Salesforce is the world’s leading Customer Relationship Management solution. With around 150,000 users and a 24 percent market share, Salesforce powers huge sections of the digital economy.
Customers use Salesforce to store customer information, manage leads, and build marketing campaigns. Every day, users of the platform store and handle vast amounts of sensitive data. That's great for productivity, but it brings one key problem. Customer information is a gold mine for cyber-attackers.
Attackers can steal client data and sell it on the Dark Web. Or they could spy on your internal operations to gain a competitive advantage. Because of this, Salesforce clients should always prioritize data security. But how should you build an effective Salesforce security strategy?
This article explores your Salesforce data security options. Follow our list of Salesforce security best practices to lock down your customer data and keep it out of malicious hands.
How reliable is Salesforce security?
Salesforce is relatively secure, with plenty of built-in features to protect client data. However, before we look at Salesforce security best practices, it’s important to note that security breaches have happened in the past.
No cloud platform is perfect. As the Hanna Andersson data breach showed, Salesforce is no exception.
Californian clothes retailer Hanna Andersson created a Salesforce instance to store data and handle global sales. Unfortunately, cyber-attackers breached the Salesforce platform, implanting malware on the brand’s apps. For three months in late 2020, data flowed out of the platform for sale on the Dark Web.
This was alarming news, but Salesforce acted to rectify the problems behind the breach. Measures like mandatory Multi-Factor Authentication and SSL encryption plugged existing Salesforce vulnerabilities. Security features now allow users to block malicious actors and counteract phishing attacks.
If you apply the right controls and follow Salesforce best practices, achieving data security should be easy. Let’s explore how to do so in more detail.
Salesforce security basics
The first thing to note regarding Salesforce security is the shared responsibility model.
This model divides responsibility for data security. The Salesforce platform protects hardware, application code, and other infrastructure. But users must protect data in transit, regulate access, and manage audit procedures.
Salesforce offers plenty of basic and enhanced features to achieve these goals. Leverage them all to make data as safe as possible.
Basic Salesforce platform features
Here is the list of built-in basic Salesforce security features.
1. Multi-factor authentication
MFA requires more than one identification factor when users log onto Salesforce. This is the gold standard for safe access management. Since February 2022, MFA has been compulsory for all Salesforce accounts.
2. Health Check
Salesforce Health Check is an invaluable tool to understand your security posture. Health Check assesses how your implementation counters major Salesforce vulnerabilities. It assigns a percentage score to users, showing areas of improvement.
The service is free, so use Health Check to mark completed tasks and isolate priority areas for the future.
3. IP range assignment
IP range assignment uses IP ranges to block unauthorized access. Allowed IP addresses could include on-premises workstations, remote devices, and addresses used by your company VPN. Everything else is blocked.
4. Classic encryption
The standard setting on Salesforce applies 128-bit AES encryption. At this level, encryption protects data against most intrusions but won’t deliver rock-solid data protection. Nevertheless, it’s a good starting point.
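One way to check a proposed IP range assignment against recent login records before enforcing it, so you can see which logins would fall outside the allowlist. This is an added example, not code from the original article or from Salesforce; the ranges, row layout and function names are assumptions, and all sample values are constructed.

```python
import ipaddress

# Constructed allowlist, modelled as start/end address pairs
# (an assumption about how the ranges are written down).
ALLOWED_RANGES = [
    ("203.0.113.0", "203.0.113.63"),     # office egress (constructed)
    ("198.51.100.10", "198.51.100.10"),  # company VPN gateway (constructed)
]

# Constructed sample rows shaped like a login history export.
LOGINS = [
    {"user": "a.admin@example.com", "source_ip": "203.0.113.17", "status": "Success"},
    {"user": "a.admin@example.com", "source_ip": "192.0.2.44", "status": "Success"},
    {"user": "b.sales@example.com", "source_ip": "198.51.100.10", "status": "Success"},
    {"user": "b.sales@example.com", "source_ip": "203.0.113.64", "status": "Failed"},
    {"user": "c.ops@example.com", "source_ip": "not-an-ip", "status": "Success"},
]


def parse_ranges(pairs):
    """Turn (start, end) strings into address pairs, rejecting inverted ranges."""
    parsed = []
    for start, end in pairs:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range {start}-{end}")
        parsed.append((lo, hi))
    return parsed


def is_allowed(ip_text, ranges):
    """True only if the address parses and falls inside one allowed range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable source address counts as outside the allowlist
    return any(lo.version == ip.version and lo <= ip <= hi for lo, hi in ranges)


def outside_allowlist(logins, pairs):
    """Return the login rows whose source address no range covers."""
    ranges = parse_ranges(pairs)
    return [row for row in logins if not is_allowed(row["source_ip"], ranges)]


if __name__ == "__main__":
    for row in outside_allowlist(LOGINS, ALLOWED_RANGES):
        print(row["user"], row["source_ip"], row["status"])
```

Successful logins that appear in the result are the accounts that would lose access once the ranges are enforced, so review them before switching the restriction on.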
Salesforce Shield
Salesforce offers an extra suite of tools called Salesforce Shield. Salesforce Shield is a paid service that gives users the most comprehensive set of controls. IT teams can apply these controls in a way that suits their needs.
Core features of Salesforce Shield include:
1. Enhanced encryption
Shield platform encryption includes flexible data security measures. Admins can apply 256-bit AES encryption to specific apps or even down to the field level. Options also include self-managed encryption keys to customize how you protect critical information.
2. Logging
Event monitoring tools provide total awareness of your Salesforce implementation. Fire up real-time logs to check security processes and track different event types to detect security concerns. Logs provide valuable evidence to show compliance. Combine them with Transaction Security Policies to block sensitive data from leaving the Salesforce platform.
3. Field audit trail
The Field Audit Trail strengthens awareness and data security. Create forensic trails to map the history of data. Track custom objects through the platform, and retain different data sets for analysis.
Salesforce security best practices for businesses
How should users apply these security features? A quick list of Salesforce security best practices should supply the answers.
1. Manage secure access with Multi-Factor Authentication
Salesforce requires MFA for all users, but there are various possible authentication methods. It is important to find a multi-factor authentication system that suits your workforce.
A poor MFA choice will cause friction and dent productivity, and it could also make authentication procedures less secure. Here are the main options to choose from:
The Salesforce Authenticator app sends push notifications to mobile devices. This includes a one-time code that users enter alongside standard passwords and Account IDs.
Third-party authentication apps include OATH-based apps like Google Authenticator, Microsoft Authenticator, and Authy.
Hardware keys or security token devices use certified authentication standards to deliver one-time codes for every login. Salesforce supports industry leaders like YubiKey and Google Titan.
Authenticators built into smartphones. This could include Apple’s Touch ID or Face ID. These options are easy to use, but may not be as secure as specialist authentication tools.
Companies with large mobile workforces will benefit from app-based authentication. But hardware keys are preferable for protecting admin-level accounts. The important thing is to find a multi-factor authentication method that blends user experience and flexible security.
2. Apply smart user privilege management
Assigning user privileges is a core challenge for Salesforce end users. Setting restrictive permissions limits the harm caused by security concerns like credential theft attacks.
IT teams control basic privileges via Salesforce user profiles. As a rule, set tight permissions that cover the resources employees need and nothing more. And minimize the number of users with admin privileges. Phishing attacks on over-privileged accounts are a common cause of data loss.
Privileges management on Salesforce goes further than account privileges. Flexible permission sets allow you to create temporary permissions for users. Security teams can create logical groups of users for short-term projects. This could include marketing campaigns where users need extended access to lead data, but only for a brief window of time.
The data security model is a good way to plan privileges management. This divides the Salesforce environment into three levels: organization, object, and field. Map privileges to the right level and assign the right access level for every role.
Organization level – The broadest security level. Admins can control organization-level access by authorized IP ranges or use Shield controls to block unauthenticated users.
Object level – Refers to application or domain access. At this level, admins create detailed profiles to apply privileges. Assign app access or block resources if required. Try to assign the access users need, but no more.
Field level – Admins can provide access to specific database fields. Assign read and write permissions, allow deletion and record creation, and determine export policies to keep confidential data in place.
3. Make Health Check part of your Salesforce routine
One of the most important security best practices is knowing how to use the platform’s native features to your advantage. This makes Salesforce Health Check your best friend when securing customer data.
Health Check provides a baseline to inform your security strategy and detect security vulnerabilities. The assessment tool provides a security score along with recommended tasks to improve your rating. You can also customize Health Check to suit your unique Salesforce implementation and business needs.
Use Health Check whenever you add new objects or apps to your Salesforce environment. The audit tool immediately highlights areas of concern, allowing you to refine your security posture accordingly.
4. Schedule regular Salesforce backups
It’s always a security best practice to plan for the worst. Every Salesforce implementation should have a disaster recovery plan. This includes scheduling backups to restore critical data and restart operations.
Backups should include raw customer data stored on your platform. But to ensure smooth resumption, companies also have to export metadata safely.
Salesforce provides both raw data and metadata storage, but on a limited scale. Consider third-party backup specialists to guarantee accurate and timely data restoration.
5. Have a plan to contain DevOps threats
Salesforce apps have several critical vulnerabilities that attackers can exploit. For instance, DevOps teams need to be aware of:
Cross-Site Scripting (XSS) – XSS exploits affect dynamic web interfaces such as customer payment portals.
Cross-Site Request Forgery (CSRF) – CSRF exploits create compromised web pages that persuade users to carry out risky actions. As with XSS, attackers can use this method to compromise Salesforce databases and steal confidential data.
SOQL Injection – Attackers inject malicious queries into database fields. This can allow free access to customer data if portals are poorly secured.
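The SOQL injection item above, shown as the vulnerable pattern beside a hardened one for an integration that builds query text on the client. This is an added example, not code from the original article or from Salesforce; the Contact query, function names and inputs are assumptions.

```python
import re

# Salesforce record IDs are 15 or 18 alphanumeric characters.
_ID_RE = re.compile(r"^[A-Za-z0-9]{15}(?:[A-Za-z0-9]{3})?$")


def soql_literal(value):
    """Quote a string as a SOQL literal, escaping backslashes before quotes."""
    if not isinstance(value, str):
        raise TypeError("only strings are quoted here")
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    escaped = escaped.replace("\n", "\\n").replace("\r", "\\r")
    return "'" + escaped + "'"


def unsafe_query(last_name):
    # Vulnerable pattern: user input is concatenated into the query text,
    # so a quote in the input ends the literal and the rest is parsed as SOQL.
    return "SELECT Id, Email FROM Contact WHERE LastName = '" + last_name + "'"


def safe_query(last_name):
    # Hardened pattern: the input can only ever be data inside one literal.
    return "SELECT Id, Email FROM Contact WHERE LastName = " + soql_literal(last_name)


def safe_query_by_id(record_id):
    # IDs are validated against a strict shape instead of being escaped.
    if not _ID_RE.fullmatch(record_id):
        raise ValueError("not a Salesforce record ID")
    return "SELECT Id, Email FROM Contact WHERE Id = '" + record_id + "'"


def unescaped_quotes(query):
    """Count quote characters that are not backslash-escaped (2 = one intact literal)."""
    count, i = 0, 0
    while i < len(query):
        if query[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if query[i] == "'":
            count += 1
        i += 1
    return count
```

Inside Apex, the equivalent hardening is a bind variable in the query rather than string concatenation.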
There are mitigation strategies for all of these attacks. A security best practice is to use Salesforce’s sandboxing tools.
Sandboxes let you quarantine suspicious code. Mirrored versions of development environments allow security teams to test code and remove vulnerabilities. That way, you can counter exploits before they take down your CRM system.
Salesforce secure access with NordLayer
There are plenty of ways to protect data with Salesforce security best practices. MFA protects against unauthorized entry. Encryption makes data unreadable to outsiders. Privileges management keeps confidential data off-limits to most users. And sandboxing lets you handle threats safely.
Following the best practices listed above is a good start. But you can harden your security setup by combining Salesforce’s native tools with NordLayer's third-party security solutions.
For instance, our access management tools make it easier to screen potential threats and admit authenticated users. Single Sign On brings your cloud assets together and makes password management simpler.
IP address whitelisting lets you approve NordLayer users while blocking everything else. There will be no way for malicious attackers to spoof authorized users. Your Salesforce implementation will also benefit from NordLayer’s enterprise-wide security controls.
Applying security best practices with NordLayer's help is the best route to a robust Salesforce security posture. To find out more, contact our team today.
Joanna Krysińska
Senior Copywriter