Pillar 2 of Security: System Access

Salesforce Security Pillar 2: System Access

It’s time for Part 2 of our Pillars of Salesforce Security series.

If you’re not caught up, take a quick look back at our Intro Blog and Part 1: User Access.

This post is all about System Access, and here is the key takeaway:

Don’t Give Systems Access They Don’t Need.

There are a few key topics that you should keep in mind here.

Third-Party Apps

Third-party apps can be extremely useful and convenient across a variety of areas. However, you should ensure that the third-party apps you use do not have the ability to:

    • Delete records
    • Update Salesforce user information
    • Update transactional records
    • Access PII

It is crucial to keep strong safeguards in place while using third-party apps. These apps may reduce the need to purchase additional costly software packages, but that saving is not worth putting your Salesforce org at risk of a security breach.


Healthy Access Practices

It can be difficult to manage the access that different systems within your org have. Many companies run overlapping software within their orgs, so it is easy for settings to become tangled and hard to keep track of. This is why we have developed a checklist to help ensure that you have healthy access practices:

    1. Enable App AllowListing (more details on App AllowListing can be found in our blog post on the topic)
    2. Remove unused integrations and limit data access
    3. Uninstall expired managed packages
    4. Create a dedicated integration user profile
    5. Utilize API Only User

Following each practice in this checklist will give your Salesforce org more security, helping to keep your users’ information and your org’s data safe.


Removing Integrations and Limiting Access

As part of our business, we regularly conduct audits of large Salesforce orgs. In our experience, we often see that 30-50% of the integrations that exist within an org are not active or not vetted by Salesforce. Leaving inactive users and integrations in your systems creates security inconsistencies (and risks) that can be easily avoided.

You can further the security of your systems by removing inactive integrations and limiting the access of active users. Essentially, the main goal is to prevent unauthorized users from installing packages and downloading Salesforce data. This can be achieved in several ways; however, we have found that the following practices yield the best results:

    • Specify which apps users have access to
    • Ensure that authorization of users can be managed at an org-wide level or for specific users
    • Implement a scalable solution that applies the same limitation to new users while also creating a centralized location to manage existing user authorization
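As an added illustration of the integration audit described above and of checklist items 2, 4 and 5 (this is example code written for this page, not code from CloudKettle or the original post), here is a small Python script that runs those checks over a constructed set of integration records. The field names, the 90-day staleness threshold and the "Integration User" profile name are assumptions; in a real org the rows would be built from querying OauthToken together with each token owner's profile and object permissions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample rows (not from any real org). The shape is an assumption:
# each row combines an OauthToken-style record (app name, last use, use count)
# with facts about the token's owner that an audit would pull from the
# Profile / ObjectPermissions objects: is the user API Only, and does the
# profile grant Delete on records.
SAMPLE_TOKENS = [
    {"app_name": "Data Loader", "last_used": "2024-01-03T09:12:00Z", "use_count": 412,
     "user": "integration.dl@example.com", "profile": "Integration User",
     "api_only": True, "can_delete": True},
    {"app_name": "Legacy ETL Sync", "last_used": "2023-06-14T22:41:00Z", "use_count": 7,
     "user": "svc.etl@example.com", "profile": "System Administrator",
     "api_only": False, "can_delete": True},
    {"app_name": "Marketing Connector", "last_used": None, "use_count": 0,
     "user": "jane.doe@example.com", "profile": "Standard User",
     "api_only": False, "can_delete": False},
    {"app_name": "Reporting Bridge", "last_used": "2024-02-20T15:00:00Z", "use_count": 90,
     "user": "integration.rpt@example.com", "profile": "Integration User",
     "api_only": True, "can_delete": False},
]

# Fixed "today" so the example is deterministic; a real audit would use datetime.now(timezone.utc).
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp as Salesforce returns it; None means never used."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_integrations(tokens, now=NOW, stale_days=90,
                       integration_profiles=("Integration User",)):
    """Return {app_name: [finding, ...]} for every token that breaks a checklist item.

    Checks, in order: unused integrations (item 2), not on a dedicated
    integration profile (item 4), owner not API Only (item 5), and a profile
    that can delete records (the third-party app rule at the top of the post).
    """
    findings = {}
    cutoff = now - timedelta(days=stale_days)
    for t in tokens:
        problems = []
        last = parse_ts(t["last_used"])
        if last is None or last < cutoff:
            problems.append("stale: unused for more than %d days; remove the integration" % stale_days)
        if t["profile"] not in integration_profiles:
            problems.append("not on a dedicated integration profile (currently %r)" % t["profile"])
        if not t["api_only"]:
            problems.append("owner is not API Only; interactive login with these credentials is possible")
        if t["can_delete"]:
            problems.append("profile grants Delete on records; third-party apps should not be able to delete")
        if problems:
            findings[t["app_name"]] = problems
    return findings


def summarize(findings, total):
    """One-line summary in the style of the 30-50% figure quoted in the post."""
    if total == 0:
        return "no integrations found"
    pct = 100.0 * len(findings) / total
    return "%d of %d integrations need attention (%.0f%%)" % (len(findings), total, pct)


if __name__ == "__main__":
    result = audit_integrations(SAMPLE_TOKENS)
    for app, problems in result.items():
        print(app)
        for p in problems:
            print("  -", p)
    print(summarize(result, len(SAMPLE_TOKENS)))
```

On the constructed rows, "Reporting Bridge" passes every check, while "Legacy ETL Sync" trips all four, which is the typical profile of an old integration that was set up on an admin account and never revisited. The staleness threshold is the one knob worth tuning per org: quarterly batch integrations will legitimately go 90 days between uses, so confirm with the owner before removing a token rather than treating the script output as the final word.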


Summary

In short, your systems contain extremely valuable information that can be viewed and downloaded by unnecessary (or unwanted!) users if you don’t implement strong security practices. Use the resources and checklists we provided to maintain a healthy and safe approach to system authorization.

Stay tuned for the next instalment where we will cover the impact that Records and Data can have on your overall org security!
