Trust Champion: Prag Ravichandran Kamalaveni


Today on the Salesforce Admins Podcast, we’re talking to Prag Ravichandran Kamalaveni, Salesforce Lead at CloudKettle. We learn all about the new Trust Champions program, which recognizes trailblazers who have expertise in and champion or advocate for good security practices and effective use of Salesforce technology to protect their company’s data.

Join us as we talk about security best practices, lessons he’s learned about how to roll out Salesforce security features, and what you can do as an admin to get started.

You should subscribe for the full episode, but here are a few takeaways from our conversation with Prag Ravichandran Kamalaveni.

 How Prag became a Trust Champion.

“For many Salesforce admins, security is something that they’re less comfortable with,” Prag says, “so when I started attending and hosting Trailblazer community meetings, most of my topics were around security.” When people started thanking him for helping them understand complex topics, Prag realized he not only had a gift for decoding security on Salesforce but for explaining it to others.

One big tip that Prag has is to use pen and paper before you turn on or off any security feature in Salesforce. “When it comes to security, there’s no user interface for how the sharing works,” Prag says, “so make sure you write down your sharing model and see how data is going to be shared. Spend time on visualizing how security is going to work inside your org.” Take the time to actually map out how everything is going to work to make sure you understand what’s going on.

Practical security tips for your org.

Admins often have god powers in their own orgs, but when it comes to best practices, you want to restrict access across the org and apply the principle of least privilege for user records. “Salesforce provides so many great features on the verification and authentication process,” Prag says, “and by leveraging these features, Salesforce admins can significantly increase the level of security for sensitive operations by raising the users’ permissions to high assurance under session settings.”

A big part of keeping everything secure is taking advantage of the multi-factor authentication (MFA) features that are baked into the Salesforce platform. Safeguard access to your user accounts, and make sure that there’s more protecting your accounts than just usernames and passwords written down on a piece of paper somewhere. “As security threats grow increasingly common, it’s essential to implement stronger measures of account security,” Prag says, and he has some tips and tricks for how to get better adoption from users and get buy-in from leadership.

It’s important to remember that these security features are complicated and can often be nonintuitive, but you’re not in this alone. “Look to the community if you need help,” Prag says, “there are thousands of community groups in your local area, so feel free to log in and ask your question.” In the meantime, educate yourself and make sure you understand all of the security features Salesforce offers, and see what you can do to roll them out to your org.


 

Full Show Transcript

Gillian Bruce:
Welcome to the Salesforce Admins Podcast, where we talk about product, community and careers to help you be an awesome admin. I’m Gillian Bruce and today we are talking about a brand new program we have at Salesforce, our Trust Champions Program. This is a program that recognizes trailblazers who have expertise in and champion or advocate for good security practices and effective use of Salesforce technology to protect their company’s data.

Gillian Bruce:
Now, as an admin, we know how important security is. This is a program that helps us understand a little bit more about how we can do that. And today we have a guest who is a trust champion. We’re welcoming Prag Ravichandran Kamalaveni to the podcast, all the way from Halifax, Nova Scotia, Canada, to talk to us about some security best practices, some things that he’s learned in his career about how to roll out some of these great security features that we have on the Salesforce platform and what you can do as an admin to get started. So without further ado, let’s welcome Prag to the podcast. Prag, welcome to the podcast.

Prag Ravichandran Kamalaveni:
Thank you so much for having me Gillian, I’m excited to be here.

Gillian Bruce:
Well, I very much appreciate you taking the time to join us because we have some important stuff to talk about, a topic that is very near and dear to admins’ hearts and that is security and trust. But before we get into that, I would love to know a little bit about you. Can you tell us a little bit why you are so focused on security? Was there something that happened in your career that kind of piqued your interest in this topic?

Prag Ravichandran Kamalaveni:
Yeah, absolutely. So I’m a Salesforce practice lead at CloudKettle and I’m a Salesforce trust champion, which is a brand new program. And I also lead a team of Salesforce admins developers, but there’s a very good story, which I would like to share, which makes me get into the security world. So I’m the type of person who likes to understand how things work since that’s my character I started visualizing how Salesforce security works. I think for many Salesforce admins, security is something that they always feel less comfortable with.

Prag Ravichandran Kamalaveni:
So when I started attending and hosting trailblazer community meetings, previously they’re known as Salesforce meetups, most of my topics were around security. So I was inspired when a solo admin came to me and thanked me for explaining how the data sharing model works, and what is the purpose of the associated share object in Salesforce. And then I’ve realized I’m not really good at understanding how security works, but also good at explaining them in layman’s terms. This realization pushed me to submit my topics to present at Dreamforce and luckily for the past three years, I got accepted to present on Salesforce security content. So this is my background around why I am super focused on talking about security.

Gillian Bruce:
Yeah, well, hey, explaining the Salesforce sharing model is no easy task as someone who had to learn how to do that early on in my career at Salesforce, it took me a while. So it’s fantastic that you discovered you were doing it successfully because I know a lot of people struggle with that. Just to kind of as an aside, is there a specific metaphor or analogy that you tend to see works best when explaining it to people?

Prag Ravichandran Kamalaveni:
Yeah, I understand why it is very hard to understand the security model and how it works is because when it comes to security, you can’t see and there is no user interface to see how the sharing has worked, right? It’s like visualization. So every time when you’re working around security, make sure you use paper, pen and write down your sharing model and see how data is going to be shared. And also spend more time on visualizing how the security is going to work inside your Salesforce org, because all the admins have god’s power, so they should be very, very cautious before they turn on or turn off any kind of security features in Salesforce.

Gillian Bruce:
I think that’s a great recommendation. I love how you say use pen and paper because so many of us like, “Oh, it’s on the app. It’s fine.” But yeah, actually mapping that out with a pen and papers, maybe even a pencil and paper, I don’t know, it might be good.

Prag Ravichandran Kamalaveni:
Yeah.

Gillian Bruce:
So let’s talk a little bit about, clearly security is something very important for admins to think about. For a multitude of reasons, admins we’re in the role of managing all of the data and managing all the users and access. But can you tell me a little bit more about, maybe admins may know, oh yeah, I know security is important and I need to give users the right permissions to access stuff. But let’s talk a little deeper, what are some real big reasons why admins should care about security and learning more and going a little bit deeper?

Prag Ravichandran Kamalaveni:
Oh, absolutely. So admins should care about security because as I mentioned before, they often have god powers in their own Salesforce org and they set the level of access for other users. So it’s crucial, admins understand the best practices is to restrict access across the org and to apply the principle of least privilege for user accounts. So in my experience, often admins are good at providing appropriate access to metadata components like page layout, assignments, reports, dashboards foam, folders, et cetera. But when it comes to data access, it’s more nuanced as there are multiple factors involved.

Prag Ravichandran Kamalaveni:
So I think it’s really important that admins understand the data sharing settings such as internal sharing, external sharing, implicit sharing, et cetera. Then there is another reason admins should care about security is Salesforce provides so many great security features on the verification and authentication process. And by leveraging these features, Salesforce admins can significantly increase the level of security for sensitive operations by raising the user’s permissions to high assurance under session settings.

Prag Ravichandran Kamalaveni:
So my advice to fellow admins is investing in understanding the Salesforce security features, which are available and look through the community, if you need help, right? There are thousands of community groups in your local area, feel free to log in and in this world everything is … which you also, feel free to log in and ask your question.

Gillian Bruce:
Okay. So you talked about multi-factor authentication. Let’s talk a little bit more about that because well, many admins, if you passed your admin cert you had to know at least a little bit about the sharing models and permissions and all of that, and that’s definitely one layer of your security, but you talked about multi-factor authentication. Let’s dig in a little bit deeper there. Why is this so important for admins and can you talk a little bit about how admins might want to consider using this for the first time, if it’s something they’ve heard about, but it hasn’t really been something that’s bubbled up as super important? Tell us Prag, why’d should admins really think about using MFA or multi-factor authentication?

Prag Ravichandran Kamalaveni:
Oh, absolutely. And I know all admins would agree that Salesforce has so many security features, but recently I’ve come across multi-factor authentication and I am most passionate about teaching others about security, data security. So Salesforce does a great job prioritizing the protection of customer data. And as security threat growing increasingly common, it’s essential to implement stronger measures of account access securities. That’s where the multi-factor authentication or also called as MFA, which is a relatively new feature, and that’s my favorite in the recent days.

Prag Ravichandran Kamalaveni:
So key part of our security strategy is safeguarding access to our user accounts and the use of credentials alone, doesn’t always provide sufficient protection. And I’m pretty sure in a lot of organizations, users are still using their username and password in a piece of paper, and somehow it will be accessible by someone. And if that happens, then that credentials are already been shared and compromised, right? So to avoid all those activities, Salesforce come up with a cool new feature called multi-factor authentication, which is simple and effective way to prevent unauthorized account access and safeguard our data and our customers’ data.

Gillian Bruce:
Okay. So MFA or multi-factor authentication, I love the way you described it as Salesforce has a very good security model about protecting the data security, but in terms of protecting account security, this is like an extra layer. So here’s the thing, I think everyone might, everyone, including maybe some people who are interviewing people on this podcast might have a list of passwords somewhere. Now they’re not for anything important, it’s more for like my stupid shopping accounts because I can never remember all my passwords.

Gillian Bruce:
But I think to your point, it’s really important, right? I get that … I remember actually my mother-in-law texting me and calling me because she’s freaking out because I think Facebook locked her out and wanted basically their version of an MFA to log her back in. And she was like, “I don’t understand what’s going on.” And I was like, “Linda, this is for your own good. This is a good thing-

Prag Ravichandran Kamalaveni:
It is true because in this digital world, if you just have one level of credentials, it’s easily compromised and there are a lot of unethical people who are trying to sneak in and try to get access to her account and to avoid all those, like almost all the bigger organizations or the bigger software applications comes with another factor of authenticating your access. So it’s very, very important if you have it available for any kind of applications you use, we strongly recommend you to turn it on.

Gillian Bruce:
Yeah. Yeah, I’ve been a huge advocate within my own friends and family groups of getting everybody on board with that. But one piece of that Prag, that, like I said, I had some issues trying to get my mother-in-law to understand why this is important, she should do it. When admins are implementing MFA, I’m sure getting users to adopt it and understand it is probably a little bit of a challenge. Can you have any tips or tricks or advice to share with admins about how they can approach that with their users?

Prag Ravichandran Kamalaveni:
Oh yeah, absolutely. So as there is a class of trust champions, so we are trained and we are educated to share a knowledge of how well MFA can be rolled out. And there are certain best practices, which I’m happy to share it with the audience who are listening to our podcasts. So from a top level perspective, it has been split into three phases. So in phase one called the get ready phase, which has three objectives or to learn, evaluate, and plan.

Prag Ravichandran Kamalaveni:
So we have to learn what is an MFA and how we can evaluate and how are we going to plan on rolling out that MFA. So that’s going to be considered as phase one. And in phase two, the priority is change management, the implementation, and then the launch of MFA to users. So when it comes to change management, and a lot of organizations and people who are using the same process or the same functionality, and most of the admins would have experienced when they are trying to move the users from Classic to Lightning, which is the change management.

Prag Ravichandran Kamalaveni:
And most of them would have struggled and spent so much time on educating their end users to understand the importance, the efficiency of moving to Lightning, that is a similar level of exercise we have to do when it comes to change management. And this is most important where when you are turning on MFA, when it comes to change management, always pick the small group who have more access to lot of administrative data and then slowly go bigger and slowly go to the bigger audience.

Prag Ravichandran Kamalaveni:
And then the last phase, which is kind of most important from my opinion is manage, is about managing the adoption of MFA and being available for support. Because once we implement MFA, we need to give the confidence to our end users that, hey, if your account gets locked, because we changed the new way of authentication process, make sure there is A, you have extra help from your internal organization and B, you dedicate your time reopening up office hours by opening up on every Wednesday afternoon, I’m going to dedicate my time help if someone is having any issues on understanding MFA from an end user.

Prag Ravichandran Kamalaveni:
So these are all the most recommended best practices I would recommend to admins.

Gillian Bruce:
This is fantastic, Prag. I think this is really great way to think about it. I like how you compared it to, if you’ve done a Lightning migration, there are some very similar aspects to that. And I think, I would like to think that everyone’s on Lightning now, but I do know that there’s still a few folks out there working on that migration. So I think that’s a good tip. Use those resources, use that experience.

Gillian Bruce:
One question I have is, okay, so you can make your plan as an admin, you understand why this is important. What’s a way you can explain the importance and get buy in maybe from your senior executives or your organizational leaders on why you should take this step and do MFA. To me, it makes sense because security is super important, but there may be leaders that are like, “I don’t know, that’s a pain, I don’t need to do that, it’s not that important.” How do you kind of make that argument for making it a priority?

Prag Ravichandran Kamalaveni:
Yeah. So it’s completely going to be rely on admins because this is your environment where you want to make sure that you are keeping your environment much secure. So when you are taking it to the executive sponsors, who’s going to let you to apply this change, you have to educate them saying like, how much we going to spend in terms of time and money if there is a data breach. Because what we are trying to handle right now or to solve right now is more often proactive approach of avoiding any kind of data breach in the future. So what is going to happen if some of user credentials has been compromised, and if we don’t have multi-factor authentication, it’s going to be much more easier because anybody who has access to user name password, and if they can gain access to their email address, even though the system is going to send them verification code, then the hacker can able to access all this information.

Prag Ravichandran Kamalaveni:
But multi-factor authentication is something where if someone is trying to hack your account, they need to gain access to your physical phone and your system value where they can access your credentials. So it’s a combination of two different devices and your credentials need to be compromised, which is technically not possible in this world. So that is going to be your approach you have to put it in front of the executive saying like, this data policy is something we have to add it as part of our organization, which is going to not just save our Salesforce org, but also going to protect our customers information, which is always a key from Salesforce as an organization, right? So these are all the points which I would put in front of my executive if they are asking for why you need to do this.

Gillian Bruce:
Fantastic. I love how you say it, well, every executive can speak dollars and cents, right? And so when you say put the cost of a data breach together and then it’ll be like, so this is what it could be, but if we take the time now to implement this, we could avoid all of that down the line. So I think that is a very good positioning there. Now-

Prag Ravichandran Kamalaveni:
Yeah. And for an admin, if your company is an ISO certificate or if it is in SOC 2 certified or HIPAA certified, like one of those certification always forces you to have a two factor authentication enabled for any kind of software you use. And if the software provides you that you have to enable it. So you can use that as in key, saying like, Hey, based on our software application, we have to turn it on. So this is again, a great tool for admins who are struggling on explaining to the IT team who is also having a piece of decision making in this rollout period.

Gillian Bruce:
Yeah, compliance is a forcing factor, right? So that’s good to point out. So one thing I know is related to MFA and I think it might be helpful to clarify a little bit about the relationship between the two and then talk a little bit about why you might consider is single sign-on. So can you talk to us a little bit about how single sign-on works within Salesforce and then why you might consider that as an admin, trying to put that out in your organization as well?

Prag Ravichandran Kamalaveni:
Yeah, absolutely. So SSO, which is also in other terms of single sign-on, it’s a great way to improve a user’s login experience and it also reduces some of the risk associated with weak or reused passwords. So by using an identity provider, we can further secure Salesforce and other applications, which are connected to that identity provider, but controlling that passwords are commonly targeted by, again, attackers, there is still a chance that a user’s account could be compromised if an SSO implemented. So we strongly recommend enabling MFA for your identity provider as well as an additional safeguarding piece.

Gillian Bruce:
Okay. Well, yeah. And then that helps users reduce the millions of passwords that they have to remember too. Right?

Prag Ravichandran Kamalaveni:
So SSO is one of the favorite thing in most of the digital world where most of our clients are already enabled SSO and they just maintain one active directory, but they have MFA for that active directory and that’s how they connect to all the other applications. So it’s pretty interesting and it will be completely controlled by the IT team.

Gillian Bruce:
I love that. I love that. Okay, so it sounds like one of the secrets of success for MFA is to use SSO, right?

Prag Ravichandran Kamalaveni:
Yeah, absolutely-

Gillian Bruce:
Let’s use all the acronyms. So one of the things Prag, that I think, I hear from your expertise, you have so much thank you for sharing it with us. You’ve clearly done a lot of roll-outs and you’ve done a lot of talking to different companies about how they’re doing security and helping them figure out their strategies. What are some of the biggest challenges for managing security? Maybe I’m an admin who is just thinking about taking on some of these, what are some things I should look out for prepare for?

Prag Ravichandran Kamalaveni:
So this is a question which I always ask to myself for the last so many decades being in the Salesforce ecosystem. But one of the biggest challenge when it comes to managing security is you can’t make mistakes, right? So it’s an one time go, so you have to be very, very cautious when you are working around security. So a simple sharing rule mistake will enable access to the entire organization. A simple modifiable data checkbox, which is a tiny little check box on your profiles permissions. So checkbox on the profile level will change the entire database access for the profile users.

Prag Ravichandran Kamalaveni:
So as an example, if we provide export report features to a sales rep profile, and they can easily take all their potential client information when they move to another competitor, right? So though they are accountable for stealing data, we admins are responsible to answer for providing inappropriate access to those list of users. So one way admins can avoid or reduce the number of mistakes made is by having a planned and documented security strategy, testing that strategy in a sandbox and in a number of sandboxes and scratch orgs if you want to try out and following a phased roll-out approach.

Gillian Bruce:
I cannot stress enough the documentation piece. We’ve heard that from so many experts on the podcast, no matter what you’re talking about, but especially as you said with security, you can’t make a mistake. That one checkbox can completely change your whole org. So yeah, paying attention to the details because it’s very important there. Very important. So Prag, as we kind of get to the end of our conversation here, which I know we could talk forever about security. You have so much expertise, as you said, decades of experience. Very few people are willing to age themselves on the podcast like that. So-

Prag Ravichandran Kamalaveni:
Oh my God, I didn’t really-

Gillian Bruce:
You started really young, right? You started really young. It’s all good.

Prag Ravichandran Kamalaveni:
Yep.

Gillian Bruce:
So what if you were to give maybe a top one or two tips for folks to think about as it comes to security for admins, what are one or two things that you want to leave people with?

Prag Ravichandran Kamalaveni:
Okay. So the first thing is, educate yourself, make sure you understand all the security features of Salesforce. Things like, what is a health check and what is an optimized report. How I can understand those two and what are all the different security features, what Salesforce provide and make sure you follow the release notes, make sure you at least cover all the security topics to understand what are all the security features we have, which is going to be the very first one, which is again, as admins, we always learn on a daily basis. There is no end game for us on learning on the Salesforce world.

Prag Ravichandran Kamalaveni:
Then the second one is always look for options and opportunities whenever you can enable those security features and see how it is impacting your business users. And most of the time, people will not be happy by adding more security or adding frictions to their login process or any kind of process, but slowly roll out to those process and make sure that your executive sponsor or someone higher in the organization is covering your back and helping you to roll out those security features.

Gillian Bruce:
Great tips. I love it. Learning more is always the right thing to do. And then yeah, seeing how features work and getting that senior level support is super important. So great tips, Prag. Thank you so much for joining us today and sharing your trust champion expertise with us. I really appreciate it.

Prag Ravichandran Kamalaveni:
Thank you so much for having me Gillian. It’s a great treat to get to be here.

Gillian Bruce:
Excellent. Well, have a great day and thanks so much for joining us.

Gillian Bruce:
Big thanks to Prag for taking the time to chat with me about all things security. A trust champion on the podcast admins, he is a great resource and there’s a whole crew of Trust Champions to help be your expert advisers as you are on your own security journey. So be sure to check them out. Some things that I got from my chat with Prag, number one, never underestimate the power of a pen and paper. So when you are approaching your security model, take out that pen and paper. There’s a lot of different levels of sharing rules and permissions. So actually documenting and kind of testing things out on that pen and paper as you go along super key, in addition, a documentation. Document all of the things it’s super important.

Gillian Bruce:
So another big thing that Prag, talked about that I know is very important for all admins is the principle of least privilege. So only granting access to data or unlocking those doors as needed. So by default, lock it all down and then unlock the things as individuals or groups need them. Another great thing I thought that Prag, pointed out was if you’re looking to get senior stakeholders bought into your plan and get them on board with maybe rolling out MFA, multi-factor authentication, use kind of a resource analysis say, hey, this is what a cost of a data breach would be in terms of time and resources and money. And that will quickly get them on board. And in fact, you, as the admin being the trust champion or security advisor for your organization very much puts you in a little more of a leadership role. And so you’ll quickly kind of become the expert that people look to and a great partner for your IT organization as well.

Gillian Bruce:
So don’t ever underestimate the value of security. It’s not that difficult to get things like MFA rolled out. And in fact, if you use single sign-on as well, it will make your users lives so much easier. So great tips from Prag, thanks so much to him for joining us on the podcast. Now, if you want to learn more about all things Salesforce admin, go to admin.salesforce.com to find more resources. And as a reminder, if you love what you hear, please take a moment and leave us a review. We love to see the reviews. The more people review us, the more admins in the world will be able to find us.

Gillian Bruce:
So take a few seconds and do that. I promise you, Mike and I read them all and we have a lot of fun. We get some good tips and some good suggestions in there as well. So please take the time to do that. You can also stay up to date with us on social for all things awesome admin @SalesforceAdmns no I on Twitter, my cohost Mike Gerholdt, @MikeGerholdt and myself @GillianKBruce. Thank you so much for listening to this episode and we’ll catch you next time in the Cloud.

 
