5 security settings Salesforce admins can use to keep organization data safe.
For many enterprise companies, Salesforce is a complex web app holding invaluable data, and the Salesforce admin has to make sure that configuration and security settings effectively protect it. With pages, projects, schedules, reports, lead outreach, and lots of personally identifiable data in play, a ton of potential problems could pop up if admins are not careful enough with their Salesforce data security.
Here are five Salesforce data security settings every Salesforce administrator needs to know:
1. Organization-Wide Defaults
Consider the out-of-the-box Org-Wide Defaults included in the Salesforce software. These settings have four options: Public Read Only, Public Read/Write, Public Read/Write/Transfer, and Private. It’s a good idea to restrict these options as much as possible while allowing enough leeway to let Salesforce users continue to do their work. This is also a great reason to get to know every department’s unique needs. Do you want everyone to have Public Read/Write access, or only those who really need it?
2. Salesforce Health Check
This built-in tool is a great way to find and repair potential weaknesses in your security settings. It compares your organization’s Salesforce security settings to a baseline and provides a summary score to give an idea of any security issues that need to be addressed. For example, Salesforce Health Check could find your minimum password length to be lacking, or recommend a higher number of maximum invalid login attempts allowed.
3. Auditing
Salesforce provides some easy ways to audit, so admins can learn more about how their systems are used. This can be incredibly important while diagnosing security issues. In addition to keeping track of login attempts, login locations, and IP addresses for the last six months, audits can reveal individual field value changes and the user who made each change, and they can log when your organization’s configuration is modified.
4. User Access Controls
Two-factor authentication is important for everyone these days, so it’s no wonder Salesforce includes this necessity. Basically, this means users will be asked to verify their identity by inputting verification codes sent via email, SMS, a mobile authenticator app, or a security token. Login attempts without valid credentials will be denied access to Salesforce. Besides preventing access from unauthorized IPs or IP ranges, admins can even restrict access based on the time, day, and location of the login attempt. Admins can also configure custom login flows that add multiple levels of authentication beyond two-factor.
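An added example (not from the original article or from Salesforce): a Python review of a login-history export for the conditions the auditing and access-control paragraphs describe, namely logins from outside trusted IP ranges, logins outside permitted hours, and repeated failed attempts. The CSV column names, sample rows, trusted network, hours, and threshold are all assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed policy values for this example (not taken from the article).
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]
LOGIN_HOURS = range(7, 19)   # 07:00-18:59 UTC
WORKDAYS = range(0, 5)       # Monday=0 .. Friday=4
MAX_FAILED = 3               # failed logins per user before flagging

# Constructed sample rows; the column names are an assumed export layout.
SAMPLE_CSV = """Username,LoginTime,SourceIp,Status
ana@example.com,2024-03-04T09:15:00Z,203.0.113.10,Success
ana@example.com,2024-03-09T23:40:00Z,203.0.113.10,Success
raj@example.com,2024-03-05T10:02:00Z,198.51.100.7,Success
lee@example.com,2024-03-05T11:00:00Z,192.0.2.50,Invalid Password
lee@example.com,2024-03-05T11:00:20Z,192.0.2.50,Invalid Password
lee@example.com,2024-03-05T11:00:40Z,192.0.2.50,Invalid Password
"""

def review_logins(csv_text):
    """Return (findings, users_at_or_over_failed_limit) for a login export."""
    findings, failed = [], Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        user, stamp = row["Username"], row["LoginTime"]
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        try:
            addr = ip_address(row["SourceIp"])
        except ValueError:
            # Malformed export rows are reported rather than silently dropped.
            findings.append((user, stamp, "unparseable source IP"))
            continue
        if row["Status"] != "Success":
            failed[user] += 1   # only counted here; evaluated after the loop
            continue
        if not any(addr in net for net in TRUSTED_NETWORKS):
            findings.append((user, stamp, "outside trusted IP ranges"))
        if when.weekday() not in WORKDAYS or when.hour not in LOGIN_HOURS:
            findings.append((user, stamp, "outside login hours"))
    return findings, sorted(u for u, n in failed.items() if n >= MAX_FAILED)

if __name__ == "__main__":
    print(review_logins(SAMPLE_CSV))
```
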
5. Salesforce Shield
Made available in 2015, Salesforce Shield introduced more layers of security including audit trails, event monitoring, and platform encryption. Field Audit Trail lets admins track up to ten years of accounts, cases, contacts, custom objects, leads and more. For healthcare, government, and financial groups that need access to extensive histories, this can be very convenient. Event monitoring, as the name implies, allows admins to see how users behave and how apps perform, which could help reveal anomalous behavior or other security vulnerabilities.
Platform encryption may be the most important tool in the Salesforce admin’s kit. It is built natively into the platform and lets customers encrypt sensitive data at rest.
For example, stricter policies for adhering to internal and external compliance regulations, such as GDPR, may require enterprise customers to retain sole control over all data protection processes when using cloud services. Only in this way can it be ensured that no unauthorized person has potential access to sensitive data at any time.
In that case, it's worth looking for solutions from independent vendors like eperi that can be used in combination with Salesforce Shield without sacrificing key features of Salesforce.
The eperi Cloud Data Protection solution for Salesforce helps enterprise customers easily address these kinds of compliance requirements. It adds a transparent data protection and compliance layer to the Salesforce platform that gives an enterprise customer sole control over encryption, tokenization and advanced key management.
The eperi solution encrypts sensitive information before it is transmitted to the Salesforce Cloud. All encryption and decryption processes happen outside of the Salesforce Cloud – solely under the customer’s control.