WithSecure™ Cloud Protection for Salesforce
Public services run on Salesforce. So do attackers.
Governments built open portals because citizens need frictionless access to services. Attackers noticed.
They don’t breach your perimeter. They submit a PDF. They paste a link. They upload a document. Your teams open it, your Salesforce processes it, and nothing inspects it on the way in.
That’s your new reality.

DC Health. The State of Vermont. These weren’t hypothetical. What’s protecting your agency?
Government bodies face an attack surface that is structurally different from the private sector. You cannot ask citizens to prove legitimacy before you accept their content. Your portals are open by design, your intake volumes are high, and the data you hold is among the most sensitive that exists.
Most public sector Salesforce environments were configured by service teams, not security teams. Guest-user permissions, external portal access, and third-party integrations create a combination of exposure that Salesforce’s native controls were never designed to address.
- 700% increase in malicious Salesforce activity in 2025
- 98% of all detected threats are URL-based
- 100% of documented exposure events involved open portal configurations

Get the Salesforce Threat Landscape Report 2026
Our 2026 Salesforce Threat Landscape, and the numbers within it, proves that the public sector cannot afford to assume the platform protects it.
Trusted by enterprises worldwide
Rolls-Royce & Partners Finance
“We know all files and links accessed by users are scanned for threats immediately and are safe. This achieves both compliance and peace of mind.”

Osaka Prefectural Govt.
“We rate it highly because security is ensured and both citizens and personnel can use the system without being conscious of CPSF. It has been operated without any major problems, and approximately 480,000 infections have been registered.”
Shinji Teraoka, Senior Manager
AXA Group Operations
“WithSecure Cloud Protection’s solution runs quietly in the background. It doesn’t get in the way, but it gives us the assurance that everything passing through Salesforce is safe.”
Xavier Léon, Head of Reinsurance Business Applications





This is what it looks like when a government portal becomes the breach vector
Each of these incidents is documented. Each involved a public sector Salesforce environment. None required a sophisticated attack.
DC Health (2023)
DC Health operated five Salesforce Community sites with guest-user misconfigurations that exposed sensitive constituent data without authentication.
State of Vermont (2023)
A Pandemic Unemployment Assistance portal exposed names, addresses, phone numbers, email addresses, Social Security Numbers, and bank account details.
Experience Cloud targeted campaign (2026)
Salesforce issued an advisory about an active campaign targeting overly permissive guest-user configurations on public-facing Experience Cloud sites.
Salesforce wasn’t built for the threat model public sector faces
The assumption that open-by-design portals are someone else’s security problem
Public sector portals accept submissions from everyone. There is no friction by design, and that’s what makes them accessible. But accepting content from anyone, at scale, without inspection is exactly the condition attackers look for. Salesforce has no native way to assess whether the document a citizen just uploaded is safe.

The misconfiguration problem runs deep
Incidents are not caused by sophisticated exploits. They are caused by guest-user settings that are configured by non-security staff and invisible to standard monitoring. Salesforce has no native tooling to surface these risks continuously.

Credential and identity risk is hidden
Public sector Salesforce environments are high-value targets for credential-based access. Staff often manage multiple accounts across citizen-facing and internal systems. Compromised credentials, OAuth token abuse, and lateral movement inside Salesforce are invisible to native controls, and go undetected until the damage is done.

Every service you put online creates a new path in
These are not edge cases. They are your core delivery channels:
- Constituent case management and complaints. Citizens and advocates upload supporting documents directly into Salesforce cases. Any one of those files could carry malware your caseworkers will open.
- Benefits and social programme applications. Applicants submit personal documents from home devices, public computers, and mobile connections. The files arrive without inspection. Your staff process them.
- Licensing, permitting, and inspection workflows. Businesses upload compliance documents and supporting materials. Third-party contractors and agents submit files that bypass your endpoint controls entirely.
- Grants intake and lifecycle management. Applicants, partner organisations, and delivery bodies share files and exchange links inside Salesforce communities. No URL scanning. No content inspection.
- Investigative case management. Caseworkers open attachments submitted by members of the public — often under time pressure, with no indication the content has been checked.
- Emergency programme management. High-volume, urgent workflows during crisis periods are a prime opportunity: submission volumes spike, scrutiny drops, and the pressure to process quickly creates exactly the conditions attackers exploit.
- Health and public health workflows. Clinical and public health data submitted through Salesforce portals is among the most sensitive your organisation holds — and among the least protected at the content level.
- Agentforce processing citizen submissions. Where AI agents handle or triage citizen-submitted content, they act on whatever they receive. There is no native inspection of what that content contains before they process it.
The missing security layer for modern Salesforce threats
Stop malicious files, URL-based attacks, identity abuse, and AI-agent risks in real time — before they disrupt your business continuity. Trusted by Fortune 500 companies and governments around the world.
For the public sector, compliance is only half the picture
A data breach at a government agency is not just a regulatory matter. It is a public accountability matter. It becomes a news story, a freedom of information request, a parliamentary question. The constituents affected did not choose to share their data with you; they had to. That changes the nature of the obligation.
Here is how specific regulatory requirements map to the Salesforce risk picture, and what Cloud Protection does about each one.
United States
FedRAMP / FISMA / NIST SP 800-53
Requirement: Federal agencies and contractors must align cloud deployments to FedRAMP authorizations and FISMA-mandated controls, including continuous monitoring, access control, and incident response. Mission-specific authorizations such as FedRAMP High, IRS 1075, and DoD Impact Levels apply where relevant.
Salesforce risk: Files and URLs flowing through Salesforce workflows — including citizen-submitted content — sit outside the scope of most FedRAMP-aligned architectures. They enter the environment uninspected and are processed by staff who have no way of knowing they are safe.
How we help: Provides the real-time scanning and audit logging required to bring Salesforce content handling inside the boundary of FedRAMP continuous monitoring and NIST SP 800-53 control requirements.
IRS Publication 1075 / FTI Safeguards
Requirement: Where Salesforce workflows handle federal tax information (FTI), IRS Publication 1075 requires strict controls over access, incident detection, and reporting.
Salesforce risk: FTI submitted through Salesforce intake forms or stored in cases is not natively inspected for threats. A compromise carries severe reporting and remediation obligations.
How we help: Adds the content inspection and identity monitoring required for Salesforce environments processing FTI, with real-time alerting to support Safeguards incident reporting timelines.
CJIS Security Policy
Requirement: Agencies handling criminal justice information through Salesforce must comply with the FBI’s CJIS Security Policy, including access control, audit, and incident response.
Salesforce risk: External-facing case management and portal workflows that touch criminal justice information create access and content risks that Salesforce’s native controls do not address.
How we help: Provides identity monitoring and content inspection to support CJIS access control and audit requirements within Salesforce environments.
Canada
GC PBMM Profile / Cloud Guardrails / GC Cloud Security Risk Management
Requirement: Government of Canada cloud deployments must align to the Protected B, Medium Integrity, Medium Availability (PBMM) cloud profile and satisfy GC Cloud Guardrails, including continuous monitoring, incident management, and protection of sensitive workloads.
Salesforce risk: Sensitive constituent data — including benefits, health, and case information — processed through public-facing Salesforce portals is not inspected for threats that could result in unauthorised access or disclosure.
How we help: Adds the content inspection and monitoring capability required for Salesforce environments processing Protected B information, supporting GC Guardrail requirements and incident management obligations.
Australia
PSPF / ASD ISM / Essential Eight / IRAP
Requirement: Australian government entities must implement controls aligned to the PSPF, ASD’s Information Security Manual, and the Essential Eight. IRAP assessments are the primary assurance mechanism for government cloud services; Salesforce completed a 2025 IRAP assessment against PROTECTED-level controls.
Salesforce risk: An IRAP assessment covers the platform. It does not cover the content flowing through it. Files and URLs submitted by citizens and providers through public-facing portals are not inspected by default — and the ISM’s malicious code prevention and web content filtering controls apply directly to this gap.
How we help: Provides the malicious code prevention and URL filtering capability the ISM requires, supporting IRAP evidence and Essential Eight maturity across Salesforce environments holding PROTECTED-level information.
Europe
GDPR / NIS2
Requirement: NIS2 explicitly reaches public administration at central and regional levels, requiring proportionate risk management, supply chain security, and incident reporting within 24 hours of detection.
Salesforce risk: For most EU public bodies, Salesforce is a critical information system. Citizens submit content through it constantly. That content is an uninspected ICT risk channel that most organisations have not formally addressed under NIS2.
How we help: Reduces ICT risk within Salesforce workflows, supports supply chain risk obligations by inspecting third-party submitted content, and provides the detection capability that NIS2 reporting timelines demand.
Japan & New Zealand
Japan ISMAP / New Zealand PSR / NZISM
Requirement: ISMAP pre-assesses cloud services for Japanese government procurement. New Zealand agencies operate within the Protective Security Requirements and NZISM to protect government information and systems.
Salesforce risk: Platform-level assurance does not extend to content security. Files and URLs submitted by citizens and providers through Salesforce portals fall outside the platform assessment scope and must be addressed by the agency.
How we help: Provides the content inspection and incident detection layer that ISMAP and NZISM control requirements expect for government information systems processing external-origin content.
United Kingdom
GDPR / Data Protection Act 2018 / NCSC CAF
Requirement: UK public bodies must protect personal data, detect breaches promptly, and report to the ICO within 72 hours. The NCSC CAF requires proportionate security controls, incident detection capability, and supply chain risk management.
Salesforce risk: A misconfigured portal or malicious file submitted through a Salesforce community site can expose constituent data without any native alerting. By the time it is discovered, the 72-hour notification window may already have passed.
How we help: Real-time threat detection and audit visibility inside Salesforce means you know immediately when something requires investigation — giving your team what it needs to meet ICO notification obligations accurately and on time.
We are committed to high compliance
We provide all the necessary certificates and information to reassure you and your stakeholders. Find more details in our Trust Center.

ISAE 3000 Type 2
WithSecure™ Cloud Protection for Salesforce has an ISAE 3000 Type 2 (international equivalent of SOC2 Type 2) assurance report, ensuring your data is managed securely.

ISO 27001
WithSecure™ is ISO 27001 certified, validating our rigorous data security practices. This prestigious certification confirms our adherence to the highest information standards.

EU GDPR
WithSecure™ helps organizations adhere to General Data Protection Regulation (GDPR) requirements, ensuring the secure handling of European citizens’ personal data.

SecurityScorecard
WithSecure™ holds the highest cyber security vendor ranking from SecurityScorecard, which evaluates companies on 10 key security factors, including remediation speed and risk mitigation.
Get a Free Demo
THE #1 SALESFORCE MALWARE PROTECTION SOLUTION
Fill in the form and get:
- Free 15-day trial – test the product without limitations
- Real attack simulation and product demo
- Free customized and actionable risk assessment
