Security Basics

Understand Security Risk

• Secure Employee Behavior Is Equally as Important as Secure Technology
  • Phishing attacks target people, not technology
  • Hackers look to the weakest point in the network - often human error
• Intruders Exploit Human Behaviors
  • Criminals have learned they can exploit typical human feelings like curiosity and the desire to please to steal credentials
  • Other typical human feelings that can be exploited: Fear, Trust, Morality, Reward, Conformity, Curiosity
• Spot Basic Attack Methods
  • Phishing - attempting to acquire sensitive information by masquerading as a trustworthy entity
  • Malware - tricking users into downloading malicious software intended to access, damage, or control a device or network. Often delivered through phishing email.
  • Social Engineering - manipulating people into taking action or revealing confidential information
  • Exploiting Public Information
  • Tailgating - gaining access to a secured area by following a legitimate badge holder or persuading someone to let them in
  • Eavesdropping - listening in on private conversations
  • Dumpster Diving - collecting sensitive info from trash that was not appropriate destroyed
  • Installing Rogue Devices - gaining access to a secure network by installing a wireless router or USB thumb drive containing malicious software

Educate Your Users to Help Protect Your Org

• Users Have Access to Valuable Data
  • Employees who have access to sensitive data, like financial records or healthcare data, are valuable targets for hackers
  • Individual users play a critical role in keeping your data secure
  • Most valuable asset a company can possess is customer trust
• Pay Attention to Passwords
  • Passwords are first line of defense against unauthorized access to Salesforce
  • To increase protection of user accounts, Salesforce asks customers to use MFA - multi-factor authentication
  • Not all platforms offer MFA, so at a minimum, set password history, length, and complexity requirements to enhance password security:
    • Use unique passwords on each website
    • Use complex passwords - at least 10 characters, ideally a passphrase with at least one number and one character
    • Change passwords annually
    • Keep passwords to yourself
    • Use a password manager, like LastPass or 1Password
• Don’t Get Fooled by Phishing
  • Look up the subject or sender’s email using a search engine - other sources may have reported it to be a phishing attempt
  • Consider the source and verify links before clicking - check the url the link is actually sending you to before clicking it
  • Check with Salesforce or your company’s IT or cybersecurity team - they will likely need the email headers
• Involve Your Users in Security
  • The Salesforce Security team has determined that people who have taken security training are half as likely to click on phishing links, and twice as likely to report them, compared to untrained employees
• Dole Out Rights Sparingly
  • Principle of least privilege - provide users with the minimum access they need to do their job
  • Strong best practice is to limit the number of users with admin rights (generally no more than five) and check periodically to make sure they still need administrator permissions

Secure Your Remote Workplace

• Stay Vigilant at Home
  • Look out for phishing attacks that target people working at home
    • Use a VPN, virtual private network, to make your internet connection more secure
    • Secure your virtual meetings - use waiting rooms, screen sharing permissions, disable file transfer and recordings, etc
    • Secure your background - make sure your meeting window does not give away details about your home, family, or business. Best way is to use the blur feature or background screen image.
    • Secure your call - use headphones to minimize what others can hear
    • Secure your physical workspace - use a privacy screen on your computer
    • Back up your data - ideally to the cloud
    • Keep devices patched - rebooting regularly helps devices stay up to date with the latest versions of software and browsers

Choose the Right Salesforce Security Settings

• Layers of Security
  • Salesforce layers many security controls together, so that if one fails another will be in place to protect assets
• Admins are Key Security Team Members
  • It’s a Salesforce Admin’s responsibility to utilize available security controls, follow Salesforce’s security guidance, keep track of users, and make sure they have the right amount of access within Salesforce
  • Admins can activate features built-in to the platform to make the experience as secure as possible
• Multitenancy
  • Salesforce if a multitenant platform - it uses a single pool of computing resources to service the needs of many different customers
  • Salesforce protects your org’s data from all other customer orgs by using a unique identifier that is associated with each user’s session - subsequent requests are associated with your org using this identifier
  • TLS, Transport Layer Security, technology protects your information using both server authentication and classic encryption, ensuring your data is safe, secure, and available only to registered users in your org
• Use MFA to Keep Attackers Out
  • MFA is one of the easiest, most effective ways to help prevent unauthorized account access and safeguard your data
  • MFA means users respond to a notification from the Salesforce Authenticator mobile app or enter a code they get from a security token
• Restrict IP addresses Users can Log In From
  • Admins can require users to log in to Salesforce from an IP address that falls within an approved range
  • This restriction can apply to the whole org or just specific user profiles
• Deactivate Former Users
  • When a user no longer works for the company, it is the admin’s responsibility to promptly remove their access to Salesforce
• Limit What Users Can Do
  • Several layers of access and control determine “who sees what” and “who can do what” in a Salesforce org
  • Admins can also restrict access to certain resources based on the level of security associated with the login method - each login method has one of two security levels: standard or high assurance
    • Admins can define policies whereby certain specified resources are only available to users with high assurance level
• See What They’ve Already Done
  • “Field Audit Trail” lets you define a policy to retain archived field history data for 10 years, independent of field history tracking
    • This feature helps you comply with industry regulations related to audit capability and data retention
  • Setup audit trail history tracks recent changes that you and other admins have made to your org - this can be especially useful in organizations with multiple administrators
• Even More Security Options
  • Encrypt Your Data
    • Platform Encryption is part of the “Salesforce Shield” add-on - it gives your data a whole new layer of security
    • Selected data is encrypted at rest using an advanced key derivation system
    • This protects data at a more granular level, so your company can confidently comply with privacy policies, regulatory requirements, and contractual obligations for handling private data
  • Trigger Automatic Actions on Security Events
    • Transaction Security policies evaluate activity using events you specify
    • This can specify real-time actions, such as automatic notifications, blocks to stop specific operations, or options to end a session
    • Ex: suppose your business requires that employees use Salesforce to view reports and export data. For security purposes, you want to ensure they’re not export large amounts of data - you can use Transaction Security’s Condition Builder to create a custom policy that blocks report exports when they include a larger volume of records than you allow.
  • Monitor Events in your Org
    • Events Monitoring allows you to access event log files to track user activity, feature adoption, and troubleshoot issues - it also helps you detect any anomalies in your implementation that could indicate security risks like a data leak
    • You can also integrate the data log with your own data analysis tool

Use Health Check to Scan Your Security Configurations

• Dashboard to Assess Your Security Settings
  • “Health Check” dashboard is available in Setup - use it to improve your org’s overall security and improve your score with one click
  • Score from 0-100 shows how “healthy” your org’s security is
  • Compares “Your Value” to Salesforce’s recommended setting, “Standard Value”
  • Typically, making settings more restrictive increases your score
• Identify and Fix Security Risks in your Org
  • Setup > Quick Find > “Health Check” > Health Check
  • For each setting, you can click “Edit” to take you to the page where you can adjust the setting to the standard value
  • May be best to change some of these items in a Sandbox first - some of these changes may affect something unintended like an integration or accidentally remove access for some users
• Custom Baselines
  • By default, Health Check is set up to measure your org’s security against the Salesforce baseline, but its possible to customize it by importing an XML file
  • This can be useful for an admin who works in a highly regulated industry, like healthcare or finance, and has to meet strict compliance requirements that differ from the security industry standard
• View Security Across Multiple Orgs
  • If you run a Salesforce environment with multiple orgs, you can use Health Check across all of your orgs with Salesforce’s “Security Center”
  • This tool is an add-on, not available out of the box like Health Check, but has deeper capabilities
  • Security Center also provides insights to admins like how many users are using MFA and which users have admin-level permissions
    • Salesforce Optimizer also includes some of these capabilities