Simple steps include setting API Ranges and Login Hours to reduce attack risks, using Session Security to safeguard against unauthorized access, and implementing stringent Password Policies for stronger defenses. Leveraging Org-Wide Sharing Settings and Permission Set Groups helps restrict data access, minimizing potential damage in case of a breach.
Utilizing the Salesforce Integration License and Connected Apps ensures secure integration scenarios, with these features being user-friendly and readily available in Salesforce.
- API Ranges and Login Hours - Implementing API Ranges and defining Login Hours significantly reduces the risk of an attack, as hackers need to gain network access during business hours.
- Session Security - Utilize session security to minimize network exposure when a user leaves the computer unattended while logged in. It also mitigates internal attack risks, such as unauthorized use of another employee's session. Consider restricting to Salesforce health check standard values and implementing High-Assurance Session Security for sensitive setup operations.
- Password Policies - Adopt Salesforce health check standard values or implement more stringent ones. Consider setting a minimum password length of at least twelve characters with complexity requirements, enhancing resistance to brute force attacks. Reevaluate the frequency of mandatory password changes, leaning towards longer intervals (e.g., ninety days) based on recent research that suggests such changes can lead to weaker passwords. Encourage users to handle complex passwords effectively by introducing password managers.
- Org-Wide Sharing Settings - Leverage org-wide sharing settings to secure data at the most restrictive level. Utilize additional record-level security tools selectively to grant access, minimizing potential damage from a security breach.
- Use Permission Set Groups - Deploy Minimum Access User profile to establish optimal default access for users. Extend permissions through permission set groups, adhering to the principle of least privilege to mitigate security risks.
- Use Salesforce Integration License - Leverage up to five complimentary API-only licenses for integrations in certain editions. Ensure compliance with the principle of least privilege by using permission set groups. Restrict UI access and avoid assigning the System Administrator profile to integration users. Minimize the use of user password login flow for integration users.
- Connected Apps - Install connected apps and tailor restrictions as needed, preferably tied to specific permission sets. Create a dedicated connected app for each integration scenario, using digital certificates to reduce the risk of exposed passwords and potential damage in the event of a breach.
Summary
For comprehensive security in Salesforce, it is highly recommended to implement all the features mentioned above. Utilizing these features collectively forms a robust defense against potential security threats. These features are not only user-friendly but also readily available as out-of-the-box functionalities in Salesforce, making their implementation a straightforward and effective practice to enhance overall system security.
