Secure Your Data on Salesforce Before It’s Too Late!

By Laura Pelkey, Security Content and Communications Manager, Salesforce 

There is a lot of information out there telling you that you should protect your data. But why is data security important? More data exists online now than at any other point in time, and the quantity is only expected to keep growing. It’s important to protect yourself and your customers. If you’re using a CRM (customer relationship management) software such as Salesforce, you need to equip yourself with best practices on how to secure your data on Salesforce.

How Do We Define Data?

Data is any recorded fact or statistic. Personal data — otherwise known as personally identifiable information (or PII) — can be a birthday, home address, phone number, or even full name, if it’s in relation to any other PII. It can also be highly valuable information such as healthcare records, banking information, or social security number. The more valuable the information, the more money it’s worth (to hackers or people who buy information from hackers).

Data is not only personal information about an individual that can be found online. It can also be information about a customer that is stored on a company’s database. Recent data security protections like the EU’s General Data Protection Regulation (GDPR) are an important step in limiting what companies can do with the data that resides in their systems. There are also steps you can take to limit the data that gets exposed in the first place.


Now that we’ve defined data security in general terms, let’s talk more specifically about how to keep your Salesforce data secure.


Secure Your Data on Salesforce

For administrators and developers, choosing which data sets each user or group of users can see is one of the key decisions that affects how you secure your data on Salesforce. It’s important to limit the data your users are able to see and the permissions they have. Users should have access only to what is necessary to perform their job – this concept is called the principle of least privilege.

An example of when you might need to apply this principle is if you’re building an app to help manage the recruiting efforts at your company. The app will store a plethora of confidential data such as names, social security numbers, salary information, and feedback from existing employees. Only some teams or individuals within your company will need access to such sensitive information. In this example, recruiters will need access to everything, while some other users will probably only need editing rights to certain fields.

The Salesforce platform lets you maintain data security by assigning different data sets to different types of users. That way, users who need access to sensitive information can perform their critical job functions, while the risk of data being stolen, leaked, or misused is reduced.

Administrators (admins) are able to specify which users can view, create, edit, or delete any record or field in the app. This control can extend to your entire organisation (org), or simply an object, field, or individual record. By combining security controls at different levels, you can provide the ideal level of data access to all of your users while maximising the effectiveness of your data security controls.


Secure Your Data on Salesforce by Controlling Access

As we mentioned earlier, admins can control which users have access to which data in the org — a specific object, a specific field, or an individual record. It’s important to understand how these levels interact with each other. The list below gives a brief overview of which types of controls should be implemented at each level:

  • Org-wide: Maintain a current list of users, keep password policies up to date, and restrict login IP ranges.
  • Objects: Limit access to specific data to groups of users at the object level.
  • Fields: Restrict access to specific data, even if a user has access to the object.
  • Records: Allow some users to access an object, but limit which object records they are allowed to view.
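To make the interaction between the four levels concrete, here is a small model written for this page (it is an added illustration, not Salesforce code or its permission engine). The profiles, objects, fields, IP range, and users are constructed to match the recruiting-app scenario above; the point it shows is that each level is checked in turn and the first level to deny wins, so a user who can read an object may still be blocked at the field or record level.

```python
"""Toy model of layered access control: org-wide -> object -> field -> record.
Added example for this article; all names and values below are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# --- Org-wide level: who is an active user, and from which IP ranges they may log in
ACTIVE_USERS = {"alice": "Recruiter", "bob": "Hiring Manager", "carol": "Employee"}
LOGIN_IP_RANGES = [ip_network("10.0.0.0/8")]  # constructed trusted range

# --- Object level: the actions each (hypothetical) profile has on each object
OBJECT_PERMS = {
    "Recruiter":      {"Position":  {"read", "create", "edit", "delete"},
                       "Candidate": {"read", "create", "edit", "delete"}},
    "Hiring Manager": {"Position":  {"read", "edit"},
                       "Candidate": {"read"}},
    "Employee":       {"Position":  {"read"}},
}

# --- Field level: fields hidden from a profile even though it can read the object
HIDDEN_FIELDS = {
    "Hiring Manager": {"Candidate": {"SSN__c"}},
    "Employee":       {"Position":  {"Salary__c", "Hiring_Feedback__c"}},
}

# --- Record level: org-wide default is private, so a record is visible only to
# its owner, users it is explicitly shared with, or profiles granted view-all
VIEW_ALL_PROFILES = {"Recruiter"}


@dataclass
class Record:
    obj: str
    owner: str
    shared_with: set = field(default_factory=set)


def can_access(user, src_ip, action, obj, field_name=None, record=None):
    """Walk the four levels in order and return (allowed, reason)."""
    profile = ACTIVE_USERS.get(user)
    if profile is None:
        return False, "org: not an active user"
    if not any(ip_address(src_ip) in net for net in LOGIN_IP_RANGES):
        return False, "org: login IP outside the allowed ranges"
    if action not in OBJECT_PERMS.get(profile, {}).get(obj, set()):
        return False, f"object: profile {profile!r} lacks {action!r} on {obj}"
    if field_name and field_name in HIDDEN_FIELDS.get(profile, {}).get(obj, set()):
        return False, f"field: {field_name} is hidden from profile {profile!r}"
    if record is not None and not (
        record.owner == user or user in record.shared_with or profile in VIEW_ALL_PROFILES
    ):
        return False, "record: not owner, not shared, and no view-all"
    return True, "allowed"


if __name__ == "__main__":
    cand = Record("Candidate", owner="alice", shared_with={"bob"})
    for args in [("alice", "10.1.2.3", "read", "Candidate", "SSN__c", cand),
                 ("bob",   "10.1.2.3", "read", "Candidate", "SSN__c", cand),
                 ("bob",   "10.1.2.3", "read", "Candidate", "Name",   cand),
                 ("carol", "10.1.2.3", "edit", "Position"),
                 ("alice", "192.0.2.5", "read", "Position")]:
        print(args[:4], "->", can_access(*args))
```

Each denial names the level that produced it, which is the habit worth keeping when you review access: knowing that a user is blocked is less useful than knowing whether the block came from a profile, a field-level setting, or a sharing rule.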

In addition to understanding how the levels function, conduct a regular audit of the following components to ensure data security is maintained. Remember, security is never done!

  • Record Modification Fields: These provide some basic auditing information, including the name of the user who created the record and who last modified it.
  • Login History: Review a list of successful and failed login attempts for the past six months.
  • Field History Tracking: Enable this feature to automatically track changes in the values of individual fields. Although field-level auditing is available for all custom objects, only some standard objects allow it.
  • Setup Audit Trail: This logs when modifications are made to your org’s configuration.
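The audit components listed above are only useful if someone actually reads them. The following script, added here as an example and not part of the original article or of any Salesforce tool, shows three checks a reviewer might run over exported Login History and Field History Tracking data: repeated failed logins for one user inside a short window, successful logins from outside the trusted IP ranges, and changes to a sensitive tracked field made by a profile that is not expected to edit it. The log rows, the trusted range, the profiles, and the "expected editors" mapping are all constructed for the example.

```python
"""Review constructed Login History and Field History exports for anomalies.
Added example for this article; every row and setting below is made up."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed login-history export: (user, UTC timestamp, status, source IP)
LOGIN_HISTORY = [
    ("alice", "2024-03-04T08:59:10", "Success",          "10.4.1.20"),
    ("bob",   "2024-03-04T09:01:02", "Invalid Password", "203.0.113.7"),
    ("bob",   "2024-03-04T09:01:40", "Invalid Password", "203.0.113.7"),
    ("bob",   "2024-03-04T09:02:15", "Invalid Password", "203.0.113.7"),
    ("bob",   "2024-03-04T09:02:50", "Invalid Password", "203.0.113.7"),
    ("bob",   "2024-03-04T09:03:30", "Success",          "203.0.113.7"),
    ("carol", "2024-03-04T13:10:00", "Success",          "10.4.2.9"),
]

# Constructed field-history export: (object, record id, field, user, old, new, timestamp)
FIELD_HISTORY = [
    ("Position", "REC-0001", "Salary__c", "alice", "90000", "95000",  "2024-03-04T10:00:00"),
    ("Position", "REC-0002", "Salary__c", "carol", "70000", "120000", "2024-03-04T13:12:00"),
    ("Position", "REC-0002", "Status__c", "bob",   "Open",  "Closed", "2024-03-04T14:00:00"),
]

TRUSTED_RANGES = [ip_network("10.0.0.0/8")]          # assumed org login IP range
PROFILES = {"alice": "Recruiter", "bob": "Hiring Manager", "carol": "Employee"}
SENSITIVE_FIELDS = {"Position": {"Salary__c"}}       # tracked fields worth reviewing
EXPECTED_EDITORS = {"Salary__c": {"Recruiter"}}      # assumed: who should change each


def parse_ts(s):
    return datetime.fromisoformat(s)


def failed_login_bursts(rows=LOGIN_HISTORY, threshold=3, window=timedelta(minutes=5)):
    """Map user -> largest number of failed logins seen inside any `window`."""
    failures = defaultdict(list)
    for user, ts, status, _ip in rows:
        if status != "Success":
            failures[user].append(parse_ts(ts))
    flagged = {}
    for user, times in failures.items():
        times.sort()
        for start in times:
            count = sum(1 for t in times if start <= t <= start + window)
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def logins_outside_ranges(rows=LOGIN_HISTORY, ranges=TRUSTED_RANGES):
    """Successful logins whose source IP falls outside every trusted range."""
    return [(user, ts, ip) for user, ts, status, ip in rows
            if status == "Success" and not any(ip_address(ip) in n for n in ranges)]


def unexpected_sensitive_edits(rows=FIELD_HISTORY):
    """Changes to a sensitive tracked field by a profile not expected to edit it."""
    findings = []
    for obj, rec_id, fld, user, old, new, _ts in rows:
        if fld in SENSITIVE_FIELDS.get(obj, set()) and \
                PROFILES.get(user) not in EXPECTED_EDITORS.get(fld, set()):
            findings.append((rec_id, fld, user, old, new))
    return findings


if __name__ == "__main__":
    print("failed-login bursts:", failed_login_bursts())
    print("logins outside trusted ranges:", logins_outside_ranges())
    print("unexpected sensitive edits:", unexpected_sensitive_edits())
```

On the sample data the three checks converge on the same story: a burst of failures for one account, a success for that account from an untrusted address, and a salary change by a profile that should only be reading. Seen individually each line is easy to dismiss; reviewing the audit components together is what makes the pattern visible.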


Prioritise Data Security Settings in Salesforce with Health Check

Now that you understand the data security components and how they work together, you can move on to understanding individual security controls. Is there one place where you can manage all of your org’s most important security settings? Why yes, there is! It’s called Health Check, and it is a free tool that comes standard with Salesforce.

Health Check allows you to view your current security settings and prioritise your risk. This makes it easy (with one click!) to fix settings that pose a risk to your org. If you have multiple orgs, Salesforce has open sourced a tool called OrgMonitor that can help you bring the same simple management and prioritisation of security settings to all of your orgs in one view.

Article first appeared on the Salesforce Blog.

Lava is an authorised Salesforce Partner in Malaysia and has more than a decade of experience in cloud solutions which includes marketing automation, CRM implementation, change management, and consultation. We pride ourselves in not just being a CRM partner but in also understanding the needs of our customers and taking their business to the next level.
