Many IT professionals are unaware of a major security threat to their networks via Salesforce because they assume standard network/desktop virus scanning software will protect their Salesforce environment(s). Or, they assume Salesforce includes a built-in virus scanning mechanism. Unfortunately, this is a common misconception that leads to serious consequences. Why? Because if a document is attached to the Salesforce environment through libraries, documents, Chatter, communities, or public portals, whether by internal staff or through external public submissions, there is no virus scanning protection available.
- Salesforce relies on third-party vendors (like Adaptus) to provide security/virus scanning tools.
- Salesforce has both internal and external areas within the environment, which provide an opportunity to upload infected files.
- In today’s corporate environment, most large enterprises operate under BYOD (bring your own device) plans for workers, where they are unable to control virus scanning software updates, etc. This is especially the case for mobile devices. Even if corporations do not employ a BYOD plan, they still rely on desktop virus scanning software being installed on every computer and mobile device (tablet and cell phone) with current updates to protect against ever-changing malware/ransomware.
Areas of Vulnerability
There are generally three areas within a Salesforce environment where users would attach a possibly infected file:
- Documents, attachments, and content
- Chatter
- Community Portals
Documents, attachments, content, and Chatter are typically used by internal employees. Community portals may be used to support internal employees, but public-facing portals where files are uploaded by the public directly to Salesforce pose an additional threat and a major vulnerability. Because these files come in from the public, there is no way to ensure that they have been scanned for viruses before being submitted, so a third-party virus scanning tool is necessary to protect the Salesforce environment.
Although corporations and government entities do have virus scanners on desktops and laptops, it doesn’t mean they are completely protected. There are countless cases, especially with laptops, where the virus scanner is outdated because something happened to the machine and the automatic updates didn’t go through. This is one of the biggest misconceptions IT security and business professionals have, and it poses the largest threat to organizations.
Essentially, Salesforce administrators and security specialists need to consider how their Salesforce environments are set up for both internal and external threats, as there are several ways in which a corrupt attachment can make its way into a Salesforce environment: Chatter, the documents/attachments/content areas, and community portals.
Anywhere there is an opportunity to attach a file and submit it to the environment, there is a direct risk to the company. If an infected file is submitted via Chatter, through an online form on a portal, or just attached as a supporting sales document, all it takes is for a reader to open the file and the entire Salesforce environment will be infected. It’s that simple.
Over the years, we’ve received a lot of questions surrounding the issue of why standard network/desktop virus scanning software doesn’t work for Salesforce. Here are 10 simple reasons why:
- What if an employee logs into Salesforce from home and doesn’t have a virus scanner on their home computer?
- What if an employee logs into Salesforce from a tablet or mobile device that does not have virus scanning software on it and attaches a corrupt file?
- What if someone sends an email with a virus to a support email that attaches the virus to a case?
- What if someone submits a lead or case form and uploads a virus to a lead or case in Salesforce?
- What if someone has a virus scanner on their desktop that for some reason didn’t get the latest update?
- What if someone is a remote user with a laptop, and their laptop had not connected to the corporate network in a while and their virus definitions have not been updated?
- What if a file had a virus when it was uploaded to Salesforce, but the virus was unknown at the time of the upload and the virus scanner did not catch it? Later, once the virus is discovered and the definition files are updated, the infected file has already been uploaded and potentially shared with a customer.
- With Box, Dropbox, Google, etc., users can now upload files directly from their phones without ever having the file scanned.
- In the case of Salesforce communities, companies don’t control hardware and therefore can’t control if the user uploading the file has a virus scanner and if the virus scanner is up-to-date.
- Most corporations do not require virus scanners on mobile devices, especially since nowadays most companies reimburse people for their mobile expenses.
Currently, there are two third-party software products available that provide virus scanning for large enterprises using Salesforce: EZProtect® by Adaptus, and Cloud Protection for Salesforce by F-Secure.
Both products do the job well, but EZProtect is the only solution that was designed by certified Salesforce architects who understand the vulnerabilities of Salesforce and that supports scanning of multiple Salesforce environments under one license, on both commercial and FedRAMP-approved hosting. The company, Adaptus, is also domestically based, which is important to both state and federal government agencies, and it is actively developing the product to expand to other cloud-based tools such as box.com and others in 2018. For more information, please schedule a time to discuss with our team.