
Salesforce Security Best Practices: Initially The Safety Comes First

Published by Kumar Raj
Approved by Aswin Vijayan
Published on April 13th, 2018
Reading time: 7 minutes

Imagine this: one day you arrive at the office as usual, ready to work, and are told that someone has tried to compromise your Salesforce account. Unluckily, all of your core documents have been leaked. At that point there is nothing left to do but wonder what happened and why. Better to start with Salesforce security best practices now.

For years, cloud security has been the main reason businesses hesitate to adopt cloud services, even those fronted by a CASB. In a survey of around 200 IT security professionals, only 35.0% of respondents said that a cloud-based platform is less secure than an on-premises environment, despite their information security concerns, while 64.8% believed that a cloud-based environment is either as secure as or more secure than on-premises applications. That trust is the result of the effort put in by the dedicated security teams of cloud service providers around the world. Salesforce, one of the best-known of these providers, invests heavily in securing its clients’ data and offering the features enterprises need in order to grow.

In this blog we first look at the security that Salesforce provides as the platform vendor itself. After that, we discuss the top 17 expert-recommended Salesforce security best practices.

Salesforce Built-in Security

Trust Established by Salesforce: Salesforce Trust is a website for customer awareness that reports the performance and security issues that can affect Salesforce security or availability. It is also where customers can find regular updates about the phishing attacks and malware they need to be aware of.

  • Additional Knowledge: Vawtrak is a new malware strain that is affecting Salesforce customers. It steals Salesforce login credentials and then attempts to log in with them in an unauthorized manner.

Salesforce and Compliance: Salesforce uses a shared-responsibility model for information security and privacy. It acts as a data processor for regulated information such as PII and PHI. This means that the cloud service provider is responsible for providing sufficient physical and technical security practices, while Salesforce customers are responsible for the integrity, usage, and quality of their data, as well as for the types of data they choose to store.
The Salesforce security contract contains clauses that prohibit Salesforce from accessing customer accounts or leaking data stored on its cloud. There can be exceptions when Salesforce makes technical updates to fix problems or service outages.

Multi-tenancy: The Salesforce cloud service is a multi-tenant environment: the provider uses a single shared pool of computing resources to serve many tenants at the same time. Naturally, a major security concern is that data might be exchanged between accounts during processing. Salesforce addresses this by giving each organization a unique identifier, which is associated with every session originated by a user of that organization.

Auditing: The Salesforce cloud service keeps a record of all login attempts made in the past 6 months, including the location and IP address from which each attempt was made. To gain visibility into data modifications, administrators can enable field history tracking.
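The login history described above is only useful if someone reviews it. The following added example (written for this post, not code from Salesforce or CloudCodes) runs two of the checks an administrator would want over a constructed set of login records: users who have hit the failed-attempt limit recommended later in this post (practice 7), and successful logins from outside the organization's allowed IP ranges (practice 2). The record layout, the allowed ranges, and the user names are all assumptions made for the example; they are not the real Salesforce login history schema.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample login records (not real Salesforce data). The field names
# are simplifying assumptions, not the actual Salesforce login history schema.
SAMPLE_LOGINS = [
    {"user": "alice@example.com", "time": "2018-04-13T08:01:00", "ip": "203.0.113.10", "status": "Success"},
    {"user": "bob@example.com",   "time": "2018-04-13T09:00:00", "ip": "198.51.100.7", "status": "Invalid Password"},
    {"user": "bob@example.com",   "time": "2018-04-13T09:00:20", "ip": "198.51.100.7", "status": "Invalid Password"},
    {"user": "dave@example.com",  "time": "2018-04-13T09:01:00", "ip": "203.0.113.44", "status": "Invalid Password"},
    {"user": "bob@example.com",   "time": "2018-04-13T09:01:05", "ip": "198.51.100.7", "status": "Invalid Password"},
    {"user": "bob@example.com",   "time": "2018-04-13T09:01:30", "ip": "198.51.100.7", "status": "Invalid Password"},
    {"user": "dave@example.com",  "time": "2018-04-13T09:02:00", "ip": "203.0.113.44", "status": "Success"},
    {"user": "bob@example.com",   "time": "2018-04-13T09:02:10", "ip": "198.51.100.7", "status": "Invalid Password"},
    {"user": "carol@example.com", "time": "2018-04-13T10:15:00", "ip": "192.0.2.55",   "status": "Success"},
    {"user": "dave@example.com",  "time": "2018-04-13T11:00:00", "ip": "203.0.113.44", "status": "Invalid Password"},
]

# Assumed corporate address ranges (RFC 5737 documentation prefixes, constructed).
ALLOWED_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
LOCKOUT_THRESHOLD = 5  # maximum failed attempts, as recommended in practice 7


def is_allowed_ip(ip, ranges=ALLOWED_RANGES):
    """True when the address falls inside one of the permitted networks."""
    addr = ip_address(ip)
    return any(addr in net for net in ranges)


def find_lockout_candidates(logins, threshold=LOCKOUT_THRESHOLD):
    """Users whose consecutive failed attempts reached the threshold.

    A successful login resets the user's streak, mirroring how a lockout
    counter behaves; records are processed in time order.
    """
    streak = defaultdict(int)
    flagged = set()
    for rec in sorted(logins, key=lambda r: r["time"]):
        user = rec["user"]
        if rec["status"] == "Success":
            streak[user] = 0
        else:
            streak[user] += 1
            if streak[user] >= threshold:
                flagged.add(user)
    return sorted(flagged)


def find_out_of_range_logins(logins, ranges=ALLOWED_RANGES):
    """(user, ip) pairs for successful logins from outside the allowed ranges."""
    return [
        (rec["user"], rec["ip"])
        for rec in sorted(logins, key=lambda r: r["time"])
        if rec["status"] == "Success" and not is_allowed_ip(rec["ip"], ranges)
    ]


def review_login_history(logins):
    """Combine both checks into one report an administrator can act on."""
    return {
        "lockout_candidates": find_lockout_candidates(logins),
        "out_of_range_logins": find_out_of_range_logins(logins),
    }


if __name__ == "__main__":
    for finding, items in review_login_history(SAMPLE_LOGINS).items():
        print(f"{finding}: {items}")
```

In the sample data bob accumulates five straight failures and is flagged, dave is not because a successful login resets his streak, and carol's successful login from 192.0.2.55 is reported because that address lies outside the allowed ranges. In a real deployment the records would come from the login history export rather than the inline list.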

Salesforce Shield: In 2015, Salesforce introduced Shield, which gives customers three additional security layers: event monitoring, platform encryption, and audit trails.

  • Event Monitoring: This Salesforce security feature lets users continuously view user behavior and application performance. Logs are generated without interruption and made available to customers the next day through the REST and SOAP APIs. Organizations that also adopt the Salesforce Analytics cloud service get the most security value out of event monitoring.
  • Audit Trails: Administrators can view field history going back up to 10 years on accounts, custom objects, cases, leads, contacts, and opportunities, for up to sixty fields per object. This feature is mainly useful for large, regulated industries such as financial services, healthcare, and government agencies that need extended audit trails.
  • Platform Encryption: This Salesforce data security feature lets organizations encrypt data at rest. It covers content stored in Salesforce files as well as fields. Salesforce uses probabilistic encryption with 256-bit AES. According to Salesforce, the following data can be stored in the cloud with platform encryption:

Files & Attachments:

  • Attached to feeds
  • Attached to records
  • Documents in libraries, content, and files applications
  • Data handled by Salesforce Files Sync
  • Email attachments, notes, etc.

Standard Fields

On the Account object:

  • Account name, description, and website

On the Contact object:

  • Email, mailing address, description, etc.
  • First name, middle name, and last name
  • Home phone, phone, mobile phone, and other phone

Custom Fields:

  • Email, text, text area, URL, and phone

On the Case object and case comments:

  • Subject, description, and body
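Platform encryption is only as safe as the handling of its keys, and the post's later practices 13 to 15 (rotate the secret, re-encrypt data held under older keys, and never destroy a key while data still depends on it) describe a lifecycle that is easy to get wrong. The following added example, written for this post and not code from Salesforce, models that lifecycle: records carry the version of the key that encrypted them, rotation creates a new version, re-encryption moves stale records to the active version, and destruction is refused while any record still references the key. The cipher is an HMAC-SHA256 counter-mode keystream used purely as a stand-in for the platform's AES-256 (an assumption for the example; it is unauthenticated and not a replacement for a vetted AES library), and the class and method names are hypothetical.

```python
import hashlib
import hmac
import os


def keystream_xor(key, nonce, data):
    """Stand-in for the platform's AES-256 (assumption for this example only):
    an HMAC-SHA256 counter-mode keystream XORed over the data. Encrypt and
    decrypt are the same operation. Use a vetted AES library in real code."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class TenantSecretStore:
    """Hypothetical key-lifecycle manager: one 256-bit key per secret version."""

    def __init__(self):
        self.keys = {}      # version -> 32-byte key, or None once destroyed
        self.active = None  # version used for all new encryptions

    def rotate(self):
        """Practice 13: a new secret yields a new key and becomes the active version."""
        version = (self.active or 0) + 1
        self.keys[version] = os.urandom(32)
        self.active = version
        return version

    def encrypt(self, plaintext):
        """Every record remembers which key version protected it."""
        nonce = os.urandom(16)
        return {"key_version": self.active, "nonce": nonce,
                "ciphertext": keystream_xor(self.keys[self.active], nonce, plaintext)}

    def decrypt(self, record):
        key = self.keys.get(record["key_version"])
        if key is None:
            raise KeyError(f"key version {record['key_version']} is unknown or destroyed; "
                           "the data is unrecoverable")
        return keystream_xor(key, record["nonce"], record["ciphertext"])

    def reencrypt_stale(self, records):
        """Practice 14: move anything held under an older version to the active key."""
        return [self.encrypt(self.decrypt(r)) if r["key_version"] != self.active else r
                for r in records]

    def destroy(self, version, records):
        """Practice 15: refuse to destroy a key that live records still depend on."""
        if version == self.active:
            raise ValueError("cannot destroy the active key; rotate first")
        dependants = [r for r in records if r["key_version"] == version]
        if dependants:
            raise RuntimeError(f"{len(dependants)} record(s) still encrypted with version "
                               f"{version}; re-encrypt them before destroying the key")
        self.keys[version] = None


def lifecycle_demo():
    """Walk through rotate -> re-encrypt -> destroy and report what happened."""
    store = TenantSecretStore()
    v1 = store.rotate()
    records = [store.encrypt(b"SSN 000-00-0000"), store.encrypt(b"diagnosis: none")]
    v2 = store.rotate()
    try:                       # premature destruction must be refused
        store.destroy(v1, records)
        destroy_refused = False
    except RuntimeError:
        destroy_refused = True
    fresh = store.reencrypt_stale(records)
    store.destroy(v1, fresh)   # now safe: nothing references v1 any more
    try:                       # the old copies are unreadable once v1 is gone
        store.decrypt(records[0])
        old_readable = True
    except KeyError:
        old_readable = False
    return {
        "versions": (v1, v2),
        "destroy_refused_while_in_use": destroy_refused,
        "all_on_active_key": all(r["key_version"] == v2 for r in fresh),
        "fresh_plaintexts": [store.decrypt(r) for r in fresh],
        "old_copies_readable": old_readable,
    }


if __name__ == "__main__":
    for k, v in lifecycle_demo().items():
        print(f"{k}: {v}")
```

The point the demo makes is the ordering: re-encryption must complete before the old version is destroyed, because a record whose key version no longer exists cannot be recovered by anyone, including the administrator who destroyed it.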

Top 17 Experts Recommended Salesforce Security Best Practices

The following points cover the practices that cloud data security experts recommend for protecting data in Salesforce:

1. Enable multi-factor authentication for all end users. This reduces the risk of unauthorized access.

2. As a safeguard against compromised tenants, enable IP restrictions for user logins.

3. Require passwords that combine lowercase letters, uppercase letters, symbols, and numbers. The minimum password length should be 8 characters.

4. Define a specific, as-restrictive-as-possible set of rules for sharing documents among employees. Administrators can use criteria-based sharing rules, role hierarchies, permission sets, and similar controls to enforce this practice.

5. Force users to log in again after a session timeout, but also show a warning message before the session expires.

6. For password resets, enable the option that obscures the secret answer as it is typed.

7. Limit incorrect login attempts to a maximum of 5.

8. Disable caching and autocomplete on the login page.

9. Keep the session timeout as short as possible without weakening Salesforce security.

10. Expire user account passwords 90 days after they are set.

11. The password must not contain the word “password”.

12. Enforce a password history so that a password cannot be reused within the next 5 password changes.

13. When using platform encryption, periodically create a new account (tenant) secret, which in turn generates a new encryption key.

14. If you still have data encrypted with older keys, re-encrypt it with the current key.

15. Before a key is destroyed, make sure that any data encrypted with it has been decrypted or re-encrypted, since data encrypted with a destroyed key can no longer be read.

16. Make sure that every device used to access the Salesforce account runs anti-malware software, a current web browser version, and an up-to-date operating system.

17. Enable clickjack protection for:

  • Setup and non-setup Salesforce pages
  • Customer Visualforce pages with the standard headers
  • Customer Visualforce pages with the headers disabled
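Practices 3, 10, 11, and 12 together describe one password policy: complexity and minimum length, a 90-day lifetime, no "password" in the text, and no reuse across the last 5 changes. The following added example (written for this post, not code from Salesforce or CloudCodes) implements that policy as it would be enforced at the moment a user changes their password. The history is kept as salted PBKDF2 hashes rather than plaintext, so a stored history never leaks old passwords; the sample history, the candidate passwords, and the function names are all constructed for the example.

```python
import hashlib
import hmac
import os
import re
from datetime import date

MIN_LENGTH = 8         # practice 3
MAX_AGE_DAYS = 90      # practice 10
HISTORY_DEPTH = 5      # practice 12
PBKDF2_ROUNDS = 100_000


def complexity_problems(password):
    """List the ways a candidate violates practices 3 and 11; an empty list means it passes."""
    checks = [
        (len(password) >= MIN_LENGTH, f"shorter than {MIN_LENGTH} characters"),
        (re.search(r"[a-z]", password) is not None, "no lowercase letter"),
        (re.search(r"[A-Z]", password) is not None, "no uppercase letter"),
        (re.search(r"[0-9]", password) is not None, "no digit"),
        (re.search(r"[^A-Za-z0-9]", password) is not None, "no symbol"),
        ("password" not in password.lower(), 'contains the word "password"'),
    ]
    return [message for ok, message in checks if not ok]


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the history stores only (salt, digest) pairs."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def reused_from_history(password, history, depth=HISTORY_DEPTH):
    """True if the candidate matches any of the `depth` most recent entries.

    `history` is a list of (salt, digest) pairs, newest first. Each entry has
    its own salt, so the candidate is re-hashed per entry and compared in
    constant time.
    """
    for salt, digest in history[:depth]:
        _, candidate_digest = hash_password(password, salt)
        if hmac.compare_digest(candidate_digest, digest):
            return True
    return False


def password_expired(set_on, today, max_age_days=MAX_AGE_DAYS):
    """Practice 10: a password set `max_age_days` or more days ago must be changed."""
    return (today - set_on).days >= max_age_days


def evaluate_change(candidate, history):
    """All problems with a proposed new password; empty list means accept it."""
    problems = complexity_problems(candidate)
    if reused_from_history(candidate, history):
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    return problems


# Constructed example history for one user, newest first (six earlier passwords,
# so the oldest one falls outside the 5-entry window the policy remembers).
SAMPLE_HISTORY = [hash_password(p) for p in [
    "Spring#2018", "Winter#2017", "Autumn#2017",
    "Summer#2017", "Spring#2017", "Winter#2016",
]]


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3", "MyPassword#2018", "Spring#2017", "Winter#2016"]:
        print(candidate, "->", evaluate_change(candidate, SAMPLE_HISTORY) or "accepted")
    print("expired:", password_expired(date(2018, 1, 1), date(2018, 4, 1)))
```

Note that "Winter#2016" is accepted even though the user once had it: it is the sixth most recent password and the policy as stated only blocks the last five. Extending HISTORY_DEPTH is a one-line change if a stricter rule is wanted.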

CloudCodes For Salesforce Security

Things get messy for an administrator when a bundle of responsibilities lands on them. That is why CloudCodes has taken on the duty of providing Salesforce security best practices. We understand the fear organizations feel when they adopt a cloud platform, which is why we provide a single dashboard for managing multiple activities in one place. CloudCodes provides security practices such as access control, Single Sign-On, and Shadow IT management, along with 24*7 assistance whenever it is needed.