Varonis debuts trailblazing features for securing Salesforce. Learn More

Varonis named a Leader in The Forrester Wave™: Data Security Platforms, Q1 2023

Read the report

Your Guide to Salesforce Data Protection

4 min read
Last updated Oct 27, 2021


    3.86 Million Dollars.

    That is the approximate cost of a data breach on any business worldwide in 2020. The number increases to 8.64 million dollars in expenses in the United States alone. Let us add that it takes an average of 228 days in 2020 to identify a breach event. These statistics alone can give any customer-facing business sleepless nights, and regulatory agencies worldwide can exert punitive action for any business not being scrupulous enough in their data security. The amount of money spent on data security and protection has continued to rise in the last three years, with a bulk of the IT budget spent on cloud and data security in 2020. Customer data platforms like Salesforce command the lion’s share of these customer data sets. So it follows that these businesses spend a bulk of their resources for Salesforce data security and protection every year.

    If Salesforce is your record of customer data and you are looking to cover your bases on protecting and securing your data, this guide is for you. We will ensure that we show you how Salesforce could provide you all the necessary controls in securing customer data at different levels.

    Salesforce Data Protection: Where to Start?

    You cannot protect what you cannot see.

    Thankfully, the Salesforce platform allows you to conduct a comprehensive security assessment of your Salesforce org instance in the form of a Salesforce Health Check. Health Check will enable you to run security checks as per the Salesforce Baseline Standard. However, you could also create your security baseline if you would like to enforce a much stricter assessment to run frequently.

    Once the assessment is complete, you get a health check score. The Salesforce Baseline Standard runs across a set of standard values and provides you a health check score, ranging from Excellent for 90% and above to Very Poor for scores 54% and below. The Health Check checks across different settings, categorized as High-Risk, Medium-Risk, Low-Risk, and Informational. The settings vary widely, from enabling secure HTTPS connections and content security requirements to enforcing strong password policies and session timeout settings. Once you have run this health check, the Health Check application allows you to fix these settings to compliant values in one single action. You could also choose to review and select each setting separately if needed.

    These settings are a great start to start identifying our readiness for data security and protection. From this point, there are two primary aspects around which Salesforce provides security controls to secure your data further. Let us dive deep into each of these aspects to understand how it helps you protect your data from each angle.

    Step 1: Securing Salesforce Data

    The Salesforce platform provides a data security model that aims to secure data at multiple levels from the organization to individual attributes and records. This tiered level of security allows you to restrict data access widely across the organization and then open up access for selected roles and users on the levels below.

    The Salesforce platform provides security controls at four levels, namely:

    Organization Level Security

    Salesforce works on a multi-tenant architecture, where you can set up each organization differently to suit your business needs. You can restrict how your users access your Salesforce instance by setting up features like Trusted IP ranges and Custom Login methods. You can strengthen your org security setup further by using Salesforce Shield, a package of robust security features like Real-Time Event Monitoring and Shield Platform Encryption. These features, coupled with Field Audit Trail, help you set up organization-wide security policies and ensure that the proper controls are in place by monitoring them regularly.

    Object Level Security

    Salesforce consolidates most domain-level data sets and tables as objects and treats them as a consolidated means to enforce access with the help of profiles and permissions. Profiles help you enforce access privileges on a set of objects on a given domain like Contacts or Campaigns. Permission sets allow you to double down on the level of additional permissions you need to provide to specific users already present in a profile.

    Field Level Security

    You can restrict specific fields on an object within particular screens and reports using field-level security features to hide or provide read/write permissions for individual fields. These field-level restrictions allow you to control sensitive fields within objects to treat them differently based on each profile, thus providing a granular level of access customization.

    Record Level Security

    Record level security in Salesforce allows you as an admin to customize access and sharing of records for each profile. These security features allow you to enforce segregation of duties on the role, which can potentially only view records in their department but not across other departments. Record-level security also enables admins to set up discreet rules for sharing data by setting up ownership-based sharing rules based on specific roles and criteria.

    Step 2: Securing Salesforce API and Community Access

    data access from external sources

    The Salesforce platform allows you to build multiple apps and services to consume your customer data, which opens up your instance to various opportunities to serve significant use cases. But this platform flexibility also opens up multiple vulnerabilities if these gateways to access your data are not secured well. As an admin, it is not enough to enforce the data security model within the Salesforce instance – a thorough look at how the platform enables access from the outside world is also essential. Let us look at our options to secure data access from external sources too.

    API and App Access

    Salesforce allows you to customize and designate App and API access to specific roles, where you could enable permissions ‘API only’ and grant the appropriate permissions for that role just to read data and not be able to modify any data inadvertently. The rules to enforce data access to external systems like Apps and APIs apply equally from how we have described the data security model earlier: lockdown permissions broadly and access to the bare minimum record and field level privileges the API might need to. You can also enforce password-level policies and location-specific restrictions on App and API roles, the same way as you could on actual users in your Salesforce instance.

    Salesforce also allows you to whitelist specific apps, so ensure that you revisit the permissions provided to all the apps connecting to your Salesforce instance to ensure no dormant apps leave the door open to such vulnerable scenarios.

    Access to Communities

    The Salesforce platform is known for its Communities, where many different users and partners engage in collaboration. As an admin, you have to ensure that all users on the Community Platform have the right level of privilege, allowing them to access data on a need-to-know basis. Salesforce Communities might not be top-of-mind for data access and sharing considerations. Ensure that you configure your community instance as much as possible to authenticate users, thus providing the opportunity to assign them the appropriate level of access for the objects they need.

    Salesforce Data Protection: A Continuous Endeavor

    The Salesforce data security model allows for a great deal of customization and flexibility for you to set it up the way your organization needs it. As an admin, the buck would stop at you to enforce the right level of data access across the organization while still setting up your roles to perform their roles effectively. Be informed that implementing data security in your Salesforce instance is not a one-and-done exercise. Instead, consider devoting time regularly every month to audit your instance and tweak your security policies to protect the most prized asset of your business: your customers and their data.

    At Varonis, we are at the forefront of enabling data protection and security. We have deep expertise in providing data security solutions through our comprehensive Data Security Platform.

    What you should do now

    Below are three ways we can help you begin your journey to reducing data risk at your company:

    1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
    2. Download our free report and learn the risks associated with SaaS data exposure.
    3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Twitter, Reddit, or Facebook.

    Free Data Risk Assessment

    Join 7,000+ organizations that traded data darkness for automated protection. Get started in minutes.