You may have heard that your organization should integrate security functions into the Salesforce DevOps cycle from beginning to end. But that idea sometimes meets with resistance from developers and managers, who assume that security concerns will slow down releases. Velocity is critical, but quality, privacy and security are equally important for modern enterprises. Just consider the business impact when companies like Facebook, Microsoft, Verizon and Twitter experience massive outages — as they all did on one day in July 2019. Security breaches involving customer data have led to fines as large as $123 million for Marriott and some $230 million for British Airways.
Ultimately, factors like security, privacy, uptime and customer experience are going to be the scorecards for enterprise cloud deployment. Every company implementing Salesforce needs a structured and disciplined delivery pipeline that strikes a balance between maintaining an operational governance structure and rolling out innovations into the marketplace more quickly — as fast as hourly or daily. At the end of the day, that means moving toward continuous delivery with automated testing, monitoring and backups.
Why You Need Tools to Secure Your Salesforce Investment
Salesforce is a powerful vehicle for digital transformation, but it doesn’t include a number of capabilities necessary for seamless DevOps. The platform does not have a built-in structured release process or source repository. It struggles with version control, constant code overrides and conflicting metadata. Whether customers have three or 300 sandboxes, they face the challenge of keeping the data and metadata they contain in sync. There’s no real way to prevent merge conflicts and no core compliance strategy. At the end of the day, Salesforce wasn’t designed to be a collaborative environment that gets developers, technical architects and administrators working together in a closed-loop DevOps process. A solution like Copado, a DevOps platform that is 100% native to Salesforce, is key for implementing secure DevOps at an enterprise scale.
Where is Your Company on its DevOps Journey?
Every Salesforce customer is at a different point on the path to successful DevOps. The important thing is to keep moving forward on your journey, with security as an integral priority. Here are some of the factors that determine where your company is on the path:
- How much did you customize your salesforce implementation? How many production or sandbox environments do you have?
- What was the original branch management strategy for your code, or did you lack one?
- How experienced is your Salesforce delivery team? Does it consist of a team of core developers, or is it a hybrid of developers, administrators and others? Is your team in-house or external?
- How closely is your enterprise security team working with the Salesforce team?
- What are you using to back up your data and metadata? Do you have a governance structure?
The Five Levels of DevSecOps Maturity
While every journey looks different, there are five main stages along the path to optimal DevSecOps. Regardless of where your company is, the key is to understand your current strengths and vulnerabilities and map the way forward. Here’s what defines each of the five phases from a governance and security standpoint and how to level up.
At the first stage, your company is focused on selecting, deploying and managing the metadata in your Salesforce implementation. Your team likely lacks a single source of truth for modifications, struggles to develop coherently across multiple teams and doesn’t fully understand the metadata it owns.
Companies at this level face serious security and governance challenges:
- No audit trail. You’re not tracking any of the development changes your users make in Salesforce.
- No compliance strategy. You lack proactive alerts for compliance violations and may not be blocking users. Many people with no business doing so have permission to access private data.
- No quality gates. Users aren’t required to meet quality benchmarks as they move through the development cycle.
- No backups. Without proper backups of data or metadata, it can take days or weeks for your Salesforce production environment to recover after an outage, causing massive losses.
Getting to the next stage involves implementing a core audit trail, basic compliance and security testing and ad hoc backups.
Level 2: Version Control
About half of Salesforce customers find themselves at this stage. They’ve started to establish basic version control, compliance review and backups, but tasks remain manual and ad hoc. The team still lacks a structured, secure process to identify issues before they become security concerns.
Key security challenges persist in this phase:
1. Audit trail is not reportable. You have an audit trail in your Git repository, but it’s not reportable as it’s not available within Salesforce itself.
2. Manual compliance reviews. Reviews are not automatically initiated, so there’s room for error.
3. Ad hoc testing and validation. Without automation, problems can slip through the cracks.
4. Ad hoc backups. Backup intervals are left up to human operators, meaning there are no guarantees you’ll have what you need if an outage occurs.
Leveling up from here involves establishing a reportable audit trail in Salesforce, automating compliance gates and weekly backups and creating a plan for testing throughout the development process.
Level 3: Agile Releases
This is the stage that most Salesforce enterprise customers are aiming for today. It involves tying releases to an agile planning tool and to user stories that become a plan of record for changes implemented throughout the development pipeline. Agile releases align your company’s business goals with its Salesforce implementation objectives and security strategy.
While this level represents a solid foundation, some security and governance gaps remain:
1. Audit history reports are ad hoc. Automation is still lacking.
2. No compliance monitoring. Compliance checks are not automated.
3. Manual test plans and code review. Testing remains an inefficient, manual process with room for error.
4. Weekly backups are insufficient. Losing up to seven days of data and metadata is unacceptable for most enterprises.
Getting to the next level involves introducing automation to enable compliance and security to keep up with near real-time releases.
Level 4: Intelligent Automation
At this level, you’re moving quickly and have automated security and quality checks in key parts of the development pipeline. However, you still have manual steps in the process that can introduce security gaps.
This stage is a great place to be, but there’s room for improvement:
- Automation doesn’t extend to production. A number of manual steps and verification points exist before changes are released in Salesforce.
- No automated regression testing. The process of making sure recent code changes haven’t conflicted with existing features throughout the whole pipeline is still manual.
- Daily back-ups are not sufficient for real-time change. For companies with many thousands of users and multiple organizations around the world, losing even eight hours of work can have major repercussions.
Automating the entire DevOps process, from planning through release and monitoring, is what distinguishes continuous integration from true continuous delivery.
Level 5: Continuous Delivery
This is nirvana when it comes to DevSecOps. True CI/CD means delivering new capabilities to the market securely at a daily or even hourly rate. Today, fewer than 5% of Salesforce enterprises customers have achieved this level, but over the next few years, we predict one-third will catch up. This stage includes continuous and automated compliance monitoring, continuous regression testing and a near real-time ability to recover, with incremental backups every few minutes or hours. Ultimately, reaching this level will be the measure of whether your company’s Salesforce implementation is competitive in the market.
How Copado Can Help
For Salesforce customers looking to progress on the path to DevSecOps nirvana, Copado offers an enterprise-scale solution completely native to the platform. Copado’s products provide everything you need to optimize and automate the DevOps process, whether that means leveling up from where you are today or eventually achieving CI/CD. If you’re in the early stages of implementation, Copado can get you to the phase of agile releases. That involves setting up an audit trail within Salesforce, defining an order of operations for developers and administrators to follow while testing changes and deploying them upstream and setting up scheduled daily or weekly backups. The user story becomes the plan of record for all changes in the development strategy and all metadata that needs to be tested, tracked and audited. For those moving to advanced levels, Copado can automate testing, quality gateways, monitoring and backups to allow for true continuous delivery. Ultimately, companies that want to compete at the highest level in creating modern digital experiences must have security and compliance move at the speed of innovation?
Want more information? Contact us for a demo.