Get Started with Secret Protection

Learning Objectives

After completing this unit, you’ll be able to:

  • Explain what application secrets are.
  • Explain who we need to keep application secrets from.
  • List three risks of exposing application secrets to Salesforce admins.

Introduction to Application Secrets Protection

Virtually every application handles sensitive data of one kind or another. Whether it’s the password a user enters to authenticate to the application or an encryption key that protects data at rest, these are called application secrets. If attackers or malicious users get access to the secret, they can use it to access confidential information or systems. 

How to secure secrets is important for developers to consider on any platform, including Salesforce. In this module, you learn how to identify secrets in your applications and how to determine which is the most effective method for storing and protecting those secrets.

What Are Secrets?

We’ve been discussing the term secrets, but what do we mean? In this module, when we refer to secrets, we mean data that can be used to verify what privileges a user has in a given situation. 

Here are some common examples.

  • Passwords and passphrases
  • Encryption keys
  • OAuth tokens
  • Payment information, such as credit card numbers and PINs used to authenticate a payment transaction
  • Social Security numbers, which can be used to verify individual identity

In addition to these examples, your business can consider other forms of data as secret and subject to additional protection. For example, you can be under a regulatory requirement to encrypt some types of user data.

[Image: Laptop opened to a login page. In a callout circle, a hand presses a key icon on a phone to effect 2FA login.]

Who Are We Protecting Secrets From?

Now that we know what we need to protect, let’s talk about who we’re protecting this information from. Maybe you’re imagining an attacker. We definitely want to safeguard sensitive data from external attackers who try to break into your Salesforce instance. But let’s also consider the risks of exposing secrets to other users, including Salesforce admins, AppExchange developers, and customers. 

Consider the following scenarios.

  1. A user accidentally downloads malware and their Salesforce session is compromised.
  2. A disgruntled employee who was recently laid off still has access to their company's systems.
  3. A Communities user discovers they have privileged API access.

In each of these scenarios, an improperly protected secret can become visible to someone who should not have access to it. For these reasons, it’s a good idea to protect secrets from different types of users, including:

  • Standard users: Users with normal Salesforce licenses and average permissions
  • External users: Users with reduced permissions, potentially using a Communities license or viewing data through a Force.com site
  • Administrator users with administrative access: Users with normal Salesforce licenses but above-average permissions, up to Modify All Data

Keep in mind that not every secret needs to be protected from every type of user. The goal of this module is to give you tools to protect application secrets so that even the most sensitive piece of data can be safely stored in Salesforce. 

Why Protect Secrets from Admins?

Admins are in positions of greater trust than other users because they have a higher level of access to the system. Remember the principle of least privilege? We want to take care to grant only the bare minimum of privileges that a user, program, or process needs to perform their assigned function. Granting admins access to additional items like encryption keys can seem harmless, but here are some things to consider. 

  • If a stored secret is the password to an external service, the Salesforce admin might not be authorized to access the service directly. So to protect that service, you’d want to make sure they don’t have authorization.
  • The stored secret can be an encryption key that no user, including the admin, can access. And so, again, you’d want to make sure that an admin can’t access it.
  • Even if an admin can’t see the secret, an attacker can try to get the secret by compromising the admin’s account.

Just because someone can access something doesn’t mean it’s a good idea!

Now that you know how important it is to secure secrets, you can determine the most effective method for storing and protecting them as you complete your application development. Next, we look at how to use the Salesforce Platform security features.
