The rise of cloud computing and SaaS (Software as a Service) has dramatically reshaped the digital landscape, offering companies benefits such as scalability, cost-efficiency, and flexibility. In fact, the five largest SaaS companies in the U.S. have a combined market capitalization of $742.4 billion. The second largest SaaS company on that list, Salesforce, serves over 150,000 customers across the globe, in industries including professional services, manufacturing, retail, banking, finance, media, life sciences, insurance, and real estate, to name a few. However, benefits at this scale also come with a host of security challenges, making SaaS security an integral part of operations and IT. By following some best practices and strategies, organizations can better combat security risks and mitigate potential threats.
A recent incident I discovered, one that made waves across the SaaS security landscape, was the Salesforce data leaks earlier this year. An alarming number of organizations, including banks, government agencies, and healthcare providers, were unwittingly leaking sensitive and private information because of a misconfiguration in public Salesforce Community websites. The flaw allowed unauthenticated users to access records that should have been reserved for logged-in users. One such case was discovered in the state of Vermont, where at least five different Salesforce Community sites were found to expose sensitive data such as full names, Social Security numbers, addresses, phone numbers, emails, and bank account numbers of users and the general public. This was especially concerning in the case of a Pandemic Unemployment Assistance program site. Vermont’s Chief Information Security Officer Scott Carbee stated that the flawed sites were hastily created in response to the COVID-19 pandemic and therefore did not undergo a standard security review.