Invisible pathways: Closing Salesforce identity security blind spots
Learn how composite access visibility closes critical Salesforce identity security blind spots, including key strategies to address access misconfigurations.
Salesforce has evolved from a CRM into a suite of sales, marketing, commerce, service, and collaboration products in the Salesforce Customer 360 platform. That platform powers critical business functions for organizations across nearly every industry, including state and federal governments. It also serves as a repository for much of their most sensitive data, including customer payment information, financial transaction records, mortgage applications, healthcare data, and even voter records. This makes Salesforce an attractive target for threat actors.
Moreover, Salesforce Customer 360's most important feature — its near-infinite customizability, which makes it a dynamic business engine across sectors — also presents its most dangerous vulnerability: a uniquely complex web of identity and access permissions that is difficult to monitor and manage effectively, exposing data to unauthorized access and identity-based threats — from insider risks like a departing salesperson taking customer lists to sophisticated social engineering attacks.
Access misconfigurations create major Salesforce vulnerabilities
Recognizing the criticality of their Salesforce operations and data, most organizations have made significant investments in protecting their Salesforce infrastructure. They’re using data encryption and network security like firewalls, secure access gateways, and VPNs to prevent unauthorized access, integrating SIEM platforms for security monitoring, and putting data loss prevention (DLP) tools in place as backstops.
But Salesforce security incidents have not involved threats breaching the perimeter. Rather, the vulnerabilities center on misconfigurations and oversights in access permissions:
KrebsOnSecurity: Many Public Salesforce Sites are Leaking Private Data
KrebsOnSecurity described how access misconfigurations were causing “a shocking number of organizations — including banks and healthcare providers” to expose sensitive data within Salesforce. The extremely common misconfiguration “allows an unauthenticated user to access records that should only be available after logging in.”
Dark Reading: Misconfigured Custom Salesforce Apps Expose Corporate Data
A security advisory warned that customized Salesforce instances — including those of several government agencies — had dangerous misconfigurations in access permissions that exposed sensitive data (including SSNs and user credentials) and could allow a threat actor to disrupt business functions. Dark Reading chronicled a years-long history of similar security advisories and incidents stemming from “common misconfigurations in Salesforce sites and applications, which often have run with lax permissions.”
The Hacker News: Non-Human Access is the Path of Least Resistance
The Hacker News highlighted why non-human identities (NHIs) and non-human access are now threat actors’ easiest ways into Salesforce. NHIs like API keys, tokens and service accounts are used to connect apps and resources with cloud services like Salesforce. But unlike human identities, NHIs are typically not covered by MFA, SSO or other IAM policies. “They are mostly over-permissive, ungoverned, and never-revoked. In fact, 50% of the active access tokens connecting Salesforce and third-party apps are unused.”
Security teams struggle to identify Salesforce access misconfigurations
The complex web of Salesforce identity and access permissions makes it difficult for security teams to get rapid, reliable answers to essential questions about who has access to what objects, reports, etc., how they obtained those permissions, and what actions they’ve taken with them.
In fact, in helping organizations assess their Salesforce access risks, we’ve seen that many do not even have Shield Event Monitoring enabled. This means the security team does not have the log data needed to understand access activity in Salesforce.
This fundamental monitoring gap leaves security teams woefully underpowered to investigate and respond to identity risks and security incidents, allowing breaches to go undetected and unresolved for days, weeks, or even months. Without Shield Event Monitoring enabled, it becomes virtually impossible to continuously enforce least-privilege principles and establish a Zero Trust environment, leaving business-critical assets and information exposed to the risks of excessive and unmonitored privileges.
The hidden complexities of Salesforce access management
Why does Salesforce present a unique set of identity security challenges that cannot be effectively and efficiently addressed by native IAM tools and legacy solutions?
- Overprovisioning and default access rules: Most organizations rely on group membership, role-based access control (RBAC), and inherited permissions to streamline and accelerate onboarding and get users the access they need as quickly as possible (and with the least burden on IT). This approach inevitably leads to excessive access, and overprovisioned access leaves data and assets exposed to unauthorized use — especially if account activity is not actively monitored.
- Limited visibility to access authorization: Identity and access monitoring is hampered by the fact that many organizations manage Salesforce access and permissions through an external identity provider, such as an SSO tool. While SSO is a critical component of a modern security posture, it can also create a false sense of security. SSO provides authentication to get into Salesforce — but does not provide clear visibility to the specific access or action-level authorizations a user may have with individual resources within Salesforce. This makes it difficult to gain clear visibility of how identity and permissions flow across Salesforce and other connected systems.
- Complex customizations: No two Salesforce deployments look the same. Virtually every organization customizes objects, fields, and app integrations extensively, quickly adding significant complexity to the web of access and permission sets and groups. The IAM tools within SSOs are not built to give fine-grained visibility across these customized elements and third-party integrations.
- Automation and non-human identities: Companies pursue automation in Salesforce by integrating more apps and granting permissions to non-human identities (NHIs). Traditional IAM tools exclude NHIs, leaving organizations with two options: adopt specialized solutions that fragment identity visibility, or leave NHIs unmonitored and vulnerable.
- The unique risks of impersonation: The impersonation feature in Salesforce is tremendously helpful in customer support and internal administration use cases. However, most organizations do not have detailed visibility of impersonation activity, presenting a serious risk that privileged users’ misuse of this feature may go undetected.
- Reactive incident response: Despite SIEMs and other tools aimed at continuously monitoring and alerting on risky activities, threats stemming from compromised credentials or privilege abuse are typically only discovered after a significant breach or compliance violation has occurred. This lagging response is further delayed by the lack of centralized, fine-grained visibility that makes it painfully slow to answer essential questions around who has access to what, how they got it, and what actions they’ve taken with those permissions.
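To make the impersonation blind spot above concrete, here is an added example (not code from this post, from Oleria, or from Salesforce) that reviews Login As events in the shape of a Shield Event Monitoring EventLogFile export and answers who impersonated whom and when, flagging events that break an assumed policy. The column names are assumed from Salesforce's LoginAs event type; the rows, the approved-impersonator group, the sensitive-target list and the business-hours window are constructed.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the shape of a Shield Event Monitoring EventLogFile export
# for the LoginAs event type (column names assumed from Salesforce's documentation;
# DELEGATED_USER_NAME is the impersonator, USER_NAME the impersonated user).
SAMPLE_LOGINAS_CSV = """EVENT_TYPE,TIMESTAMP_DERIVED,DELEGATED_USER_NAME,USER_NAME,CLIENT_IP,URI
LoginAs,2024-05-06T09:12:44.000Z,support.agent@example.com,customer.user@example.com,203.0.113.10,/servlet/servlet.su
LoginAs,2024-05-06T23:41:02.000Z,support.agent@example.com,finance.admin@example.com,203.0.113.10,/servlet/servlet.su
LoginAs,2024-05-07T10:03:15.000Z,contractor.bob@example.com,customer.user@example.com,198.51.100.7,/servlet/servlet.su
"""

# Assumed policy inputs: who may impersonate, which targets are sensitive,
# and the window outside which Login As activity is unexpected.
APPROVED_IMPERSONATORS = {"support.agent@example.com"}
SENSITIVE_TARGETS = {"finance.admin@example.com"}
BUSINESS_HOURS_UTC = range(7, 19)  # 07:00 to 18:59 UTC


def parse_loginas(csv_text):
    """Return LoginAs rows as dicts, each with a parsed UTC timestamp under 'ts'."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EVENT_TYPE"] != "LoginAs":
            continue
        ts = datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
        row["ts"] = ts.replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows


def review_impersonation(rows):
    """Answer 'who impersonated whom, when' and attach policy findings per event."""
    findings = []
    for r in rows:
        reasons = []
        if r["DELEGATED_USER_NAME"] not in APPROVED_IMPERSONATORS:
            reasons.append("impersonator not in approved support group")
        if r["USER_NAME"] in SENSITIVE_TARGETS:
            reasons.append("target is a sensitive/privileged account")
        if r["ts"].hour not in BUSINESS_HOURS_UTC:
            reasons.append("outside business hours")
        findings.append({"who": r["DELEGATED_USER_NAME"], "whom": r["USER_NAME"],
                         "when": r["ts"].isoformat(), "flags": reasons})
    return findings
```

Run against a real export, the same three checks give a reviewer a short list of Login As sessions to validate against tickets rather than a raw event stream.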
Oleria brings clarity to Salesforce identity security
Many organizations struggle to bridge the gap between Salesforce's native security tools and broader identity and access management (IAM) strategies. For example, while Salesforce's Security Health Check and other SSPM solutions provide valuable posture assessments, they often lack the ability to deliver continuous, actionable insights into actual access and usage.
Oleria Identity Security bridges the gaps and blind spots left by Salesforce’s native tools and legacy IAM solutions. Oleria goes beyond static checks by building a dynamic, composite access graph that combines data from your IdPs and Salesforce.
Oleria gives security teams a single solution to manage and control all identity and access (both human and non-human) across Salesforce's Sales Cloud, Service Cloud, and CRM platforms. With fine-grained visibility into accounts, opportunities, cases, and more, Oleria allows teams to understand not only who has access but also how they're using it. This granular view enables continuous posture management, proactive access monitoring, and precise least-privilege enforcement, ensuring that critical Salesforce data stays protected without sacrificing operational agility.
5 key strategies to reduce Salesforce identity security risk
- Tame the complexity of Salesforce access
You can’t understand something you can’t fully see. Oleria enables security teams to unravel the intricate web of Salesforce permissions by providing a unified view of all access rights, regardless of how customized your Salesforce environment is. This allows you to see:
- Eliminate overprivileged & inactive accounts
With that foundation of comprehensive and fine-grained visibility, security teams can tackle the overprovisioning problem head-on. Oleria helps pinpoint accounts that are no longer active or necessary — including machine accounts associated with non-human identities — so you can take action to enforce least privilege, reduce the attack surface, and reclaim unused licenses.
- Get unified control of non-human identities
Conventional IAM tools don’t cover NHIs, but a specialized non-human identity security product just adds complexity to an already-burdensome security stack. Oleria provides the same level of visibility and control for all types of identities, including NHIs.
This includes API keys, service accounts, and connected apps. This unified solution allows security teams to follow the same least-privilege protocols, ensuring that NHIs have only the necessary permissions to perform their designated tasks, reducing the risk of unauthorized access or data breaches.
- Shine a light on impersonation
The typical blind spot around Salesforce's impersonation feature is a huge vulnerability. Oleria provides visibility to monitor impersonation activity through detailed logs of all impersonation events, allowing you to identify any suspicious or unauthorized use of this feature. Security teams can track who impersonated whom, when, and for what purpose, ensuring that any misuse is quickly detected and addressed.
- Accelerate incident investigation & response
Between the cat-and-mouse game of evolving vulnerabilities and attack patterns, and the ever-present threat of insider risk (intentional or unintentional), complete prevention of identity-based security incidents is a pipe dream. But resiliency can’t depend on slow, manual investigation and response workflows that take days or weeks when every minute matters.
Oleria eliminates the majority of the manual work and gives you the answers you need in seconds. The intuitive Access Graph makes it easy to understand the scope of an incident and identify the root cause. Oleria also provides purpose-built tools that make it faster to revoke permissions, suspend accounts, and take other necessary actions to contain the damage and prevent further harm.
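The unused-token statistic quoted earlier and the inactive-account and NHI strategies above call for the same check, so here is one added example (not Oleria's code, and not Salesforce's) that combines User login records and OauthToken usage records into a per-identity last-activity view, then flags idle human accounts and idle NHI tokens and notes which hold an admin profile. Field names are assumed from the Salesforce User and OauthToken objects; the records, the 90-day threshold and the privileged-profile list are constructed.

```python
from datetime import datetime, timedelta, timezone
# Constructed records in the shape of a SOQL export of the Salesforce User and
# OauthToken objects (field names assumed from those objects; values are made up).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
USERS = [
    {"Id": "005000000000002", "Username": "departed.rep@example.com", "IsActive": True,
     "LastLoginDate": "2024-01-15T17:30:00.000+0000", "ProfileName": "Standard User"},
    {"Id": "005000000000003", "Username": "svc.integration@example.com", "IsActive": True,
     "LastLoginDate": None, "ProfileName": "System Administrator"},  # API-only account
]
OAUTH_TOKENS = [
    {"AppName": "Marketing Sync", "UserId": "005000000000003",
     "LastUsedDate": "2024-05-31T02:00:00.000+0000", "UseCount": 4120},
    {"AppName": "Legacy BI Connector", "UserId": "005000000000003",
     "LastUsedDate": "2023-11-02T11:00:00.000+0000", "UseCount": 12},
    {"AppName": "Old Mobile Client", "UserId": "005000000000002",
     "LastUsedDate": None, "UseCount": 0},
]
STALE_AFTER = timedelta(days=90)  # assumed review threshold
PRIVILEGED_PROFILES = {"System Administrator"}

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z") if ts else None

def _is_stale(last_used, now):
    # A credential that has never been used is pure attack surface: treat it as stale.
    return last_used is None or now - last_used > STALE_AFTER

def last_activity(user, tokens):
    """Latest of interactive login and any OAuth token use for this user. A service
    account never logs in interactively, so its tokens are its only activity signal."""
    stamps = [_parse(user["LastLoginDate"])]
    stamps += [_parse(t["LastUsedDate"]) for t in tokens if t["UserId"] == user["Id"]]
    return max((s for s in stamps if s is not None), default=None)

def find_stale_identities(users=USERS, tokens=OAUTH_TOKENS, now=NOW):
    """Flag idle human accounts and idle NHI tokens, marking which carry admin rights."""
    by_id = {u["Id"]: u for u in users}
    findings = []
    for u in users:
        if u["IsActive"] and _is_stale(last_activity(u, tokens), now):
            findings.append({"kind": "user", "name": u["Username"],
                             "privileged": u["ProfileName"] in PRIVILEGED_PROFILES})
    for t in tokens:  # an idle token is flagged even when its owner is otherwise active
        if _is_stale(_parse(t["LastUsedDate"]), now):
            owner = by_id[t["UserId"]]
            findings.append({"kind": "oauth_token", "name": t["AppName"],
                             "privileged": owner["ProfileName"] in PRIVILEGED_PROFILES})
    return findings
```

Looking at login and token use together is what keeps an API-only service account from being misreported as dormant while still surfacing its individual stale tokens.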
Ready to strengthen your Salesforce security?
Contact Oleria to schedule a personalized demo and see how Oleria gives you critical clarity and control to protect your Salesforce organization.