Security Best Practice for Salesforce

Recently I was asked to put together a list of best practices for setting up security within the Salesforce^® platform.  The list below is originally from Salesforce but I’ve added a bit to it help explain it and provide my personal recommendations.

Educate your staff

Your employees are your highest level of risk for a security incident.  As humans we’re going to make mistakes but education can go a long ways in keeping your systems secure.  Teach your staff to always:

• Verify they are logging into a valid Salesforce website.  The web domain name must be salesforce.com.
• Only login into secure websites.  Every Salesforce login page will have “https” in the login webpage address.
• Type in the login URL manually or bookmark it and use it every time you login.  Be cautious of clicking on links from unexpected emails.
• Be diligent with emails.
  • Do not submit information from an email form
  • Do not respond to emails requesting confidential information
  • Be suspicious about emails with urgent requests
  • Never open attachments you’re not expecting regardless of who sent the email

Notify Salesforce of who your primary security contact

Salesforce will document your security contact’s information and keep them informed of security related communications.

• Appoint a security contact for your company.  This person will be responsible for application security.  Typically this is someone either in the Information Technology department or with a technology background.  They will establish and/or understand your company’s security policies.  
• Provide the security contacts information to Salesforce and they will receive security alerts.

Secure employee systems

Be sure to keep all your systems patched and updated.

• Update to the latest Internet browser.  The newer browsers help clearly identify bogus websites.  They also provide high levels of security controls.
• Deploy email filtering technologies that help stop phishing and spam messages from reaching your staff.  You do not need to have complex email systems for this technology.  Most common antivirus software can provide this type of protection so there should be no excuse for not protecting yourself.
• Install and maintain desktop protection.  Virus and malware detection and removal will help keep your system clean and safe from harm.  Always subscribe to your antivirus provider’s update services to keep protected from all new threats.

Implement IP restrictions

I partially agree with this Salesforce recommendation.  While it should be considered a best practice it may not always be practical in every situation.  Every computer connected to a network or wifi will have an IP Address assigned to it.  Within Salesforce you can restrict which IP Addresses are allowed to connect to your Salesforce system.  Salesforce gives you two methods to restrict IP addresses.

• Restricting logins by IP Address globally prevents computers that are outside your network from logging in.  If you need your staff to connect to Salesforce from home or from the road, this would prevent their access so use it carefully.  If you have a VPN or other remote access controls in place and staff connect to the office via those tools, then this can be a powerful security protection.
• Restricting IP Address at the Profile level prevents specific users (based on their profile) from connecting from outside an approved network.  This can be a great idea for non-traveling type of users who always connect from within the office.

Strengthen password policies

The password settings within Salesforce can be found under the Setup menu | Security Controls | Password Policies.

• Using strong passwords is a must as it makes it significantly harder to break
  • I would recommend nothing less than an 8 digit password length
  • I would recommend nothing less than having the system remember the last three passwords
  • Password question requirements cannot contain the password
• I recommend requiring passwords to expire no less than every 90 days
• I recommend requiring password complexity with a mix of alpha and numeric values
• I recommend allowing a maximum of 5 login attempts with a 30 minute lockout effective period

Require secure sessions

Session Security controls are located under the Setup menu | Security Controls | Session Settings.

• Require the use of secure sessions (https)
• I  recommend disabling the caching and autocomplete on login pages
• I recommend enabling SMS-based identity confirmation

Decrease the session timeout value

While I agree this is a best practice, it can be highly frustrating to the users as idle time will require them to log back in.  I recommend finding an effective balance with this one.  The default is two hours which I personally feel is a good compromise.  This settings are found under the Setup menu | Session Settings.

• Timing out the sessions faster helps prevent unauthorized access to Salesforce after no activity.  I would recommend the effective use of screen saver passwords to prevent unauthorized access but also appreciate the balance of security.  I also recommend never walking away from your computer without locking the screen.

Consider 2Factor authentication

Two factor authentication requires the person to know and/or have two pieces private information or device to gain access.

• Factor 1 is the username and password
• Factor 2 is a security id token.  Leverage your security team’s knowledge to help you fully understand your options.

Contact Salesforce or a qualified Partner for help

Security can be a complex topic so surround yourself with experts if you do not have them in house.  Call Salesforce for guidance or work with a certified Salesforce^® partner.