Salesforce Admins, how secure is your Org? Jenny’s Admin Tip #15

Security is always going to be a hot topic, especially when it comes to the cloud. And with the recent Sony and iCloud hacks, the question relevant to all users is: just how safe is this?

Salesforce is 100% committed to maintaining the confidentiality and integrity of their customers’ data. As a result they use a multi-layered approach to protecting key information. With secure data centres which offer 24 hour manned security, environmental controls, network protection, fire detection, disaster recovery, backups and much more, customers can rest assured that their data is in safe hands.

However, whilst Salesforce protects your information in the data centre, what can you do as a Salesforce Admin to enhance security for your users and clients? After all, nothing gives easier access to client data than a stolen phone or laptop, especially with Salesforce1 (more on that next week).

To limit what a stolen device or a leaked password can do, Admins can restrict who logs in, from where and when, by considering the following:

Password Policies

If your company has a strong password policy, Salesforce has a number of password settings that help users keep in line with it: password expiry, minimum length, complexity requirements, maximum invalid login attempts and the lockout period that follows, secret (security) question answers, password history, and a minimum one-day password lifetime (so a user cannot cycle through new passwords in a minute to get back to an old favourite). Your company, with the help of your Salesforce Admin, can make accessing Salesforce as secure as can be.

For more information regarding Salesforce Password Policies, click here.

IP Addresses

Set at profile level, Admins can define Login IP Ranges so that users who log in from outside those ranges are refused access to Salesforce. Separately, at org level, Admins can list a number of Trusted IP Ranges from which users can log in without receiving a login challenge. Be warned: trusted IPs are a convenience, not a restriction. A user logging in from outside a trusted range is still able to get in once they have completed the Risk Authentication (below), so only the profile Login IP Ranges actually block access. When you add a range, check that it is no wider than the office it describes; a range from 0.0.0.0 to 255.255.255.255 looks like a restriction in the UI but restricts nothing.

For Trusted IP setup go to:

Salesforce – Setup > Security Controls > Network Access > New.

For profile Login IP Ranges go to: Setup > Manage Users > Profiles > (choose a profile) > Login IP Ranges.

Risk Authentication

The Salesforce platform performs a Risk Authentication (Salesforce calls it identity verification, or activation) whenever a user attempts to log in from a device it has not seen before (a different network location, a new browser or a cleared browser, and so on) and from outside the trusted IP ranges. Salesforce sends the user a one-time verification code by email or phone, which must be keyed in and verified before they reach the user interface. This is what stops a stolen password on its own from being enough, so think twice before widening the trusted IP ranges that switch it off.

To check out your current settings go to:

Salesforce – Setup>Security Controls>Activations.

2 Factor Authentication

Set at the profile or permission set level, Admins can require two-factor authentication, so that users must enter a time-based token as a second form of authentication when they log in to Salesforce. Once it is switched on, users download the Salesforce Authenticator app (or another standard TOTP authenticator app) to generate the one-time passwords (OTPs) directly on their mobile device. Salesforce does not limit two-factor authentication to login: it can also be demanded based on session security levels, so you can require a high-assurance session before a user opens a particular connected app or runs reports and dashboards, without challenging them at every login.

For more information on how to setup 2 factor Authentication  check out the Salesforce video here.
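The "time based token" the authenticator app produces is a standard TOTP (RFC 6238) code: a six-digit value derived from a shared secret and the current 30-second window. The block below is an added example, not Salesforce's or the app's own code; it implements the algorithm with the RFC's published test key (the ASCII string "12345678901234567890", constructed here as the sample secret) and shows the two checks a verifier has to make: tolerate a little clock drift, and never accept the same code twice.

```python
"""Added example: RFC 6238 TOTP, the algorithm behind time-based authenticator
tokens. Not Salesforce's code. The sample secret is the RFC's own test key."""
import base64
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time / step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int,
                last_counter: Optional[int] = None,
                step: int = 30, drift: int = 1) -> Optional[int]:
    """Server-side check. Accepts the current window plus/minus `drift`
    windows (phone clocks are never exactly right) but refuses any counter at
    or below the last one accepted, so a code captured in transit cannot be
    replayed inside its own window. Returns the accepted counter, or None."""
    current = at // step
    for counter in range(current - drift, current + drift + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


# Constructed sample: the RFC 6238 test key, base32-encoded as an authenticator
# app would receive it inside the enrolment QR code.
SAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def secret_from_base32(encoded: str) -> bytes:
    """Decode a base32 secret, restoring any '=' padding the QR code omitted."""
    encoded = encoded.strip().upper()
    return base64.b32decode(encoded + "=" * (-len(encoded) % 8))


def sample_key() -> bytes:
    return secret_from_base32(SAMPLE_SECRET_B32)


if __name__ == "__main__":
    key = sample_key()
    print("HOTP counter 0:", hotp(key, 0))            # RFC 4226 vector 755224
    print("TOTP at t=59  :", totp(key, 59))           # RFC 6238 vector 287082
    print("accepted      :", verify_totp(key, totp(key, 59), 59))
    print("replayed      :", verify_totp(key, totp(key, 59), 59, last_counter=1))
```

The replay check matters more than it looks: a six-digit code is only ever checked against a handful of windows, so an attacker who phishes one code and uses it within the same 30 seconds gets in unless the server remembers the last counter it accepted.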

Login Hours

Set at the profile level, Admins can set login hours so that users can only access Salesforce at set times. So if you set the login hours to 08:00 to 17:30 and a user is still actively working in Salesforce at 17:30, their session ends: they can still see the page they were on but cannot take any further action, so any unsaved changes to records are lost, and they will not be able to log in again until 08:00 the following morning. Tell your users before you switch this on.

To set login restrictions:

Salesforce – Setup>Manage Users>Profiles>Edit.
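Both the Login IP Ranges above and the Login Hours just described live on the profile, and both are easy to get subtly wrong: a range wide enough to cover the whole internet, or an end time that catches people mid-edit. The block below is an added example, not Salesforce's own code, that reads a profile the way it comes back from the Metadata API or the Salesforce CLI and answers "would this login be allowed?" for a given address, weekday and time, and lists any ranges too broad to be restrictions. The XML is constructed for the example; it assumes the Metadata API Profile layout (loginIpRanges with startAddress/endAddress, loginHours with <day>Start/<day>End as minutes after midnight) and that a day whose start equals its end permits no logins, which is how the UI expresses "no access on this day".

```python
"""Added example, not Salesforce's own code: evaluate a profile's Login IP
Ranges and Login Hours against a login attempt, and flag useless ranges.
Sample XML constructed for the example in the Metadata API Profile layout."""
import ipaddress
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}
DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")

# Constructed sample: office hours Mon-Fri 08:00-17:30, no weekend logins
# (start == end), one office range and one range left wide open by mistake.
SAMPLE_PROFILE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <loginHours>
        <mondayStart>480</mondayStart><mondayEnd>1050</mondayEnd>
        <tuesdayStart>480</tuesdayStart><tuesdayEnd>1050</tuesdayEnd>
        <wednesdayStart>480</wednesdayStart><wednesdayEnd>1050</wednesdayEnd>
        <thursdayStart>480</thursdayStart><thursdayEnd>1050</thursdayEnd>
        <fridayStart>480</fridayStart><fridayEnd>1050</fridayEnd>
        <saturdayStart>0</saturdayStart><saturdayEnd>0</saturdayEnd>
        <sundayStart>0</sundayStart><sundayEnd>0</sundayEnd>
    </loginHours>
    <loginIpRanges>
        <description>Bristol office</description>
        <endAddress>203.0.113.254</endAddress>
        <startAddress>203.0.113.1</startAddress>
    </loginIpRanges>
    <loginIpRanges>
        <description>Added for a contractor, never removed</description>
        <endAddress>255.255.255.255</endAddress>
        <startAddress>0.0.0.0</startAddress>
    </loginIpRanges>
</Profile>
"""


def parse_profile(xml_text):
    """Return ([(description, start, end)], {day: (start_min, end_min)})."""
    root = ET.fromstring(xml_text)
    ranges = []
    for r in root.findall("m:loginIpRanges", NS):
        start = ipaddress.ip_address(r.findtext("m:startAddress", namespaces=NS))
        end = ipaddress.ip_address(r.findtext("m:endAddress", namespaces=NS))
        ranges.append((r.findtext("m:description", default="", namespaces=NS), start, end))
    hours = {}
    block = root.find("m:loginHours", NS)
    if block is not None:
        for day in DAYS:
            s = block.findtext(f"m:{day}Start", namespaces=NS)
            e = block.findtext(f"m:{day}End", namespaces=NS)
            if s is not None and e is not None:
                hours[day] = (int(s), int(e))
    return ranges, hours


def ip_allowed(ranges, ip):
    """A profile with no ranges is unrestricted; otherwise the address must sit
    inside at least one inclusive start..end range."""
    if not ranges:
        return True
    addr = ipaddress.ip_address(ip)
    return any(start <= addr <= end for _, start, end in ranges)


def hours_allowed(hours, day, minute_of_day):
    """No loginHours block means no restriction. Otherwise the minute must be
    in [start, end); at `end` itself the user is already cut off."""
    if day not in hours:
        return True
    start, end = hours[day]
    return start <= minute_of_day < end


def overly_broad(ranges, max_hosts=65536):
    """Descriptions of ranges covering more than `max_hosts` addresses: they
    look like a restriction in Setup but let anyone in."""
    return [desc for desc, start, end in ranges if int(end) - int(start) + 1 > max_hosts]


def without_broad(ranges, max_hosts=65536):
    """The ranges you actually meant, for an 'after cleanup' comparison."""
    return [r for r in ranges if int(r[2]) - int(r[1]) + 1 <= max_hosts]


if __name__ == "__main__":
    ranges, hours = parse_profile(SAMPLE_PROFILE_XML)
    print("broad ranges:", overly_broad(ranges))
    print("home IP, as configured:", ip_allowed(ranges, "198.51.100.7"))
    print("home IP, after cleanup:", ip_allowed(without_broad(ranges), "198.51.100.7"))
    print("Monday 09:00:", hours_allowed(hours, "monday", 9 * 60))
    print("Monday 17:30:", hours_allowed(hours, "monday", 17 * 60 + 30))
```

Run this over every profile you retrieve and the first line of output is the one to act on: a single wide range on a profile silently undoes every narrow one beside it.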

OAuth  Authorisation

If your company uses third-party clients, make sure your access credentials are not being handed around. Using OAuth (pronounced O as in go and Auth as in goat. Thanks Peter Chittum), an open protocol, lets third parties reach your Salesforce resources without ever seeing your company's usernames and passwords. Instead of supplying a username and password to each site, the user authorises the app once and Salesforce issues it an access token that is scoped to specific resources, valid for a limited time, and can be revoked by the Admin from the org without anyone changing a password.

For more information on using OAuth, check out this amazing blog from Jeff Douglas, here.
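To make the "tokens instead of passwords" idea concrete, the block below is an added example, not code from the blog or from Salesforce, of the two legs of the OAuth 2.0 web server flow as a Salesforce connected app uses it, with no network calls. The endpoint paths and the fields of the token response (access_token, instance_url, id, issued_at, signature) follow Salesforce's documented flow; the client id, consumer secret, redirect URL, identity URL and the whole sample response are constructed for the example. It also shows the two checks a client should make and most skip: the state parameter on the callback, and the HMAC signature Salesforce puts on the token response.

```python
"""Added example (not Salesforce's or the blog's code): OAuth 2.0 web server
flow for a Salesforce connected app, offline. All identifiers are constructed."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

LOGIN_HOST = "https://login.salesforce.com"
CLIENT_SECRET = "constructed-consumer-secret-not-real"   # constructed for the example


def build_authorize_url(client_id, redirect_uri, scope="api refresh_token"):
    """Leg 1: send the browser to Salesforce. The random `state` is kept in the
    user's session and checked on return, so an attacker cannot splice their
    own authorization code into the victim's session. Returns (url, state)."""
    state = secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return LOGIN_HOST + "/services/oauth2/authorize?" + urlencode(params), state


def parse_callback(callback_url, expected_state):
    """Extract the one-time code from the redirect back to us, refusing it
    unless the state matches what we issued for this session."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF, discard this code")
    if "code" not in qs:
        raise ValueError("no authorization code in callback")
    return qs["code"][0]


def token_request_body(client_id, client_secret, code, redirect_uri):
    """Leg 2: the back-channel POST body for /services/oauth2/token. Note what
    is absent: the user's Salesforce password. The app only ever holds tokens."""
    return {"grant_type": "authorization_code", "code": code,
            "client_id": client_id, "client_secret": client_secret,
            "redirect_uri": redirect_uri}


def signature_for(client_secret, identity_url, issued_at):
    """HMAC-SHA256 over id + issued_at, keyed with the consumer secret, base64."""
    mac = hmac.new(client_secret.encode(), (identity_url + issued_at).encode(),
                   hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def token_response_is_genuine(response, client_secret):
    """Salesforce signs the token response with our consumer secret; checking
    it ties the response to our connected app before we trust instance_url."""
    expected = signature_for(client_secret, response["id"], response["issued_at"])
    return hmac.compare_digest(expected, response["signature"])


def sample_token_response(client_secret=CLIENT_SECRET):
    """Constructed token response in the documented shape, signed like a real one."""
    identity = LOGIN_HOST + "/id/00Dxx0000000000EAA/005xx000000000AAA"  # constructed ids
    issued = "1422268800000"
    return {"access_token": "constructed-access-token",
            "instance_url": "https://na1.salesforce.com",
            "id": identity, "issued_at": issued,
            "signature": signature_for(client_secret, identity, issued)}


if __name__ == "__main__":
    url, state = build_authorize_url("3MVG9constructedClientId", "https://app.example.com/callback")
    print("send user to:", url)
    code = parse_callback(f"https://app.example.com/callback?code=aPrxConstructedCode&state={state}", state)
    print("token POST body:", token_request_body("3MVG9constructedClientId", CLIENT_SECRET, code, "https://app.example.com/callback"))
    print("response genuine:", token_response_is_genuine(sample_token_response(), CLIENT_SECRET))
```

The consumer secret never leaves the server side of the app, the code is useless without it, and if a token is ever misused the Admin revokes it from the user's record in Setup rather than resetting anyone's password.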

If you would like more security related material then check out Desynit's Good System Blog on 'What we can learn from Sony, MoonPig, and Taylor Swift on Cloud Security' or watch out for the Cloudlife Podcast this week, 23rd Jan, with special guests (TBC, but sadly, not Taylor Swift).

See you next week.


By Jenny Bamber
26 January 2015
Categories: Jenny's Admin Tips, The Good Systems Blog
