Cybersecurity Best Practices Guidance from the “5 Eyes” governments

Doug Merrett
3 min readApr 20, 2023

--

A padlock inside a glowing hexagon with network traces coming from it — generic Cybersecurity type picture
Image by Freepik

An article published today (20 April 2023) by the United States Cybersecurity and Infrastructure Security Agency, the United States National Security Agency, the United States Federal Bureau of Investigation, the United Kingdom National Cyber Security Centre, the Australian Cyber Security Centre, the Canadian Centre for Cyber Security, and the New Zealand National Cyber Security Centre covers off a lot of great information around how to protect Smart Cities of the future.

Why am I asking you to look at this? It isn’t because you run a smart city, it is because the recommendations are useful anywhere and the authors have great links to places where you can learn more or get deeper information.

So, look at the article and skip to the Recommendations section (unless you are building a smart city).

I have provided a quick rundown of each recommendation:

  1. Apply the principle of least privilege
    The NSA has a short 4 page document on managing this and it corresponds well to Salesforce.
    - How many administrators do you need? (As few as possible)
    - Monitoring for anomalies (Use Setup Audit Trail to see promotion of users to admin or creation of admins)
    - Removal of privileges when they are no longer needed (Use expiry dates for permission sets)
  2. Enforce multi-factor authentication
    - Just do it.
    - You can use physical security keys, certificates, Touch ID or Windows Hello to provide MFA as well as authenticator apps. See Identity Verification in the Salesforce Setup area.
  3. Implement zero trust architecture
    This is mainly for folks who have their own network infrastructure, however it is gaining traction elsewhere
  4. Manage changes to internal architecture risks
    Again, more towards folks who have their own network infrastructure, however some tidbits around vulnerability scanning. This is a key feature for your corporate laptops/desktops. Make sure they are updating their OS, browser and anti malware tools often.
  5. Improve security of vulnerable devices
    If you have a VPN for your corporate access, there is some guidance here for you.
  6. Protect internet-facing services
    Salesforce does the majoity of this for you:
    - Credential Stuffing protection (and alerts if you have Event Monitoring)
  7. Patch systems and applications in a timely manner
    Again Salesforce does this for their systems, however you need to do it for yours, see #4 above.
  8. Review the legal, security, and privacy risks associated with deployments
    These are always changing and you need to keep on top of them. Regulated industries have many requirements in this area, however anyone holding Personally Identifying Information (PII) needs to be aware of your privacy requirements.
  9. Managed Service Providers and Cloud Service Providers
    The US Federal Trade Commission has a short blog article on keeping your data safe in cloud providers. Its six points are very useful for a starting point for discussions.
  10. Operational Resilience & Backup systems and data
    Pretty self explanatory, however many Salesforce customers do not do backups and they should. Look to the two market leaders in the space — Odaseva and OwnBackup.
  11. Develop and exercise incident response and recovery plans
    Things will go wrong. Follow the advice from the specialist departments and you will be in a better place when things do go wrong.

Thanks for reading and I hope this is of value. Please leave me comments/questions below.

My company, Platinum7, is a Salesforce Security, Compliance and Resilience specialist.

--

--

Doug Merrett

I worked for Salesforce as a Security Specialist for 13 years before starting my own consultancy — https://platinum7.com.au a Salesforce Consultancy Partner