Improve Salesforce Security With These 8 Best Practices
Salesforce is a highly secure platform, but there are still security best practices that your organization should follow to ensure the safety of its data and systems. Security on the Salesforce platform is jointly owned by the vendor (Salesforce) and the customer (your organization). This paradigm is known as the Shared Responsibility Model. As the vendor, Salesforce has provided world-class security features that can be configured and modified to meet your business and regulatory requirements. As the customer, you are responsible for understanding the breadth and depth of those security features and ensuring that they are correctly applied. Your customer data is critical to protect in Salesforce to guard against financial loss, maintain customer trust, meet privacy and legal requirements, and ultimately protect the integrity and quality of your data to meet future business needs.
Below are some of the top Salesforce security best practices our Salesforce security experts recommend. By following our guide, you can rest assured that your Salesforce instance is secure, your data is protected, and your system is protected from unauthorized access, security breaches, data loss, and theft.
8 Salesforce Security Best Practices
1. Incorporate Salesforce into your Cybersecurity Program
Before diving into Salesforce security features and best practices, it is important to ensure that your Salesforce platform is aligned with your enterprise security program. One of the principal goals of the enterprise security program should be to raise security awareness and promote a culture of security leadership in the organization. Most organizations align with an industry-standard security framework such as ISO 27001, NIST CSF 2.0, or SOC 2, as these provide a methodical approach for managing and mitigating security risks. These frameworks measure and benchmark your security and controls to establish the current-state maturity level and identify gaps for future improvement. Your security program will help drive and implement the necessary improvements to your Salesforce security configuration and align it to enterprise security standards.
2. Set Your Password Policies
A quick win (high value and low effort) for improving your Salesforce security is to review and improve your password policies. These policies include password history, complexity, and length requirements, and are applied at the org level. Passwords should be complex, unique, and changed regularly. There is also the ability to set password policies by the type of user (based on Profile), and thus override the org-wide settings.
3. Implement Secure Authentication (MFA and SSO)
As of 2023, Salesforce has begun to automatically enable and enforce Multifactor Authentication (MFA) for all internal users. This is noteworthy because it is the single best security mechanism to protect against unauthorized access and breaches. MFA protects against common security threats such as brute force attacks, phishing, keyloggers, and credential stuffing, and has been proven to be over 99% effective at preventing certain types of attacks. While MFA will not guarantee security or stop all cybersecurity attacks, it certainly offers an additional critical layer of protection. MFA is also critical toward achieving a Zero Trust security framework, which means that your organization treats every user and device as untrusted and verifies each access request before granting access.
MFA is supported in the following Salesforce products: Sales Cloud, Service Cloud, Analytics Cloud, Commerce Cloud, Experience Cloud, Financial Services Cloud, Health Cloud, Manufacturing Cloud, Marketing Cloud, Marketing Cloud Engagement, Marketing Cloud Intelligence, MuleSoft Anypoint, and Tableau Online. While MFA is not yet required for Experience Cloud sites for customer or partner portals (external users) it is highly recommended to improve your overall security posture.
Closely related to MFA is Single Sign-On (SSO), which allows secure authentication to many applications with a single set of credentials (i.e., username and password). The Salesforce MFA service can be configured for SSO with Salesforce as the Identity Provider. An Identity Provider is a trusted system that stores and manages digital identities and authenticates your users. You can also elect to leverage third-party Identity Providers such as Okta or Google.
7. Implement Salesforce Shield
Salesforce Shield is a suite of add-on security products designed to help organizations protect sensitive data in Salesforce and comply with industry regulations such as HIPAA, GDPR, CPRA, and PCI DSS. It provides data encryption, event monitoring, field audit trail capabilities, and the ability to find and classify sensitive data.
Data Encryption
Salesforce Shield provides enhanced data encryption, leveraging AES 256-bit encryption at the field level. This encryption for data “at rest” is applied to the data residing in Salesforce data centers and provides additional protections, as it is not readable as plain text should a bad actor seek to do harm. There are also additional options for managing your encryption keys, including bring your own key (BYOK). While Kenway highly recommends enhanced data encryption for sensitive data, it also has a tradeoff with the loss of some business functionality, such as filtering. Therefore, decisions and tradeoffs should be made with compliance and regulatory requirements balanced with preserving functionality such as the ability to use filters on encrypted fields.
Event Monitoring
Salesforce Shield includes real-time event monitoring, enabling you to see who is accessing data and from where. Monitoring offers fine-grained controls so that you have visibility into events such as report exports, API calls, logins, logouts, Lightning web clicks and errors, Apex executions, and Visualforce page loads. Event Monitoring is especially useful for “data loss monitoring” from a security perspective. Bad actors can export reports with critical business data and use them for unintended purposes, resulting in lost revenue or reputational risk. Event Monitoring provides a straightforward way to view activities and transactions that may be suspicious, such as exporting high volumes of sensitive data. A pre-built dashboard for analytics on additional usage and performance metrics complements event monitoring and can help with user adoption and performance optimizations.
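As an added example (not code from the original article or from Salesforce), the following Python script illustrates the kind of data-loss check described above: it reads a constructed EventLogFile-style CSV of report export events and flags any user whose export count or total exported rows within a short window exceeds a threshold. The column names (in particular ROWS_PROCESSED), user IDs, IPs and thresholds are assumptions for this example, not Salesforce's documented schema.

```python
"""Flag high-volume report exports in Salesforce Event Monitoring logs."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of an EventLogFile CSV (ReportExport events).
# Column names are assumed for this example; adapt them to the real log file.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID_DERIVED,CLIENT_IP,URI,ROWS_PROCESSED
ReportExport,2024-03-01T09:00:12Z,005xx000001AAA1,203.0.113.10,/00Oxx0000001AAA,250
ReportExport,2024-03-01T09:05:40Z,005xx000001AAA1,203.0.113.10,/00Oxx0000001AAB,300
ReportExport,2024-03-01T09:07:01Z,005xx000001BBB2,198.51.100.7,/00Oxx0000001AAC,48000
ReportExport,2024-03-01T09:09:15Z,005xx000001BBB2,198.51.100.7,/00Oxx0000001AAD,52000
ReportExport,2024-03-01T09:11:55Z,005xx000001BBB2,198.51.100.7,/00Oxx0000001AAE,51000
ReportExport,2024-03-01T14:30:00Z,005xx000001CCC3,192.0.2.55,/00Oxx0000001AAF,900
"""

WINDOW = timedelta(minutes=15)  # assumed detection window
MAX_EXPORTS = 3                 # assumed: exports per user within WINDOW
MAX_ROWS = 100_000              # assumed: rows exported per user within WINDOW


def parse_events(text):
    """Parse the CSV into dicts, keeping only report export events, sorted by time."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        if r["EVENT_TYPE"] != "ReportExport":
            continue
        rows.append({
            "ts": datetime.strptime(r["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": r["USER_ID_DERIVED"],
            "ip": r["CLIENT_IP"],
            "rows": int(r["ROWS_PROCESSED"] or 0),
        })
    return sorted(rows, key=lambda e: e["ts"])


def find_bulk_exporters(events, window=WINDOW, max_exports=MAX_EXPORTS, max_rows=MAX_ROWS):
    """Sliding window per user: alert when export count or row total reaches a threshold."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        start = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:  # drop events outside the window
                start += 1
            win = evs[start:end + 1]
            total = sum(x["rows"] for x in win)
            if len(win) >= max_exports or total >= max_rows:
                alerts[user] = {"exports": len(win), "rows": total,
                                "ips": sorted({x["ip"] for x in win})}
    return alerts
```

In the constructed sample only the second user trips the rule (three exports totalling 151,000 rows in under five minutes); a production version would pull the daily EventLogFile via the API and tune the thresholds to the org's normal export volume.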
Field Audit Trail
A favorite feature of Salesforce is the ability to enable field-level auditing for all changes, including the field name, old value, new value, the user who made the change, and the effective date/time of the change. This feature is out of the box in Salesforce, but there is a limit of 20 fields per object and 18 months for historical retention. Salesforce Shield increases the limits to 60 fields per object and historical retention up to 10 years. We recommend aligning with your compliance program and product owner to help prioritize the critical fields once you approach the upper limit of 60 fields.
Einstein Data Detect
Data Detect is a newer feature in the Salesforce Shield tool suite. It provides an easy way to scan your Salesforce data and identify sensitive data based on data patterns such as Social Security Numbers, Credit Card numbers, Emails, URLs, and IP Addresses. Our clients commonly have service agents or healthcare coordinators updating free-form text fields such as “Comments,” and Einstein Data Detect helps identify the aforementioned patterns in these harder-to-identify places. Once the scan results are provided, the flagged sensitive data fields are candidates for Salesforce Shield’s data encryption.
8. Stay Informed on Salesforce Security Updates
It’s worth mentioning that Salesforce is continuously pushing new releases, and it’s important for organizations to stay current. For instance, the Spring ’23 product release recently announced the end of life of permissions on profiles. This update is significant because permission sets have been elevated as the official mechanism for user management and limiting user access.
In addition to this update, the Spring ’23 release also includes a few other security enhancements, such as extended login history for OAuth flows, improvements to the Privacy Center (Preference Manager), and the Sharing Hierarchy.
Leverage Kenway Consulting’s Salesforce Security Experts
Security is paramount for Salesforce because it’s a mission-critical cloud application, and any security vulnerabilities or data loss can have severe consequences, including business interruption and reputational damage. By following the recommendations in this security guide, you will be equipped to improve and harden your security practices and meet compliance and regulatory requirements.
If you need help securing your Salesforce implementation or implementing Salesforce Shield, please reach out for a free consultation with one of our Salesforce security experts.
Salesforce Security FAQs
How secure is Salesforce?
Salesforce is a highly secure platform, and the company takes extensive measures to protect the confidentiality, integrity, and availability of its customers’ data. Here are some key aspects of Salesforce’s security practices:
- Data Encryption
- Access Control
- Regular Security Audits and Compliance
- Physical Security
- Secure Development Practices
- Threat Detection and Monitoring
- Customer Security Controls
Salesforce undergoes regular security audits and certifications to ensure that its security controls meet industry standards and regulatory requirements. This includes certifications such as ISO 27001 and SOC 2, as well as GDPR compliance.
What is Data Security in Salesforce?
Data security in Salesforce refers to the measures and mechanisms put in place to protect the confidentiality, integrity, and availability of data stored within the Salesforce platform. Salesforce provides a range of features and tools to help organizations secure their data effectively. Here are some key aspects of data security in Salesforce:
- User Authentication: Salesforce requires users to authenticate themselves before accessing the platform. This can be done using passwords, multi-factor authentication (MFA), or single sign-on (SSO) with identity providers.
- Role-Based Access Control (RBAC): Salesforce allows organizations to define roles and profiles with specific access permissions. This ensures that users only have access to the data and functionality that they need to perform their job functions.
- Field-Level Security: Organizations can control access to individual fields within Salesforce objects, ensuring that sensitive data is only visible to users with the appropriate permissions.
- Data Encryption at Rest: Salesforce encrypts data at rest using industry-standard encryption algorithms. This ensures that data stored in Salesforce databases is protected from unauthorized access.
- Data Encryption in Transit: Salesforce encrypts data as it travels between the user’s device and Salesforce servers, using secure communication protocols such as HTTPS.
- Audit Trails: Salesforce maintains detailed audit trails that track changes to data and configuration settings within the platform. This allows organizations to monitor user activity and track any unauthorized or suspicious behavior.
- Event Monitoring: Salesforce provides event monitoring capabilities that allow organizations to track and analyze user activity in real-time. This can help detect and respond to security threats more effectively.
- Data Loss Prevention (DLP): Salesforce provides data loss prevention features that allow organizations to prevent the unauthorized sharing or transmission of sensitive data. This includes features such as data classification, encryption, and monitoring of data access and usage.
- Physical Security: Salesforce operates state-of-the-art data centers with multiple layers of physical security, including biometric access controls, 24/7 monitoring, and surveillance systems. These data centers are designed to protect customer data from physical threats such as theft, natural disasters, and power outages.
How do I ensure security in Salesforce?
Ensuring security in Salesforce involves implementing a combination of best practices, configuration settings, and user training to protect your organization’s data effectively. In addition to user authentication, access controls, data encryption and monitoring features, it is recommended to perform regular security assessments and implement security awareness training with users.
- Regular Security Assessments: Conduct regular security assessments and audits of your Salesforce implementation to identify and address any security vulnerabilities. Stay informed about security best practices and new features released by Salesforce to improve security.
- Security Awareness Training: Educate users about security best practices and Salesforce security features. Provide regular training and updates to ensure that users understand their responsibilities for protecting data in Salesforce. Encourage users to report any security incidents or suspicious activity immediately.