When it comes to your Salesforce Org’s security let’s think of it as a fort
Your CRM contains a lot of important (and/or sensitive) data. By using Salesforce you are equipped with tools and resources for managing security, but don’t get complacent. Remember it’s as much your responsibility as it is Salesforce’s to always keep your guard up and your data secure.
When it comes to your Salesforce Org’s security, let’s think of it as a fort and the defense needs to be at two levels:
- The Defensive wall around your Fort: for external intruders.
- The Internal security of your Fort: for preventing trespassers.
The Defensive wall around your Fort
This wall is your primary protection against external intruders and eliminates most of your external risk, so it needs to be strong, reliable and unbreachable.
To achieve this with your Salesforce Org, we can use the following tools or features:
- Enabling MFA (Multi-Factor Authentication)
- Performing frequent Security Health Checks
- Enforcing Login IP Ranges where feasible
- Enabling My Domain
- Decreasing Session Timeout thresholds
- Securing external API access with Connected Apps, SSL certificates and secure credential management such as key management
- Implementing threat detection capabilities such as Salesforce Shield or Salesforce Event Monitoring
The Internal security of your Fort
It’s very important that users only have access to the information they need to do their jobs. A user should not be able to read, and in the worst case update or delete, information they shouldn’t have access to.
To achieve this for your Salesforce Org, we can use the following tools or features:
- Restricting Org-Wide defaults (following Principle of Least Privilege)
- Using carefully crafted Profiles, Permission Sets and Permission Set Groups
- Ensuring Custom Code respects best practices, sharing and field level security
- Implementing advanced security features such as Salesforce Shield Platform Encryption, Real-Time Event Monitoring, Field Audit Trail, etc.
- Auditing and Logging
- Last but not least, if your Salesforce Org is highly customised and uses custom front-end technology, make sure it is protected from Cross-Site Scripting attacks and SOQL injection and follows the best practices and guidelines suggested by OWASP (Open Web Application Security Project)
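To make the custom-code points concrete, here is an added Apex example (not code from the original post) showing a SOQL-injection-prone query next to two hardened forms that also respect sharing and field-level security. The class and method names are hypothetical.

```apex
// Added example, not from the original post. Class and method names are hypothetical.
// "with sharing" makes every query in the class honour the running user's record-level sharing.
public with sharing class AccountSearch {

    // VULNERABLE: the caller's input is concatenated straight into the query string.
    // A single quote in the input ends the string literal and lets the rest of the
    // input rewrite the WHERE clause, so the query can return records it never should.
    public static List<Account> searchUnsafe(String nameFragment) {
        String soql = 'SELECT Id, Name, AnnualRevenue FROM Account '
                    + 'WHERE Name LIKE \'%' + nameFragment + '%\'';
        return Database.query(soql);
    }

    // HARDENED (preferred): a bind variable is never parsed as SOQL, so the input can
    // only be matched as literal text. WITH SECURITY_ENFORCED makes the query throw
    // if the running user lacks read access to any listed object or field.
    public static List<Account> searchSafe(String nameFragment) {
        String pattern = '%' + nameFragment + '%';
        return [SELECT Id, Name, AnnualRevenue
                FROM Account
                WHERE Name LIKE :pattern
                WITH SECURITY_ENFORCED];
    }

    // HARDENED (dynamic SOQL): when the query must be built at run time, escape the
    // user-supplied value, allow-list any identifier spliced into the query, and strip
    // fields the user cannot read instead of trusting the raw result.
    public static List<Account> searchDynamic(String nameFragment, String orderByField) {
        // Never splice an arbitrary identifier into SOQL; escaping does not cover identifiers.
        Set<String> allowedSort = new Set<String>{ 'Name', 'AnnualRevenue' };
        String sortField = allowedSort.contains(orderByField) ? orderByField : 'Name';
        String escaped = String.escapeSingleQuotes(nameFragment);
        String soql = 'SELECT Id, Name, AnnualRevenue FROM Account '
                    + 'WHERE Name LIKE \'%' + escaped + '%\' ORDER BY ' + sortField;
        List<Account> rows = Database.query(soql);
        // Field-level security: drop any field the running user is not allowed to read.
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        return decision.getRecords();
    }
}
```

The first method is what a security review should flag; the other two are the shapes to refactor towards, with the static-SOQL bind variable being the simplest and safest.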
What else should be done
While the above are tools for protecting against threats, you should also have backups for a doomsday scenario. They ensure minimum disruption to the business in the worst case and can be achieved using:
- Version control and build process for your Org’s Metadata.
- Data Backup and Recovery strategy for your Org’s data.