With over 230K customers globally, Salesforce has remained the number one CRM platform for years, currently holding more than 20% of the CRM market. Organizations using the platform report average revenue growth of 25% annually and productivity gains of up to 34% for sales teams, and they increasingly rely on it for everything from managing customer relationships to automating critical business processes. I have also observed a dangerous assumption that goes hand in hand with this rapid adoption: the belief that Salesforce's built-in security features are enough to protect the data inside it.
Like most cloud services, Salesforce operates on a shared responsibility model. While it provides a secure foundation, it’s up to you—the organization’s in-house security team—to properly configure and manage the security of your Salesforce instances. This is especially critical now that Salesforce has gone beyond just an application; it’s now a vast ecosystem. This means you are working with many third-party apps or services, which bring significant security risks. Recent research found 98.3% of surveyed organizations were associated with at least one third-party that had experienced a breach in the last two years. In fact, 50% of organizations have indirect relationships with at least 200 fourth parties that have had breaches in the last two years.
A recent and widely reported example is the Disney breach, in which an attacker exfiltrated a large volume of the organization's internal Slack data (reported at over a terabyte of messages and files). Disney has since decided to migrate away from Slack to another tool for internal collaboration. Slack, a Salesforce company, is an example of how the influence of Salesforce has grown beyond CRM in recent years. Given this, it is essential to protect ALL your Salesforce data, both the CRM data and the data in other tools like Slack.
How third-party integrations make your Salesforce org less secure
Salesforce enables almost endless customization of its platform to suit every organization's needs. One way it does this is through a low-code approach, so that non-developers can build extensions to Salesforce for their own or their team's unique needs. While this is a powerful enabler of innovation, an unintended consequence is that many of these low-code developers end up sharing API keys and other non-human identities (NHIs) in collaboration tools like Slack, email, and Jira. It is only a matter of time until an attacker gets hold of those conversations, and with them every NHI that was ever pasted into a channel. That is the pattern behind the Disney breach: once the attacker was inside Slack, every secret exchanged there went out with the rest of the data. If it can happen at an organization as large as Disney, any other organization is just as vulnerable.
Apart from low-code applications, the Salesforce AppExchange features over 7,000 listings from various vendors, built with varying levels of security scrutiny. Salesforce's AppExchange security review vets a package before it is listed, but it does not tell you which permissions the package will hold in your org or how the vendor handles the credentials it is issued. These apps need to be screened by you as a Salesforce customer, so that your security is not left solely in the hands of Salesforce and its partners.
Let’s say you’ve added the DocuSign eSignature for Salesforce package to your org. It’s a popular choice, and for good reason—it streamlines your contract signing process beautifully. But here’s where things get tricky. After a recent update, you notice that signed documents are being saved in a different location within Salesforce—one that’s accessible to a wider group of users than you intended. The update changed the default storage settings without any clear notification.
Suddenly, sensitive contracts that should be visible only to your legal and executive teams are exposed to your entire sales department. This is how a third-party app can enlarge your data attack surface without anyone in your organization making a conscious decision to allow it. And every API key the app holds now fronts a larger pool of data: if one of those keys is compromised, a correspondingly larger flood of data can leave the organization's perimeter.
While third-party apps introduce clear risks, attackers are ultimately after the crown jewels of your organization: your Salesforce data. They may enter via a third-party app, but their goal is to reach your CRM data, and that is what must be protected at all costs.
Why non-human identities in Salesforce need special attention
As your org grows, you’re likely accumulating a vast network of non-human identities—service accounts, API keys, and integration identities that operate silently in the background while connecting your Salesforce instance to everything from your marketing automation tools to your ERP system. I’m talking about the API connections and automated processes that you use for machine-to-machine communication in your Salesforce ecosystem. These machine identities use app-to-app keys, such as OAuth tokens, API credentials, and webhook secrets, for secure communication and data exchange between systems.
Machine identities, and the credentials behind them, need extra attention because, according to the IBM X-Force Threat Intelligence Index, there has been a 71% year-over-year increase in cyberattacks that used stolen or compromised credentials. For the first time ever, abusing valid accounts became cybercriminals' most common entry point into victim environments.
Machine identities usually have elevated permissions across multiple objects and operations. They are like digital master keys: necessary for keeping your business processes running smoothly, but potentially devastating if compromised. IBM's Cost of a Data Breach Report 2024 found that breaches involving stolen or compromised credentials took the longest to identify and contain (292 days on average) and cost an average of $4.81 million per breach.
Let’s take an example of the DocuSign integration again. Beyond the user-facing app, there’s likely a set of OAuth 2.0 credentials with broad access rights that enable it to interact with various Salesforce APIs and objects as needed for its functionality. This level of access is necessary for the integration to work properly, but it’s also a prime target for attackers for many reasons.
First, unlike human identities, machine identities do not follow the working-hours, location, and device patterns that user behavior analytics rely on, which makes anomaly detection considerably harder. They also typically depend on long-lived access or refresh tokens, which contradicts the cyber hygiene best practice of frequent credential rotation. (Salesforce's OAuth 2.0 JWT bearer flow, which exchanges a certificate-signed assertion for a short-lived access token and issues no refresh token, avoids that where the integration supports it, but not every packaged integration does.)
Moreover, as your Salesforce footprint expands, you might manage hundreds or thousands of these identities with varying levels of access to Salesforce environments. Each represents a potential entry point for malicious actors, and traditional IAM lifecycle management practices fall short in handling their unique characteristics.
The result? A sprawling, unmonitored attack surface that grows with each new integration or automated process you add to your Salesforce org. This security challenge is as complex as it is critical and demands a new approach to identity management in the age of hyper-connected cloud ecosystems.
Your Salesforce security posture could have blind spots you haven’t considered
Using the Entro security platform, my team has scanned Salesforce environments across various organizations, and we have identified many security issues that go unnoticed.
1. Over-privileged access: We consistently found API users granted "Modify All Data", a permission that bypasses sharing rules and object-level restrictions on every object in the org and far exceeds what most integrations need. If these credentials are compromised, the attacker can read, modify, or exfiltrate sensitive data across the entire org.
2. Outdated OAuth tokens: Many orgs are littered with connected-app OAuth tokens that have been inactive for months or even years. With the default refresh-token policy, a refresh token stays valid until it is explicitly revoked, so anyone who stumbles upon one of these forgotten access points can use it. The Connected Apps OAuth Usage page in Setup lists active tokens per app and lets you revoke them.
3. Inactive credentials: Time and again, we discovered Named Credentials that had not been reviewed or updated since their initial setup. Because a Named Credential holds both the endpoint and the authentication used for outbound callouts, an outdated or compromised one can lead to unauthorized data exchange or to malicious data being injected into Salesforce.
4. Misconfigured permissions: Sometimes, permission sets intended for integrations were assigned to human users, and vice versa. This is bad not only from a security point of view but also because it can break critical business processes that rely on those integrations.
5. Unhardened privileged accounts: Many high-privilege API users and service accounts lack the basic access controls Salesforce provides, such as login IP range restrictions on their profile or multi-factor authentication where the login path supports it. These powerful accounts become low-hanging fruit for an attacker who has already stolen their credentials.
6. Lateral movement of a breach: Secrets exposed within Salesforce often grant access to other parts of the platform, such as low-code applications, third-party SaaS applications, and CRM ticket details. When attackers find exposed NHIs in Salesforce, they look for opportunities to move laterally through the environment and extend their access.
How Entro helps secure NHIs in your Salesforce environment
With Entro’s one-click integration, you can easily discover all the machine identities and create a comprehensive inventory to eliminate blind spots in your Salesforce environment. Going beyond discovery, Entro’s intelligent classification system analyzes over 1000 types of service accounts and automated processes to provide context like ownership, permissions, and associated risks. This context helps security teams prioritize remediation efforts the right way. You can also easily detect misconfigurations and potential vulnerabilities, such as API users with excessive “Modify All Data” permissions or outdated OAuth tokens for connected apps.
Behind the scenes, Entro is always monitoring for unusual usage patterns or abnormal behavior so you know immediately when a machine identity has likely been compromised.
Overall, using Entro’s non-human identity management capabilities along with Salesforce’s built-in security features, such as Health Check, Multi-Factor Authentication, and IP Range Restrictions, you can create a robust security strategy to minimize risks in your Salesforce environment.