Data Loss Protection and Your CRM System

Information Leak Prevention (also known as Data Loss Protection) is a fairly well-established area for security software, but most of the marketing noise is about protecting financial system data from unauthorized access or transmission. Why is this functionality so important for a CRM system?


Let's move on to more systemic ILP issues in CRM. Because true CRM systems are integrated with several other company data assets, you need to look at the big picture to understand your exposure. CRM-native data may leak out of your Accounting, Order Entry, or e-commerce systems. CRM data may also be pushed into your customer support or warehouse/distribution software. These external systems are not likely to have the same security model as your CRM system, so your analysts will need to look carefully for loopholes and back doors.

Of course, the reverse is also true: integration servers may push significant amounts of customer data into your CRM system from other parts of your enterprise. The highest visibility issues will relate to customer financials: social security numbers, health account numbers, bank account records, and credit card information. Although there are some good arguments for having these available in the CRM system, we always counsel our clients to avoid actually storing any sensitive customer financial data in the CRM database.

For almost any company (even in financial services), the system of record for the customer's financial data is in or near the accounting system. There's no reason to duplicate all of it in the CRM system, thereby triggering a PCI compliance audit.


Further, if you have customers in the European Union, special protections for personal and sensitive information are legally required. Instead of storing sensitive data in the CRM system, the data should be pulled from the system of record only when specifically needed to populate a screen, and held only in volatile memory. Data obfuscation strategies (such as fragmenting a row across several tables and linking them with hash keys) can also provide a line of defense.
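The fragmentation approach above, as an added example that is not part of the original article: each sensitive field lives in its own table with no customer id or foreign key, the only join is a keyed hash (HMAC, assumed here for the article's "hash keys") computed from a secret held outside the database, and the record is reassembled in memory only when a screen asks for it. The secret, table names and customer record are constructed for the example.

```python
import hashlib
import hmac
import sqlite3

# Constructed secret for the example; in practice it lives in a key manager,
# never in the CRM database alongside the fragments it links.
LINK_SECRET = b"example-only-link-secret"

# One table per sensitive field (assumed names).
FRAGMENTS = ("bank_account", "tax_id")


def link_key(customer_id: str, fragment: str) -> str:
    """Keyed hash that ties a customer to one fragment. Without LINK_SECRET a
    dump of the fragment tables cannot be joined to each other or to a customer."""
    msg = f"{customer_id}:{fragment}".encode()
    return hmac.new(LINK_SECRET, msg, hashlib.sha256).hexdigest()


def create_schema(conn: sqlite3.Connection) -> None:
    # No customer id column and no foreign key: the link is only derivable with the secret.
    for frag in FRAGMENTS:
        conn.execute(f"CREATE TABLE frag_{frag} (link_key TEXT PRIMARY KEY, value TEXT NOT NULL)")


def store_fragmented(conn: sqlite3.Connection, customer_id: str, record: dict) -> None:
    """Scatter one logical row across the fragment tables."""
    for frag in FRAGMENTS:
        conn.execute(f"INSERT INTO frag_{frag} VALUES (?, ?)",
                     (link_key(customer_id, frag), record[frag]))
    conn.commit()


def fetch_for_screen(conn: sqlite3.Connection, customer_id: str):
    """Reassemble on demand; the result is a transient dict, nothing is written back."""
    out = {}
    for frag in FRAGMENTS:
        row = conn.execute(f"SELECT value FROM frag_{frag} WHERE link_key = ?",
                           (link_key(customer_id, frag),)).fetchone()
        if row is None:
            return None  # missing fragment: treat the record as unavailable, not partial
        out[frag] = row[0]
    return out


def stored_keys(conn: sqlite3.Connection) -> set:
    """Defender's check: every fragment table should expose a different opaque key,
    so no single value lets an attacker correlate rows across tables."""
    keys = set()
    for frag in FRAGMENTS:
        keys.update(k for (k,) in conn.execute(f"SELECT link_key FROM frag_{frag}"))
    return keys
```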

Finally, you'll need to enact a series of ILP/CRM policies and procedures, such as:

• Reducing the number of people with system administrator privileges.

• Creating rules for locking down data (both for editing and access).

• Developing a policy and process for at-risk or soon-to-be-terminated employees.

• Turning off API access to the database for almost all users.

• Dramatically limiting the use of connectors to Office, Outlook, Excel, Google, or other contact managers, as well as any mass import/export tools.

David Taber is the author of the new Prentice Hall book, "Salesforce.com Secrets of Success" and is the CEO of SalesLogistix, a certified Salesforce.com consultancy focused on business process improvement through use of CRM systems. SalesLogistix clients are in North America, Europe, Israel, and India, and David has over 25 years' experience in high tech, including 10 years at the VP level or above.


Copyright © 2009 IDG Communications, Inc.
