SF-Admin-Checklist-2018

Salesforce Security: Admin Checklist

The following post was written by Prag Ravichandran Kamalaveni, Salesforce Practice Lead at CloudKettle. Prag is an experienced consultant and an avid supporter of the Salesforce community. In addition to being a 6X Salesforce certified consultant, he has helped more than 250 people become certified as either Salesforce Administrators or Developers. Prag, was selected to speak at Dreamforce 2018. In this blog post, we’ll be sharing an overview of Prag’s presentation: Salesforce Security: Admin Checklist. 
As a Salesforce Administrator, security should be a top priority. Here are the top five ways you can mitigate security risks as a Salesforce Administrator.

1. Configure Network Based Security

When it comes to network-based security, there are a couple of ways I recommend you configure your IP settings to increase the security of your instance.

Org-wide configuration:

Make sure you configure a trusted IP range for your organization. A trusted IP range is a list of IP addresses that controls login access for your whole organization. Trusted IP range is typically used to “Allowlist” IPs at the organization level. Once you set up a trusted IP range, users that login outside of that range are challenged to verify their identity to access Salesforce through an activation.

Example:

Let’s say one of your employees goes to Starbucks regularly to do work. Starbucks is outside of the trusted IP range. Which means when they try and login into Salesforce, they will be asked to verify their identity and then allowed into Salesforce. If that public IP is not removed from Salesforce. The next time that person goes to Starbucks, it will not ask that user to verify their identity.

How do prevent this?

Salesforce documents every browser activation. As an Admin, a best practice is to report on these activations on a weekly, monthly, or quarterly basis so you can eliminate any public IPs.

User-based Login Configuration:

Configuring Login IP is controlled on the user level. As an Admin you can specify a range of allowed IP addresses on a user’s profile.

Example:

At your organization let’s say Suzy works as a developer and Tim works as an Account Executive. Suzy isn’t client facing and does the majority of her work at the office. Tim, on the other hand, is constantly on the road meeting with clients. As an Admin you can configure different Login IP ranges for both Suzy and Tim based on what Profile they are assigned to. This adds an extra layer of security at the profile level.

2. Restrict Employees From Exporting Salesforce Data

Another important part of securing your Salesforce instance is to ensure users are not exporting data from your organization. Unfortunately, there is no way to completely block users from exporting data without blocking their access to that data. The best approach is to add friction to employees attempting to export data.

You can add friction to stop users from exporting data by disabling:

Disable Print Screen

Let’s look at an example to understand why disabling print screen is important.

Example:

Codey is a salesperson at your organization and he’s just taken a position at another company. Before he leaves, he wants to take all of his new leads with him. If “Print Screen” is enabled he can print the List View of a 1,000 records at a time and take the hard copies with him. This is a quick way to steal data from Salesforce. Also, there is no registry of that activity in the Audit Trail so an Admin can’t flag that a user has done this.

By disabling “Print Screen” users cannot print list views of a 1,000 records at a time. Instead, they’ll be forced to screenshot each individual screen at a time. It’s not a perfect solution, but it does add a considerable amount of effort on the user’s end.

Disable Export Report

A very powerful Salesforce feature is the ability exports reports in a CSV format straight from your instance. While I recommend you leverage this feature, you also have to ensure that only the right users have access to this.

For the most secure instance, you should configure who can export data as a permission set. Some organizations enable this on the Profile level but this leaves your organization vulnerable. Because this feature is so powerful, you should control this on the permission set level.  As an Admin, it is important you know exactly which users have this permission so you can quickly remove it, if necessary.

Connected Apps – Allowlisting

Lastly, let’s talk about enabling “Allowlisting” (formerly Whitelisting) in your Salesforce instance. Let’s use Codey as an example again. Say Codey is also trying to use Data Loader to access his Salesforce instance to steal data. You can restrict users from accessing connected Apps by enabling “Allowlisting” in your Salesforce Org. By enabling the Allowlisting feature in Salesforce, all connected apps can only be accessible by Admins. Then, you can extend access to users via profiles or permission sets.

3. Two-factor Authentication

Setting up two-factor authentication is another simple way to increase the level of security of your instance. In Salesforce you can enable two-factor authentication on a profile level or a permission set level. I recommend you have users download and install Salesforce authenticator on their mobile phones.

Interface Logins

There are two categories of two-factor authentication in Salesforce. The most basic one is to enable two-factor authentication for user interface logins. This type of two-factor authentication everyone is familiar with. When a user tries to access Salesforce from a web browser, after they input their username and password, they will get an alert on their mobile phone that needs to be approved to complete the login process. Alternatively, they will be texted a code that they have to input into their web browser.

Reports

Salesforce also enables two-factor authentication to protect access to reports. In Setup, you can “Raise the session level to High Assurance” which will force users trying to access reports to authenticate. You can also enable “Raise the Session to High Assurance” only when exporting or printing reports. If you enable this, users will only be forced to verify two-factor authentication when they try to export a data or access certain reports.

4. Tracking Login History

Tracking login history is another easy way to increase the security of your instance as an Admin. Salesforce even provides a standard report in its out of the box functionality called “New Login Location Report”. Which means even when the Salesforce Admin is on vacation, other users in the organization can subscribe to this report.

Example:  

Astro is the Salesforce Admin at an org where Codey is a salesperson. As we know, Codey just got another job, and he’ll be leaving soon. Codey keeps trying to sneak into Salesforce from a public network to download records. What Codey doesn’t know is, Astro can download Login history and see that Codey is trying to log in from an unknown IP. Astro can also see if Codey is using an application like workbench, Browser, Dataloader, etc.

5. Why you Should Enable Single Sign-on

Enabling single sign-on makes life easier for every end user but also your organization. Single sign-on is a secure method that helps your organization achieve the following:

Increased Adoption

By making it easier for users to be logged into every platform, you decrease frustration and increase adoption. A great example of this is, users can send email messages that contain links to information in Salesforce, such as records and reports. When the recipient of the email message clicks the links, the corresponding Salesforce page opens.

Single Logout

Single sign-on also means single logout. With single logout, when users log out from one application and are automatically logged out from other applications they are using. This leads to enhanced security.

Reduced Helpdesk Costs

Fewer help desk calls for password resets translates directly to bottom-line savings.

Improved Productivity

It takes an average of 20 seconds for a user to log into a platform. Not having to enter a password each time a user needs to access a platform saves time and makes users more productive.

Resources:

If you’re looking to learn more about Salesforce security, Trailhead is an incredible free resource that I strongly suggest you use. I specifically recommend these three modules:

  1. User Authentication
  2. Data Security
  3. Security Basics

Wrap Up:

Have more questions about security? Get in touch today. I love chatting with other Salesforce Admins and Developers about their challenges.

Download the Salesforce Security: Admin Checklist Presentation deck from Dreamforce 2018 here: bit.ly/securitychecklistdf18

You may be interested in

Considerations Before Implementing Salesforce Financial Services Cloud

Announced in 2015, Financial Services Cloud (FSC) is a long-standing offering from Salesforce. Its platform goal is to empower Financial Institutions to build deeper 1-on-1 client relationships, be more productive, and engage with clients everywhere. The platform includes capabilities for managing interactions, the full client lifecycle, financial goals, and regulatory compliance. Financial Services Cloud is […]

Read More

How to Prevent Flows from Running in a Sandbox

Flows are very useful tools within Salesforce. However, there may be instances when you have a Flow that you do NOT want to run in a Sandbox. For example, maybe you have a Scheduled Triggered Flow that sends emails, or triggers an integration. Were this Flow to run in a sandbox you would see unwanted […]

Read More

Sign up for the latest tips & news from CloudKettle

Thank you for subscribing.