Security is always going to be a hot topic, especially when it comes to the cloud. And with the recent Sony, iCloud hacks etc, the question relevant to all users is….just how safe is this?
Salesforce is 100% committed to maintaining the confidentiality and integrity of their customers’ data. As a result they use a multi-layered approach to protecting key information. With secure data centres which offer 24 hour manned security, environmental controls, network protection, fire detection, disaster recovery, backups and much more, customers can rest assured that their data is in safe hands.
However, whilst Salesforce protects your information in the data centre, what can you do as a Salesforce Admin to enhance the security for your users and clients. After all, nothing gives easier access to client data then a stolen phone or laptop especially with Salesforce1 (more on that next week).
To protect your data on your devices, Admins can set login restrictions by considering the following:
If your company has a strong password policy, then Salesforce has a number of password settings that could help users keep in line with them. From password expiration date, enforced password lengths, complexities, login attempts, to secret answers, password history and 1 day password lifetime. Your company, with the help of your Salesforce Admin can make accessing Salesforce as secure as can be.
For more information regarding Salesforce Password Policies, click here.
Set at profile level, Admins can set Login IP Address restrictions so that when users login outside of the IP range, they will not be able to access Salesforce. Likewise, to help protect your orgโs data from unauthorised access, Admins can list a number of trusted IP Address that users can login from without receiving any login challenges. Be warned, trusted IPs do not entirely restrict users from accessing Salesforce, ย as once they have completed the Risk Authentication (below), they will be able to login.
For Trusted IP setup go to:
Salesforce – Setup>Security Controls> Network Access> New.
The Salesforce platform always performs a Risk Authentication when a user is attempting to access Salesforce from an unidentified device (different network location, browser etc). Salesforce will send users a one time verification code to their email or phone which will need to be keyed in and then verified in order to access the user interface.
To check out your current settings go to:
Salesforce – Setup>Security Controls>Activations.
Set at the profile level, Admins can set up 2 factor authentication to require users to enter a time based token as a second form of authentication when they login to Salesforce. ย Once set up, users will need to download the Salesforce Authenticator app to create OTPs (one time passwords) ย directly from their mobile device. Salesforce does not require 2 factor Authentication only on login, but can also be based upon session security levels – fine grain policies on application access or access to reports and dashboards.
For more information on how to setup 2 factor Authentication ย check out the Salesforce video here.
Set at the profile level, Admins can set login hour restrictions to enable users to access Salesforce at set times. So if you set the login hours from 08.00am- 17.30pm, and a user is still actively using Salesforce, they will be logged out at 17.30pm. This means that they will not be able to login until 08.00am the following morning ย and any unsaved data added to records will have been lost.
To set login restrictions:
Salesforce – Setup>Manage Users>Profiles>Edit.
If your company uses 3rd party clients, then make sure your access credentials are not being compromised. Using OAuth (pronounced O as in go and Auth as in goat. Thanks Peter Chittum), an open protocol, ensures that third parties have access to your server resources without having access to your company’s credentials. So instead of supplying a username and password, security tokens are handed out to specific sites for access to specific resources for a defined period of time.
For more information on using OAuth, check out this amazing blog from Jeff Douglas, here.
If you would like more security related material then check out Desynitโs Good System Blog on โWhat we can learn from Sony, MoonPig, and Taylor Swift on Cloud Securityโ or watch out for the Cloudlife Podcast this week, 23rd Jan, with a special guests (TBC, but sadly, not Taylor Swift).
See you next week.
Jenny
Our independent tech team has been servicing enterprise clients for over 15 years from our HQ in Bristol, UK. Let’s see how we can work together and get the most out of your Salesforce implementation.