The Recent Salesforce.com Incident and the Potential of Customer-Controlled Encryption

By Anthony James

Salesforce privately announced that data in the marketing cloud may have been accessed by third parties or inadvertently corrupted. The reasons? An error involving the Salesforce application programming interface (API) in the Salesforce marketing cloud, which is designed to let third-party systems connect with Salesforce Marketing Cloud. This could affect many thousands of customers from finance to healthcare and many other industries, and depending on Breach Notification required for those customers, that data may result in significant cost for notification and more. Having seen many high-profile SaaS and cloud applications having to report publicly possible data breaches, it is concerning that the breach is being handled via email to individual customers.

This is not the first time Salesforce has been challenged with data exposure. Earlier, in 2007, a Salesforce.com employee fell victim to a targeted phishing scam and was tricked into providing credentials to the perpetrators, which results in a breach of the Salesforce customer information that was accessible to that employee. Later on, customers whose data was stolen started receiving communications which, in turn, were used to acquire more sensitive information about them. Salesforce said that online criminals have been sending customers fake invoices, viruses, and keylogging software. The emails were sent using information that was illegally obtained from Salesforce.com via the initial breach.

Salesforce is just the latest in the recent array of cloud breaches, but given the size of Salesforce and the scope of their customer base, it could affect thousands of their customers, that could potentially expose data pertaining to millions of individuals. One of the core concerns of this possible breach is that in the letter distributed by Salesforce, they have little visibility into the extent of any data theft or tampering.

Many companies have accidentally exposed confidential and sensitive data being stored in cloud services to the internet unprotected.  Some recent and similar examples of this sensitive data being accidentally shared and made available to the public include the Pentagon accidently shared 1.8 billion intelligence data objects in a AWS database mis-configuration. In February, 2018 FedEx exposed the personal information of tens of thousands of users.

In February 2016, the Top Threats Working Group of the Cloud Security Alliance® published a comprehensive report on the Cloud Computing Top Threats. In this assessment of top threats the risks posed by APIs were well documented. Once an attacker has accessed the API all of your data is vulnerable. Even data encrypted at rest in the database is vulnerable and easily accessed. In the case of Salesforce, their encryption solution, which is designed to encrypt data held in the database is not able to protect from this type of data breach.

The solution?  Customer controlled encryption before the data is delivered to Salesforce, or other clouds.  End-to-end encryption for the Salesforce cloud can protect data at all points in its lifecycle, including this most recent report of an API exposure. End-to-end encryption, also called Zero Trust encryption, can protect data is at rest (in the database), in motion (anywhere in the network, API, middleware … anywhere) and in use. In the event  of the API data exposure announced today, or any of the other data exposure scenarios noted above involving misconfiguration,  if your Salesforce data was encrypted end-to-end there would be no breach to report.

To add insult to injury, Salesforce seemed unable to provide logging to show exactly who, if anyone, accessed the data and when. Not only was there a potential data exposure failure, but perhaps also a compliance failure depending on what data was potentially exposed.  This incident also exposed the weakness of Salesforce engineering of letting such a critical vulnerability passing through their checks.”

Anthony James is CMO of CipherCloud