Cloudmersive Private Cloud Storage Protection - Salesforce Service Cloud Configuration and Best Practices

Overview

Cloudmersive Private Cloud Storage Protection allows you to apply security policies to all of the files in your Service Desk and CRM systems, including Salesforce Service Cloud. Use these policies to block viruses, malware and other threats at the storage tier automatically, in real time, and with no code. In addition to scanning for viruses and malware, Cloudmersive can also scan for PII/PCI/PHI, NSFW Content Moderation, Spam, Phishing and Fraud.

General Approach

In general, the Cloudmersive Private Cloud Storage Protection system integrates with your Salesforce Service Cloud instance to get notified when new tickets (cases), messages and attachments are created/updated, and then responds to take action when needed.

The integration involves two main steps: first, you will input your Salesforce API credentials into Cloudmersive so that Cloudmersive can access and take action on files in your Salesforce environment. Second, you will configure Salesforce to send webhook notifications to the Cloudmersive endpoint when new cases, messages and/or attachments are created.

To provision the Cloudmersive Private Cloud Storage Protection system, talk to your Cloudmersive account representative.

Preliminary Planning

Before beginning the install, you will need to decide if you want to use Cloudmersive Storage Protection running in a Managed Instance or in a Private Cloud self-managed deployment.

If you wish to use a Managed Instance, talk to your Cloudmersive representative to provision the needed instance in the data center region(s) of your choice. Once deployed, proceed to step 1.

If you wish to use a Private Cloud self-managed install, talk to your Cloudmersive representative to provision the needed licenses into your account. Then, perform the Private Cloud installation of those services (or if it is an existing installation, perform the Update operation). Once ready, proceed to Step 1.

Storage Protection licenses also need to be added to your account; talk to your Cloudmersive representative to add these licenses.

Step 1 - Create the Cloud Connection

First, we need to create a secure Cloud Connection in your Cloudmersive Account portal to your Salesforce Service Cloud instance.

Navigate to your Cloudmersive Portal and click on Cloud Storage Protection. Click on Add Connection.

Under Connection Name, give your connection a meaningful name so that you can track this connection among others. Under Infrastructure, select which Cloudmersive infrastructure you would like to use; you can use a Cloudmersive Private Cloud endpoint or a Cloudmersive Managed Instance.

Under Cloud Storage Type, select Salesforce Service Cloud. Now fill in your Salesforce API credentials, including your Salesforce Instance URL, Client ID, and Client Secret from a Salesforce Connected App. Be sure these are accurate and correct, and no stray characters such as spaces are introduced. This information will be securely stored encrypted in a Hardware Security Module. You will not be able to view these settings later for security reasons, so ensure that the information is correct at this stage.

Under Outcome Actions, select what you would like to have happen when Clean or Infected files are found. Note that you can change these settings later.

Outcome Actions

Here for clean files - that is files with no infections, you can select from "No Action" which will take no action for the clean file, "Add Tag to Clean Files" which will create a tag called VirusScanResult and set its value to Clean, or "Copy File and Add Tag to Clean Files" which will copy the given file into the specified destination Cloud Connection, and apply the Clean tag, or Move which will move the specified file into the destination Cloud Connection (copy to destination and delete from source location).

Here for infected files - that is files with threats/infections, you can select from "Add Tag to Infected Files" which will create a tag called VirusScanResult and set its value to Infected, Delete Infected Files which will delete the original file (recommended), or "Copy File and Add Tag to Infected Files" which will copy the given file into the specified destination Cloud Connection, and apply the Infected tag, or Move which will move the specified file into the destination Cloud Connection (copy to destination and delete from source location).

When ready, click on Create Connection.

Step 2 - Connect Salesforce Service Cloud to Cloudmersive

Now, from the list of Cloud Connections click on Manage next to the one you just created.

Under API Keys click on Add API Key and select the API key you wish to use. This step is mandatory; if you do not complete it, scanning will produce unauthorized errors.

Next, you need to configure Salesforce to send webhook notifications to Cloudmersive when new cases, messages and/or attachments are created. The Manage screen will provide you with the Cloudmersive endpoint URL to use. There are two options for configuring these notifications: Outbound Messages via Workflow Rules, or HTTP Callouts via Salesforce Flow.

Option A - Outbound Messages via Workflow Rules

This option uses Salesforce Workflow Rules with Outbound Message actions to notify Cloudmersive. This is the simpler approach and does not require any Apex code.

Step 2A.1 - Add Cloudmersive Endpoint to Remote Site Settings

Before creating any outbound messages, you must allow Salesforce to communicate with the Cloudmersive endpoint. In Salesforce Setup, navigate to Security > Remote Site Settings. Click New Remote Site. Enter a name (e.g. "Cloudmersive"), and paste the Cloudmersive endpoint URL from the Manage screen of your Cloud Connection. Ensure Active is checked, and click Save.

Step 2A.2 - Create Outbound Message for New Cases

In Salesforce Setup, navigate to Process Automation > Workflow Actions > Outbound Messages. Click New Outbound Message. Select the Case object and click Next. Enter a name (e.g. "Cloudmersive Case Notification"), and set the Endpoint URL to the Cloudmersive endpoint URL from the Manage screen. Select the fields you want to send (at minimum, the Case ID). Click Save.

Step 2A.3 - Create Outbound Message for New Email Messages

Repeat the process above, but select the EmailMessage object instead of Case. Enter a name (e.g. "Cloudmersive EmailMessage Notification"), set the same Cloudmersive endpoint URL, and select the relevant fields (at minimum, the EmailMessage ID and Parent ID). Click Save.

Step 2A.4 - Create Outbound Message for New Attachments

Repeat the process again, but select the Attachment or ContentDocument object. Enter a name (e.g. "Cloudmersive Attachment Notification"), set the same Cloudmersive endpoint URL, and select the relevant fields (at minimum, the Attachment ID and Parent ID). Click Save.

Step 2A.5 - Create Workflow Rules

In Salesforce Setup, navigate to Process Automation > Workflow Rules. Create a new Workflow Rule for each object (Case, EmailMessage, and Attachment/ContentDocument):

  1. Click New Rule and select the object (e.g. Case).
  2. Enter a rule name (e.g. "Notify Cloudmersive on New Case").
  3. Set the evaluation criteria to "created".
  4. Set the rule criteria to match all records (e.g. "criteria are met" with Case: ID not equal to null), or configure specific criteria if you only want to scan certain cases.
  5. Click Save & Next.
  6. Under Immediate Workflow Actions, click Add Workflow Action > Select Existing Action > Outbound Message, and select the corresponding Outbound Message you created above.
  7. Click Save and then click Activate to enable the rule.

Repeat for EmailMessage and Attachment/ContentDocument objects.

Option B - HTTP Callouts via Salesforce Flow

This option uses Salesforce Flow to make HTTP callout notifications to Cloudmersive. This approach provides more flexibility and is the recommended approach for organizations using Salesforce's newer automation framework.

Step 2B.1 - Add Cloudmersive Endpoint to Remote Site Settings

Before creating any Flows, you must allow Salesforce to communicate with the Cloudmersive endpoint. In Salesforce Setup, navigate to Security > Remote Site Settings. Click New Remote Site. Enter a name (e.g. "Cloudmersive"), and paste the Cloudmersive endpoint URL from the Manage screen of your Cloud Connection. Ensure Active is checked, and click Save.

Step 2B.2 - Create an External Service or Named Credential (Optional)

For cleaner configuration, you can create a Named Credential in Salesforce Setup under Security > Named Credentials. Set the URL to your Cloudmersive endpoint URL and configure the authentication settings as needed. This allows your Flows to reference the Named Credential rather than hard-coding the endpoint URL.

Step 2B.3 - Create a Record-Triggered Flow for New Cases

In Salesforce Setup, navigate to Process Automation > Flows and click New Flow. Select Record-Triggered Flow and click Create.

  1. Set the Object to Case.
  2. Set the trigger to "A record is created".
  3. Optionally add entry conditions to filter which cases trigger scanning.
  4. Select "Actions and Related Records" for the optimized path.
  5. Add an Action element of type "HTTP Callout".
  6. Set the URL to the Cloudmersive endpoint URL from the Manage screen of your Cloud Connection.
  7. Set the Method to POST.
  8. In the request body, include the Case ID and any other relevant fields.
  9. Save and Activate the Flow.

Step 2B.4 - Create a Record-Triggered Flow for New Email Messages

Create another Record-Triggered Flow using the same steps above, but set the Object to EmailMessage. Configure the trigger for "A record is created" and include the EmailMessage ID and Parent ID in the request body. Save and Activate the Flow.

Step 2B.5 - Create a Record-Triggered Flow for New Attachments

Create another Record-Triggered Flow using the same steps above, but set the Object to ContentDocument or Attachment. Configure the trigger for "A record is created" and include the record ID and Parent ID in the request body. Save and Activate the Flow.

When using the Cloudmersive endpoint URL, ensure that if it is IP-address-based, that the correct IP address is used.

Once configured, Salesforce will automatically notify Cloudmersive whenever new cases, messages or attachments are created, and Cloudmersive will scan and take the configured action on the content or any associated files.