Your Guide to Salesforce Data Protection

Renganathan Padmanabhan
Last updated October 27, 2021

3.86 Million Dollars.

That was the approximate cost of a data breach to a business anywhere in the world in 2020. The number increases to 8.64 million dollars in the United States alone. On top of that, it took an average of 228 days in 2020 to identify a breach. These statistics alone can give any customer-facing business sleepless nights, and regulatory agencies worldwide can take punitive action against any business that is not scrupulous enough about its data security. The amount of money spent on data security and protection has continued to rise over the last three years, with the bulk of the IT budget spent on cloud and data security in 2020. Customer data platforms like Salesforce hold the lion's share of these customer data sets, so it follows that these businesses spend the bulk of their resources on Salesforce data security and protection every year.

If Salesforce is your system of record for customer data and you are looking to cover your bases on protecting and securing that data, this guide is for you. We will show you how Salesforce provides the controls you need to secure customer data at different levels.

Salesforce Data Protection: Where to Start?

You cannot protect what you cannot see.

Thankfully, the Salesforce platform allows you to conduct a comprehensive security assessment of your Salesforce org in the form of a Salesforce Health Check. Health Check runs security checks against the Salesforce Baseline Standard. You can also create your own security baseline if you would like to enforce a much stricter assessment and run it frequently.

Once the assessment is complete, you get a health check score. The Salesforce Baseline Standard runs across a set of standard values and provides you a health check score, ranging from Excellent for 90% and above to Very Poor for scores 54% and below. The Health Check checks across different settings, categorized as High-Risk, Medium-Risk, Low-Risk, and Informational. The settings vary widely, from enabling secure HTTPS connections and content security requirements to enforcing strong password policies and session timeout settings. Once you have run this health check, the Health Check application allows you to fix these settings to compliant values in one single action. You could also choose to review and select each setting separately if needed.

These settings are a great way to start assessing your readiness for data security and protection. From this point, there are two primary aspects around which Salesforce provides security controls to secure your data further. Let us dive deep into each of these aspects to understand how it helps you protect your data from each angle.

Step 1: Securing Salesforce Data

The Salesforce platform provides a data security model that aims to secure data at multiple levels from the organization to individual attributes and records. This tiered level of security allows you to restrict data access widely across the organization and then open up access for selected roles and users on the levels below.

The Salesforce platform provides security controls at four levels, namely:

Organization Level Security

Salesforce works on a multi-tenant architecture, where you can set up each organization differently to suit your business needs. You can restrict how your users access your Salesforce instance by setting up features like Trusted IP ranges and Custom Login methods. You can strengthen your org security setup further by using Salesforce Shield, a package of robust security features like Real-Time Event Monitoring and Shield Platform Encryption. These features, coupled with Field Audit Trail, help you set up organization-wide security policies and ensure that the proper controls are in place by monitoring them regularly.

Object Level Security

Salesforce consolidates most domain-level data sets and tables as objects and enforces access to them with the help of profiles and permissions. Profiles help you enforce access privileges on a set of objects in a given domain, like Contacts or Campaigns. Permission sets let you grant additional permissions to specific users beyond what their profile already provides.

Field Level Security

You can restrict specific fields on an object within particular screens and reports using field-level security features to hide or provide read/write permissions for individual fields. These field-level restrictions allow you to control sensitive fields within objects to treat them differently based on each profile, thus providing a granular level of access customization.

Record Level Security

Record-level security in Salesforce allows you as an admin to customize access to and sharing of records for each profile. These security features allow you to enforce segregation of duties, so that a role can view only the records in its own department and not those of other departments. Record-level security also enables admins to set up discrete rules for sharing data, using ownership-based sharing rules tied to specific roles and criteria.

Step 2: Securing Salesforce API and Community Access


The Salesforce platform allows you to build multiple apps and services to consume your customer data, which opens up your instance to various opportunities to serve significant use cases. But this platform flexibility also opens up multiple vulnerabilities if these gateways to access your data are not secured well. As an admin, it is not enough to enforce the data security model within the Salesforce instance – a thorough look at how the platform enables access from the outside world is also essential. Let us look at our options to secure data access from external sources too.

API and App Access

Salesforce allows you to customize and designate app and API access for specific roles: you can enable the 'API only' permission and grant that role just the permissions it needs to read data, so that it cannot modify any data inadvertently. The rules for external systems like apps and APIs are the same as those described for the data security model earlier: lock down permissions broadly and grant only the bare minimum record- and field-level privileges the API needs. You can also enforce password policies and location-specific restrictions on app and API roles, the same way you can on actual users in your Salesforce instance.

Salesforce also allows you to whitelist specific apps, so revisit the permissions granted to every app connecting to your Salesforce instance and make sure no dormant app leaves the door open to such vulnerable scenarios.
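The read-only, least-privilege rule for API roles described above can be checked mechanically. The following is an added example, not code from the original article or from Salesforce: a Python audit over constructed rows shaped like the standard PermissionSet, ObjectPermissions and FieldPermissions objects. The function name, the permission set name, the Ids and the allow-list of needed objects are assumptions.

```python
# SOQL a reviewer could use to export the rows (shown for context, not executed here):
#   SELECT Id, Name, PermissionsModifyAllData, PermissionsViewAllData FROM PermissionSet
#   SELECT ParentId, SobjectType, PermissionsRead, PermissionsCreate, PermissionsEdit,
#          PermissionsDelete, PermissionsViewAllRecords, PermissionsModifyAllRecords
#     FROM ObjectPermissions
#   SELECT ParentId, Field, PermissionsRead, PermissionsEdit FROM FieldPermissions
WRITE_FLAGS = ("PermissionsCreate", "PermissionsEdit", "PermissionsDelete",
               "PermissionsModifyAllRecords")

def audit_read_only_integration(permset, object_perms, field_perms, needed_objects):
    """Return (severity, message) findings for a permission set meant to be read-only."""
    findings = []
    for flag in ("PermissionsModifyAllData", "PermissionsViewAllData"):
        if permset.get(flag):
            findings.append(("high", f"{flag} bypasses object, field and record controls"))
    for row in object_perms:
        if row["ParentId"] != permset["Id"]:
            continue  # row belongs to another permission set
        obj = row["SobjectType"]
        writes = [f for f in WRITE_FLAGS if row.get(f)]
        if writes:
            findings.append(("high", f"{obj}: write access via {', '.join(writes)}"))
        if row.get("PermissionsViewAllRecords"):
            findings.append(("medium", f"{obj}: View All bypasses record-level sharing"))
        if row.get("PermissionsRead") and obj not in needed_objects:
            findings.append(("medium", f"{obj}: readable but not needed by the integration"))
    for row in field_perms:
        if row["ParentId"] == permset["Id"] and row.get("PermissionsEdit"):
            findings.append(("high", f"{row['Field']}: field is editable"))
    return findings

# Constructed sample data: the Id and names below are made up for illustration.
PERMSET = {"Id": "0PS_EXAMPLE", "Name": "Reporting_Integration",
           "PermissionsModifyAllData": False, "PermissionsViewAllData": False}
OBJECT_PERMS = [
    {"ParentId": "0PS_EXAMPLE", "SobjectType": "Contact", "PermissionsRead": True},
    {"ParentId": "0PS_EXAMPLE", "SobjectType": "Campaign", "PermissionsRead": True,
     "PermissionsEdit": True},
    {"ParentId": "0PS_EXAMPLE", "SobjectType": "Case", "PermissionsRead": True,
     "PermissionsViewAllRecords": True},
]
FIELD_PERMS = [
    {"ParentId": "0PS_EXAMPLE", "Field": "Contact.Email", "PermissionsRead": True},
    {"ParentId": "0PS_EXAMPLE", "Field": "Contact.Phone", "PermissionsRead": True,
     "PermissionsEdit": True},
]

if __name__ == "__main__":
    needed = {"Contact", "Campaign"}  # assumption: objects the integration actually reads
    for sev, msg in audit_read_only_integration(PERMSET, OBJECT_PERMS, FIELD_PERMS, needed):
        print(f"[{sev}] {msg}")
```

Each finding maps to one tier of the data security model: org-wide permissions, object permissions, record-level sharing bypass, and field-level edit rights.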

Access to Communities

The Salesforce platform is known for its Communities, where many different users and partners engage in collaboration. As an admin, you have to ensure that all users on the Community Platform have the right level of privilege, allowing them to access data on a need-to-know basis. Salesforce Communities might not be top-of-mind for data access and sharing considerations. Ensure that you configure your community instance as much as possible to authenticate users, thus providing the opportunity to assign them the appropriate level of access for the objects they need.

Salesforce Data Protection: A Continuous Endeavor

The Salesforce data security model allows for a great deal of customization and flexibility, so you can set it up the way your organization needs it. As an admin, the buck stops with you to enforce the right level of data access across the organization while still enabling your users to perform their roles effectively. Be aware that implementing data security in your Salesforce instance is not a one-and-done exercise. Instead, consider devoting time every month to audit your instance and tweak your security policies to protect the most prized asset of your business: your customers and their data.

At Varonis, we are at the forefront of enabling data protection and security. We have deep expertise in providing data security solutions through our comprehensive Data Security Platform.
