2022-04-28

Core concepts and capabilities for the financial sector part 4

Trust and security enforcement at all layers

How much you need to worry about security depends on what data you are processing and what processes you are running, in Salesforce or in any other system. Typically, a CRM system holds information about individuals, and more specifically PII (Personally Identifiable Information) about these customers is most likely part of the data in your data catalog. Adhering to the regulations and requirements around security and compliance in the financial sector is challenging, no question about that, and you can’t just go to your Compliance Officer and state that Salesforce is part of your ecosystem and hence you are compliant. However, Salesforce enables you to work more effectively with these regulations and compliance questions. Utilizing Salesforce in the right way also includes ensuring compliance throughout your business 24/7.

I’ve been fortunate to work with both CISOs and CCOs during my engagements and I hope to work with a lot more in the future. It always amazes me what an impact a Salesforce implementation has in an organization; it really comes in as a big splash in the middle of everything. It is required to hold a bunch of highly sensitive data, be integrated with numerous systems, allow access to multiple different types of users and maybe even a couple of external users! Salesforce is acting like that uninvited, maybe a bit too loud, guest at your small get-together. So how do you mitigate the risks and ensure the guest is welcomed, behaves well, and turns into a likable fellow in your tight gang? Well, you plan, you communicate, you prepare and, most importantly, you involve.

If there is one thing I bring with me into my next Salesforce engagement it is this: your security and compliance department wants exactly what you want: making it all fit together in the best possible way! So, involving the correct stakeholders early in the implementation phase is key: communicate the implementation plan, align time plans and keep a continuous dialogue. Don’t leave it as the last step of your implementation plan; that will give you and everyone else a severe headache.

Salesforce states “Success is built on Trust. Trust starts with transparency” and lifts Trust as one of its most important values. Take advantage of this: the Salesforce platform is secured at all layers, the infrastructure, data, integration and user experience layers. You steer the security hardening from within Salesforce as an Administrator or Developer, and there is a lot you can extend security around: access controls, authorization, reporting and data security.

When it comes to data security and access to certain data entities, or attributes on these entities, Salesforce stands out with the possibility to steer access controls for different users on different attributes of a data entity. For people with Salesforce experience this is an obvious thing; it is just there. Thinking about what goes on under the hood of Salesforce to make it possible is fascinating. Consider saying that User A has access to see a customer record, but not the sensitive attribute social security number, while User B can see both the customer record in question and the social security number, but is perhaps not allowed to edit this field value, which is something only User C can do. This and a lot of similar requirements are solved with Sharing (record level), Object Permissions (object level) and Field Level Security (field level), and these three layers take care of most requirements around who sees what, and when. For the remaining, extremely complex requirements you can get a bit creative and mix standard solutions with some custom solutions, and you have your implementation done.
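One caveat with the custom part is that Apex code runs in system mode and does not apply Object Permissions or Field Level Security on its own, so custom code serving Users A, B and C has to enforce the same layers the standard UI does. The class below is an added illustration written for this post, not code from Salesforce or from any project; it assumes a custom field Social_Security_Number__c on Contact and uses the platform’s Security.stripInaccessible and describe-based FLS checks.

```apex
// Added illustration (not from the original post or from Salesforce): custom
// Apex must enforce record sharing, object permissions and FLS itself, because
// Apex runs in system mode. Social_Security_Number__c is an assumed custom field.
public with sharing class ContactSsnService { // "with sharing": record-level sharing applies

    public class NoFieldAccessException extends Exception {}

    // Read path: returns only records the running user can see through sharing,
    // with fields the user lacks read FLS on removed from the result.
    // User A gets Name but no Social_Security_Number__c; Users B and C get both.
    public static List<Contact> getVisibleContacts(Set<Id> contactIds) {
        // Object-level read permission is checked before querying.
        if (!Schema.sObjectType.Contact.isAccessible()) {
            return new List<Contact>();
        }
        List<Contact> records = [
            SELECT Id, Name, Social_Security_Number__c
            FROM Contact
            WHERE Id IN :contactIds
        ];
        // Strips fields the running user cannot read instead of throwing,
        // so the same code path serves all three users.
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, records);
        return (List<Contact>) decision.getRecords();
    }

    // Write path: only a user with edit FLS on the field (User C) may change it.
    // User B, who can read the field, is refused before any DML runs.
    public static void updateSsn(Id contactId, String newSsn) {
        if (!Schema.sObjectType.Contact.fields.Social_Security_Number__c.isUpdateable()) {
            throw new NoFieldAccessException(
                'Running user has no edit access to Social_Security_Number__c');
        }
        Contact c = new Contact(Id = contactId, Social_Security_Number__c = newSsn);
        // USER_MODE makes the DML itself honour object, field and sharing rules.
        Database.update(c, AccessLevel.USER_MODE);
    }
}
```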

At its core Salesforce allows you to simplify your requirements around security and compliance; further down we get into certain special scenarios such as GDPR, and what a good Salesforce implementation does is allow you to adhere to the regulations in a more standardized way. You shouldn’t have to manually search 5 different systems and manually delete data when a customer calls and wants all information about herself removed, and at the same time you shouldn’t be allowed to remove data that has to be stored longer for regulatory reasons. Meeting requests around AML and similar can be a standardized, fully automated process that helps you relax around such requests.

Please join the conversation and share your thoughts with me.

In the next blog post we will dig deeper into:

  • A thriving customer and partner eco-system
Written by Erik Ivarsson