Businesses are embracing sales force automation as a way to deliver a more efficient sales and go-to-market program. The leading application for this is Salesforce, which is also the world’s leading cloud-based software provider. Salesforce is used by sales teams to manage revenue-generating quotes, forecasts, allocations, and attributions and is the core system directing a significant cost center and associated variable commission payments. Sales employees are empowered to perform advanced business processes, including accessing, managing, and controlling sensitive material and privileged company information.
Using automation to enable efficiencies throughout the organization can deliver enormous benefits. However, this enablement also introduces risks. Users with inappropriate access to sensitive company data can introduce compliance and security risks to the organization and the potential for occupational fraud and abuse. The ACFE studies rank the sales team as a high-risk department to commit occupational fraud, along with the operations, accounting, and management departments (ACFE Report to Nations).
The concept of internal risk in Salesforce easily extends beyond its banner of CRM (Customer Relationship Management). Salesforce is typically tightly integrated with the company’s financial and operational systems, such as its Enterprise Resource Planning (ERP) system. The result is that tightly coupled processes often span both the ERP and Salesforce, so risks are not isolated to just one of these systems. Conflict of interest risks exist within Salesforce itself, and the exposure grows when actions taken in Salesforce cross over into the ERP. Typical risks range from exposing a client’s personally identifiable information (a GDPR violation) to fraudulent returns management, misstated bookings, money laundering exposure, and commission payment manipulation.
Access Reviews and Segregation of Duties in Salesforce
System security for Salesforce affects an organization’s overall Governance, Risk Management, and Compliance (GRC) program. It should be baked into the Salesforce system design and any coupled business processes between Salesforce and the ERP. By performing a risk assessment as part of the system design, security teams and business process owners can determine the access privileges for each user to minimize the possibility of users viewing or changing critical information outside their job responsibilities.
Sales staff rely on Salesforce data to pursue new opportunities, track prospect interactions, and calculate their sales projections. Frequent changes in the sales department, such as reorganizing sales teams, reassigning accounts, and modifying operational responsibilities, mean that the sales team’s access requirements to Salesforce data are constantly changing. There is also tremendous pressure on the organization to grant sales staff additional access to information they feel might help them deliver revenue, even when that information is not actually required to perform their job.
Such rapid changes in work assignments and requests for additional access can lead to confusion and unnecessary risk. Users should only be assigned the minimum access privileges to Salesforce they require to perform their jobs. Failure to establish and maintain regular access reviews and certifications can lead to Segregation of Duties (SoD) conflicts and critical access (CA) violations.
Risk Mitigation in Salesforce
Risk mitigation processes help organizations using Salesforce in the following areas:
- Manage Segregation of Duties (SoD) risk – One priority is to manage risk exposure within Salesforce by analyzing SoD conflicts and sensitive access down to the most granular functional levels of access by Salesforce record and field.
- Automate User Access Reviews and Certifications – User access data can be collected and distributed automatically to Business Process Owners and management team members for periodic access reviews and certifications. Security team members can then focus only on critical risk items, ignoring roles with minimal or no risk associated with them (such as read-only or inquiry-only roles). The Access Certification process should notify supervisors and Business Process Owners to certify a user’s access rights, and it should track which users have been reviewed along with any outstanding actions that remain to be completed.
- Monitor SoD risk across all your business applications, not just Salesforce – View user access and SoD risk across multiple ERP/CRM/HCM systems. Salesforce manages significant sensitive processes, but it is often linked with Order Management, Finance, and Supply Chain systems. Because business processes and customer, partner, and vendor activity touch both Salesforce and these other systems, SoD controls should be deployed across all of these applications.
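As an added example (not Fastpath’s or Salesforce’s own code), the following Python models the SoD analysis the list above describes: a user’s effective access is the union of their profile and permission-set grants, that access is checked against a set of conflict rules, and read-only users are dropped from the access review queue. All profile, permission set, user and rule names are constructed sample data.

```python
# Added illustration of SoD analysis over Salesforce-style access assignments.
# Effective access = profile grants + permission-set grants (Salesforce grants are additive).
# Constructed sample data: object-level permissions keyed by profile / permission set name.
PROFILES = {
    "Sales Rep": {"Opportunity": {"Read", "Create", "Edit"}, "Quote": {"Read", "Create", "Edit"}},
    "Sales Manager": {"Opportunity": {"Read", "Edit"}, "Quote": {"Read", "Edit"}},
    "Finance Analyst": {"Quote": {"Read"}, "Commission__c": {"Read"}},
}
PERMISSION_SETS = {
    "Approve Quotes": {"Quote": {"Read", "Edit"}, "Custom:ApproveQuote": {"Enabled"}},
    "Commission Admin": {"Commission__c": {"Read", "Create", "Edit"}},
}
# user -> (profile, list of permission sets)
USERS = {
    "alice": ("Sales Rep", ["Approve Quotes"]),
    "bob": ("Sales Manager", ["Commission Admin"]),
    "carol": ("Finance Analyst", ["Commission Admin"]),
    "dave": ("Finance Analyst", []),
}
# SoD rules: two capabilities that should not sit with one user, each given as
# (object, permission). Illustrative rules only, not a vendor rule set.
SOD_RULES = {
    "Create quote and approve quote": (("Quote", "Create"), ("Custom:ApproveQuote", "Enabled")),
    "Edit opportunity and edit commission": (("Opportunity", "Edit"), ("Commission__c", "Edit")),
}
# Permissions that change data or trigger functions; anything else is inquiry-only.
WRITE_FLAGS = {"Create", "Edit", "Delete", "Enabled"}


def effective_access(user):
    """Union of the user's profile and permission-set grants as (object, permission) pairs."""
    profile, psets = USERS[user]
    grants = set()
    for source in [PROFILES[profile]] + [PERMISSION_SETS[p] for p in psets]:
        for obj, perms in source.items():
            grants.update((obj, p) for p in perms)
    return grants


def sod_conflicts(user):
    """Names of the SoD rules for which the user holds both conflicting capabilities."""
    access = effective_access(user)
    return sorted(name for name, (a, b) in SOD_RULES.items() if a in access and b in access)


def needs_review(user):
    """Review triage: users whose effective access is read-only are skipped."""
    return any(p in WRITE_FLAGS for _, p in effective_access(user))


def review_queue():
    """Users to send for certification, each with their SoD conflicts."""
    return {u: sod_conflicts(u) for u in USERS if needs_review(u)}
```

Note that alice’s conflict only appears once the permission set is combined with her profile; checking profiles and permission sets in isolation would miss it.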
Managing Risk in Salesforce with Fastpath
Fastpath Assure® provides comprehensive risk management tools to help companies identify and mitigate user access security risks in Salesforce and other critical business applications, including their ERP and HCM applications. Businesses use Fastpath to monitor access security risk, mitigate Critical Access and Segregation of Duties conflicts, and provide the necessary documentation to internal and external auditors.
In addition, Fastpath provides the following capabilities:
- Quickly identify security conflicts within and across profiles and permission sets
- Analyze segregation of duties by user, system, object, field, or custom permission
- Sign-off for risk and conflict mitigations
- Perform security analysis and generate alerts with automated report scheduling
- Customize reports to meet specific needs for delivery in many formats (Excel, PDF, etc.)
- Assist with regulatory compliance (SOX, HIPAA, FDA, etc.)
Fastpath partner Protiviti has written an excellent blog, Keeping Salesforce Secure: What You Need to Know, describing the Salesforce Security Model. It explains that user access security in Salesforce has two layers: record-level security, which governs data access, and object-level security, which governs functional access.
If you are concerned about Salesforce application security, consider starting with the objectives outlined in this blog:
- Understand the Salesforce security model
- Create and establish a security framework
- Evaluate the current environment, comparing it with the organization’s framework
- Assess risks and determine steps for remediation
Click here to request a short demonstration to see how Fastpath can help your company manage your access risk and compliance efforts.