5 Security Habits That Will Help Your Admin Career

As Salesforce Admins, you drive results and deliver business value every day. You automate processes and make them more efficient. You build amazing reports and dashboards to drive insights and provide increased transparency. And, every time you customize Salesforce, you personalize the user experience and help your users and executives do their jobs better.

Salesforce would not be what it is today without your passion and dedication. That’s why, at Salesforce, we’re so dedicated to helping you be successful. One of the best ways to get started is by building strong habits that ensure your success from day one. In our five-part series, Essential Habits for New Admins, we start by defining the four core responsibilities every admin has and the repeatable habits you can develop to make you and your organization successful.

You can watch the overview episode every Friday at 9:30 a.m. PT on Trailhead LIVE. PLUS, dive deeper into the makeup of each core responsibility and its habits in our Essential Habits series: User Management, Data Management, Security, and Actionable Analytics.

We’ve already explored the core responsibilities of user management and data management. Today, we’ll look at the third core responsibility, security. Watch the episode or dive in by reading the blog post below.

The importance of security

As an #AwesomeAdmin, the security of your Salesforce instance should always be top of mind. It’s your responsibility to ensure that your users have the right level of system and data access to do their jobs. It’s also your responsibility to follow industry best practices, like using multi-factor authentication (MFA) and requiring complex passwords. Security is one of the most important essential habits for you to practice.

Security at Salesforce

At Salesforce, we build security into everything we do, from the ground up. But our commitment to delivering secure products is only half the story because we believe security is a shared responsibility between Salesforce and our customers.

Protecting data is a partnership between Salesforce and the customer.

As a steward for your business’s security, you play a critical role in safeguarding your data and your customers’ data. Salesforce data is incredibly valuable, so we want to do our best to protect it. As a cloud service provider, we’re providing the secure infrastructure, features, and services that you can and should adopt. It’s your responsibility to pay attention to your individual security and privacy requirements.

Protecting your data

There are multiple layers within a Salesforce org, which means multiple ways to protect your data. The layers we want to highlight here are:

  • Org
  • Persona
  • Record
  • Field

An easy way to think of these layers is from biggest to smallest. All of your users have access to the Salesforce org, but a smaller number of people have access at each successive layer until you get down to the Field level, where, ideally, the fewest people have access.

Limiting access is actually a good thing — we don’t want everyone to have access to EVERY piece of data in your org. That would be chaos, not to mention an issue for security and privacy compliance. Below, you’ll see the specific features that you can use to secure each of these layers.

Key customer controlled security measures.

Before we dive into specific security habits, let’s first go over the principle of least privilege (PoLP), which is a fundamental tenet of information security. The PoLP means that users should have only the minimum set of permissions necessary to do their job.

Why, you ask? Well, limiting users’ permissions to only what is necessary prevents unauthorized access to sensitive records and information, because privileges are granted only to those people who absolutely require them.

With this principle in mind, let’s dive into the five main security habits we suggest you adopt to help you in your role:

  1. Review roles, sharing, and field-level security
  2. Run Health Check
  3. Align with IT
  4. Analyze logins
  5. Stay informed

Five essential security habits for all admins.

Let’s break down each of these habits!

Essential habit 1: Review roles, sharing, and field-level security

This habit is all about ensuring your users have access to exactly the data they need to do their jobs, and nothing more. Every year, you should plan to review the roles, any sharing rules you may have set up, and field-level security settings to allow specific fields to be accessed. Below are some questions to ask and things to consider when doing your annual review:

  • Have any new objects been created? What are the organization-wide defaults for that object? If you want it private, make sure it’s set that way.
  • How about your sharing rule criteria? Are they still valid, or do they need to be re-created based on new values or fields?
  • If you have custom roles, do they still align with your current business processes?
  • Finally, test your field-level security settings by using the “login as user” functionality.

You should also review your permission sets and permission set groups. When defining permission sets, always follow the PoLP as mentioned before. For additional security, you can activate session-based permission sets — this allows the user to have certain permissions only during a predefined session type (like when a user authenticates into your environment, for example).

And, you can now combine regularly linked permission sets into a single permission set group! When you update a permission set, all groups that contain that permission set are automatically updated, so you don’t have to worry about maintaining each group separately.

Let’s take a look below at sample settings for field-level security. You can use this as a starting point for your own org, but feel free to adapt it as needed based on your particular access levels.

Blueprint for field-level security.
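Reviewing field-level security by clicking through every profile and permission set does not scale, so it helps to compare an export against a written least-privilege baseline. The script below is an added example and not part of this post or of any Salesforce tool: it reads rows shaped like a FieldPermissions export (the real object exposes SobjectType, Field, PermissionsRead, PermissionsEdit and a Parent permission set; the permission set names, custom fields and access values here are constructed), flags any read or edit access that the baseline does not allow, and lists sensitive-looking fields that the baseline does not yet cover, which answers the “have any new objects been created?” question from the checklist above.

```python
import csv
import io

# Constructed sample rows shaped like a FieldPermissions export.
# Permission set labels, custom fields and access values are invented.
FIELD_PERMISSIONS_CSV = """Parent.Label,SobjectType,Field,PermissionsRead,PermissionsEdit
Sales Rep,Account,Account.AnnualRevenue,true,false
Sales Rep,Contact,Contact.Birthdate,true,true
Marketing User,Contact,Contact.Birthdate,true,false
Support Agent,Case,Case.Internal_Notes__c,true,true
Support Agent,Contact,Contact.SSN__c,true,true
HR Admin,Contact,Contact.SSN__c,true,true
"""

# Least-privilege baseline (assumed, written by the admin): for each sensitive
# field, which permission sets may read it and which may edit it.
BASELINE = {
    "Contact.SSN__c": {"read": {"HR Admin"}, "edit": {"HR Admin"}},
    "Contact.Birthdate": {"read": {"Sales Rep", "Marketing User"}, "edit": {"Sales Rep"}},
    "Account.AnnualRevenue": {"read": {"Sales Rep"}, "edit": set()},
}


def parse_field_permissions(csv_text):
    """Turn the CSV export into a list of dicts with boolean read/edit flags."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "parent": row["Parent.Label"],
            "field": row["Field"],
            "read": row["PermissionsRead"].strip().lower() == "true",
            "edit": row["PermissionsEdit"].strip().lower() == "true",
        })
    return rows


def find_excess_access(rows, baseline):
    """Return (permission set, field, access) tuples that exceed the baseline."""
    findings = []
    for r in rows:
        allowed = baseline.get(r["field"])
        if allowed is None:
            continue  # not a tracked field; reported separately by untracked_fields()
        if r["read"] and r["parent"] not in allowed["read"]:
            findings.append((r["parent"], r["field"], "read"))
        if r["edit"] and r["parent"] not in allowed["edit"]:
            findings.append((r["parent"], r["field"], "edit"))
    return sorted(findings)


def untracked_fields(rows, baseline):
    """Fields that grant access but have no baseline entry yet: review and classify them."""
    return sorted({r["field"] for r in rows if r["field"] not in baseline})


if __name__ == "__main__":
    rows = parse_field_permissions(FIELD_PERMISSIONS_CSV)
    for parent, field, access in find_excess_access(rows, BASELINE):
        print(f"EXCESS: {parent} has {access} on {field}")
    for field in untracked_fields(rows, BASELINE):
        print(f"UNTRACKED: {field} has no baseline entry")
```

Run the same script after each annual review so the baseline itself is version-controlled alongside the findings; a field that appears under UNTRACKED is a prompt to classify it and add it to the baseline rather than leave it open by default.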

📅 Make it a habit: You should review your roles, sharing, and field-level security annually to confirm the access levels follow the PoLP.

Essential habit 2: Run Health Check

Security Health Check is the best way to identify the specific areas where you can focus on improving security in your Salesforce org.

When you run Security Health Check, you’re comparing your Salesforce instance to an industry-standard security baseline. You’ll receive a Health Check score and specific detailed recommendations to follow up on. The recommendations you receive are grouped by high, medium, and low risk. If you see anything that’s high risk, it’s a good sign you should dive deeper and make some changes. You can also import additional custom baseline settings based on your company’s compliance needs.

📅 Make it a habit: To create a habit around running Security Health Check, plan to use this tool at least once per quarter. It’s a good idea to make a recurring calendar appointment so you don’t forget!

Essential habit 3: Align with IT

If you’re in a highly regulated industry like financial services or healthcare, then you probably have very detailed security policies that you’re well aware of. But even if you’re not in one of those industries, you should still make sure that your Salesforce security settings are aligned with your company’s policies.

When aligning with your IT team, there are a few things you’ll definitely want to do. We’ve outlined three top priorities:

  1. Coordinate your employee onboarding and off-boarding with your IT and HR teams.
  2. Require sophisticated passwords as well as a defined password change interval, like every 90 days.
  3. If your company is using single sign-on (SSO), you can configure Salesforce to work with your existing SSO provider.

If you’re not familiar with SSO, it’s another amazing way to protect access to your org. SSO lets users access authorized network resources with one set of credentials. With SSO, you validate usernames and passwords against your corporate user database or other client app, rather than Salesforce managing separate passwords for each resource. Think of SSO as a door to all of your most frequently used business applications — not just Salesforce, but everything. Once you log in, or “unlock” the door, you have access to all of these applications without having to log in to each individual one.

As we’re talking about security habits, it’s really important to highlight multi-factor authentication, or MFA. Enabling MFA is one of the easiest, most effective actions you can take to protect your business and customers — and everyone’s data. MFA is an important part of a defense-in-depth security strategy, and an early line of defense against attackers.

So, what is MFA? MFA adds an extra layer of security to your login process by requiring users to verify their identity with two or more pieces of evidence (or “factors”) to prove they are who they say they are. These factors are something the user knows, such as the username/password combination, plus something they have, like the code from an authentication app on a mobile device.

Talking to IT about Multi-Factor Authentication.

You may already use MFA without even realizing it! A familiar example of MFA is the process you go through when withdrawing money from an ATM. Your ATM card is the “something you have” and your PIN is the “something you know.” For more information on MFA, check out what Laura Pelkey, Sr. Manager, Security Customer Engagement, has to say at the timestamp linked here [13:04].

Before moving on to our next habit, it’s important to note that Salesforce now has the ability to classify your data at the individual field level to ensure you’re complying with your company’s policies. Below is a breakdown of how we can currently classify our data.

How to classify your data for compliance.

📅 Make it a habit: To create a habit around aligning with IT, plan to meet with someone from their team at least once a month to ensure policy compliance.

Essential habit 4: Analyze logins

To analyze logins, you’ll want to start by reviewing the login history and identity verification history. The login history for all your users is available on the Login History page, and identity verification events on the Identity Verification History page, both in Setup.

Things you’re looking for here include anything out of the ordinary. You’re a detective! 🔎

  • Are there any unusual countries that people are logging in from?
  • Are there repeated unsuccessful login attempts from the same or multiple users?
  • Are there any logins from a strange application or platform you don’t recognize?

If you see any of the above, this is a clue that something might be off. You may want to investigate further, or even temporarily deactivate a user if needed.
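The three questions above are easy to turn into a repeatable check over a Login History export, which makes the weekly review faster and more consistent than scrolling the Setup page. The script below is an added example, not part of this post or of Salesforce: it reads rows shaped like a Login History export (the real LoginHistory object has Status, Application, Platform, SourceIp and CountryIso columns; the usernames, IP addresses, countries and timestamps here are constructed), and flags logins from countries outside an expected set, users with repeated unsuccessful attempts, and logins from applications not on an allowlist. The expected-country set, application allowlist and failure threshold are assumptions you would tune for your org.

```python
import csv
import io
from collections import Counter

# Constructed sample rows shaped like a Login History export. Usernames,
# IPs (documentation ranges), countries and timestamps are invented.
LOGIN_HISTORY_CSV = """Username,LoginTime,Status,Application,Platform,SourceIp,CountryIso
alice@example.com,2021-10-04T08:02:11Z,Success,Browser,Windows 10,203.0.113.5,US
alice@example.com,2021-10-04T23:40:02Z,Success,Browser,Mac OSX,198.51.100.9,BR
bob@example.com,2021-10-04T09:10:30Z,Invalid Password,Browser,Windows 10,203.0.113.7,US
bob@example.com,2021-10-04T09:11:01Z,Invalid Password,Browser,Windows 10,203.0.113.7,US
bob@example.com,2021-10-04T09:11:40Z,Invalid Password,Browser,Windows 10,203.0.113.7,US
bob@example.com,2021-10-04T09:12:15Z,Success,Browser,Windows 10,203.0.113.7,US
carol@example.com,2021-10-04T10:00:00Z,Success,Data Loader,Unknown,192.0.2.44,US
dave@example.com,2021-10-04T11:00:00Z,Success,Unknown Connected App,Unknown,192.0.2.60,US
"""

# Assumed tuning values: where your users normally sign in from, which
# applications you expect to see, and how many failures count as "repeated".
EXPECTED_COUNTRIES = {"US", "CA"}
KNOWN_APPLICATIONS = {"Browser", "Salesforce for iOS", "Salesforce for Android", "Data Loader"}
FAILED_LOGIN_THRESHOLD = 3


def parse_login_history(csv_text):
    """Read the export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def analyze_logins(rows, expected_countries=EXPECTED_COUNTRIES,
                   known_apps=KNOWN_APPLICATIONS, failed_threshold=FAILED_LOGIN_THRESHOLD):
    """Apply the three checks from the post and return findings grouped by type."""
    findings = {"unusual_country": [], "repeated_failures": [], "unknown_application": []}
    failures = Counter()
    for r in rows:
        user = r["Username"]
        # 1. Logins from a country outside the expected set.
        if r["CountryIso"] not in expected_countries:
            findings["unusual_country"].append((user, r["CountryIso"], r["SourceIp"]))
        # 2. Count every non-successful status per user.
        if r["Status"] != "Success":
            failures[user] += 1
        # 3. Logins from an application or connected app you do not recognize.
        if r["Application"] not in known_apps:
            findings["unknown_application"].append((user, r["Application"]))
    for user, count in sorted(failures.items()):
        if count >= failed_threshold:
            findings["repeated_failures"].append((user, count))
    return findings


def users_to_investigate(findings):
    """Distinct usernames touched by any finding: the candidates for follow-up."""
    users = set()
    for items in findings.values():
        users.update(item[0] for item in items)
    return sorted(users)


if __name__ == "__main__":
    result = analyze_logins(parse_login_history(LOGIN_HISTORY_CSV))
    for kind, items in result.items():
        for item in items:
            print(f"{kind}: {item}")
    print("investigate:", users_to_investigate(result))
```

Note that a hit is a clue, not a verdict: a sales rep travelling abroad will trip the country check, and three typos in a row will trip the failure check. The point is to surface the small set of users worth a conversation (or, as the post says, a temporary deactivation while you gather more information) instead of reading every row.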

📅 Make it a habit: To create a habit around analyzing logins, we recommend you take time each week to look for unusual patterns. If you find something unusual, temporarily deactivate that user until you get more information.

Essential habit 5: Stay informed

As an admin, you want to stay up to date with the latest security features. Below, you’ll see a few key ways to do this.

Tips for staying informed on security.

You may or may not have SSO or MFA enabled at your company, but, regardless, it’s important to stay informed about these security features.

If your company doesn’t have these enabled, the resources linked below can help you partner with your IT team, and give you step-by-step guides to enable and roll them out to your org. This is a one-time activity that can pay high dividends, and you’ll be using the latest and greatest technology. Think of this like transitioning to Lightning — once you’re there, you can’t imagine living without it!

  • Learn more about MFA here: sforce.co/MFAAdminGuide
  • Learn more about SSO here: sforce.co/UAModule

📅 Make it a habit: To create a habit around staying informed, be sure to set aside time each week to dig into topics like MFA and SSO, and continue to stay curious about all things security. Even if your org has already implemented some security best practices, staying informed and up to date positions you as an expert within your organization.

More essential habits

Now that you have a better understanding of the importance of security, the habits you need to master, and key takeaways for you to implement, you’re ready to roll! For a bird’s-eye view of all of the suggested habits and timelines for security, check out our handy calendar below:

Security habits on a calendar.

Want to dive deeper? Check out our Trailhead LIVE episode, Essential Habits for Salesforce Admins: Security, on demand!
