Salesforce is a highly secure platform, but there are still security best practices that your organization should follow to ensure the safety of its data and systems. Security on the Salesforce platform is jointly owned by the vendor (Salesforce) and the customer (your organization). This paradigm is known as the Shared Responsibility Model. As the vendor, Salesforce has provided world-class security features that can be configured and modified to meet your business and regulatory requirements. As the customer, you are responsible for understanding the breadth and depth of those security features and ensuring that they are correctly applied. Your customer data is critical to protect in Salesforce to guard against financial loss, maintain customer trust, meet privacy and legal requirements, and ultimately protect the integrity and quality of your data to meet future business needs. 

Below are some of the top Salesforce security best practices our Salesforce security experts recommend. By following our guide, you can rest assured that your Salesforce instance is secure, your data is protected, and your system is protected from unauthorized access, security breaches, data loss, and theft.

8 Salesforce Security Best Practices

1. Incorporate Salesforce into your Cybersecurity Program

Before diving into Salesforce security features and best practices, it is important to ensure that your Salesforce platform is aligned with your enterprise security program. One of the principal goals of the enterprise security program should be to raise security awareness and promote a culture of security leaders in the organization. Most organizations align with an industry-standard security framework such as ISO 27001, NIST CSF 2.0, SOC 2 as they provide a methodical approach for managing and mitigating security risks. These frameworks measure and benchmark your security and controls to inform the current-state maturity level and identify gaps for future improvements. Your security program will help drive and implement these necessary improvements for Salesforce security features and align to enterprise security standards.

2. Set Your Password Policies

A quick win (high value and low effort) for improving your Salesforce security is to review and improve your password policies. These policies include password history, complexity, and length requirements, and are applied at the org level. Passwords should be complex, unique, and changed regularly. There is also the ability to set password policies by the type of user (based on Profile), and thus override the org-wide settings. 

3. Implement Secure Authentication (MFA and SSO)

As of 2023, Salesforce has begun to automatically enable and enforce Multifactor Authentication (MFA) for all internal users. This is noteworthy because it is the single best security mechanism to protect against unauthorized access and breaches. MFA protects against common security threats such as brute force attacks, phishing, keyloggers, credential stuffing, etc., and has been proven to be over 99% effective at preventing certain types of attacks. While MFA will not guarantee security or stop all cybersecurity attacks, it certainly offers an additional critical layer of protection. MFA is also critical toward achieving a Zero Trust security framework, which means that your organization should treat every user/device as a threat and verify their access level before granting access.

MFA is supported in the following Salesforce products: Sales Cloud, Service Cloud, Analytics Cloud, Commerce Cloud, Experience Cloud, Financial Services Cloud, Health Cloud, Manufacturing Cloud, Marketing Cloud, Marketing Cloud Engagement, Marketing Cloud Intelligence, MuleSoft Anypoint, and Tableau Online. While MFA is not yet required for Experience Cloud sites for customer or partner portals (external users) it is highly recommended to improve your overall security posture.

Closely related to MFA is Single Sign-On (SSO), which allows secure authentication to many applications with a single set of credentials (i.e., username and password). The Salesforce MFA service can be configured for SSO with Salesforce as the Identity Provider. An Identity Provider is a trusted system that stores and manages digital identities and authenticates your users. You can also elect to leverage third-party Identity Providers such as Okta or Google.

7. Implement Salesforce Shield

Salesforce Shield is a suite of add-on security products designed to help organizations protect sensitive data in Salesforce and comply with industry regulations such as HIPAA, GDPR, CPRA, and PCI DSS. It provides data encryption, event monitoring, field audit trail capabilities, and the ability to find and classify sensitive data.

Data Encryption

Salesforce Shield provides enhanced data encryption, leveraging AES 256-bit encryption at the field level. This encryption for data “at rest” is applied to the data residing in Salesforce data centers and provides additional protections, as it is not readable as plain text should a bad actor seek to do harm. There are also additional options for managing your encryption keys, including bring your own key (BYOK). While Kenway highly recommends enhanced data encryption for sensitive data, it also has a tradeoff with the loss of some business functionality, such as filtering. Therefore, decisions and tradeoffs should be made with compliance and regulatory requirements balanced with preserving functionality such as the ability to use filters on encrypted fields.

Event Monitoring

Salesforce Shield includes real-time event monitoring, enabling you to see who is accessing data and from where. Monitoring offers fine-grain controls so that you have visibility to events such as report exports, API calls, logins, logouts, Lightning web clicks and errors, Apex executions, and Visualforce page loads. Event Monitoring is especially useful for “data loss monitoring” from a security perspective. Bad actors can export reports with critical business data and use them for unintended purposes, resulting in lost revenue or reputational risk. However, Event Monitoring provides an easy way to view activities and transactions that may be suspicious, such as exporting high volumes of sensitive data. A pre-built dashboard for analytics on additional usage and performance metrics complements event monitoring and can help with user adoption and performance optimizations.

Field Audit Trail

A favorite feature of Salesforce is the ability to enable field-level auditing for all changes, including the field name, old value, new value, the user who made the change, and the effective date/time of the change. This feature is out of the box in Salesforce, but there is a limit of 20 fields per object and 18 months for historical retention. Salesforce Shield increases the limits to 60 fields per object and historical retention up to 10 years. We recommend aligning with your compliance program and product owner to help prioritize the critical fields once you approach the upper limit of 60 fields.

Einstein Data Detect

Data Detect is a newer feature in the Salesforce Shield tool suite. It provides an easy way to scan your Salesforce data and identify sensitive data based on data patterns such as Social Security Numbers, Credit Card numbers, Emails, URLs, and IP Addresses. Our clients commonly have service agents or healthcare coordinators updating free-form text fields such as “Comments,” and Einstein Data Detect helps identify the aforementioned patterns in these harder-to-identify places. Once the scan results are provided, the flagged sensitive data fields are candidates for Salesforce Shield’s data encryption.

8. Stay Informed on Salesforce Security Updates

It’s worth mentioning that Salesforce is continuously pushing new releases, and it’s important for organizations to stay current. For instance, the Spring ’23 product release recently announced the end of life of permissions on profiles. This update is significant because permission sets have been elevated as the official mechanism for user management and limiting user access.

In addition to this update, the Spring ’23 release also includes a few other security enhancements, such as extended login history for OAuth flows, improvements to the Privacy Center (Preference Manager), and the Sharing Hierarchy.

Leverage Kenway Consulting’s Salesforce Security Experts

Security is paramount for Salesforce because it’s a mission-critical cloud application, and any security vulnerabilities or data loss can have severe consequences, including business interruption and reputational damage. By following the recommendations in this security guide, you will be equipped to improve and harden your security practices and meet compliance and regulatory requirements. 

If you need help securing your Salesforce implementation or implementing Salesforce Shield, please reach out for a free consultation with one of our Salesforce security experts.