Because of the current Covid-19 crisis, many companies have shifted to remote working. Even when the restrictions are lifted, many businesses are likely to keep a work-from-home policy in place. Although this can be seen as a positive shift, it also brings security risks, because employees are now working outside the company's own network. Cloudideas has been working remotely since 2011, so we know how this works. That is why we created a checklist of the most important Salesforce security settings you should review, together with links to the Salesforce articles that explain how to set each one up in your org.
Salesforce security checklist
1. Password Policies
Every user in your Salesforce org has a unique username and password, so it is paramount that every password is strong and handled securely. Salesforce provides a set of Password Policies for this: minimum password length, complexity requirements, password expiration and history, the maximum number of invalid login attempts, and the lockout period that follows them.
Why is this useful? We will never get tired of repeating this because it is super important and relatively simple to do: a weak or reused password is still the most common way into an account, and the policies above raise the bar for guessing and credential-stuffing attacks without any extra software.
2. Login IP Address Ranges
On the profiles in your Salesforce org you can define Login IP Ranges, the address ranges from which users with that profile are allowed to log in. A login attempt from an address outside the ranges is refused, so the user cannot log in at all. For example, you can add your VPN's public egress address, or an employee's home address, as an accepted range. Keep in mind that home connections usually have dynamic IP addresses, so a home range will need maintenance; a fixed company or VPN egress address is more practical. Login IP Ranges are edited in the profile properties and are available in the most common Salesforce editions. By default the ranges are only checked at login time; if you also enable the option to enforce login IP ranges on every request (in Session Settings), every page and API request is checked against the ranges of the profile, including requests from client applications.
Why is this useful? It denies access to users outside the defined ranges, giving you more control over where your Salesforce org can be reached from.
3. Login Hours
Not only can you restrict login locations, you can also define Login Hours for each profile in your Salesforce org. Users can only log in within the specified time frame and have no access outside of it. Note that Login Hours are set per profile, not at the org level, and that a user who is already logged in when the hours end can still see the current page but cannot take any further action.
Why is this useful? You can, for example, restrict a profile to your employees' working hours, which narrows the window in which a stolen credential can be used and gives you more control over your org.
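Both Login IP Ranges and Login Hours live in the Profile metadata that you can retrieve with the Metadata API, which makes them easy to audit across all profiles at once. The script below is an added example written for this article, not code from Cloudideas or Salesforce. It parses two constructed Profile XML files (the element names `loginIpRanges`, `startAddress`, `endAddress`, `loginHours` and `mondayStart`/`mondayEnd` in minutes after midnight are the Metadata API's; the threshold of 256 addresses for an "overly broad" range is our own assumption) and reports profiles that accept logins from any address or at any time.

```python
"""Audit Salesforce Profile metadata for Login IP Ranges and Login Hours."""
import ipaddress
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")

# Constructed sample: a restricted profile with office hours, one tight range
# and one range that is far too broad (only the relevant elements are shown).
SAMPLE_RESTRICTED = """<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <custom>true</custom>
    <loginHours>
        <mondayStart>480</mondayStart><mondayEnd>1080</mondayEnd>
        <tuesdayStart>480</tuesdayStart><tuesdayEnd>1080</tuesdayEnd>
        <wednesdayStart>480</wednesdayStart><wednesdayEnd>1080</wednesdayEnd>
        <thursdayStart>480</thursdayStart><thursdayEnd>1080</thursdayEnd>
        <fridayStart>480</fridayStart><fridayEnd>1080</fridayEnd>
    </loginHours>
    <loginIpRanges>
        <description>VPN egress (constructed)</description>
        <startAddress>203.0.113.10</startAddress>
        <endAddress>203.0.113.10</endAddress>
    </loginIpRanges>
    <loginIpRanges>
        <description>Everything (constructed mistake)</description>
        <startAddress>0.0.0.0</startAddress>
        <endAddress>255.255.255.255</endAddress>
    </loginIpRanges>
</Profile>
"""

# Constructed sample: a profile with neither setting, i.e. any address, any time.
SAMPLE_OPEN = """<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <custom>true</custom>
</Profile>
"""


def parse_ip_ranges(xml_text):
    """Return [(description, start, end)] for every loginIpRanges element."""
    root = ET.fromstring(xml_text)
    ranges = []
    for node in root.findall("md:loginIpRanges", NS):
        desc = node.findtext("md:description", default="", namespaces=NS)
        start = ipaddress.ip_address(node.findtext("md:startAddress", namespaces=NS))
        end = ipaddress.ip_address(node.findtext("md:endAddress", namespaces=NS))
        ranges.append((desc, start, end))
    return ranges


def parse_login_hours(xml_text):
    """Return {day: (start_minute, end_minute)}, or None if no loginHours element."""
    root = ET.fromstring(xml_text)
    node = root.find("md:loginHours", NS)
    if node is None:
        return None
    hours = {}
    for day in DAYS:
        start = node.findtext(f"md:{day}Start", namespaces=NS)
        end = node.findtext(f"md:{day}End", namespaces=NS)
        if start is not None and end is not None:
            hours[day] = (int(start), int(end))
    return hours


def audit_profile(xml_text, max_hosts=256):
    """Return a list of findings; an empty list means the profile passes."""
    findings = []
    ranges = parse_ip_ranges(xml_text)
    if not ranges:
        findings.append("no login IP ranges: logins accepted from any address")
    for desc, start, end in ranges:
        hosts = int(end) - int(start) + 1  # size of the inclusive range
        if hosts < 1:
            findings.append(f"invalid range '{desc}': end address is before start")
        elif hosts > max_hosts:  # assumed threshold, tune it for your network
            findings.append(f"overly broad range '{desc}': {hosts} addresses")
    hours = parse_login_hours(xml_text)
    if hours is None:
        findings.append("no login hours: logins accepted at any time")
    else:
        for day, (start, end) in hours.items():
            if (start, end) == (0, 1440):
                findings.append(f"{day}: 24-hour login window")
    return findings


if __name__ == "__main__":
    for name, xml_text in (("Restricted", SAMPLE_RESTRICTED), ("Open", SAMPLE_OPEN)):
        print(name, audit_profile(xml_text) or ["OK"])
```

Point the script at the `profiles/` folder of a Metadata API retrieve (or an SFDX project) and run it as part of a periodic review; a profile that produces no findings has both restrictions in place.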
4. Two-Factor Authentication for User Interface and API Logins
Two-Factor Authentication is probably the most effective protection you can give your users' accounts. For each profile you can require users to present a second form of authentication every time they log in to Salesforce through the user interface with their credentials (username and password). The second factor can be, for example, a mobile authenticator app or a U2F security key.
For API logins, users of a profile can be required to supply a verification code in place of the standard security token. This code is a time-based one-time password (TOTP), generated by an authenticator app that has been connected to the user's account.
There are further options for prompting users to verify their identity after they have entered their credentials. For example, users can receive a code by SMS. This option is enabled for all orgs by default, so if you want to disable it you have to contact Salesforce support. Bear in mind that SMS is the weakest of the available methods, since a phone number can be hijacked (SIM swap) or the message intercepted, so prefer an authenticator app or a security key where you can.
Another identity verification option is to receive the verification code by email. This is also enabled by default for all orgs and cannot be disabled. It is, however, possible to prevent verification via email as long as one of the other methods (SMS, Salesforce Authenticator, TOTP or a U2F physical key) is in use.
Why is this useful? With a second authentication factor a stolen or guessed password alone is no longer enough to get into your org, which makes it considerably more resistant to cyber attacks.
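To see what the "time-based one-time password" used for API logins actually is, the following is an added example written for this article (not Salesforce code and not the code of any authenticator app): a straightforward implementation of TOTP (RFC 6238) in Python, checked against the RFC's own SHA-1 test vector, plus a verifier that tolerates one step of clock drift and refuses replayed codes. The base32 secret below is the RFC test key, not a real Salesforce secret; the 30-second step and 6 digits are the defaults that authenticator apps use.

```python
"""TOTP (RFC 6238) generation and verification, as used for 2FA API logins."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test secret "12345678901234567890", as an authenticator app would
# show it (base32). Not a real Salesforce secret.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(text):
    """Decode a base32 secret, tolerating the spaces and missing padding apps often show."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, timestamp, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    return hotp(secret, int(timestamp) // step, digits)


def verify_totp(secret, code, timestamp, step=30, window=1, last_used=None):
    """Return the matching step counter, or None if the code is not accepted.

    window=1 accepts the previous and next step as well, to absorb clock drift.
    last_used is the counter of the last accepted code; any counter at or before
    it is rejected so that an intercepted code cannot be replayed.
    """
    current = int(timestamp) // step
    for counter in range(current - window, current + window + 1):
        if last_used is not None and counter <= last_used:
            continue
        # compare_digest keeps the comparison constant-time
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


if __name__ == "__main__":
    secret = secret_from_base32(RFC_SECRET_B32)
    print("code now:", totp(secret, time.time()))
```

The verifier returns the step counter rather than a bare boolean so that the caller can store it as `last_used` and reject a second login with the same code; that replay check, together with a small drift window, is what separates a correct TOTP check from a naive one.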
5. Device Activation
Device activation is an additional layer on top of the username and password: Salesforce stores information (in a browser cookie) about the device a user verified their identity from and evaluates it on later logins. If a user logs in from a browser or application that has not been activated before, for example a new device, a private browsing window, or a browser whose cookies were cleared, they are prompted to verify their identity again.
Why is this useful? People who regularly work from different locations (home or client visits) tend to use several devices, such as a phone or a tablet, to log in. Device activation makes sure that a password alone is not enough from a device your org has never seen before.
6. Session Security
Session Security allows you to control when an inactive user session expires. Every time a user logs in to Salesforce a session is established, and if the user leaves the device unattended that session can be used by anyone who reaches the screen. In Session Settings you define how long a session may be inactive before the user is logged out (this can also be overridden per profile), and you can additionally force a logout when the timeout is reached and lock sessions to the IP address they originated from, which limits the risk of someone taking over a user's session.
Why is this useful? Although we shouldn't, it does happen that we leave our devices unattended. A short inactivity timeout limits the window in which somebody else can take over your Salesforce session.
7. Login Flow
A login flow is a customised post-authentication process that users go through before they can access your Salesforce org. It is built with Flow Builder, assigned to one or more profiles, and runs after the users have entered their credentials but before they reach your org. It can be used to enforce strong authentication or to collect user information: for example, you can prompt users to answer a previously defined secret question, or require two-factor authentication using a security key, SMS or biometrics.
Why is this useful? It lets you add your own checks to the login process, giving you more control over who gets into your org and under which conditions.
The takeaway from this article is that by using these Salesforce security features you can protect your data and allow your users to work safely and efficiently from anywhere. If you don't have time to activate all 7 security measures, make sure to at least enforce strong Password Policies and set up Two-Factor Authentication.
Lastly, if you need any assistance with the set up, Cloudideas are happy to help you to evaluate and configure your Salesforce security concept. Feel free to reach out to us with any questions.