5 Critical Security Questions to Ask Your SI Partner

Dreamforce is just around the corner, with lots of opportunities to explore the marketplace of Salesforce AppExchange Partners who can help you manage and extend your Salesforce implementation. 

First off, why should you care about your partner's security practices? Most partners are given a shared login to production or sandbox orgs containing real IP about your Salesforce customizations and potentially real, sensitive customer data. Even more, most partners, like internal developers or admins will need access to the API's like the Metadata, REST, and Tooling APIs to use the vast array of developer tools available to work with your Salesforce org's configuration and data.

The Salesforce user accounts you provide for your partner are the keys to all your org's configuration and all its data. Every consultant and every tool they use with that user has the keys to everything.

The reality of most Salesforce consulting engagements doesn't quite match up with the ideal world painted by Salesforce's Master Subscription Agreement (MSA). Shared user accounts are common, despite the MSA's stance against them. It's a pragmatic approach that keeps costs down, but it introduces some serious security challenges.

So, as you mingle with SI partners at Dreamforce, here are five questions you absolutely need to ask:

1. How do you manage access controls for shared accounts used by multiple consultants?
   Look, we all know shared accounts happen, especially in development orgs. The real question is how they're managed. Are we talking about a free-for-all, or is there a system in place?
   
   Listen for mentions of access management tools, role-based permissions, or anything that suggests they're not just passing around a single login like a hot potato.
2. What systems do you have in place for real-time monitoring and alerting of suspicious activities in our org?
   "Trust, but verify" should be your mantra here. Your partner should have some way of keeping an eye on what's happening in your org in real-time.
   
   If they start talking about log analysis, anomaly detection, or alert systems, you're on the right track. If they look at you like you've just asked them to explain quantum physics, well... that's a red flag.
3. How do you handle secure credential management and rotation, especially for API access?
   This is where things often get dicey. Storing the sfdxAuthUrl in a text file on someone's laptop or sharing through chat isn't going to cut it.
   
   You want to hear about secure vaults, regular credential rotation, and maybe even some fancy OAuth flows. If they're still using the same API key from 2015, it's time to worry.
4. What security measures are in place for access to our orgs from your developers' local environments and tools?
   Developers are the wizards behind the curtain, but their local setups can be a security nightmare if not managed properly. Are they using encrypted hard drives? VPNs? How do they handle org credentials on their machines?
   
   A good answer here shows they've thought beyond just getting the job done to keeping your data safe in the process.
5. What is your process for conducting and providing detailed post-engagement audits of all actions taken in our org?
   This is the "show your work" of the consulting world. There are a lot of changes the Salesforce Audit Log alone won't tell you, like who made a change using a shared user account.
   
   If they use source control and automated deployment pipelines, most if this data is tracked and audit logs should be easy to provide. If not, listen for a commitment to transparency and openness about exactly what was done as part of the engagement.

And here's a bonus round for the security-conscious: Ask them about their approach to ongoing security training. The Salesforce ecosystem moves fast, and yesterday's best practices can be tomorrow's vulnerabilities. How do they keep their team sharp?

Remember, the goal here isn't to grill your partners until they sweat. It's about starting a conversation on security that goes beyond the usual "Yeah, we take it seriously" platitudes. You're looking for partners who have given these issues real thought and implemented solid practices.

So, as you navigate the Dreamforce crowds, don't be afraid to ask the tough questions. Your data security is worth it. And who knows? You might just find a partner who impresses the heck out of you with their answers to these questions. Now wouldn't that be a nice Dreamforce surprise?

We're Here to Help

By the way, if you're an SI partner reading this and breaking out in a cold sweat, don't panic. This is an opportunity. The partners who can answer these questions confidently are going to stand out in a big way. And if you're not there yet? Well, there are solutions emerging in the ecosystem (hint: keep an eye on what we're doing at Muselab) that can help you level up your security game.

Whether you're a partner trying to figure out how you would answer these questions from a customer or prospect or a customer wanting to better understand how to securely engage with partners, we want to hear from you. Book a free 1-hour consultation with me to discuss your questions, thoughts, or arguments with any of these questions.

Want to learn more about the security risks associated with the sfdxAuthUrl? Check out our blog post:
Securing Salesforce DevOps: Least Privilege Access Control, the first in a series of posts about how to manage Salesforce org credentials in automated build pipelines.