Collaboration and cooperation are among the key benefits Salesforce offers its customers, and the application’s sharing tools are typical of any cloud-based environment. However, ease of sharing is a double-edged sword, and publicly accessible links carry a real risk. A leaked document can have severe consequences, such as a competitor gaining access to sensitive corporate information, so organizations need processes in place to mitigate that risk.
Salesforce has two primary methods for sharing files and documents. The file owner can either make the resource available to specific users or make it accessible to “anyone with a link.”
Sharing files with specific users can be time-consuming and cumbersome. As the file is passed to different stakeholders, the owner needs to add each user individually. This process requires coordination with external vendors to determine who needs access. Each user’s email address must be added individually, and if someone is missed, the owner needs to revisit the sharing settings to include them.
On the other hand, sharing a file with anyone who has the link is more convenient. The document owner simply copies the link and sends it to vendors without having to manage access. However, this approach increases the risk of leaks, because the owner has no control over what happens to the link once it has been shared: it can be forwarded, pasted into a ticket, or indexed, and whoever holds it can open the file without logging in to any account. Files containing sales quotes, RFPs, personal details, financial plans and more become reachable by anyone, greatly increasing the chances of unauthorized access.
Numerous incidents have happened in multiple types of collaborative SaaS apps which serve as cautionary examples. In one case, thousands of students and staff members in the NYC public school system had sensitive information exposed due to a data leak. Similarly, a school accidentally disclosed sensitive details related to the school system’s COVID-19 policies.
To prevent data leakage and loss, organizations should follow best practices:
Salesforce settings can be configured to prevent public link sharing. Follow these steps to disable Public Links sharing in Salesforce:
With Public Links sharing disabled in Salesforce, users can no longer share files and documents through open public links or with external users. They can still share links via content deliveries, which support additional controls such as requiring a password or setting an expiration date on the link.
Disabling Public Links and Content Deliveries is an important step in securing all new documents. One could switch the option off entirely as shown above, but if it is ever re-enabled, every previously created link becomes active again. This is a trap for security teams and app owners who assume that turning off the ability to create Public Links also revokes the links that already exist (which is how other SaaS apps behave). The problem is magnified in organizations that have been sharing links for years and now have hundreds of thousands of links that must be located and locked down.
Follow these steps to fully disable previously created public links in Files:
This manual remediation process is tedious and time-consuming. Salesforce users have little visibility into which files are shared publicly, and the standard user interface offers no way to find and delete old links in bulk. What is needed is API-based visibility, plus remediation guidance, that scales to the number of publicly shared links an organization actually has.
An alternative approach to safeguarding against over-shared links is to use an SSPM (SaaS Security Posture Management) solution such as Adaptive Shield. SSPM solutions identify publicly shared resources, highlight links without expiration dates, and flag items that are set to allow guest sharing. Once the security team knows which documents and files carry these exposures, it can remediate and secure the links at scale using the remediation guidance Adaptive Shield provides.
The post A Guide to Lockdown of Salesforce Links appeared first on Adaptive Shield.
*** This is a Security Bloggers Network syndicated blog from Adaptive Shield authored by zehava musahanov. Read the original post at: https://www.adaptive-shield.com/blog/a-guide-to-lockdown-of-salesforce-links/