Salesforce is a highly secure platform, but there are still security best practices that your organization should follow to ensure the safety of its data and systems. Security on the Salesforce platform is jointly owned by the vendor (Salesforce) and the customer (your organization). This paradigm is known as the Shared Responsibility Model. As the vendor, Salesforce provides world-class security features that can be configured and modified to meet your business and regulatory requirements. As the customer, you are responsible for understanding the breadth and depth of those security features and ensuring that they are correctly applied. Protecting the customer data held in Salesforce is critical: it guards against financial loss, maintains customer trust, meets privacy and legal requirements, and ultimately preserves the integrity and quality of your data for future business needs.
Below are some of the top Salesforce security best practices our Salesforce security experts recommend. By following our guide, you can rest assured that your Salesforce instance is secure, your data is protected, and your system is protected from unauthorized access, security breaches, data loss, and theft.
Before diving into Salesforce security features and best practices, it is important to ensure that your Salesforce platform is aligned with your enterprise security program. One of the principal goals of the enterprise security program should be to raise security awareness and promote a culture of security leaders in the organization. Most organizations align with an industry-standard security framework such as ISO 27001, NIST CSF 2.0, or SOC 2, as these provide a methodical approach for managing and mitigating security risks. These frameworks measure and benchmark your security and controls to establish the current-state maturity level and identify gaps for future improvement. Your security program will help drive and implement these improvements to your Salesforce security features and align them with enterprise security standards.
A quick win (high value and low effort) for improving your Salesforce security is to review and improve your password policies. These policies include password history, complexity, and length requirements, and are applied at the org level. Passwords should be complex, unique, and changed regularly. There is also the ability to set password policies by the type of user (based on Profile), and thus override the org-wide settings.
As of 2023, Salesforce has begun to automatically enable and enforce Multifactor Authentication (MFA) for all internal users. This is noteworthy because it is the single best security mechanism to protect against unauthorized access and breaches. MFA protects against common security threats such as brute force attacks, phishing, keyloggers, and credential stuffing, and has been proven to be over 99% effective at preventing certain types of attacks. While MFA will not guarantee security or stop all cybersecurity attacks, it certainly offers an additional critical layer of protection. MFA is also a building block of a Zero Trust security framework, in which your organization treats every user and device as untrusted and verifies its access level before granting access.
MFA is supported in the following Salesforce products: Sales Cloud, Service Cloud, Analytics Cloud, Commerce Cloud, Experience Cloud, Financial Services Cloud, Health Cloud, Manufacturing Cloud, Marketing Cloud, Marketing Cloud Engagement, Marketing Cloud Intelligence, MuleSoft Anypoint, and Tableau Online. While MFA is not yet required for Experience Cloud sites used as customer or partner portals (external users), it is highly recommended to improve your overall security posture.
Closely related to MFA is Single Sign-On (SSO), which allows secure authentication to many applications with a single set of credentials (i.e., username and password). The Salesforce MFA service can be configured for SSO with Salesforce as the Identity Provider. An Identity Provider is a trusted system that stores and manages digital identities and authenticates your users. You can also elect to leverage third-party Identity Providers such as Okta or Google.
Authentication verifies your identity and confirms, "Are you who you say you are?" Authorization, on the other hand, grants users access to resources and actions (create, read, update, delete). The best practice to follow is to limit access and adhere to the "principle of least privilege." This principle specifies that users should only have the minimum access required to perform necessary functions.
Adhering to this principle and limiting access fortifies your Salesforce instance against threats of unauthorized access by reducing access points and the attack surface, thus lowering the risk profile. In practice, this means that Profiles and Organization Wide Defaults should be reviewed regularly to ensure they offer only the baseline level of access. Other features, such as permission sets and roles, should be utilized for layering on additional access, and should also be reviewed routinely.
It is especially important to review and monitor your privileged users, such as System Administrators, as they can quickly increase your exposure and risk. Salesforce offers a range of features to limit access, including roles, role hierarchies, profiles, and permission sets.
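The least-privilege and privileged-user review described above can be automated against an export of users, profiles and permission set assignments. The following is an added example written for this article, not Kenway's or Salesforce's own code; the org snapshot (profiles, permission sets, users, and the approved-administrator list) is constructed, and the permission labels are used illustratively rather than as exact API names. It computes each user's effective permissions as the union of profile and permission set grants, then reports anyone holding privileged permissions who is not on the approved list.

```python
# Constructed org snapshot: profiles and permission sets mapped to the user
# permissions they grant. Assignments are assumptions for this illustration.
PROFILES = {
    "Support Agent": set(),
    "Sales User": {"ExportReport"},
    "System Administrator": {"ModifyAllData", "ViewAllData", "ManageUsers", "ExportReport"},
}
PERMISSION_SETS = {
    "Report Exporter": {"ExportReport"},
    "Data Steward": {"ViewAllData"},
}
USERS = [
    {"Username": "admin@example.com", "Profile": "System Administrator", "PermissionSets": []},
    {"Username": "agent1@example.com", "Profile": "Support Agent", "PermissionSets": ["Report Exporter"]},
    {"Username": "agent2@example.com", "Profile": "Support Agent", "PermissionSets": ["Data Steward", "Report Exporter"]},
    {"Username": "rep1@example.com", "Profile": "Sales User", "PermissionSets": []},
]

# Permissions that make a user "privileged" for review purposes (constructed list).
PRIVILEGED = {"ModifyAllData", "ViewAllData", "ManageUsers"}
# Users whose privileged access the security program has explicitly approved.
APPROVED_PRIVILEGED = {"admin@example.com"}


def effective_permissions(user, profiles=PROFILES, permission_sets=PERMISSION_SETS):
    """Union of the baseline profile grants and every assigned permission set."""
    perms = set(profiles.get(user["Profile"], set()))
    for name in user["PermissionSets"]:
        perms |= permission_sets.get(name, set())
    return perms


def privileged_users(users):
    """Inventory: username -> sorted privileged permissions the user effectively holds."""
    result = {}
    for user in users:
        held = effective_permissions(user) & PRIVILEGED
        if held:
            result[user["Username"]] = sorted(held)
    return result


def unapproved_privileged(users, approved=APPROVED_PRIVILEGED):
    """Privileged users who are not on the approved list: the review findings."""
    return {name: perms for name, perms in privileged_users(users).items() if name not in approved}


if __name__ == "__main__":
    for name, perms in privileged_users(USERS).items():
        print(f"privileged: {name:<20} {', '.join(perms)}")
    for name, perms in unapproved_privileged(USERS).items():
        print(f"REVIEW:     {name:<20} {', '.join(perms)} (not approved)")
```

Run this against a periodic export and the second function becomes the list of accounts to re-certify; a user such as agent2 above, who gained View All Data through a permission set layered on a restricted profile, is exactly the case a profile-only review would miss.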
Another protection that Salesforce offers is IP Login Restrictions, which can limit exposure to attacks and prevent unauthorized access. This is a great option for SaaS applications like Salesforce to lock down access to IP address ranges that belong to the organization network and greatly reduce the attack surface. Keep in mind that IP addresses can be static (the IP address remains the same) or dynamic (the IP address can change).
Static IPs work best for implementing this restriction as dynamic IPs will change and may require additional work for your Salesforce Admin to update the allowed IP ranges. This restriction can be applied at either the org-level or the profile level to meet unique requirements. It’s also important to mention that Salesforce allows you to restrict Login Hours based on Profiles. This feature is especially useful if you have users (e.g., support team, service agents) who should not be accessing the system outside of normal business hours.
Finally, monitor your logins to identify potential threats. Reviewing login history and source IP addresses lets you act on suspicious activity, such as login attempts from unknown IP addresses, and permanently block those addresses.
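The IP range, login hours, and login monitoring controls above can be checked together by reviewing login history against the policy you intend to enforce. The following is an added example, not code from Kenway or Salesforce; the login records are constructed to resemble Salesforce LoginHistory rows (field names and IP addresses are assumptions), and the per-profile policy is likewise constructed. It flags logins from outside the trusted ranges, logins outside permitted hours, and failed attempts, and lists the source addresses an administrator would review for blocking.

```python
import ipaddress
from datetime import datetime, time

# Constructed sample shaped like Salesforce LoginHistory rows. Field names and
# values are assumptions for this illustration, not data from a real org.
SAMPLE_LOGINS = [
    {"Username": "agent1@example.com", "Profile": "Support Agent",
     "LoginTime": "2024-03-04T14:05:00", "SourceIp": "203.0.113.25", "Status": "Success"},
    {"Username": "agent1@example.com", "Profile": "Support Agent",
     "LoginTime": "2024-03-04T23:40:00", "SourceIp": "203.0.113.25", "Status": "Success"},
    {"Username": "agent2@example.com", "Profile": "Support Agent",
     "LoginTime": "2024-03-04T10:15:00", "SourceIp": "198.51.100.7", "Status": "Success"},
    {"Username": "admin@example.com", "Profile": "System Administrator",
     "LoginTime": "2024-03-04T09:00:00", "SourceIp": "203.0.113.200", "Status": "Success"},
    {"Username": "admin@example.com", "Profile": "System Administrator",
     "LoginTime": "2024-03-04T09:01:00", "SourceIp": "198.51.100.7", "Status": "Failed: Invalid Password"},
]

# Per-profile policy mirroring the org's intended configuration: trusted corporate
# IP ranges and permitted login hours (assumed local time). Values are constructed.
POLICY = {
    "Support Agent": {"ranges": ["203.0.113.0/24"], "hours": (time(8, 0), time(18, 0))},
    "System Administrator": {"ranges": ["203.0.113.0/24"], "hours": (time(0, 0), time(23, 59, 59))},
}


def review_logins(logins, policy):
    """Return one finding per policy violation observed in the login records."""
    findings = []
    for rec in logins:
        rules = policy.get(rec["Profile"])
        if rules is None:
            findings.append({"user": rec["Username"], "ip": rec["SourceIp"], "reason": "no_policy"})
            continue
        ip = ipaddress.ip_address(rec["SourceIp"])
        if not any(ip in ipaddress.ip_network(cidr) for cidr in rules["ranges"]):
            findings.append({"user": rec["Username"], "ip": rec["SourceIp"], "reason": "outside_allowed_ranges"})
        when = datetime.fromisoformat(rec["LoginTime"]).time()
        start, end = rules["hours"]
        if not (start <= when <= end):
            findings.append({"user": rec["Username"], "ip": rec["SourceIp"], "reason": "outside_login_hours"})
        if not rec["Status"].startswith("Success"):
            findings.append({"user": rec["Username"], "ip": rec["SourceIp"], "reason": "failed_login"})
    return findings


def block_candidates(findings):
    """Source IPs seen outside the trusted ranges: the addresses an admin reviews
    and, once confirmed hostile, adds to a permanent block."""
    return sorted({f["ip"] for f in findings if f["reason"] == "outside_allowed_ranges"})


if __name__ == "__main__":
    results = review_logins(SAMPLE_LOGINS, POLICY)
    for f in results:
        print(f"{f['user']:<22} {f['ip']:<16} {f['reason']}")
    print("review for blocking:", block_candidates(results))
```

In practice the same logic is most valuable before enforcement: run it over a few weeks of real login history to see which legitimate users would be locked out by the proposed ranges and hours, then tighten the org or profile settings once the findings are clean.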
Your Salesforce org includes a free "Health Check" assessment service that evaluates the security controls and settings and offers suggestions to improve security. By running Health Check, you can identify potential security vulnerabilities and risks. We recommend that you run Health Check for all new implementations, and at least quarterly to proactively identify security weaknesses.
Health Check provides a single dashboard view of most of the Salesforce security settings, giving admins launch points to fix or enhance security features. The Health Check Score is central to this tool and indicates how your org's security settings compare with the Salesforce security baseline. Salesforce recommends immediate remediation if your score is 67% or below. If you score 68% or above, you should routinely review and plan remediation to improve overall security.
Additionally, you can create your own custom baseline to compare your Salesforce org's security settings against your security program standards and better align with your internal standards.
Salesforce Shield is a suite of add-on security products designed to help organizations protect sensitive data in Salesforce and comply with industry regulations such as HIPAA, GDPR, CPRA, and PCI DSS. It provides data encryption, event monitoring, field audit trail capabilities, and the ability to find and classify sensitive data.
Salesforce Shield provides enhanced data encryption, leveraging AES 256-bit encryption at the field level. This encryption of data "at rest" applies to data stored in Salesforce data centers and adds protection because the stored values are not readable as plain text should a bad actor obtain them. There are also additional options for managing your encryption keys, including bring your own key (BYOK). While Kenway highly recommends enhanced data encryption for sensitive data, it comes with a tradeoff: some business functionality, such as filtering on encrypted fields, is lost. Decisions should therefore balance compliance and regulatory requirements against the functionality you need to preserve.
Salesforce Shield includes real-time event monitoring, enabling you to see who is accessing data and from where. Monitoring offers fine-grained controls so that you have visibility into events such as report exports, API calls, logins, logouts, Lightning web clicks and errors, Apex executions, and Visualforce page loads. Event Monitoring is especially useful for "data loss monitoring" from a security perspective. Bad actors can export reports with critical business data and use them for unintended purposes, resulting in lost revenue or reputational risk. Event Monitoring provides an easy way to view activities and transactions that may be suspicious, such as exporting high volumes of sensitive data. A pre-built dashboard for analytics on additional usage and performance metrics complements event monitoring and can help with user adoption and performance optimizations.
A favorite feature of Salesforce is the ability to enable field-level auditing for all changes, including the field name, old value, new value, the user who made the change, and the effective date/time of the change. This feature is out of the box in Salesforce, but there is a limit of 20 fields per object and 18 months for historical retention. Salesforce Shield increases the limits to 60 fields per object and historical retention up to 10 years. We recommend aligning with your compliance program and product owner to help prioritize the critical fields once you approach the upper limit of 60 fields.
Data Detect is a newer feature in the Salesforce Shield tool suite. It provides an easy way to scan your Salesforce data and identify sensitive data based on data patterns such as Social Security Numbers, Credit Card numbers, Emails, URLs, and IP Addresses. Our clients commonly have service agents or healthcare coordinators updating free-form text fields such as "Comments," and Einstein Data Detect helps identify the aforementioned patterns in these harder-to-identify places. Once the scan results are provided, the flagged sensitive data fields are candidates for Salesforce Shield's data encryption.
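The pattern-based scanning described for Data Detect can be illustrated with a small scanner of our own. The following is an added example, not Einstein Data Detect or any Kenway code, and it makes no claim about how Salesforce's scanner is implemented: the records and their "Comments" text are constructed, and the patterns (Social Security Number, credit card number with a Luhn check, email, URL, IPv4 address) are the categories the article lists. It returns, per record and field, which sensitive patterns were found, which is the information you would use to nominate fields for Shield encryption.

```python
import ipaddress
import re

# Constructed sample records; free-form "Comments" is the field being scanned.
SAMPLE_RECORDS = [
    {"Id": "5001", "Comments": "Customer gave SSN 123-45-6789 and card 4111 1111 1111 1111 over the phone"},
    {"Id": "5002", "Comments": "Reach me at jane@example.com from 192.0.2.10"},
    {"Id": "5003", "Comments": "Order number 1234567890123 placed via https://shop.example.com/order"},
    {"Id": "5004", "Comments": "Customer asked for a callback tomorrow"},
]

# Pattern categories named in the article. A regex match alone is a candidate;
# credit card and IPv4 candidates are validated further below to cut false positives.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "url": re.compile(r'\bhttps?://[^\s<>"]+', re.IGNORECASE),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def luhn_ok(number):
    """Luhn checksum over a string of digits; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


VALIDATORS = {
    "credit_card": lambda m: luhn_ok(re.sub(r"\D", "", m)),
    "ipv4": is_ipv4,
}


def scan_text(text):
    """Sorted list of pattern names that occur (and validate) in the text."""
    hits = set()
    for name, pattern in PATTERNS.items():
        check = VALIDATORS.get(name)
        for match in pattern.findall(text):
            if check is None or check(match):
                hits.add(name)
                break
    return sorted(hits)


def scan_records(records, text_fields):
    """Record Id -> {field: [patterns]} for every field where something was found."""
    flagged = {}
    for rec in records:
        for field in text_fields:
            found = scan_text(rec.get(field) or "")
            if found:
                flagged.setdefault(rec["Id"], {})[field] = found
    return flagged


if __name__ == "__main__":
    for rec_id, fields in scan_records(SAMPLE_RECORDS, ["Comments"]).items():
        for field, patterns in fields.items():
            print(f"{rec_id} {field}: {', '.join(patterns)}")
```

Record 5003 shows why validation matters: its 13-digit order number matches the credit card regex but fails the Luhn check, so only the URL is reported. The same structure extends to other text fields by adding their names to the `text_fields` list.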
It's worth mentioning that Salesforce is continuously pushing new releases, and it's important for organizations to stay current. For instance, the Spring '23 product release recently announced the end of life of permissions on profiles. This update is significant because permission sets have been elevated as the official mechanism for user management and limiting user access.
In addition to this update, the Spring '23 release also includes a few other security enhancements, such as extended login history for OAuth flows, improvements to the Privacy Center (Preference Manager), and the Sharing Hierarchy.
Security is paramount for Salesforce because it's a mission-critical cloud application, and any security vulnerabilities or data loss can have severe consequences, including business interruption and reputational damage. By following the recommendations in this security guide, you will be equipped to improve and harden your security practices and meet compliance and regulatory requirements.
If you need help securing your Salesforce implementation or implementing Salesforce Shield, please reach out for a free consultation with one of our Salesforce security experts.
How secure is Salesforce?
Salesforce is a highly secure platform, and the company takes extensive measures to protect the confidentiality, integrity, and availability of its customers' data. Here are some key aspects of Salesforce's security practices:
Salesforce undergoes regular security audits and certifications to ensure that its security controls meet industry standards and regulatory requirements. This includes ISO 27001 and SOC 2 certifications as well as GDPR compliance.
What is Data Security in Salesforce?
Data security in Salesforce refers to the measures and mechanisms put in place to protect the confidentiality, integrity, and availability of data stored within the Salesforce platform. Salesforce provides a range of features and tools to help organizations secure their data effectively. Here are some key aspects of data security in Salesforce:
How do I ensure security in Salesforce?
Ensuring security in Salesforce involves implementing a combination of best practices, configuration settings, and user training to protect your organization's data effectively. In addition to user authentication, access controls, data encryption, and monitoring features, it is recommended to perform regular security assessments and to implement security awareness training for users.