Gen AI tools increase efficiency, provide insights, and offer recommendations, but with those capabilities comes increased risk.
Salesforce Einstein Copilot is a powerful conversational AI assistant integrated into the CRM’s platform, designed to enhance productivity by automating tasks. However, many Salesforce users don’t realize their role in protecting their org’s sensitive data.
Salesforce Ben Technical Instructor Andrew Cook and Varonis Field CTO Brian Vecci recently held a session on tips for preparing for a Copilot rollout. They discussed how to lock down data the AI tool shouldn’t access and explained why security is every user’s responsibility.
Salesforce’s shared responsibility model
While Salesforce is responsible for securing the SaaS app’s infrastructure, platform, and services, the security of the information stored within the CRM tool lies squarely on the user’s shoulders.
Salesforce’s shared responsibility model states that although Einstein Copilot securely processes and does not retain data, customers are responsible for the data itself, its permissions, and its usage.
“Copilot has no way to know who and what is supposed to have access to what data,” Brian said. “So customers must ensure Copilot is used responsibly.”
Using the shared responsibility model to understand which security aspects an organization is responsible for and which fall under the SaaS application’s domain can help security teams mitigate risks and protect sensitive information.
You can see a traditional breakdown of the shared responsibility outlined below, which several cloud providers such as Salesforce, AWS, and Microsoft adhere to at their organizations.
A traditional shared responsibility model.
Einstein Copilot security challenges
Copilot can make a Salesforce user’s life much easier but can also be an insider threat’s best friend, Brian said.
The AI tool can help users quickly find C-level contacts for revenue accounts, identify sensitive PII data, and easily determine the highest and lowest-paying customers.
“All of these actions are potentially dangerous,” Brian said. “But if you’re doing a good job with preventative controls, making sure that people and applications only have access to what they’re supposed to, and are monitoring how data is being accessed and when there’s potentially malicious access, then everything should be locked down.”
However, Brian said that employees often have more access to data than they need, and sensitive data may be hidden in unexpected places.
Preparing your organization for Einstein Copilot
With complex roles, permission sets, and org-wide configurations, it’s virtually impossible to see which users can do the most damage in Salesforce.
To protect your org before, during, and after a copilot deployment, Brian recommends locking down permissions, ensuring proper data handling through training and guardrails, and identifying sensitive data that AI shouldn’t have access to.
Protect your sensitive Salesforce data with Varonis.
Varonis gives you a complete view of effective access for every Salesforce user, allowing you to easily right-size permissions and get to a least privilege model. Ensure compliance by only allowing people to access the data they need to do their jobs.
Varonis for Salesforce also gives you the power to locate and control hard-to-find regulated data across all your Salesforce instances. Whether it’s stored in records and fields or files and attachments, we’ll find, surface, and protect it.
“You’ll be able to automatically visualize where you have exposures and where you have risk,” Brian said. “You’ll be able to automatically lock everything down.”
Watch the entire discussion to see how Salesforce Einstein Copilot can help your org and learn more about your role in securing data.
