All SaaS applications come with their own security measures. However, a security feature is only as strong as the way it is configured and used. This is where adherence to best practices helps.
Here are 10 best practices that companies deploying Salesforce should adopt to protect their information -
1. Set strong password policies
There are 3 essentials of a strong password security policy -
2. Enable Multi-Factor Authentication (MFA) for all users
This reduces the risk of unauthorized access. MFA adds another layer of identity verification when a user attempts to log in: the first factor is the username and password, and the second factor is a verification code. The code can be validated using an authenticator app (on the phone) or by typing in the security key shared over email.
3. Limit session time
Users sometimes do not log off and leave their computers unattended. Automatically closing sessions that have been inactive for a period of time minimizes the risk of unauthorized access. The Salesforce default timeout is 2 hours, but you can set it to a shorter duration such as 30 minutes.
4. Enable Salesforce Shield
Salesforce Shield is a family of 3 add-on tools -
5. Run Health Check periodically
This helps you identify and fix potential weaknesses in your security settings. You can monitor the strength of your security policies by comparing your security score against a baseline standard (the Salesforce Baseline Standard).
6. Restrict application login based on IP range
This forces users to log in to Salesforce only from a pool of specified IP addresses. Administrators define the range of permitted IP addresses, and any login attempt from an address outside that range is denied.
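The check below is an added example (not code from the original article or from Salesforce) of how an administrator can verify that the login IP restriction is actually in effect: it takes the permitted ranges in the start/end form used for Login IP Ranges, reads a few constructed login-history rows of the kind shown in Setup > Login History, and reports successful logins from addresses outside the ranges. The range values, user names and rows are all constructed for the example; the RFC 5737 addresses are placeholders.

```python
import ipaddress

# Constructed sample: permitted Login IP Ranges as an admin would enter them
# on a profile (start address, end address). RFC 5737 documentation addresses.
PERMITTED_RANGES = [
    ("203.0.113.10", "203.0.113.50"),
    ("198.51.100.0", "198.51.100.255"),
]

# Constructed login-history rows, roughly the columns of Setup > Login History
# (user, source IP, status). Only "Success" rows matter for this audit.
LOGIN_HISTORY = [
    {"user": "alice@example.com", "source_ip": "203.0.113.20", "status": "Success"},
    {"user": "bob@example.com",   "source_ip": "192.0.2.7",    "status": "Success"},
    {"user": "carol@example.com", "source_ip": "198.51.100.44", "status": "Success"},
    {"user": "dave@example.com",  "source_ip": "192.0.2.9",    "status": "Restricted IP"},
]


def compile_ranges(ranges):
    """Turn (start, end) address strings into (version, lo, hi) integer tuples.

    Rejects ranges that mix IPv4 and IPv6 or whose start is above the end,
    which are the two data-entry mistakes that silently break a range.
    """
    compiled = []
    for start, end in ranges:
        lo = ipaddress.ip_address(start)
        hi = ipaddress.ip_address(end)
        if lo.version != hi.version:
            raise ValueError(f"range {start}-{end} mixes IPv4 and IPv6")
        if int(lo) > int(hi):
            raise ValueError(f"range start {start} is above end {end}")
        compiled.append((lo.version, int(lo), int(hi)))
    return compiled


def ip_permitted(ip, compiled_ranges):
    """True if `ip` falls inside any compiled range of the same IP version."""
    addr = ipaddress.ip_address(ip)
    return any(
        version == addr.version and lo <= int(addr) <= hi
        for version, lo, hi in compiled_ranges
    )


def audit_logins(history, ranges):
    """Return successful logins whose source address is outside the ranges.

    Each returned row is worth investigating: a successful login from an
    unlisted address means the restriction is not applied to that user's
    profile, or the permitted address list is out of date.
    """
    compiled = compile_ranges(ranges)
    return [
        row for row in history
        if row["status"] == "Success" and not ip_permitted(row["source_ip"], compiled)
    ]


if __name__ == "__main__":
    for row in audit_logins(LOGIN_HISTORY, PERMITTED_RANGES):
        print(f"unexpected successful login: {row['user']} from {row['source_ip']}")
```

Denied attempts (status "Restricted IP") are deliberately left out of the result: they show the control working. The rows that matter are the successes from outside the list, since those are the users or profiles the restriction is not covering.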
7. Set up Field Audit Trail
Field Audit Trail lets you track changes on a variety of standard and custom objects (up to 60 objects and 20 fields per object) and helps enforce stringent audit requirements for your Salesforce org.
8. Configure object-level security
You can specify the base-level access to create, read, edit, and delete records for each object. Object permissions are managed using permission sets and profiles.
9. Set field-level security
You can control which user profiles can view, edit, and save information in specific fields within your org.
10. Define record-level access rules
You can manage record permissions through the organization-wide sharing settings, by defining role hierarchies, and by creating sharing rules. Together these determine which records a user can access.
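The model below is an added example, not code from the original article or from Salesforce, that works through how the three record-level controls named above combine: the org-wide default (OWD) sets the baseline, the role hierarchy lets users above the owner's role see the owner's records (it assumes the "Grant Access Using Hierarchies" behaviour is on), and a criteria-based sharing rule opens records to an additional role. The roles, users, records, the `region` field and the rule are all constructed for the example, and the logic is a simplification of Salesforce's sharing model for read access only.

```python
from dataclasses import dataclass

# Constructed role hierarchy: child role -> parent role; None marks the top.
ROLE_PARENT = {
    "VP Sales": None,
    "Sales Manager": "VP Sales",
    "Sales Rep East": "Sales Manager",
    "Sales Rep West": "Sales Manager",
}

OWD_OPTIONS = ("Private", "Public Read Only", "Public Read/Write")


@dataclass(frozen=True)
class User:
    name: str
    role: str


@dataclass(frozen=True)
class Record:
    record_id: str
    owner: User
    region: str  # constructed field used by the criteria-based sharing rule


@dataclass(frozen=True)
class SharingRule:
    """Criteria-based rule: records whose `field` equals `value` are readable
    by every user whose role is `share_with_role`."""
    field: str
    value: str
    share_with_role: str


def is_above(role_a, role_b):
    """True if role_a sits anywhere above role_b in the role hierarchy."""
    parent = ROLE_PARENT.get(role_b)
    while parent is not None:
        if parent == role_a:
            return True
        parent = ROLE_PARENT.get(parent)
    return False


def can_read(user, record, owd, sharing_rules=()):
    """Simplified Salesforce record-level read check, evaluated in the order
    the platform grants access: owner, org-wide default, hierarchy, rules."""
    if owd not in OWD_OPTIONS:
        raise ValueError(f"unknown org-wide default: {owd}")
    # 1. The record owner always has access.
    if record.owner == user:
        return True
    # 2. A public org-wide default opens the record to every user.
    if owd in ("Public Read Only", "Public Read/Write"):
        return True
    # 3. Role hierarchy: users above the owner's role inherit the owner's access
    #    (assumes "Grant Access Using Hierarchies" is enabled).
    if is_above(user.role, record.owner.role):
        return True
    # 4. Sharing rules extend access beyond the default for matching records.
    for rule in sharing_rules:
        if getattr(record, rule.field, None) == rule.value and rule.share_with_role == user.role:
            return True
    return False


def readable_records(user, records, owd, sharing_rules=()):
    """IDs of the records `user` can read under the given OWD and rules."""
    return [r.record_id for r in records if can_read(user, r, owd, sharing_rules)]


# Constructed sample data.
ALICE = User("alice", "Sales Rep East")
BOB = User("bob", "Sales Rep West")
MANAGER = User("meg", "Sales Manager")
RECORDS = [
    Record("A-1", ALICE, "East"),
    Record("A-2", BOB, "West"),
]
# Share East-region records with the West reps.
EAST_TO_WEST = SharingRule("region", "East", "Sales Rep West")

if __name__ == "__main__":
    print(readable_records(BOB, RECORDS, "Private"))                  # ['A-2']
    print(readable_records(BOB, RECORDS, "Private", [EAST_TO_WEST]))  # ['A-1', 'A-2']
    print(readable_records(MANAGER, RECORDS, "Private"))              # ['A-1', 'A-2']
```

Running it with a Private default shows why the order of the controls matters when you review access: the manager sees both records purely through the hierarchy, and Bob only gains the East record once the sharing rule is added. Tightening the OWD is what actually restricts access; hierarchy and sharing rules can only widen it.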
And all this needs to be done on a regular basis. It is NOT a one-time exercise!
Please keep in mind that protecting your data is the joint responsibility between you and Salesforce. Salesforce empowers you with a lot of security tools. You need to be vigilant and diligent enough to apply them.
Over-configuring security rules can hurt user productivity, so you need to tread the fine line between maintaining the sanctity of your data and enabling users to work efficiently.
Just in case you are a bit paranoid about the security of your information within the Salesforce environment, we at SK have a specialized service for enhancing Salesforce security.