1. Configure Network Based Security
When it comes to network-based security, there are a couple of ways I recommend you configure your IP settings to increase the security of your instance.
Org-wide configuration:
Make sure you configure a trusted IP range for your organization. A trusted IP range is a list of IP addresses that controls login access for your whole organization. Trusted IP range is typically used to “Allowlist” IPs at the organization level. Once you set up a trusted IP range, users that login outside of that range are challenged to verify their identity to access Salesforce through an activation.
Example:
Let’s say one of your employees goes to Starbucks regularly to do work. Starbucks is outside of the trusted IP range. Which means when they try and login into Salesforce, they will be asked to verify their identity and then allowed into Salesforce. If that public IP is not removed from Salesforce. The next time that person goes to Starbucks, it will not ask that user to verify their identity.
How do prevent this?
Salesforce documents every browser activation. As an Admin, a best practice is to report on these activations on a weekly, monthly, or quarterly basis so you can eliminate any public IPs.
User-based Login Configuration:
Configuring Login IP is controlled on the user level. As an Admin you can specify a range of allowed IP addresses on a user’s profile.
Example:
At your organization let’s say Suzy works as a developer and Tim works as an Account Executive. Suzy isn’t client facing and does the majority of her work at the office. Tim, on the other hand, is constantly on the road meeting with clients. As an Admin you can configure different Login IP ranges for both Suzy and Tim based on what Profile they are assigned to. This adds an extra layer of security at the profile level.
2. Restrict Employees From Exporting Salesforce Data
Another important part of securing your Salesforce instance is to ensure users are not exporting data from your organization. Unfortunately, there is no way to completely block users from exporting data without blocking their access to that data. The best approach is to add friction to employees attempting to export data.
You can add friction to stop users from exporting data by disabling:
- Printable view
- Report export permission
- Allowlisting Apps (formerly Whitelisting Apps)
Disable Print Screen
Let’s look at an example to understand why disabling print screen is important.
Example:
Codey is a salesperson at your organization and he’s just taken a position at another company. Before he leaves, he wants to take all of his new leads with him. If “Print Screen” is enabled he can print the List View of a 1,000 records at a time and take the hard copies with him. This is a quick way to steal data from Salesforce. Also, there is no registry of that activity in the Audit Trail so an Admin can’t flag that a user has done this.
By disabling “Print Screen” users cannot print list views of a 1,000 records at a time. Instead, they’ll be forced to screenshot each individual screen at a time. It’s not a perfect solution, but it does add a considerable amount of effort on the user’s end.
Disable Export Report
A very powerful Salesforce feature is the ability exports reports in a CSV format straight from your instance. While I recommend you leverage this feature, you also have to ensure that only the right users have access to this.
For the most secure instance, you should configure who can export data as a permission set. Some organizations enable this on the Profile level but this leaves your organization vulnerable. Because this feature is so powerful, you should control this on the permission set level. Â As an Admin, it is important you know exactly which users have this permission so you can quickly remove it, if necessary.
Connected Apps – Allowlisting
Lastly, let’s talk about enabling “Allowlisting” (formerly Whitelisting) in your Salesforce instance. Let’s use Codey as an example again. Say Codey is also trying to use Data Loader to access his Salesforce instance to steal data. You can restrict users from accessing connected Apps by enabling “Allowlisting” in your Salesforce Org. By enabling the Allowlisting feature in Salesforce, all connected apps can only be accessible by Admins. Then, you can extend access to users via profiles or permission sets.
3. Two-factor Authentication
Setting up two-factor authentication is another simple way to increase the level of security of your instance. In Salesforce you can enable two-factor authentication on a profile level or a permission set level. I recommend you have users download and install Salesforce authenticator on their mobile phones.
Interface Logins
There are two categories of two-factor authentication in Salesforce. The most basic one is to enable two-factor authentication for user interface logins. This type of two-factor authentication everyone is familiar with. When a user tries to access Salesforce from a web browser, after they input their username and password, they will get an alert on their mobile phone that needs to be approved to complete the login process. Alternatively, they will be texted a code that they have to input into their web browser.
Reports
Salesforce also enables two-factor authentication to protect access to reports. In Setup, you can “Raise the session level to High Assurance” which will force users trying to access reports to authenticate. You can also enable “Raise the Session to High Assurance” only when exporting or printing reports. If you enable this, users will only be forced to verify two-factor authentication when they try to export a data or access certain reports.
4. Tracking Login History
Tracking login history is another easy way to increase the security of your instance as an Admin. Salesforce even provides a standard report in its out of the box functionality called “New Login Location Report”. Which means even when the Salesforce Admin is on vacation, other users in the organization can subscribe to this report.
Example: Â
Astro is the Salesforce Admin at an org where Codey is a salesperson. As we know, Codey just got another job, and he’ll be leaving soon. Codey keeps trying to sneak into Salesforce from a public network to download records. What Codey doesn’t know is, Astro can download Login history and see that Codey is trying to log in from an unknown IP. Astro can also see if Codey is using an application like workbench, Browser, Dataloader, etc.
5. Why you Should Enable Single Sign-on
Enabling single sign-on makes life easier for every end user but also your organization. Single sign-on is a secure method that helps your organization achieve the following:
Increased Adoption
By making it easier for users to be logged into every platform, you decrease frustration and increase adoption. A great example of this is, users can send email messages that contain links to information in Salesforce, such as records and reports. When the recipient of the email message clicks the links, the corresponding Salesforce page opens.
Single Logout
Single sign-on also means single logout. With single logout, when users log out from one application and are automatically logged out from other applications they are using. This leads to enhanced security.
Reduced Helpdesk Costs
Fewer help desk calls for password resets translates directly to bottom-line savings.
Improved Productivity
It takes an average of 20 seconds for a user to log into a platform. Not having to enter a password each time a user needs to access a platform saves time and makes users more productive.
Resources:
If you’re looking to learn more about Salesforce security, Trailhead is an incredible free resource that I strongly suggest you use. I specifically recommend these three modules:
Wrap Up:
Have more questions about security? Get in touch today. I love chatting with other Salesforce Admins and Developers about their challenges.
Download the Salesforce Security: Admin Checklist Presentation deck from Dreamforce 2018 here: bit.ly/securitychecklistdf18