For many CISOs, CTOs, CIOs and other security leaders, there is increased pressure to comply with international data residency laws when using SaaS software like Salesforce. Adding to this burden is the need to address open security vulnerabilities on the platform to avoid data leakage. Major considerations for these imperatives include:
- Local government laws around data residency
- Security breaches and data loss occur every day with rising frequency
- SaaS and Salesforce are not immune to these threats and demands
How can security leaders comply with data residency requirements and achieve application security in Salesforce?
We asked Rene Devasia, Chief Compliance & Security Officer at InCountry (a leading global data residency provider) and Waqas Nazir, CEO & Founder at DigitSec (a security scanning tool built for Salesforce) to weigh in on the current state of data residency and security, considerations for security leaders around these two topics, and how their unique solutions solve for data residency and security (respectively) in Salesforce.
What’s the current state of Salesforce data residency and security around the globe?
Starting from ground up- data residency points to the region in which data is stored, geographically speaking and has become a concern because innovations in computing and data analytics create the risk of data theft, inappropriate use of data and other attendant problems. Therefore, despite the benefits of these advanced processing and sharing technologies, countries have erected barriers to curb the dangers of uncensored data flows outside their area. These laws ensure that data is stored in its country of origin.
The GDPR (General Data Protection Regulation) is the world’s most widely known and used data residency law. It has a stellar status among other laws, being innovative and extensive in its provisions and regulates compliance for the 27 member countries of the European Union on certain data types, especially personal data. Companies that process it are compelled to keep them protected within the EU and only transfer to regions with an equivalent standard of protection.
Other prominent laws are the PIPL, which governs the Chinese data landscape, PIPEDA for Canada, and 152-FZ for Russia. In the United States, data protection is mainly governed at the state level, with the California Consumer Privacy Act (CCPA) being one of the most notable.
The state of data residency in the world can generally be described as unharmonious. Laws are constantly changing in line with new trends, developments, and best practices.
The matter is even more complex for global enterprises that use Salesforce as a CRM tool. While Salesforce is a convenient, unlimited, and secure way to manage data, it is stringently subject to changing data regulations.
However, as these changes continue, we can expect that global laws will align more with each other to stabilize data residency across the world.
Today, InCountry offers the perfect solution for Salesforce compliance.
From our perspective, companies and organizations are still grappling with the fundamental understanding of the Shared Responsibility model for Salesforce security. Salesforce has traditionally been owned by “non-IT” stakeholders within an organization. Companies that “get it” are coming to us and saying, “We realized how mission-critical Salesforce has become to our operations and our CISO’s need better insight and monitoring of potential security vulnerabilities.” So, we’re seeing a real shift in the industry there.
That’s not just happening in the United States. We’re seeing interest in that from around the world. Many countries have strong compliance rules, not just for the data, but also for software development and application management. Our development team is very busy mapping more compliance frameworks to our scanning rules.
What are the considerations for CISOs around data residency and Salesforce security?
The wake of data residency laws are what pushed many companies to appoint chief information security officers (CISOs) and data protection officers (whose job is simply to execute compliance while the CISO has a more strategic and fluid role). They proactively create and advance cybersecurity and data protection strategy by enhancing infrastructure and IT security, as well as risk assessment and management.
When it comes to compliance, the CISO has the delicate role of forging security strategies and policies for the company to meet the ever-changing residency requirements. The job is more complex where the company is a multinational one because there is more than one regulation to comply with.
The CISO’s task is to develop these requirements, define the role of all leaders within the organization, and create initiatives for information security in line with the law and the company’s long-term objectives. Those within larger organizations often liaise with the in-house legal or data privacy team to interpret the large volumes of legal jargon contained in multiple privacy laws. Other companies, when not as large, usually outsource external counsel with privacy expertise to ensure their security strategy is in sync with privacy requirements in their regions of interest. Which is why we see CISOs taking advantage of InCountry to mitigate the burden of compliance.
One thing I’d like to emphasize is that it is really a cross-functional position that is in the middle of balancing operational efficiency and innovation with security and compliance.
I think many clients naturally see those things as polar opposites. With the right tools in place, you can create a lot of transparency around the liabilities and the opportunities which can drive a collaborative, cross-team approach to management.
Why is security and data residency important to tackle together?
The most experienced security leaders in the industry understand the importance of handling security together with data residency requirements. So many of these companies have made arrangements for frequent collaborations between security and data residency teams in order to master compliance with data regulations. By integrating data protection rules into their security incident response processes, organizations do a better job of maintaining security. Simulated exercises can help both parties forge effective communication routes and responses in preparation for real-life incidents. This method helps to align the objectives of both teams and ensure that there are no weak areas.
Let’s look at a practical example where security and data residency need to be tackled together. Salesforce is a reputable and efficient CRM tool for many businesses. However, residency regulations have made things particularly difficult for Salesforce users to effectively comply with both data security and residency concerns. Thanks to InCountry, both can be tackled concurrently.
With the Salesforce and InCountry integration, companies can manage customer data in any country, maintaining compliance with global and local laws efficiently and securely. InCountry’s solution for Salesforce checks all the boxes for security and data residency compliance. With just one Salesforce instance and no additional hardware, InCountry delivers a full-stack integration to our clients. We ensure compliance with the highest standards, including SOC, PCI, HIPAA, ISO, and other security standards. Our infrastructure allows you to have your data processed in the country of origin for residency compliance. We have different deployment models that meet both legal and audit requirements, even in geographies with the strictest data laws.
InCountry’s solution for Salesforce works even as client companies expand into new countries without breaking a sweat about data security and residency compliance.
One thing I’d really like to highlight is the fact that InCountry runs on Salesforce. The data and the software are running together so there isn’t any real question about scale or performance, all of that is handled by Salesforce while InCountry offers data management options. DigitSec’s platform exists outside of Salesforce, one of our key value differentiators is that we scan code and config that has been deployed to Salesforce and we leverage the Salesforce runtime to test it for vulnerabilities.
Running these security tests in-context means that you truly have an accurate understanding of how the code can be exploited, but just as importantly, you can substantially reduce potential false-positives. If an exploit is tried and failed, then you know it isn’t a true finding and you can spare your development team from having to track it down.
We stress with our clients how important it is for their entire development pipeline to be secure, whether that’s scanning code from a repository or within a deployed Salesforce environment, eliminating potential vulnerabilities with every Save and Commit is just fundamentally the best practice.
What problems do InCountry and DigitSec solve for clients?
InCountry helps global companies achieve complete data compliance in any country. Irrespective of where their headquarters are located, companies can deploy data residency policies appropriate to any jurisdiction they operate in including Europe, China, Vietnam, Saudi Arabia — and worldwide. One of the numerous benefits of InCountry’s solution is that organizations can perform a single integration to manage data residency compliance globally rather than juggling multiple systems in each country of operation.
InCountry is the first data residency-as-a-service provider allowing businesses to deploy a compliant solution in any country and region they choose. It securely manages regulated data worldwide. With the data residency solution, companies can complete the entire processing cycle within the original country without breaking any data rules.
Let me also share a little secret about our technique: We use an API to channel data to and from our top-tier data centers within the country. This infrastructure includes both notable hyperscalers like AWS, Microsoft Azure, Google Cloud Platform, and Alibaba Cloud, as well as local cloud providers in countries where the hyperscalers are not available.
While it may be argued that companies can achieve on their own what InCountry offers, the big deal isn’t merely compliance. It is more about the fact that our clients can channel their focus and resources into growing and expanding, not having to worry about the multitude of data regulations demanding compliance. We are clearly the leading data residency service provider.
Partnering with InCountry is the quickest and surest way to comply with data residency regulations and penetrate new international markets. We address data residency with a global view yet pay detailed attention to the most remote local regulations.
I hear from our Sales team all the time about companies that reach out to us because they are concerned about Security. We work with them on a Proof of Concept Trial and they run their first scan. Some companies are amazed at how many issues they have from years and years of different developers contributing to their codebase or managing their configuration. They get worried about all the work that is going to be required to resolve and the reporting that they need to do to their organization that can be an indictment of their work to date.
Other companies are pleased to discover that their developers have been very careful and they aren’t surprised by the number or severity of their findings. What’s interesting to us is that both of these types of companies instantly appreciate the value of automated security scanning. In the first instance, it’s like a weight has been lifted from their shoulders. They finally have a way to quantify and attack the problem, they just have to marshal the resources.
In the second instance, there is a strong sense of validation, but also an appreciation for the fact that our tool can free some of their focus for other priorities.
How do your solutions help with data residency, security and compliance?
All of InCountry’s software and operations are set up with data security and compliance in mind. Talking about our data security measures in brief detail, we have to mention our unique and secure data vault, with an active firewall to keep data within the regulated geography. Our servers are fully hardened, while we deploy isolated serverless functions where necessary.
Compliance is at the heart of InCountry’s solutions. We work ceaselessly to keep in step with residency regulations worldwide. But do not take our word for it — look at the audits and reports we regularly undergo to ensure our services are up-to-date. They include the SOC 1 Type II, SOC 2 Type II, and SOC 3 reports, as well as the GxP, the Security Trust Assurance and Risk (STAR) certification, and the ISO/IEC series of security standards.
InCountry is fully compliant with all data residency laws, global and local. This includes Europe’s GDPR, China’s PIPL, CSL, and DSL; UK’s DPA; the PCI-DSS, which regulates credit card information; the Health Insurance Portability and Accountability Act (HIPAA); and all others worldwide. Our customers are able to achieve instant security and compliance at a minimal cost.
Our platform doesn’t touch client data and that’s really a very important message that we deliver early on in our relationship with potential customers. Our focus is on the security and compliance factors of the customizations that an organization brings to their Salesforce code and configuration. As you think about how that data is manipulated and consumed, it’s incredibly important for organizations to recognize their responsibility to the security of that data and the processing.
Our scans and platform help companies look at their Salesforce customizations and quickly analyze for any potential vulnerabilities, or any potential deviations from critical compliance frameworks, like GDPR, PCI-DSS, HIPAA or ISO-27001. Our system and our licensing structure are designed to integrate directly into normal operations in a non-metered frame, so there aren’t any question about cost for running security scans. We encourage our customers to integrate it so that every point along their chain is checked and protected with every code modification or configuration change.
This frees the organization from any type of concern about whether their analysis of their security posture is out of date. They can rely on our reports and analysis to be contemporaneous with their very last change.
What kinds of companies can benefit the most from your services?
Any public or private business that collects any personal information or detail from your customers in the course of business is bound to comply with processing laws. In this category are independent software vendors, tech companies, healthcare outfits like hospitals and pharmacies, retail businesses, hotel service outlets, automotive companies, and every other country operating internationally on the Internet.
It follows that a critical need for these companies is a seamless security and compliance strategy that covers every aspect of their data processing, just like InCountry.
InCountry provides a special offering for Salesforce because we understand the unique burden of compliance they grapple with in managing customer personal information. However, our solutions can be accessed by every company which handles any type of regulated data and offers software as a service in any country.
InCountry provides benefits to each stakeholder group:
- IT: Better to use a single global system rather than multiple systems;
- Business: Global view of customers, tickets, and other business functions;
- Compliance/Legal: Compliant with local regulations and changing regulations;
- End-users: Continue to use the global SaaS system;
- CIO: Digital transformation with global SaaS that upgrades silo’d applications.
We really see uptake across the board and we have tried to find pricing plans that make this a reasonable expense for organizations of all sizes. Even organizations that don’t do much code development can benefit from our Configuration scans. However, we do see two important groups driving the most interest in our offerings.
First, as we spoke about earlier, we see CISOs and other C-Level leaders very interested in providing resources to their organizations that help them identify issues and focus precious resources on remediation. Our software is quick, reduces false-positives, and doesn’t have a marginal cost to run.
Secondly, we see a lot of consultants coming to us and asking for help in both running initial assessments, but then also tracking the progress of remediation. Many companies will reach out to consultants because their internal resources are already incredibly strained or they fear they don’t have the expertise, but consultants also realize that they need a way to generate those findings efficiently, communicate priority, and then develop remediation and action plans that can be effectively tracked.