How to Deal With Sensitive Data in Salesforce: A Guide to Data Classification

Salesforce Ben and the Varonis team up to discuss Salesforce data classification best practices.
Megan Garza
3 min read
Last updated June 8, 2023
id badge graphic with passport booklet underneath, red exclamation point showing security breech


Salesforce houses massive amounts of customer data, and protecting that data is at the core of business best practices. With personally identifiable information (PII), personal credit information (PCI), customer lists, and more stored in Salesforce, it’s never been more important to secure and classify your sensitive data.

Salesforce Ben Founder Ben McCarthy and Varonis Senior VP of Strategic Programs David Gibson held a session all about protecting your Salesforce environment. They shared best practices for managing sensitive data across multiple Salesforce Orgs, how to set up data classification using native Salesforce functionality, and how Varonis can help you find sensitive data and identify who can access it — all with just a few clicks.

Key takeaways

The type of data found in Salesforce may not be what you’d expect. When navigating your Salesforce Org, there are certain types of sensitive data you anticipate seeing: personally identifiable information, personal credit information, customer lists, pricing information, and so on.

However, you may be surprised to find a lot more under the hood. “Whenever you’ve got end users involved, you kind of have to buckle your seatbelt because sensitive data is going to be in the obvious places, but it’s also going to be in the places you might not expect,” David said.

The most common way this information winds up in Salesforce is through integrations, Ben said.

“If you have the functionality where someone can send an attachment, that will also get attached to the case record,” Ben said. “They can be sending you absolutely anything, and it will get stored in your Salesforce.”

This could include sensitive information like health records, contract attachments, legal documentation, or even API keys.

“If you’re using Salesforce properly, it’s going to be at the center of your business,” he said. “Information from different systems are naturally going to end up in Salesforce.”

Protecting and locating data

Before you can protect sensitive data, you first have to locate it. In late 2020, Salesforce implemented a data classification feature that allows you to configure sensitivity levels, customize compliance categories, and create reports, building a picture of what information is being stored and whether or not it’s sensitive.

This process can be labor-intensive and time-consuming, though. “It is a bit of work,” Ben said, “but unfortunately, it’s necessary.”

Enter automation.

“With the amount of fields and the amount of data that’s not in fields in Salesforce, it’s a logical conclusion that you’ll need to automate at some point,” David said. But when attempting to automate classification, you’ll want to avoid the traditional viewpoint that Salesforce only houses structured data.

“A lot of folks think of Salesforce as a structured data store, and it certainly is — it’s got tables, it’s got columns, it’s got rows — and from a classification perspective, structured data is an easier beast to tame,” he said.

However, David pointed out that over the years, Salesforce has evolved. While it is still highly structured, the CRM tool has also become highly collaborative, which can make identifying PII a little more complicated.

“An individual phone number might not count by itself as PII for some of these regulations, but if you join that with more information like an address or name, then all of a sudden, it does qualify,” he said. And if you are looking to automate classification in Salesforce, and you’re going into it with a structured mindset, field by field, you might miss sensitive data located where it shouldn’t be.

Reduce your blast radius.

Once you determine what information is stored in Salesforce, and have identified if that information is indeed sensitive, then you can take the necessary steps to remediate risk.

If you find overexposed data, David said, you have a few options:

    1. Lock the data down. Fix the org-wide defaults and broad sharing rules such as “read all,” “modify all,” and “export reports.”
    2. Block access to the data. Encrypt, obfuscate, or tokenize the information.
    3. Move the data. Limit export rights on these types of records.

Once you can visualize your blast radius — where we have sensitive data, where is it exposed, who’s using it — then you can start to reduce that blast radius and manage it going forward.

Protect your sensitive Salesforce data with Varonis.

With complex roles, permission sets, and org-wide configurations, it’s virtually impossible to see which users can do the most damage in Salesforce. Varonis gives you a complete view of effective access for every Salesforce user so that you can easily right-size permissions and get to a least-privilege model, ensuring compliance by only allowing the necessary people access to sensitive data.

Learn more.

Watch the full discussion to learn all the ways you can protect sensitive data in Salesforce. While you’re there, sign up to be notified of upcoming webcasts.

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:


Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.


See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.


Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

Salesforce Security: 5 Ways Your Data Could be Exposed
Salesforce is the lifeblood of many organizations - Here are five things you should know about your Salesforce security and how to effectively reduce risk
How Varonis Saves Salesforce Admins Hours in Their Day
Varonis provides industry leading Salesforce management and permission implications capabilities to help save Salesforce admins hours in their day.
Varonis Announces Salesforce Shield Integration
Varonis now integrates with Salesforce Shield to provide deep visibility into Salesforce and help organizations secure their mission-critical data.
Salesforce Misconfiguration Causes Sensitive Data Leaks
Brian Krebs recently reported that an alarming number of organizations—including banks and healthcare providers—are leaking sensitive information due to a misconfiguration in Salesforce Communities.