TL;DR (Too Long — Didn’t Read)
There is a lot of security content regarding Salesforce’s products and services available at https://compliance.salesforce.com, however for a quick overview of Salesforce’s security stance have a look at the Salesforce Security Privacy ARChitecture (otherwise known as SPARC) docs at https://bit.ly/SFDC_SPARC. These are publicly available (no login required) and make up part of your Salesforce contract…
Let’s get to the detail
The quality and volume of security content that Salesforce hosts is bigger and better than ever before. As at September 16, 2021, Salesforce’s Compliance website houses 299 documents. That is a lot of reading!
I was surprised to find out during my time at Salesforce, that the vast majority of Salesforce customers had no knowledge of the site or the content hosted there. When I showed it to them, they had questions though: How do I navigate all this stuff? What is actually there? And lastly — Is it useful to me?
Let me take you through the site and guide you towards the documents I think are important for you to understand. I will refer to the documents by name; however, there is usually a document for each applicable product in the folder, so have a look at the one(s) that are of interest. If you are using Sales, Service, or Platform you need to look at Salesforce Services; however, some other sub-products/features have their own reports, Field Service for example. Everyone needs to read the Corporate Services documents.
Let’s look at navigation first: Log in using your production Salesforce username and password. If you do not have one, please see your Salesforce Account manager as they can request access for you — if they do not know how, please ping me and I will send them instructions.
You may need to choose a custom domain if you are using the My Domain feature, and you also need your Multi Factor Authenticator — you are using Multi Factor Authentication, aren’t you? (It is mandatory to have it operational by early 2022, so you may as well set it up now. It takes 2 minutes and involves installing a free Authenticator app on your phone.)
After you are logged in, you will see the landing page:
Now the fun begins — which certifications are important to you? Which “services” are you using from Salesforce? These questions will answer what you should be looking at. You can navigate either by Certification or by Service or just get a list of all documents which you can sort by inverse date order to see the newest ones.
My Important Document List
Here is my list of the certifications/areas that are important to everyone:
- ISO 27001
- SOC 2
- PCI DSS
- Disaster Recovery & BCP
- External Security Assessments
- Standard Questionnaires, FAQs and Whitepapers
Why do I think these are important? Let me explain…
ISO 27001 — Compliance with this standard is what the vast majority of companies undertake. Getting this certification means that a company has a good handle on its information security. See https://bit.ly/ISO27001_wiki for a quick rundown. In Salesforce’s case, besides the fact that they are compliant, they have published their ISO Statement of Applicability spreadsheet. This one sheet lists many hundreds of controls and their applicability to various Salesforce products. If you want to read just one document, this is the one.
SOC 2 — This is the short name for the American Institute of Certified Public Accountants’ System and Organization Controls. Even though it has been deprecated for many years, I have seen many customer questionnaires refer to it as SAS 70, which goes to show that they are just doing a checkbox exercise and not trying to actually understand the vendor’s security stance… Anyway, this report contains an external auditor’s comments on how Salesforce is complying with its policies and procedures. It is a relatively short document, and contains a list of controls and the tests undertaken by the auditor to check compliance. This document is good to read if you want to see how the controls Salesforce say they are implementing are tested to make sure that they work.
PCI DSS — The Payment Card Industry Data Security Standard is a prescriptive standard for companies storing or processing credit card information, which is why I am including it. The prescriptiveness is an interesting approach, since most standards say you should do X but do not explain how you should do it. Salesforce’s technology can be used in a PCI compliant fashion for storing and using credit card information in your business; however, there are a lot of controls that need to be managed by the business, and you would also need to get your own PCI certification. The PCI Responsibility Matrix shows which controls are yours to look after and is a must read. It was created by Salesforce to comply with PCI DSS Requirement 12.8, where the service provider needs to document the roles and responsibilities so the Salesforce customer can use this for their own PCI DSS assessment.
GDPR — The European Union’s General Data Protection Regulation. This is here as it is a very good example of a law protecting an individual’s (data subject’s) personal data and protecting their rights to their data. It is also the basis for many other laws — the California Consumer Privacy Act amongst others and will be, I think, the “gold standard” for consumer data protection laws worldwide moving forward. Salesforce’s document on the compliance site is a list of questions and answers and will assist folks who need to comply with the law. There is a great Trailhead trail for this as well (and one for the CCPA). Salesforce have also published a Fact vs Fiction document which outlines a lot of myths people have around the GDPR requirements and is a good read — Did you know Encryption at Rest is not required to be GDPR compliant?
Disaster Recovery and BCP — This covers Salesforce’s policies and tests of Disaster Recovery (which includes Site Switching for Salesforce Services) and Business Continuity Plans. If you are interested in seeing how Salesforce data centres are kept running during outages and how Salesforce tests their ability to fail over in an emergency, then this is the place. However, Salesforce’s backups are just that, Salesforce’s. They are not yours… You need to make sure you have BCP and DR capabilities with respect to your Salesforce org — at least use the weekly backup capabilities and investigate partner solutions like OwnBackup and Odaseva for resilience and other great features like sandbox data seeding. If you accidentally mess up production data through a dodgy integration or similar, Salesforce’s backup will not get you back to where you were quickly or easily.
External Security Assessments — These are reports of penetration tests done by third parties on Salesforce’s apps. It will save you some cash to just read these instead of doing your own. However, if you want to do a penetration test on Salesforce, please make sure you follow this process, because unfortunately Salesforce will not assist with any findings unless you do…
Standard Questionnaires, FAQs and Whitepapers — Last but not least, this area has a lot of fantastic information: Salesforce Security Tips for Guest User Access Controls, Salesforce Secure Development Lifecycle Overview, Salesforce Security (Incident) Response Plan, and pre-filled CSA CAIQ security questionnaires — an excellent source of detailed information.
- There is one place for a quick read to get the highlights: Salesforce SPARC (Security, Privacy and ARChitecture) documentation — https://bit.ly/SFDC_SPARC. It is publicly available.
- Instead of waiting for Salesforce to complete a security questionnaire, just download one that has been completed already from here.
- Many documents are updated frequently — check back at least every six months, however you can now get email notifications for your “starred” documents when they are updated.
- There are new types of documents appearing regularly, so come back and look around.
- Keep copies of previous documents so you can compare if needed.
- Make a list of documents to download and add to it when you see new ones of interest. You could use the new “starred” feature for this.