Continuous Monitoring at Salesforce
From high-level policies to everyday practices, trust is reinforced in everything we do at Salesforce. For Salesforce Government Cloud, our commitment to trust is amplified through elevated compliance controls tailored to public sector markets. Through standards like the FedRAMP High Impact Baseline and the Department of Defense Impact Level 4 Baseline, we build in the security controls needed to protect sensitive government data.
Earning a FedRAMP authorization for an IT system isn't easy. It's usually a year-long endeavor or more, requiring substantial engineering and financial resources to implement the required security controls, complete an audit with a Third-Party Assessment Organization (3PAO), and obtain an Authority to Operate (ATO) from the Authorizing Official (AO). As with all IT systems, maintaining the system's security posture is a constant cycle. FedRAMP requires the cloud service provider to maintain the authorized system's security posture on an ongoing basis through a process known as Continuous Monitoring.
What is Continuous Monitoring?
Continuous Monitoring is the process of actively monitoring a FedRAMP-authorized information system for security risk and posture. Not only are cloud service providers (CSPs), like Salesforce, required to monitor information systems for new and previously known vulnerabilities, but we must also track and remediate these vulnerabilities within a timeframe set by their severity. For example, "high" severity vulnerabilities must be remediated within 30 days of discovery (moderate and low findings have longer windows). In addition, we provide Plan of Action and Milestones (POA&M) reports to the 3PAO, which not only helps keep us in good standing with our auditors, but also informs our resolution strategy and our recommendations for avoiding similar issues going forward.
One defining characteristic of a Government Cloud environment is its authorization boundary: the perimeter that limits what may enter or leave the environment and who may access its contents. This boundary poses a challenge to cloud service providers monitoring these systems for vulnerabilities, because standard tools, like the ones used for classic Customer 360 offerings, have no access to or visibility into the environment. While it's relatively simple to set up scanning tools to operate inside the boundary, it is more difficult to track, report, and remediate their findings when those findings are considered sensitive and cannot be exported outside of the authorization boundary.
Salesforce developed a custom service called Louper to address the difficulties in monitoring inside an authorization boundary. Louper works by automating two primary continuous monitoring processes to increase the ability to track and remediate vulnerabilities. First, the service consumes vulnerability scan results within the environment. Louper inspects these reports to identify all discovered vulnerabilities, which are then referenced against a database of previously discovered vulnerabilities. If a new vulnerability is found, Louper notifies the appropriate team of the work needed to remediate the vulnerability.
Second, by keeping a historical record of all vulnerabilities within the system, Louper can automatically generate the POA&M report for the 3PAO. This report contains an itemized list of all vulnerabilities, which Louper maintains dynamically from the latest scan data. Because a POA&M report can contain thousands of entries, generating it automatically saves significant time and money compared with manual creation.
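The two processes described above (reconciling each scan against a history of known findings and notifying owners of anything new, then producing the itemized POA&M from that history) can be shown end to end in a small Python example. This is an added illustration, not Salesforce's Louper code, and the scanner record layout, asset names, check IDs, team ownership map and scan dates are all constructed for the example. The remediation windows are the FedRAMP continuous-monitoring deadlines (high 30, moderate 90, low 180 days from discovery); the example also handles two cases the workflow has to get right: a closed finding that reappears (reopened with a fresh clock) and a partial scan that must not close findings on assets it did not cover.

```python
"""Scan reconciliation and POA&M generation (added example, not Louper code).
Scanner record layout, asset names, check IDs, team map and dates are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# FedRAMP continuous-monitoring remediation windows, in days from discovery.
REMEDIATION_DAYS = {"high": 30, "moderate": 90, "low": 180}
# Which team owns which asset (constructed).
OWNERS = {"app-01": "app-team", "db-01": "dba-team", "web-01": "web-team"}
ALL_ASSETS = set(OWNERS)
Key = Tuple[str, str]  # (asset, scanner check ID) identifies one finding


@dataclass
class Finding:
    asset: str
    check_id: str
    severity: str
    title: str
    first_seen: date
    last_seen: date
    status: str = "open"  # "open" or "closed"
    closed_on: Optional[date] = None

    @property
    def due(self) -> date:
        """Scheduled completion: the FedRAMP window counted from discovery."""
        return self.first_seen + timedelta(days=REMEDIATION_DAYS[self.severity])


def ingest_scan(history: Dict[Key, Finding], results: List[dict], scan_day: date,
                scanned_assets: Optional[Set[str]] = None) -> List[Finding]:
    """Reconcile one scan export against the history; return findings needing a
    notification (never seen, or previously closed and now back). Open findings on
    a scanned asset that are absent from the results are marked closed. When
    scanned_assets is None the scan is assumed to cover every asset in history;
    pass the set explicitly for partial scans so unscanned assets are not closed."""
    if scanned_assets is None:
        scanned_assets = {f.asset for f in history.values()}
    present: Set[Key] = set()
    to_notify: List[Finding] = []
    for r in results:
        key = (r["asset"], r["check_id"])
        present.add(key)
        f = history.get(key)
        if f is None:
            f = Finding(r["asset"], r["check_id"], r["severity"].lower(),
                        r["title"], scan_day, scan_day)
            history[key] = f
            to_notify.append(f)
        elif f.status == "closed":
            # Recurrence of a closed item: reopen it with a fresh remediation clock.
            f.status, f.closed_on = "open", None
            f.first_seen = f.last_seen = scan_day
            to_notify.append(f)
        else:
            f.last_seen = scan_day
    for key, f in history.items():
        if f.status == "open" and f.asset in scanned_assets and key not in present:
            f.status, f.closed_on = "closed", scan_day
    return to_notify


def notifications(findings: List[Finding]) -> List[Tuple[str, str]]:
    """(team, message) pairs; assets with no owner route to a fallback queue."""
    return [(OWNERS.get(f.asset, "unassigned"),
             f"{f.severity.upper()} {f.check_id} on {f.asset}: {f.title}; due {f.due.isoformat()}")
            for f in findings]


def poam_rows(history: Dict[Key, Finding], as_of: date) -> List[dict]:
    """Itemized POA&M: open items first (earliest due first), closed items retained."""
    ordered = sorted(history.values(), key=lambda f: (f.status != "open", f.due))
    return [{"asset": f.asset, "weakness": f.title, "source_id": f.check_id,
             "severity": f.severity, "detected": f.first_seen.isoformat(),
             "scheduled_completion": f.due.isoformat(), "status": f.status,
             "closed_on": f.closed_on.isoformat() if f.closed_on else "",
             "overdue": f.status == "open" and as_of > f.due} for f in ordered]


# Three constructed scan exports, replayed in order.
SCAN_DAYS = [date(2024, 3, 1), date(2024, 3, 15), date(2024, 4, 5)]
SCANS = [
    [{"asset": "app-01", "check_id": "CHK-100", "severity": "High", "title": "Outdated TLS library"},
     {"asset": "db-01", "check_id": "CHK-200", "severity": "Moderate", "title": "Weak cipher enabled"},
     {"asset": "db-01", "check_id": "CHK-201", "severity": "Low", "title": "Banner discloses version"}],
    [{"asset": "app-01", "check_id": "CHK-100", "severity": "High", "title": "Outdated TLS library"},
     {"asset": "web-01", "check_id": "CHK-300", "severity": "Low", "title": "Missing security header"}],
    [{"asset": "app-01", "check_id": "CHK-100", "severity": "High", "title": "Outdated TLS library"},
     {"asset": "db-01", "check_id": "CHK-200", "severity": "Moderate", "title": "Weak cipher enabled"},
     {"asset": "web-01", "check_id": "CHK-300", "severity": "Low", "title": "Missing security header"}],
]


def run_demo():
    """Replay the scans; returns (history, notifications per scan, POA&M rows)."""
    history: Dict[Key, Finding] = {}
    notes = [notifications(ingest_scan(history, s, d, ALL_ASSETS))
             for s, d in zip(SCANS, SCAN_DAYS)]
    return history, notes, poam_rows(history, SCAN_DAYS[-1])


if __name__ == "__main__":
    _, notes, rows = run_demo()
    for i, batch in enumerate(notes, 1):
        for team, msg in batch:
            print(f"scan {i} -> {team}: {msg}")
    for row in rows:
        print(row)
```

Replaying the three scans, the first notifies three owners, the second only the web team (the two database findings vanish and are closed), and the third notifies the database team again because CHK-200 recurred after being closed, which restarts its 90-day clock. The POA&M keeps the closed CHK-201 row rather than dropping it, and flags the high finding from the first scan as overdue on the last scan date. Keying findings on (asset, check ID) is an assumption; real scanners differ in which identifier is stable across runs, and choosing the wrong one either double-counts or silently merges distinct weaknesses.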
It’s All About Trust
Continuous monitoring is just one of the ways we design security into our compliant cloud. This extension of Salesforce's robust company-wide security posture exists to serve our #1 company value, trust. With Salesforce Government Cloud Plus, our customers have access to industry-leading CRM, service, platform, analytics, public sector applications, and other industry solutions that help government customers and contractors achieve mission success and digital transformation across the industry.
To learn more about Salesforce Government Cloud offerings, contact a Government Solution Expert: 1-844-807-8829.