Cybersecurity Best Practices Guidance from the “5 Eyes” governments
An article published today (20 April 2023) by the United States Cybersecurity and Infrastructure Security Agency, the United States National Security Agency, the United States Federal Bureau of Investigation, the United Kingdom National Cyber Security Centre, the Australian Cyber Security Centre, the Canadian Centre for Cyber Security, and the New Zealand National Cyber Security Centre covers off a lot of great information around how to protect Smart Cities of the future.
Why am I asking you to look at this? It isn’t because you run a smart city, it is because the recommendations are useful anywhere and the authors have great links to places where you can learn more or get deeper information.
So, look at the article and skip to the Recommendations section (unless you are building a smart city).
I have provided a quick rundown of each recommendation:
- Apply the principle of least privilege
The NSA has a short 4 page document on managing this and it corresponds well to Salesforce.
- How many administrators do you need? (As few as possible)
- Monitoring for anomalies (Use Setup Audit Trail to see promotion of users to admin or creation of admins)
- Removal of privileges when they are no longer needed (Use expiry dates for permission sets) - Enforce multi-factor authentication
- Just do it.
- You can use physical security keys, certificates, Touch ID or Windows Hello to provide MFA as well as authenticator apps. See Identity Verification in the Salesforce Setup area. - Implement zero trust architecture
This is mainly for folks who have their own network infrastructure, however it is gaining traction elsewhere - Manage changes to internal architecture risks
Again, more towards folks who have their own network infrastructure, however some tidbits around vulnerability scanning. This is a key feature for your corporate laptops/desktops. Make sure they are updating their OS, browser and anti malware tools often. - Improve security of vulnerable devices
If you have a VPN for your corporate access, there is some guidance here for you. - Protect internet-facing services
Salesforce does the majoity of this for you:
- Credential Stuffing protection (and alerts if you have Event Monitoring) - Patch systems and applications in a timely manner
Again Salesforce does this for their systems, however you need to do it for yours, see #4 above. - Review the legal, security, and privacy risks associated with deployments
These are always changing and you need to keep on top of them. Regulated industries have many requirements in this area, however anyone holding Personally Identifying Information (PII) needs to be aware of your privacy requirements. - Managed Service Providers and Cloud Service Providers
The US Federal Trade Commission has a short blog article on keeping your data safe in cloud providers. Its six points are very useful for a starting point for discussions. - Operational Resilience & Backup systems and data
Pretty self explanatory, however many Salesforce customers do not do backups and they should. Look to the two market leaders in the space — Odaseva and OwnBackup. - Develop and exercise incident response and recovery plans
Things will go wrong. Follow the advice from the specialist departments and you will be in a better place when things do go wrong.
Thanks for reading and I hope this is of value. Please leave me comments/questions below.
My company, Platinum7, is a Salesforce Security, Compliance and Resilience specialist.
