12 Salesforce Security Best Practices for 2024

Written by Hatice Ozsahan and David Worthington on August 24, 2023

Share This Article

Salesforce dominates the CRM landscape with a 19.8% market share — more than its four leading competitors combined. Such prevalence underscores its reliability and vast reach, but it also emphasizes the pivotal role of security. 

Cloud and SaaS platforms mostly rely on a shared responsibility model. In other words, some of the responsibilities in terms of your account and data security lie on your shoulders, while the vendor handles the remaining measures.

This guide will walk you through 12 quintessential Salesforce security practices crucial in safeguarding your Salesforce account and sensitive data against attack vectors.

1. Run Health Check

Integrated within Salesforce’s foundational architecture, the Health Check tool provides administrators with a comprehensive and complementary solution to evaluate and optimize their organization’s security configurations.

This instrumental tool pinpoints and suggests remedies for any detected security vulnerabilities and empowers admins to establish and maintain custom baseline standards, ensuring that security protocols are tailored to and in harmony with specific business requirements. By leveraging Health Check, organizations can ensure their Salesforce instance remains robust against potential security threats and is aligned with best practices.

2. Enable MFA

Multi-factor authentication (MFA) is a formidable defense mechanism, introducing an additional security layer to counter prevalent threats, including phishing attempts, credential stuffing, and unauthorized account access. Organizations adopting MFA significantly bolster the protective barriers safeguarding their Salesforce data. 

An Identity Provider (IdP) will offer single sign-on (SSO) with MFA and other security controls like Conditional Access and can automate authorization/provisioning to manage users while increasing IT’s operational efficiency. Not all MFAs are the same. Some authentication factors are even phishing-resistant and can only be run by managed devices that your organization trusts.

This enhancement is not just a recommended best practice but arguably one of the paramount steps in fortifying a company’s digital assets and ensuring the integrity of its Salesforce data against potential breaches.

3. Evaluate User Privileges

Permission sets let you control who can do what in your Salesforce setup. Start by understanding the main jobs and tasks your users do. Based on this, set up the right permission sets. If some permissions might be risky, remove them. But if a user needs them, you can return those permissions using permission sets. This way, everyone gets to do their job, but things stay secure. An IdP can assist in this process by automating provisioning workflows.

4. Use The Principle of Least Privilege

The principle of least privilege means giving users only the access they truly need to do their jobs. Instead of allowing everyone to do everything, it’s safer to limit their access. If someone only needs to view data but not change it, then that’s all the access they should get. This reduces risks. If someone’s account gets into the wrong hands, the damage they can do is limited. It’s a simple but powerful way to keep your Salesforce setup more secure.

5. Allow Access Only to Trusted Login IPs

To keep your Salesforce data safe, limiting where people can log in using IP addresses is a good idea. Admins can set specific “safe” IP ranges. This means only logins from these trusted IP addresses will be allowed. If someone tries to log in from a different, non-trusted IP, they’ll either be blocked or asked to prove they’re really who they say they are. This helps guard against unwanted access and phishing attacks. Conditional Access provides this and more.

6. Ensure Connection Security

To protect your Salesforce data, it’s essential to have a secure internet connection. Regular use of remote connectivity solutions like an application proxy, SASE (secure access service edge), or VPN  is a great way to add an extra layer of safety. 

Also, take the time to adjust your router’s settings: turn on encryption (preferably WPA2 or WPA3) and keep its firmware updated. This helps stop outside devices from sneaking onto your network and keeps your data safe from prying eyes. Certificate-based authorization for RADIUS is even more secure and convenient for your users; it streamlines on/offboarding as well.

7. Use an Authenticator

Another Salesforce security best practice is using the Salesforce Authenticator. It’s a straightforward two-factor authentication method, adding an extra layer of protection. Users simply tap on their mobile device to approve logins and actions. Plus, it can recognize and automatically verify logins from safe places. If you prefer, you can also choose third-party options like Google, JumpCloud Protect,or Microsoft Authenticators. 

JumpCloud Go™ can eliminate codes and passwords for  faster, safer, more seamless user authentication with hardware-protected, phishing-resistant technology. It’s all about making security easy and effective for everyone.

8. Use a SaaS Security Tool

Implementing security measures becomes essential with the increasing reliance on SaaS solutions like Salesforce. Incorporating a SaaS security tool allows businesses to actively monitor potential vulnerabilities, oversee user access, and manage privileges efficiently across all SaaS apps used in your company, including Salesforce. Such tools promptly flag any anomalies or suspicious activities within your Salesforce environment. 

9. Train Users about Security Awareness

Educating your team is a crucial step in protecting your Salesforce data. Even the best security tools can be bypassed if users aren’t aware of potential risks. Regular training sessions can help your team recognize threats, like suspicious emails or unexpected login prompts. By keeping everyone updated on the latest security practices and potential dangers, you empower them to be the first line of defense against cyber threats. Remember, a well-informed team is a safer team.

10. Apply Password Security Best Practices

Passwords are often the first line of defense against unauthorized access. It’s essential to ensure they’re strong and hard to guess. Encourage users to create unique passphrase for Salesforce, avoiding easily guessable ones like “password123” or their birthdates. 

Regularly changing passwords, avoiding repetition across different platforms, and using combinations of letters, numbers, and symbols can make them more secure. Additionally, avoid sharing passwords or writing them down where others can see them. Following these simple rules can greatly reduce the risk of unauthorized access. An IdP can enforce a global policy.

Create, store, and protect user credentials locally on devices, and centrally manage passwords, with JumpCloud Password Manager.

11. Strengthen Data Security with Shield Platform Encryption

Salesforce Shield is a suite of enhanced security tools specifically designed for Salesforce. It’s tailored to ensure businesses can trust, comply, and confidently govern their essential apps. Shield Platform Encryption stands out within this suite by offering unparalleled data protection. 

Unlike standard encryption that only protects data during transmission, Shield Platform Encryption secures your data even when stored or at rest. This ensures businesses meet high standards set by privacy policies, regulatory bodies, and contract agreements concerning sensitive data handling.

Alongside Platform Encryption, Salesforce Shield also features Event Monitoring and Field Audit Trail. Together, these tools create a robust security framework. If you’re considering Salesforce Shield, consult your administrator to see if it’s available for your organization.

12. Beware of Phishing Emails

Phishing is a sneaky tactic where scammers use fake emails to trick users into giving away private information. These deceitful emails often look like they come from legitimate sources but have hidden agendas. By clicking on links or downloading attachments from these emails, users might accidentally install harmful software that captures their data.

Always be cautious and double-check any unexpected or suspicious emails. If something doesn’t seem right, it’s best to avoid it and consult with your IT team or security experts.

What Are Salesforce’s Security Features?

Salesforce offers a comprehensive suite of security features designed to ensure your data’s safety and optimize user experience. Here’s an overview:

Security Health Check:

  • Designed for admins, the Health Check tool allows you to pinpoint and rectify potential vulnerabilities in your security settings from a single dashboard.
  • A summary score reflects your organization’s security status against a set baseline, such as the Salesforce Baseline Standard. Custom baselines can also be uploaded for a more tailored assessment.

Phishing and Malware:

  • Salesforce prioritizes transparency and trust. If you encounter anything suspicious linked to your Salesforce setup, you must immediately report it to [email protected] and your internal IT team.
  • Salesforce provides real-time data on system performance, security alerts, and phishing or malware attempts at trust.salesforce.com. This site also offers security best practices and guidelines for organizations.

Manage Redirects to External URLs:

  • Safeguard users from harmful links by controlling actions when a user clicks on a link, redirecting them outside the Salesforce domain.
  • Options include blocking such redirections, notifying the user of the external redirection, or marking specific external URLs as trusted for hassle-free access.

Security Infrastructure:

  • Salesforce employs cutting-edge Internet security technology. With Salesforce-supported browsers, your information is shielded through Transport Layer Security (TLS) technology. This ensures data integrity and accessibility only to authenticated users within your organization.

Auditing:

  • Auditing offers insights into system usage, a key factor in detecting and resolving security issues.
  • While Salesforce’s auditing functionalities provide valuable data, they are most effective when paired with regular internal audits to monitor and curb potential misuse.

Salesforce Shield:

  • Salesforce Shield is a robust security solution comprising three pivotal tools to integrate superior trust, compliance, and governance into your essential business applications.
  • Components include Shield Platform Encryption, Event Monitoring, and Field Audit Trail. It’s recommended to consult your Salesforce administrator about Salesforce Shield’s availability for your organization.

Salesforce Security FAQ

Is Salesforce a secure platform?

Yes, Salesforce is a secure platform, employing advanced internet security technologies and best practices to ensure data safety and user protection.

How do I ensure security in Salesforce?

To ensure security in Salesforce, routinely utilize tools like Security Health Check, set trusted login IP ranges, enable MFA, and train users on security best practices.

What is the basic security of Salesforce?

The basic security of Salesforce includes user authentication through passwords and usernames, profile-based access controls, and Transport Layer Security (TLS) for data protection during transmission.

What is the best practice to control a Salesforce system?

The best practice to control a Salesforce system is to follow the Principle of Least Privilege: granting users only the permissions they need to perform their roles, combined with regular audits and monitoring for any security anomalies.

What is an example of a password best practice in Salesforce?

An example of a password best practice for Salesforce would be enforcing a complex password policy that requires a combination of uppercase letters, lowercase letters, numbers, and special characters, with periodic mandatory resets.

Get Started With JumpCloud

Deploying a cloud identity management solution helps streamline the process of securing increasingly distributed enterprise workflows. The right cloud Identity and Access Management (IAM platform) helps you improve insider risk management with automation and ready-made compliance solutions. 

A modern cloud identity management solution like the JumpCloud Directory Platform empowers you to:

  • Securely connect employees to their devices (systems, mobile, servers), IT applications (on-prem or the cloud), files (cloud hosted or on-prem) and networks via VPN or Wi-Fi
  • Leverage best in class security using Zero Trust principles
  • Limit management overhead and improve security and user manageability 
  • Connect your cloud servers (hosted at AWS, Google Cloud, Azure, or elsewhere) to your existing AD or LDAP user store
  • Comprehensively manage Windows, Linux, macOS, iOS, and Android endpoints regardless of location
  • Connect users to applications that leverage either LDAP or SAML-based authentication
  • Manage user access to VPN and Wi-Fi networks securely through a cloud RADIUS service
  • Implement multi-factor authentication (MFA) everywhere

All of these capabilities (and more) create a platform that connects users to virtually all of their IT resources regardless of provider, platform, protocol, or location, while also enabling admins to automate the onboarding and offboarding process and gain detailed visibility into all access transactions.

You can try JumpCloud for free to determine if it’s right for your organization. 

Our customers tell us that asset management is also important for security and IT operations. JumpCloud is enhancing its platform to unify SaaS, IT security, and asset management.

Hatice Ozsahan

Hatice is a Product Marketing Manager at JumpCloud, often busy bringing product value to life with compelling messages that resonate across all channels. When not at work, she’s either battling it out in online video games or getting creative with her art projects.

David Worthington

I'm the JumpCloud Champion for Product, Security. JumpCloud and Microsoft certified, security analyst, a one-time tech journalist, and former IT director.

Continue Learning with our Newsletter