If you’ve been following along with our blog, you may have already seen our original post, The 3 Pillars of Salesforce Security.
In this post, we’re going to do a deep dive into the first pillar – User Access. And here’s the key message:
Don’t Give People Access They Don’t Need.
User Access is an essential ingredient in any successful security strategy. Here are a few things to keep in mind as you’re reviewing your own company’s approach to User Access:
1. Narrow Down Admin Access
We see it all the time: most Users in a given Salesforce org have permissions far beyond what they actually need to do their jobs, and often that means full admin access. Most Salesforce Users should NOT be Admins. This has nothing to do with trusting an individual User with company data, and everything to do with reducing your organization's exposure to risk.
It's important to take a step back and understand what full admin access actually entails. Not being on the System Admin profile does not mean a user lacks full admin access. Ask yourself whether a user can:
- Manage other users
- Delete records
- Reset user passwords or unlock users
- Log in as any user
- Create and assign new permission sets
Any of these permissions is effectively full admin access, whatever the profile is called, and they should be audited on a regular basis.
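To make that audit concrete, here is an added example (not code from the original post or from Salesforce) that takes PermissionSet and PermissionSetAssignment records, as returned by a SOQL query, and reports users who hold admin-level permissions without being on the System Administrator profile. The Permissions* field names are the ones the PermissionSet object exposes; the records, Ids and labels below are constructed for illustration.

```python
from collections import defaultdict

# PermissionSet boolean fields that, per the checklist above, add up to
# "full admin" even for users outside the System Administrator profile.
ADMIN_PERMS = {
    "PermissionsManageUsers": "manage users, reset passwords, unlock users",
    "PermissionsModifyAllData": "edit and delete any record",
    "PermissionsManageProfilesPermissionsets": "create permission sets",
    "PermissionsAssignPermissionSets": "assign permission sets",
}

# Constructed sample records shaped like query results for PermissionSet and
# PermissionSetAssignment. IsOwnedByProfile=True rows are the permission set
# Salesforce keeps behind each profile (in a live org you would read its
# Profile.Name rather than Label); Ids and labels here are made up.
PERMISSION_SETS = [
    {"Id": "0PS1", "Label": "System Administrator", "IsOwnedByProfile": True,
     "PermissionsManageUsers": True, "PermissionsModifyAllData": True,
     "PermissionsManageProfilesPermissionsets": True,
     "PermissionsAssignPermissionSets": True},
    {"Id": "0PS2", "Label": "Standard User", "IsOwnedByProfile": True},
    {"Id": "0PS3", "Label": "Sales Ops Helper", "IsOwnedByProfile": False,
     "PermissionsManageUsers": True, "PermissionsAssignPermissionSets": True},
]
ASSIGNMENTS = [
    {"AssigneeId": "005A", "PermissionSetId": "0PS1"},  # the genuine admin
    {"AssigneeId": "005B", "PermissionSetId": "0PS2"},
    {"AssigneeId": "005B", "PermissionSetId": "0PS3"},  # admin-like via perm set
    {"AssigneeId": "005C", "PermissionSetId": "0PS2"},
]

def effective_admin_perms(perm_sets, assignments):
    """Map each user to the admin-level perms they hold and the set granting each."""
    by_id = {ps["Id"]: ps for ps in perm_sets}
    held = defaultdict(dict)
    for a in assignments:
        ps = by_id[a["PermissionSetId"]]
        for perm in ADMIN_PERMS:
            if ps.get(perm, False):  # absent boolean field means not granted
                held[a["AssigneeId"]].setdefault(perm, ps["Label"])
    return dict(held)

def hidden_admins(perm_sets, assignments, admin_profile="System Administrator"):
    """Users holding admin-level perms who are NOT on the admin profile."""
    by_id = {ps["Id"]: ps for ps in perm_sets}
    on_admin_profile = {a["AssigneeId"] for a in assignments
                        if by_id[a["PermissionSetId"]]["IsOwnedByProfile"]
                        and by_id[a["PermissionSetId"]]["Label"] == admin_profile}
    return {user: sorted(perms) for user, perms
            in effective_admin_perms(perm_sets, assignments).items()
            if user not in on_admin_profile}
```

Running `hidden_admins(PERMISSION_SETS, ASSIGNMENTS)` on the sample data flags user 005B, who is on the Standard User profile but picked up Manage Users and Assign Permission Sets through a permission set.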
2. MFA and SSO
You should be enforcing Multi-Factor Authentication (MFA) not just for every User of Salesforce, but for EVERY USER OF EVERY SYSTEM THAT CONNECTS TO Salesforce. (It always surprises us how many companies have MFA enabled for SF, but not for Marketo or some other connected system.) You should also consider Single Sign-On (SSO) for your org to help ensure secure access.
A recent Forrester study concluded that post-MFA implementation, an organization could achieve a 164% return on their MFA investment over 3 years, improve security through a 50% reduction in risk of material breach, avoid additional cyber insurance premiums, improve flexibility for “work from anywhere” employees, and avoid brand and reputation damage.
3. Prevent Users from Exporting Data
There are also steps you can take to make it harder for Users to export data. Disabling "Print Screen", disabling "Export Report", and enabling App Allowlisting (formerly Whitelisting) all add friction to getting data out of Salesforce.
Summary
The important takeaway here is to be conscious of which Users (or groups of Users) have access to which types of Salesforce data, and ensure that people only have the access that they truly need to do their jobs.
Stay tuned for the next instalment where we cover System Access in more depth!