Reported misconfigurations in the Salesforce Community Cloud once again show how the industry needs to do a better job explaining the shared responsibility model for cloud apps.
The story first broke April 27 on the Krebs on Security blog, which reported that the state of Vermont had at least five Salesforce Community sites that allowed guest access to sensitive data. This included a Pandemic Unemployment Assistance program that allegedly exposed an applicant’s full name, Social Security number, address, phone number, email address and bank account number.
Krebs learned of the case from security researcher Charan Akiri, who reportedly said he wrote a program that identified hundreds of other organizations that were running misconfigured Salesforce Community pages. The Salesforce Community Cloud lets organizations build branded communities where they can share information, and users can connect and collaborate. The misconfigurations that lead to actual data leaks arise when Salesforce administrators mistakenly grant guest (unauthenticated) users access to internal resources.
A Salesforce spokesperson said that, as Krebs makes clear in his story, it’s a configuration issue. Salesforce added that while data exposure resulting from misconfigurations is not the result of a vulnerability inherent to Salesforce, the company has been “actively focused” on data security for organizations with guest users, and continues to release robust tools and guidance for customers.
“That includes proactively communicating with customers to help them understand the capabilities available to them, and how they can best secure their instances of Salesforce to meet their security, contractual, and regulatory obligations,” the spokesperson said.
It’s important to note that the misconfiguration issue in Salesforce Community was first addressed in August 2021, when researcher Aaron Costello posted a blog on the issue. Costello followed up several months later with a detailed how-to on locking down Salesforce Community sites.
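The exposures described above come down to what the guest profile is allowed to read. The following is an added example, not code from the article or from Salesforce: it audits rows shaped like the ObjectPermissions records an admin can export from an org and flags any guest permission a defender would want to review. The SOQL filter in the docstring, the sensitive-object list and the sample rows are assumptions constructed for illustration.

```python
"""Audit guest-profile object permissions exported from Salesforce.

Added example, not part of the article. Assumes rows shaped like the
ObjectPermissions records a SOQL query such as

  SELECT SobjectType, PermissionsRead, PermissionsCreate, PermissionsEdit,
         PermissionsDelete, PermissionsViewAllRecords
  FROM ObjectPermissions
  WHERE Parent.Profile.UserType = 'Guest'

would return (field names as documented; the WHERE filter is an assumption)."""
from typing import Dict, List

# Objects an unauthenticated community guest should never be able to read.
# Illustrative list; replace with your own org's inventory of sensitive objects.
SENSITIVE_OBJECTS = {"Contact", "Case", "Benefit_Application__c", "Bank_Account__c"}

# Constructed sample export: three rows a guest profile might carry.
SAMPLE_ROWS: List[Dict] = [
    {"SobjectType": "Knowledge__kav", "PermissionsRead": True, "PermissionsCreate": False,
     "PermissionsEdit": False, "PermissionsDelete": False, "PermissionsViewAllRecords": False},
    {"SobjectType": "Benefit_Application__c", "PermissionsRead": True, "PermissionsCreate": True,
     "PermissionsEdit": False, "PermissionsDelete": False, "PermissionsViewAllRecords": True},
    {"SobjectType": "Contact", "PermissionsRead": True, "PermissionsCreate": False,
     "PermissionsEdit": True, "PermissionsDelete": False, "PermissionsViewAllRecords": False},
]

WRITE_FLAGS = ("PermissionsCreate", "PermissionsEdit", "PermissionsDelete")


def audit_guest_object_permissions(rows, sensitive=SENSITIVE_OBJECTS):
    """Return one finding per risky row: a sensitive object readable by guests,
    any write permission, or View All Records (which bypasses sharing rules)."""
    findings = []
    for row in rows:
        obj = row["SobjectType"]
        reasons = []
        if obj in sensitive and row.get("PermissionsRead"):
            reasons.append("read on sensitive object")
        writes = [f for f in WRITE_FLAGS if row.get(f)]
        if writes:
            reasons.append("write access: " + ", ".join(writes))
        if row.get("PermissionsViewAllRecords"):
            reasons.append("View All Records bypasses sharing")
        if reasons:
            findings.append({"object": obj, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_guest_object_permissions(SAMPLE_ROWS):
        print(finding["object"], "->", "; ".join(finding["reasons"]))
```

Public knowledge articles pass cleanly, while the two rows granting guests read or write access to applicant and contact data are reported for review.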
Misconfiguration stands at the center of the shared responsibility model, said Corey O’Connor, director of products at DoControl. O’Connor said Salesforce could have been more forthcoming about the risk involved in what ultimately transpired, and could have paired that with configuration considerations or recommendations on how consumers of its platform can prevent this from happening. However, O’Connor added, Salesforce consumers should have additional controls in place to prevent unauthorized access and mitigate the risk of data being exposed to the wrong identities.
“The bigger the organization, the bigger the problem and the higher propensity for a Salesforce admin to grant unauthorized access to internal resources,” said O’Connor.
Craig Burland, chief information security officer at Inversion6, added that like many other cloud platforms, Salesforce offers security dashboards and tools to monitor threats, but it doesn’t force customers to use them. And here’s where understanding the shared responsibility model becomes critical, said Burland.
“Organizations that haven’t read the fine print or choose to ignore their responsibilities in the model really own that risk," said Burland. "This is really just the tip of the iceberg. Companies have been moving their apps to the cloud for years, but somehow forgot to bring security along for the ride. Assuming that the provider is doing whatever is needed to meet security or compliance concerns fundamentally misunderstands the shared responsibility model.”
Burland was adamant that the solution isn’t that Salesforce needs to do better. He said organizations need to do better.
“They need to apply the same lessons they learned internally to cloud apps, ensuring their admins have security training, regularly reviewing security dashboards, including cybersecurity in the process,” said Burland.
Roy Akerman, co-founder and CEO at Rezonate, still thought that Salesforce needed to do a better job of offering clear and concise notification to users and admins of the potential impact before they take an action, adding that Salesforce needs to make access rights review a recurring activity.
“The Salesforce community in this case is no different from any other ‘shadow’ SaaS apps data employees are exposed to on a daily basis and organizations should take an active role in monitoring and providing education beyond a basic Salesforce oversight of this matter,” said Akerman. “And it appears that an easy fix is for admins to be more judicious in how they grant guest access. Access rights are doomed to fail due to the manual nature, the set and forget, distributed responsibilities and lower priority when yet again employee effectiveness and desired time to answer is immediate.”