There is a lot of information out there telling you that you should protect your data. But why is data security important? More data exists online now than at any other point in time, and the quantity is only expected to keep growing. It’s important to protect yourself, and your customers, by using the Salesforce platform securely and staying in the know about data security best practices.


How Do We Define Data?

Data is any recorded fact or statistic. Personal data, otherwise known as personally identifiable information (or PII), can be a birthday, home address, phone number, or even a full name if it’s in relation to any other PII. It can also be highly valuable information, like healthcare records, banking information or a social security number. The more valuable the information, the more money it’s worth to bad actors (hackers, or people who buy information from hackers).

Data is not only personal information about an individual that can be found online - it can also be information about a customer that is stored in a company’s database, for example. Recent data security protections like the EU’s General Data Protection Regulation (GDPR) are an important step in limiting what companies can do with the data that resides in their systems, but there are also steps you can take to limit the data that gets exposed in the first place.

Now that we’ve covered what data is and why it needs protecting in general terms, let’s talk more specifically about how to keep your Salesforce data secure.


Securing Your Salesforce Data

For administrators and developers, choosing which data sets each user or group of users can see is one of the key decisions that affects the security of your Salesforce org. It’s important to limit the data your users are able to see and the permissions they have to only what is necessary to perform their job - this concept is called the principle of least privilege.

An example of when you might need to apply this principle is if you’re building an app to help manage the recruiting efforts at your company. The app will store a plethora of confidential data, such as names, social security numbers, salary information and feedback from existing employees. Only some teams within your company need to have access to this sensitive information - in this example, recruiters will need to access everything, while some users will only need edit rights to certain fields.

The Salesforce platform lets you maintain data security by assigning different data sets to different types of users, allowing users who require access to perform critical job functions while also reducing the risk of data being stolen, leaked or misused. Admins are able to specify which users can view, create, edit, or delete any record or field in the app. This control can extend to your entire org, or simply an object, field, or individual record. By combining security controls at different levels, you can provide the ideal level of data access to all of your users while maximizing the effectiveness of your data security controls.


Secure Data by Controlling Access

Admins can control which users have access to which data in the org, a specific object, a specific field, or an individual record. It’s important to understand how these levels interact with each other. The list below gives a brief overview of which types of controls should be implemented at each level:

  • Org-wide: Maintain a current list of users, keep password policies up to date, and restrict login IP ranges.
  • Objects: Limit access to specific data to groups of users at the object level.
  • Fields: Restrict access to specific data, even if a user has access to the object.
  • Records: Allow some users to access an object, but limit which object records they are allowed to view.

In addition to understanding how levels function, conduct a regular audit of the following components to ensure data security is maintained. Remember, security is never done!

  • Record Modification Fields: These provide some basic auditing information, including the name of the user who created the record and the user who last modified it.
  • Login History: Review a list of successful and failed login attempts for the past six months. For more information, see Monitor Login History.
  • Field History Tracking: Enable this feature to automatically track changes in the values of individual fields. Although field-level auditing is available for all custom objects, only some standard objects allow it. For more information, see Field History Tracking.
  • Setup Audit Trail: This logs when modifications are made to your org’s configuration. For more information, see Monitor Setup Changes.
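As an added example (not code from Salesforce or from this post), the script below runs three of the checks described above over a constructed Login History export: successful logins from outside the org’s allowed login IP ranges, users with repeated failed attempts, and logins by users who are no longer on the current user list. The allowed ranges, the active-user list and the sample rows are all assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample rows shaped like a Login History export (hypothetical data).
# Keys mirror the LoginHistory fields UserId, LoginTime, SourceIp and Status.
SAMPLE_LOGINS = [
    {"UserId": "005x1", "LoginTime": "2024-03-01T08:01:00Z", "SourceIp": "203.0.113.10", "Status": "Success"},
    {"UserId": "005x2", "LoginTime": "2024-03-01T08:05:00Z", "SourceIp": "203.0.113.22", "Status": "Invalid Password"},
    {"UserId": "005x2", "LoginTime": "2024-03-01T08:06:00Z", "SourceIp": "203.0.113.22", "Status": "Invalid Password"},
    {"UserId": "005x2", "LoginTime": "2024-03-01T08:07:00Z", "SourceIp": "203.0.113.22", "Status": "Invalid Password"},
    {"UserId": "005x3", "LoginTime": "2024-03-01T23:40:00Z", "SourceIp": "198.51.100.7", "Status": "Success"},
    {"UserId": "005x1", "LoginTime": "2024-03-02T09:00:00Z", "SourceIp": "203.0.113.11", "Status": "Success"},
]

# Assumed org-wide login IP ranges and the current list of active users.
ALLOWED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
ACTIVE_USERS = {"005x1", "005x2"}


def outside_allowed_ranges(rows, allowed=ALLOWED_RANGES):
    """Successful logins whose source IP falls outside every allowed range."""
    return [r for r in rows
            if r["Status"] == "Success"
            and not any(ipaddress.ip_address(r["SourceIp"]) in net for net in allowed)]


def repeated_failures(rows, threshold=3):
    """Users with at least `threshold` failed attempts, a password-guessing signal."""
    failures = Counter(r["UserId"] for r in rows if r["Status"] != "Success")
    return {user: n for user, n in failures.items() if n >= threshold}


def inactive_user_logins(rows, active=ACTIVE_USERS):
    """User IDs that appear in the history but not on the current user list."""
    return sorted({r["UserId"] for r in rows} - set(active))


def review(rows, allowed=ALLOWED_RANGES, active=ACTIVE_USERS, threshold=3):
    """Bundle the three audit checks into one report for the periodic review."""
    return {"outside_ranges": outside_allowed_ranges(rows, allowed),
            "repeated_failures": repeated_failures(rows, threshold),
            "inactive_users": inactive_user_logins(rows, active)}


if __name__ == "__main__":
    for check, findings in review(SAMPLE_LOGINS).items():
        print(f"{check}: {findings}")
```

In a real audit the rows would come from a Login History export or a SOQL query against LoginHistory, and the allowed ranges from the org’s login IP range settings.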


Prioritize Data Security Settings in Salesforce with Health Check

Now that you understand the data security components of the platform and how they work together, you can move on to understanding individual security controls. Is there one place where you can manage all of your org’s most important security settings? Why yes, there is! It’s called Health Check, and it is a free tool that comes standard with Salesforce CRM. Health Check allows you to view your current security settings and prioritize your risk - making it easy (with one click!) to fix settings that pose a risk to your org. If you have multiple orgs, Salesforce has open sourced a tool called OrgMonitor that can help you bring the same simple management and prioritization of security settings to all of your orgs in one view.


Additional Resources