As defined by TechTarget, “Confidentiality, integrity and availability, also known as the CIA triad, is a model designed to guide policies for information security within an organization.”
“The elements of the triad are considered the three most crucial components of security. In this context, confidentiality is a set of rules that limits access to information, integrity is the assurance that the information is trustworthy and accurate, and availability is a guarantee of reliable access to the information by authorized people.”
The massive growth of data being stored by Salesforce customers poses obvious challenges for the CIA model due to the incredible volume of information that needs to be protected and the rapidly evolving landscape of compliance regulations such as GDPR.
To add to the dilemma, a common misconception among SaaS customers is that the provider is responsible for any data on the platform. In reality, it’s the customer’s responsibility to protect all data. According to Salesforce Data Backup and Recovery Best Practices, “Salesforce maintains a copy of customer data for disaster recovery purposes, but it is important for customers to develop a data backup and recovery strategy as part of their overall data management and security model.” As such, Salesforce recommends investigating 3rd party vendors, such as Odaseva, which offers the only unified data governance (protection, compliance and operations) platform built for enterprises using Salesforce.
To fully demonstrate the importance of having control of your data, Florent Preynat, Head of Odaseva Support, describes a recent real-life incident experienced by Salesforce customers and how the Odaseva platform and team of experts were perfectly positioned to assist.
“On May 17, 2019, a faulty database script was run by Salesforce. The script, meant to include Pardot Campaign data into Salesforce Campaigns, accidentally gave users of current and former Pardot clients unwanted, broader permissions for some fields and/or objects. Salesforce initially responded by removing all permissions to all objects to the users of the impacted organizations, leaving some Salesforce customers with little option to maintain business continuity. The Odaseva Support team was alerted by some of our customers that were impacted by the incident and quickly responded to assist. Thanks to the Odaseva platform and expert guidance, our customers had continuous control over their data and were able to rely on their Odaseva backups to help resume critical business activity.”
If we view the incident through the lens of the CIA Triad, we find that the Salesforce incident was first an integrity issue (profiles damaged), then transformed into a confidentiality issue (people had access to data they were not supposed to have access to) then became an availability issue (Salesforce prefered to an availability issue compared to a confidentiality issue, which is why they shutdown the service).
Let’s dive a little deeper into how Odaseva was able to quickly assist customers during this critical incident.
At first, analyzing the issue was not an easy task for Salesforce customers, as nothing was officially disclosed at the time of the report. Nevertheless, Odaseva customers using our platform to protect their data were able to run what is referred to as “smoke testing”. With these API and compare capabilities, our customers were able to continuously control metadata (or data) which should remain unchanged by simply launching an hourly compare operation on any given scope. In this way, changes were quickly identified using the Odaseva Salesforce DX data extensions. This saved Odaseva customers hours of work and kept them in continuous control of their data.
To help those customers impacted by the incident, our Support Team used Odaseva Metadata to restore their profiles, permissions, and past backups of the now-downgraded metadata elements.
Odaseva solutions and expert guidance were able to help our customers lift some of the most critical permissions around custom objects, so that they could resume their business activity before Salesforce was able to completely resolve the issue.
“With Salesforce permissions issue that occurred in May 2019, our Odaseva backup allowed us to restore profiles. I’m not an IT person and needed a hand with my first restore. Support was very helpful and jumped online with me and walked me through the process. Very happy with this service.”
Jennifer Borkovich, Communications Manager & Salesforce Admin at Century, Inc
Salesforce AppExchange Review
As we have seen in this real-world example, backup and restore helped correct the integrity and confidentiality issues in this situation. However, it was insufficient to address the Salesforce datacenter availability issue. Learn more about Odaseva solutions solving availability soon!
