn’t assist with permission management, and as you now know, Salesforce has hundreds of configuration settings and system permissions. This is a significant gap that customers are noticing.


Shield does perform some classification, but only on certain fields and typically only around identity (PII). It also will not sort classification results by type of regulation.


Further, we are seeing an increasing demand for the ability to classify sensitive data within attachments inside CRM platforms. Increasingly, auditors are looking to see if there are proper security controls around sensitive data. Think of all the files attached to cases, opportunities, or customer accounts within Salesforce. Could you identify where this sensitive data is? Could you further understand not only where it is, but what types of sensitive data exist, and most importantly, who has access to it?


What about event details? While Shield provides detailed events, it lacks event enrichment, so there is no way to visualize activity or see any contextual intelligence behind the events.


While Salesforce offers some decent addons, such as Shield or even the Privacy and Security Center, these addons can at times fall short, and they can be expensive and challenging to implement.



Where to Now?

Let’s look at Picture 7 below. It is a fitting example of what you cannot see natively in Salesforce.



Picture 7


So, what are you looking at? This is a sample screenshot from the Varonis DatAdvantage Cloud platform analyzing the effective permissions of an entity within Salesforce. It pulls in all the different vectors through which a user can gain access and aggregates them into the “Effective” column for easy viewing and comparison.


As discussed earlier, Salesforce permissions can be derived from profiles, underlying permission sets and object permissions, roles, or individual permission settings.


In Picture 8, we can see that this user’s effective permissions grant most of the sub-permissions, such as Manage IP Addresses and Manage Data Integrations, among others. Having a complete permissions mapping in a single pane of glass gives organizations an edge in this space that they have not had before.



Picture 8


Let’s not forget individual Field Access either. Once you examine the corresponding tab, as shown in Picture 9 below, you gain immediate visibility into a given user’s individual object access levels.



Picture 9


Varonis DatAdvantage Cloud normalizes permission complexity across monitored cloud platforms with the CRUDS method. If you’re not familiar with the CRUDS acronym, it simply stands for Create, Read, Update, Delete, Share. You can read more about it here.


Securing Salesforce often requires a cross-team understanding of the potential security risks and of how to reduce or eliminate them while ensuring that the product can still serve its intended purpose.


Let’s look at some additional examples below.


In Picture 10 we can see high-level statistics on sensitive data over the last 30 days: what types of sensitive data were found within your files, how many files in total, how many overexposed sensitive files, and some other key statistics, all at a glance. Any of these can be clicked to provide further context and filtering.



Picture 10


In Picture 11 we can see basic object information such as size, number of hits for sensitive data, and the sensitive data classification categories.



Picture 11


Once you examine an object, whether it be a folder or file, you gain additional context. Specifically, Picture 12 shows us Entitlements (permissions), and Compliance information for the “w2file.pdf.”



Picture 12


We can see that several individuals have access to this file. Some of these identities are external to the company, and some of those external identities have Read, Update, and Delete permissions. We also see on the Compliance tab that specific PII, PCI, and financial data exist within the object.
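The CRUDS normalization mentioned earlier and the overexposure finding just described can be put together in a small check. The following is an added example written for this post, not Varonis code: it maps the boolean fields of Salesforce’s ObjectPermissions object (PermissionsCreate, PermissionsRead, PermissionsEdit, PermissionsDelete, PermissionsViewAllRecords, PermissionsModifyAllRecords) onto CRUDS verbs, then runs over per-file entitlement and classification records to flag external identities with access to files that carry PII, PCI or financial data, rating anything beyond Read as high. The field-to-verb mapping is this example’s own assumption, and every file, identity, entitlement and classification record is constructed; only the file name “w2file.pdf” comes from the post.

```python
"""Normalize Salesforce permissions to CRUDS and flag overexposed sensitive files.

Added example for this post, not Varonis code. The mapping from ObjectPermissions
boolean fields to CRUDS verbs is this example's own assumption, and every file,
identity, entitlement and classification below is constructed sample data.
"""
CRUDS = ("Create", "Read", "Update", "Delete", "Share")

# Assumed mapping: each ObjectPermissions flag contributes these CRUDS verbs.
OBJECT_FLAG_TO_CRUDS = {
    "PermissionsCreate": {"Create"},
    "PermissionsRead": {"Read"},
    "PermissionsEdit": {"Update"},
    "PermissionsDelete": {"Delete"},
    "PermissionsViewAllRecords": {"Read"},
    "PermissionsModifyAllRecords": {"Read", "Update", "Delete", "Share"},
}


def object_flags_to_cruds(row: dict) -> set:
    """row: one ObjectPermissions record rendered as {field_name: bool}."""
    verbs = set()
    for flag, contributed in OBJECT_FLAG_TO_CRUDS.items():
        if row.get(flag):
            verbs |= contributed
    return verbs


SENSITIVE_CATEGORIES = {"PII", "PCI", "Financial"}

# Constructed entitlement and classification records for two attachments.
# "cruds" holds already-normalized verbs; "external" marks a non-employee identity.
FILES = {
    "w2file.pdf": {
        "classification": {"PII", "PCI", "Financial"},
        "entitlements": [
            {"identity": "alice@example.com", "external": False,
             "cruds": {"Create", "Read", "Update", "Delete", "Share"}},
            {"identity": "partner@partner.example", "external": True,
             "cruds": {"Read", "Update", "Delete"}},
            {"identity": "auditor@auditor.example", "external": True,
             "cruds": {"Read"}},
        ],
    },
    "brochure.pdf": {
        "classification": set(),
        "entitlements": [
            {"identity": "partner@partner.example", "external": True,
             "cruds": {"Read", "Update"}},
        ],
    },
}


def overexposures(files: dict) -> list:
    """External identities on files that hold sensitive categories.

    Any external access to a sensitive file is reported; access beyond Read
    (the ability to change, destroy or re-share the data) is rated high.
    """
    findings = []
    for name, info in files.items():
        categories = info["classification"] & SENSITIVE_CATEGORIES
        if not categories:
            continue            # public or unclassified file: external access is expected
        for ent in info["entitlements"]:
            if not ent["external"]:
                continue
            beyond_read = ent["cruds"] - {"Read"}
            findings.append({
                "file": name,
                "identity": ent["identity"],
                "categories": sorted(categories),
                "verbs": [v for v in CRUDS if v in ent["cruds"]],
                "severity": "high" if beyond_read else "medium",
            })
    return findings


if __name__ == "__main__":
    print(object_flags_to_cruds({"PermissionsRead": True, "PermissionsEdit": True}))
    for finding in overexposures(FILES):
        print(finding)
```

Normalizing first and then writing the policy in CRUDS terms is the point: the same overexposure rule then applies unchanged to entitlements pulled from any other platform once its permissions have been mapped onto the same five verbs.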


As you can see, Varonis DatAdvantage Cloud quickly and easily exposes gaps in security and compliance within Salesforce. It uses the same data classification engine and methods you may be familiar with from Varonis’ more traditional enterprise platform.


What solution are you using that can classify sensitive data within Salesforce attachments and perform file analysis? Do you have full visibility into effective permissions mappings? What about activity monitoring that leads to meaningful alerts?



How About an Assessment?

The Varonis DatAdvantage Cloud platform can fundamentally change your organization’s visibility into where sensitive data lives, who has access to it, and what activity has been taking place. It makes permissions simplification a reality, all while building cross-cloud profiles and extending cross-cloud threat detection and investigation to your other SaaS-based applications.


That’s right: the platform doesn’t stop at Salesforce; it also classifies data in Google Workspace, AWS S3, and Box. These capabilities drastically reduce your blast radius while offering a single pane of glass into your critical cloud-based applications.


I chose to focus on Salesforce because it is something most organizations use heavily yet have limited or no visibility into the security risks within it. Typically, organizations store a vast amount of customer-specific and sensitive data in Salesforce while lacking the capability or understanding to manage Salesforce permission complexity, which prevents them from achieving Zero Trust.


So, what data exists in your organization’s Salesforce? What about your other cloud services?


If you’d like to further understand Salesforce permissions and learn who sees what within Salesforce, I encourage you to look at this video series from Salesforce. It will help you understand how roles, profiles, and sharing rules work together to provide access to the myriad objects and records within your Salesforce organization.


Optiv can connect to and assess your SaaS applications in minutes. The output of these assessments is typically eye-opening and leads to larger conversations about data, identity security, and compliance in the cloud. Contact your Optiv client manager to ask about an assessment for your organization.





Jeremy Bieber
Partner Architect for Varonis | Optiv
Jeremy is Optiv's Partner Architect for Varonis, specializing in understanding unstructured data, data governance/compliance and data protection.

With over 22 years of experience, Jeremy began professionally working with technology during the late 1990s at Electronic Data Systems and later at Hewlett-Packard. In 2016 he joined Varonis, consulting with clients and implementing the Varonis Data Security Platform to ensure client achievement of least-privileged access models and proactive threat detection, locating and ensuring sensitive-data compliance on-premise and in the cloud.

Over the course of his career, Jeremy has achieved a range of industry certifications including over a dozen Microsoft certifications, certifications from VMware, Hewlett-Packard, Smarsh and Varonis. He can pull from his lengthy experience including system administration, architecture, engineering and consulting to provide a seasoned focus on data security.

At Optiv, he uses this real-world experience to relate how the Varonis Data Security Platform will enhance the overall security goals for our clients, reduce risk, detect abnormal behavior and ensure compliance.
