Shared Responsibility from the Start
Did you know Salesforce operates with a shared responsibility model, similar to other cloud services like AWS and Azure? It’s true. From the moment you take ownership of your Salesforce organization—starting when you log in for the first time and create your first users—you are responsible for key aspects of data protection. For instance, are the users using strong passwords and multi-factor authentication? Consider all changes made to your Salesforce organization (e.g., those captured in the Setup Audit Trail). Were these changes made with the shared responsibility model in mind?
How the Shared Responsibility Model Applies to Salesforce
As solutions have evolved from being hosted on-premises to IaaS, PaaS, and SaaS, responsibility has gradually shifted from customers to cloud service providers (CSPs). Salesforce offers PaaS and SaaS solutions, both of which require customer involvement, so responsibility is never fully transferred to the CSP. Areas like system integration, identity and access management, authorization models, monitoring, auditing, and secure development remain either the customer’s responsibility or shared between Salesforce and the customer. This means configuration, low-code customization, and pro-code customization are all covered by the shared responsibility model.
DevSecOps: A Key to Shared Responsibility
Security is not a one-time event but an ongoing process. Achieving it requires a comprehensive set of processes that is applied continually. Just as unit tests and quality checks should run every time you check code into the version control system or deploy, security checks are essential to upholding your role in the shared responsibility model. If you’re familiar with DevOps, which integrates development and operations, you’re ready to embrace DevSecOps, which also addresses your obligations under the shared responsibility model. By automating security audits and mitigation within DevSecOps processes, you ensure consistent fulfillment of your responsibilities. Plus, a robust DevSecOps process enhances security and boosts solution velocity!
Next Steps & Learning More
Are you just now becoming aware of your obligations within Salesforce’s shared responsibility model? If so, you likely have questions. Valtree Corporation is here to assist. We bring a wealth of experience in implementing DevSecOps and delivering Salesforce solutions to help customers meet their shared responsibility obligations. Reach out to us for guidance, and explore the resources listed below.
Resources:
- Salesforce: Standard Questionnaires, FAQs, and Whitepapers
  - Look for the document titled “Security Perspective on the Shared Responsibility Model”
- Salesforce Security Guide
- Migrating to the Cloud: What Shared Responsibility Means For Your Organization
- Salesforce B2C Commerce Shared Responsibility Model
- AWS Cloud Security: Shared Responsibility Model
- Azure: Shared Responsibility in the Cloud