Brace for Impact: It’s Not ‘if’ But ‘When’ Your Salesforce Data Will be Exposed
Ownbackup · Sep 09, 2024 · article
Two years ago, I left my strategic leadership role in the Department of Defense to join Own, motivated by the opportunity to protect the increasing amounts of data that government agencies store in the cloud, particularly Salesforce. As is often the case with data security, the greatest challenge is people, not technology. Many customers don’t understand the Shared Responsibility Model that Salesforce operates under and don’t realize they are responsible for protecting data stored in the cloud, including restricting access and maintaining backups. That is why I continue to be passionate about educating and empowering government agencies to ensure the security and compliance of their Salesforce data.
Anticipating Failure
Under the Shared Responsibility Model, Salesforce manages the security of the platform, while the customer maintains the security of the data stored in the platform. This means that government agencies (and all organizations, for that matter) using Salesforce are responsible for managing data classification, access control, disaster recovery, data retention, threat monitoring, and more. Unfortunately, most agencies lack visibility into their Salesforce data security and risks and have not tested their ability to restore data and operations after a disruption, compromise, or failure. Untested backups are a risk in themselves, because they may not work as expected: past studies of traditional backups found that 36% of them are incomplete and 50% of restores fail.
Furthermore, reliable Salesforce data recovery requires a combination of specialized expertise and fit-for-purpose tools to restore and reconstitute only the damaged data and relationships, leaving the bulk of "still good" data untouched. Because of these challenges, most customers whom Own guides through a Salesforce Security Risk Assessment and a Data Recovery Readiness and Response (DR3) assessment are initially at a lower maturity level than desired and require Technical Account Manager support to improve.
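The two points above (backups must be tested, and a good restore touches only the damaged records and relationships) can be made concrete in code. The following is an added example, not Own's code and not a Salesforce API; it works on a constructed in-memory snapshot using the standard Salesforce objects Account and Contact with their lookup fields ParentId and AccountId. It verifies a backup against a manifest of per-record digests written at backup time, then diffs the backup against the current state and produces a restore plan that inserts or updates only missing or corrupted records, ordering parents before children so that relationships resolve when applied.

```python
import copy
import hashlib
import json

# Constructed sample data, not real Salesforce records: the backup snapshot and the
# current org state after an accidental delete of one Account plus an integration
# error that blanked a Contact's lookup to that Account.
BACKUP = {
    "Account": {
        "001A": {"Name": "Agency A", "ParentId": None},
        "001B": {"Name": "Agency B", "ParentId": "001A"},
    },
    "Contact": {
        "003X": {"LastName": "Doe", "AccountId": "001A"},
        "003Y": {"LastName": "Roe", "AccountId": "001B"},
    },
}
CURRENT = {
    "Account": {"001A": {"Name": "Agency A", "ParentId": None}},  # 001B was deleted
    "Contact": {
        "003X": {"LastName": "Doe", "AccountId": "001A"},
        "003Y": {"LastName": "Roe", "AccountId": None},  # lookup corrupted
    },
}
# Lookup fields pointing at parent objects: object -> {field: parent object}.
RELATIONSHIPS = {"Account": {"ParentId": "Account"}, "Contact": {"AccountId": "Account"}}


def canonical_digest(fields):
    """SHA-256 over canonical JSON so logically equal records hash equally."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def build_manifest(snapshot):
    """Digest of every record, written alongside the backup at backup time."""
    return {(obj, rid): canonical_digest(f) for obj, recs in snapshot.items() for rid, f in recs.items()}


def verify_backup(snapshot, manifest):
    """Keys whose stored data is missing or no longer matches the manifest (the 'test the backup' step)."""
    actual = build_manifest(snapshot)
    return sorted(key for key, digest in manifest.items() if actual.get(key) != digest)


def object_order(relationships):
    """Topological order of objects so parents are restored before children (self references ignored)."""
    objects = set(relationships)
    for fields in relationships.values():
        objects.update(fields.values())
    deps = {obj: {p for p in relationships.get(obj, {}).values() if p != obj} for obj in objects}
    order = []
    while deps:
        ready = sorted(o for o, d in deps.items() if not d)
        if not ready:
            raise ValueError("cyclic relationship between objects")
        order.extend(ready)
        for o in ready:
            del deps[o]
        for d in deps.values():
            d.difference_update(ready)
    return order


def self_depth(obj, rid, records, relationships):
    """Parent hops within the same object (e.g. Account.ParentId); shallower records go first."""
    self_fields = [f for f, p in relationships.get(obj, {}).items() if p == obj]
    depth, seen = 0, set()
    while True:
        parent = next((records[rid][f] for f in self_fields if records[rid].get(f)), None)
        if parent is None or parent in seen or parent not in records:
            return depth
        seen.add(parent)
        rid, depth = parent, depth + 1


def plan_restore(backup, current, relationships):
    """Diff backup against current; return (ordered list of insert/update ops, count of untouched records)."""
    plan, untouched = [], 0
    for obj in object_order(relationships):
        backup_recs, current_recs = backup.get(obj, {}), current.get(obj, {})
        changed = []
        for rid, fields in backup_recs.items():
            if rid not in current_recs:
                changed.append(("insert", obj, rid, fields))
            elif canonical_digest(current_recs[rid]) != canonical_digest(fields):
                changed.append(("update", obj, rid, fields))
            else:
                untouched += 1  # "still good" data is never rewritten
        changed.sort(key=lambda op: self_depth(obj, op[2], backup_recs, relationships))
        plan.extend(changed)
    return plan, untouched


def apply_restore(current, plan):
    """Apply the plan to a copy of the current state and return the reconstituted data."""
    restored = copy.deepcopy(current)
    for _action, obj, rid, fields in plan:
        restored.setdefault(obj, {})[rid] = dict(fields)
    return restored


if __name__ == "__main__":
    print("backup problems:", verify_backup(BACKUP, build_manifest(BACKUP)))
    plan, untouched = plan_restore(BACKUP, CURRENT, RELATIONSHIPS)
    for op in plan:
        print(op[:3])
    print("untouched records:", untouched)
```

Running the demo reports no backup problems, a two-step plan (insert Account 001B, then update Contact 003Y) and two untouched records; a real restore would additionally map any new Salesforce IDs assigned on insert back into child lookups, which this in-memory version does not need.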
For Federal agencies, not understanding their responsibility to protect Salesforce data can result in significant gaps in the security controls defined in NIST SP 800-53 Rev. 5. Federal agencies are also counting the days until September 30 to meet the administration's mandate to implement zero trust cybersecurity requirements. Gartner predicts that 75% of U.S. federal agencies will fail to implement zero trust security policies due to funding and expertise shortfalls. Such failures increase the risk of government services being unavailable and sensitive information being exposed.
Government agencies have an opportunity to address such failures and need solutions that reduce the time and cost of compliance, which is where Own FedRAMP® authorized solutions can help with technical capabilities that are accelerated with automation.
Rising Risks
Over the past year, we have observed significant increases in Salesforce vulnerabilities and data loss, resulting in data leaks and service disruptions. The most common causes of such SaaS data loss and corruption incidents are human mistakes, such as inadvertent deletion and integration errors.
Cloud-conscious attacks increased by 110% between 2022 and 2023, according to the CrowdStrike 2024 Global Threat Report.
“The most ubiquitous impact technique was actually destructive, with actors removing access to accounts, terminating services, destroying data and deleting resources.” (2023 CrowdStrike Global Threat Report).
Insider threats highlight the importance of controlling access to data and maintaining least privilege access, including for contractors in development and test environments.
These rising risks, combined with data protection gaps, are a recipe for disaster, disrupting government services and exposing sensitive information.
Strengthening Security
By providing FedRAMP® authorized and interoperable data protection solutions for Salesforce, Own delivers the visibility and control that government agencies require to not only comply with published requirements but go beyond to thrive in a "de-perimeterized" world in an efficient and cost-effective manner.
Own Secure, a native application available on the AppExchange that is interoperable with FedRAMP®, encodes years of specialized Salesforce expertise to significantly cut the cost and time of identifying which data is highest risk, assessing how well sensitive data is protected, and computing risk scores that help prioritize what to fix first with limited resources.
Own Recover enables agencies to restore Salesforce data and metadata quickly and reliably, reducing downtime by 71% and increasing the efficiency of data recovery teams by 37%.
Own Archive helps agencies implement data retention and archival policies, which improves Salesforce performance, reduces storage costs by an average of 72%, and simplifies compliance and reporting.
Own Accelerate empowers agencies to innovate safely and securely in Salesforce with flexible data seeding and anonymization capabilities.
Federal system integrators have an opportunity and, in some cases, a responsibility to help government agencies meet their responsibility, using our guide to protecting data and implementing Zero Trust in Salesforce. Contact me if you want to learn more about delivering Security Risk Assessments fueled by Own FedRAMP® authorized solutions.
Eoghan Casey is Vice President of Cybersecurity Strategy & Product Development at Own, creating innovative solutions for SaaS data protection and security analytics. He has 25+ years of technical leadership experience in private and public sector organizations, and is an internationally recognized expert in cyber risk mitigation and digital forensic investigation. He is on the Board of DFRWS.org and has a PhD in Computer Science from University College Dublin.
https://www.owndata.com/blog/brace-for-impact-its-not-if-but-when-your-salesforce-data-will-be-exposed