ITBusiness.ca

Shall We Dance? Salesforce.com proves the cloud-governance risk

By Alizabeth Calder

According to research by Rightscale.com, 91 per cent of us are using cloud-based service providers, and we are spending 24 per cent more on cloud solutions than in 2018 (1).

Cloud and SaaS providers are not immune to the skills and procedural gaps that cause problems, yet we seldom consider the risk of a provider outage. The cost per hour of a cloud outage can exceed $1 million (2).

For those who missed it, Salesforce had a three-day outage recently (3), making them the new poster child for cloud-provider failure.  Interesting that this incident should happen to the company that led the cloud-based-reliance movement in the sales, marketing and contact management space.  

The situation seems to have resulted from a failure of either testing or oversight (i.e., it was a preventable problem). The result was that all individual Salesforce users in a company were able to see and edit all of their company’s data, regardless of permissions. Although the company has not yet put out official statements, the sequence of events seems to be:

To be clear, we can give Salesforce a solid B+ on their response to this incident.  There are, however, some interesting object lessons to be taken:

  1. The new age of communication – Salesforce CTO Parker Harris took to Twitter to apologize – “To all of our Salesforce customers, please be aware that we are experiencing a major issue with our service and apologize for the impact it is having on you”. (5)  In the old days when a technology provider really messed up, the CEO apologized to their clients.  Is this the new standard for how our service providers address us?
  2. The new world of dependence – Companies using Salesforce have probably moved to a significant if not complete dependence on this platform to support sales.  (I suspect some salespeople are going to go back to keeping a local source of contacts and opportunities, in self-defence.) If this incident isn’t blamed for missing clients’ sales commitments in the next round of results calls, the only reason will be that it did not happen at the end of a month or a quarter.  Even then, it may have impacted some business results…
  3. A new level of folly in critical oversight – Third-party oversight, including Cloud and SaaS providers, is a critical part of cyber security governance, but this outage won’t be covered by a standard cyber insurance policy. Yet, according to supply chain research, nearly half of IT leaders lack confidence in business partner security postures and 25 per cent do not evaluate partner cyber security. (2) Responsibility is clear – liabilities have yet to be calculated.

While the liability dance between Salesforce and its customers has yet to play out, business leaders from the CIO all the way up to the Board may need to be a little less blasé about the third-party providers they believe are looking after things.

As an IT executive, the fact that Salesforce owned the problem last weekend certainly made my job easier, but at the end of the day I still own the business’s access to critical systems and capabilities. Thanks for the Twitter, Parker, but I’m waiting for the one that says you’ve added some privileged access monitoring and improved your testing protocols.

________

  1. https://www.rightscale.com/blog/cloud-industry-insights/cloud-computing-trends-2019-state-cloud-survey
  2. http://www.tripwire.com/company/research/tripwire-2016-supply-chain-survey/
  3. https://www.crn.com/news/security/massive-salesforce-outage-resolved-with-gradual-access-restoration
  4. https://www.theregister.co.uk/2019/05/20/salesforce_outage_continues/
  5. https://marketingland.com/salesforces-pardot-went-down-for-15-hours-exposing-data-in-the-cloud-261257
  6. https://www.crn.com/news/security/-major-salesforce-outage-whacks-firm-s-marketing-automation-customers
