How much data are companies willing to let outside their firewall? (Or, does AppExchange violate SOX compliance?)

I’m watching SalesForce’s AppExchange platform with interest.  What I’m really curious to know is how many of their large (publicly-traded) customers are using these apps for their sensitive data.  And by "sensitive data", I mean something that they could get dinged for in a Sarbanes-Oxley audit.

I’m mostly keeping an eye on AppExchange for this because SalesForce.com is by far the most successful ASP with the biggest percentage of publicly traded customers.  From my knowledge of SOX, just holding sales information isn’t much of a risk.  If someone manages to hack into your SalesForce account somehow and get a lead’s contact information, you’re not exposed to much liability.  However, these AppExchange applications branch out into dozens of different areas, and at first blush here’s a list of information they contain that could potentially violate a SOX audit if it isn’t secured properly:

For that matter, are these services (or SalesForce itself) logging security events in a way that can be monitored by a company’s Security Officer?  That’s usually a SOX requirement as well, and I haven’t been able to find anything that addresses it yet.

Now, this probably isn’t an issue for smaller companies that aren’t subject to SOX (although it’s certainly something they should be thinking about, especially if they ever hope to partner with any publicly traded companies).  However, proper handling of this data, and adherence to best practices and SOX-compliant processes, should be of a lot of interest to bigger companies.  If one of these AppExchange products isn’t written properly and leaks out sensitive data, it could mean jail time for a CFO.  Is there anything to prevent an AppExchange app from publishing an RSS feed of people’s Social Security Numbers?

Just a thought.  But what I’m curious to see is how much data large companies are going to allow to live outside their firewall.  They don’t control what happens at SalesForce, and their butts are on the line, not SalesForce’s.  I can’t say I’d be comfortable with that idea, especially when SalesForce is allowing these third party apps to access its data.  Even if the companies making these apps don’t have access to the data, the apps themselves do, and it’s pretty darn easy to sign up for them once you’re a customer of SalesForce; they practically push them on you.

How far can the ASP model go inside the enterprise?  I have to imagine at some point the CIO has to insist that the data reside in the company’s data center so that they can actually control security.  Not to mention that with ASPs smaller than SalesForce there’s a lot of due diligence that has to be done to ensure that the company has adequate perimeter security, physical security, etc., in place.  In fact I did an entire post on security requirements a while back (from my days as an IT Director), and there are a lot of them that need to be considered before using an ASP.

I’ve personally seen and worked with several small companies that violate these principles left and right, but yet partner with publicly traded companies and handle their sensitive data every day.  In my opinion it’s just a matter of time before one of these companies is compromised and the credit card transactions for a publicly traded company are obtained, and the whole thing comes crashing down.
