Key Takeaways:
- Storing CUI, FCI, and PII data often requires Salesforce Government Cloud to meet compliance and security standards.
- Salesforce Government Cloud provides encryption, access controls, and compliance features, but organizations must implement additional security best practices.
- Preventing data spillage requires strong policies, process adjustments, and user training to ensure sensitive data stays within secure environments.
Understanding When Salesforce Government Cloud Is Necessary
In a previous blog post, Sunil described the differences between Salesforce Government Cloud and Salesforce Commercial Cloud and highlighted the questions an organization may need to ask itself when determining whether Salesforce Government Cloud is needed. Here we take a closer look at what types of data necessitate Salesforce Government Cloud, how that data is stored and protected, and how spillage can still occur and be mitigated.
Storage of sensitive data is a primary driver for moving to Salesforce Government Cloud
The question then is: what constitutes sensitive data? There are 3 types of data that we typically encounter with customers that are pursuing or already operating on Salesforce Government Cloud:
- CUI
- FCI
- PII
Let’s define these real quick below:
CUI (Controlled Unclassified Information)
This is sensitive but unclassified information that the U.S. government wants to protect. It includes things like defense-related technical data, certain legal documents, or sensitive business info shared with the government. Basically, it’s info that isn’t top secret but still needs safeguarding. This information is typically identified on the documents shared by federal agencies with keywords like “CONTROLLED” or “CUI”. If you are unsure if something is CUI or not, the National Archives maintains the registry/reference information which can be found here: https://www.archives.gov/cui/registry/category-list
FCI (Federal Contract Information)
This refers to non-public information that a company receives or generates while working on a federal contract. It’s not meant for public release and is usually tied to contract performance, like internal reports or compliance documents. This information is not going to be labeled or identified like CUI is, so it’s a bit tougher to identify. The bottom line is that this information is related to a federal contract, or is information in service of a federal contract, and is not publicly available. Note that this could be information coming from both sides of the relationship, e.g. the federal agency can send a network diagram of their infrastructure as part of the scope of an existing services contract.
PII (Personally Identifiable Information)
This is any data that can be used to identify an individual, like names, Social Security numbers, email addresses, or phone numbers. It’s the kind of stuff you don’t want falling into the wrong hands because it can lead to identity theft. This one is likely obvious to most folks (and there are varying degrees of PII just as there are with CUI and FCI). You may be wondering why storing things like names, addresses, and phone numbers requires Government Cloud when doing so is a very typical use case for Salesforce Commercial Cloud. The distinction is that WHO the PII belongs to matters. If the PII belongs to or is sourced from a federal agency, then Salesforce Government Cloud is likely required. It is possible, however, that the particular agency does not require a FedRAMP or DoD IL4 compliant product to store this information, so it would be wise to confirm that with them beforehand.
Your Sales and Service business units could store all 3 types of data within Salesforce AND also be required to pursue a certification in order to continue doing business with a particular federal agency. If your business is storing one or more of these types, you likely need to migrate your teams to Salesforce Government Cloud.
Salesforce Government Cloud secures your sensitive data
But how does it actually secure the data? Salesforce Government Cloud provides data encryption “at rest” and “in transit”. Encryption at rest means that if someone were to get ahold of the physical servers or gain access to a database which stores Salesforce object data, they would not be able to read the information. Encryption in transit applies when data is being moved from one place to another, whether that’s from the Salesforce server to your browser or between two different Salesforce servers. This prevents packet sniffing and other man-in-the-middle type attacks from gaining access to the data. One of Salesforce Shield’s products, Platform Encryption, provides additional latitude by allowing encryption of specific fields and allowing you to bring your own encryption key.
To get Salesforce Government Cloud compliant and certified, Salesforce had to implement (or partially implement) many security controls to lock the system down. These include the encryption described above as well as capabilities for configuring more security within the core platform, and that is where the partially implemented security controls come in. While Salesforce has addressed many of the physical controls for the platform behind the scenes, there are controls that must be defined and then implemented on the consumer end to ensure compliance. Some quick examples in Salesforce would include:
- Limiting the number of users that have System Administrator access
- Lowering the amount of time before a login session times out
- Adding whitelisting for logging in from specific IP addresses
- Implementation of SSO and Multi-Factor Authentication
Generally, implementing the principle of least privilege is a safe bet for designing an application on top of Salesforce Government Cloud (and really Commercial Salesforce as well). While it’s more convenient to have a longer session timeout or to not have to manage and trace metadata updates, it is less secure and much riskier when storing any of the above data types. Note that the above examples aren’t necessarily tied to a specific certification like FedRAMP or CMMC but generally apply across the board to secure your system on top of what Salesforce has done. For example, FedRAMP Moderate and CMMC Level 2 are based on the same NIST 800 controls for Access Control as well as Identification and Authorization, so simply addressing MFA and SSO respectively will address both control families.
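As an added example (not code from the original post or from Salesforce), the script below audits two of the consumer-side controls listed above, session timeout and login IP restrictions, against retrieved org metadata. The XML samples are constructed, the element names follow the Metadata API's SecuritySettings and Profile types as assumed here, and the two policy limits are assumptions to replace with your own.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
MAX_TIMEOUT_MINUTES = 30    # assumed policy limit, not from the article
MAX_RANGE_ADDRESSES = 256   # assumed policy limit, not from the article
TIMEOUT_MINUTES = {"FifteenMinutes": 15, "ThirtyMinutes": 30, "SixtyMinutes": 60,
                   "TwoHours": 120, "FourHours": 240, "EightHours": 480,
                   "TwelveHours": 720, "TwentyFourHours": 1440}

# Constructed samples shaped like retrieved Security.settings and Profile metadata.
SECURITY_SETTINGS = """<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
  <sessionSettings><sessionTimeout>TwoHours</sessionTimeout></sessionSettings>
</SecuritySettings>"""
PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <loginIpRanges><startAddress>0.0.0.0</startAddress><endAddress>255.255.255.255</endAddress></loginIpRanges>
  <loginIpRanges><startAddress>203.0.113.0</startAddress><endAddress>203.0.113.63</endAddress></loginIpRanges>
</Profile>"""

def audit_session_timeout(xml_text):
    """Return findings when the org-wide session timeout exceeds the policy limit."""
    root = ET.fromstring(xml_text)
    value = root.findtext("md:sessionSettings/md:sessionTimeout", namespaces=NS)
    minutes = TIMEOUT_MINUTES.get(value)
    if minutes is None:
        return [f"session timeout missing or unrecognized: {value!r}"]
    if minutes > MAX_TIMEOUT_MINUTES:
        return [f"session timeout {value} ({minutes} min) exceeds {MAX_TIMEOUT_MINUTES} min"]
    return []

def audit_login_ip_ranges(xml_text):
    """Return findings for a profile with no IP restriction or an overly wide range."""
    ranges = ET.fromstring(xml_text).findall("md:loginIpRanges", NS)
    if not ranges:
        return ["profile has no login IP ranges, so login is not restricted by address"]
    findings = []
    for r in ranges:
        start = ipaddress.ip_address(r.findtext("md:startAddress", namespaces=NS))
        end = ipaddress.ip_address(r.findtext("md:endAddress", namespaces=NS))
        size = int(end) - int(start) + 1  # inclusive range width
        if size > MAX_RANGE_ADDRESSES:
            findings.append(f"login range {start}-{end} allows {size} addresses "
                            f"(limit {MAX_RANGE_ADDRESSES})")
    return findings

if __name__ == "__main__":
    for finding in audit_session_timeout(SECURITY_SETTINGS) + audit_login_ip_ranges(PROFILE):
        print("FINDING:", finding)
```

Running the same checks on every deployment makes a relaxed timeout or a widened IP range show up as a finding instead of an unnoticed metadata change.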
People and Process Risks
While simply operating on the Salesforce Government Cloud adds a significant bump in security, that only addresses the tech side of the equation when it comes to securing data. Both the people and process sides of the equation will likely need to be enabled or updated respectively in order to prevent the spillage of any of the above data types.
Spillage is when data leaves the Salesforce Government boundary and enters a system that is not authorized to contain it. From a technical perspective, when operating within Salesforce Government Cloud native features, the only risk of spillage is when users export data via reports or API, but it’s not realistic to expect organizations to not have other systems or personnel that may need information from the Government Cloud.
Mitigation of people and process risks (beyond the above controls) comes in two parts: policy and traceability. Many certifications and controls (including the two mentioned above: FedRAMP and CMMC) require an organization to define, document, and execute enforcement of policies which prevent the human element from compromising data security. So in using Salesforce Government Cloud, it is likely that the business process for your Sales or Service teams would absolutely need to be adjusted to prevent spillage.
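To make the traceability half concrete, here is an added example (not from the original post) that reviews a log of report and API exports and flags the ones that would carry data to a place the policy has not authorized. The log rows, column names, event type labels, approved network, and authorized client list are all constructed assumptions standing in for whatever export audit data your org collects.

```python
import csv
import io
import ipaddress

# Assumed policy inputs: networks and API clients authorized to receive exported data.
APPROVED_NETWORKS = [ipaddress.ip_network("203.0.113.0/26")]
AUTHORIZED_API_CLIENTS = {"gov-data-warehouse"}

# Constructed export log; the column names and event types are illustrative.
EXPORT_LOG = """timestamp,user,event_type,client,client_ip,rows
2025-03-03T14:02:11Z,asmith,ReportExport,browser,203.0.113.20,180
2025-03-03T22:47:05Z,bjones,ReportExport,browser,198.51.100.7,5200
2025-03-04T01:15:40Z,svc-integration,ApiExport,gov-data-warehouse,203.0.113.41,9100
2025-03-04T01:16:02Z,svc-integration,ApiExport,marketing-sync,203.0.113.41,9100
"""

def review_exports(log_text):
    """Return one record per export that may have left the authorized boundary."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = []
        ip = ipaddress.ip_address(row["client_ip"])
        if not any(ip in net for net in APPROVED_NETWORKS):
            reasons.append("export received outside approved network")
        if row["event_type"] == "ApiExport" and row["client"] not in AUTHORIZED_API_CLIENTS:
            reasons.append("API client is not authorized to hold this data")
        if reasons:
            findings.append({
                "timestamp": row["timestamp"],
                "user": row["user"],
                "event_type": row["event_type"],
                "rows": int(row["rows"]),
                "reasons": reasons,
            })
    return findings

if __name__ == "__main__":
    for f in review_exports(EXPORT_LOG):
        print(f["timestamp"], f["user"], f["event_type"], f["rows"], "; ".join(f["reasons"]))
```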
Vectr Solutions can implement a secure data strategy for your business on Salesforce Government Cloud
Navigating the complexities of identifying and securing sensitive data in Salesforce Government Cloud can be challenging. Ensuring that Controlled Unclassified Information (CUI), Personally Identifiable Information (PII), and other sensitive data are properly classified, stored, and protected requires a strategic approach.
At Vectr Solutions, we specialize in helping organizations on Salesforce:
- Identify and classify sensitive data to meet compliance standards
- Implement secure architecture to safeguard critical information
- Re-engineer processes to align with regulatory requirements and enhance operational efficiency
With our expertise, you’ll have a compliant and secure Salesforce Government Cloud environment tailored to your unique needs.
Contact a Vectr Solutions expert today to ensure your sensitive data is secure, compliant, and seamlessly integrated into Salesforce Government Cloud!