It’s becoming more important every day to ensure you’re taking every step possible to secure your applications and data – but complex enterprise software isn’t always easy to secure. Password policies? Session Security? Clickjacking and CSRF protections? Sometimes it’s difficult to even know where to start!
… And that’s why we created Security Health Check. Security Health Check, or Health Check for short, is available on all editions of Salesforce, and is a tool designed to give administrators and security professionals an easy-to-understand view of the security posture of a Salesforce org.
What is Health Check, and how can it help me do my job?
Available in Setup, Health Check provides a bird’s-eye view of your org’s security settings. It is designed to be customizable – allowing you to create your own custom baseline security standards that reflect your company’s specific security policies. It’s also designed to be powerful – giving you the tools to quickly and easily address any identified risks or gaps.
As we discussed in our earlier blog post, Health Check allows you to summarize and communicate your org’s security landscape to the rest of your company. The tool is especially useful if you encounter conflicting priorities from end users and policy creators about something like password policy. With access to the Salesforce baseline recommendations, implementing and enforcing the recommended security policies is easier to explain and justify to your executive sponsors.
[Image: Health Check home screen in a demo org.]
By default, Health Check uses the Salesforce baseline standard to compare the security settings in your org against our recommended security settings. Your org receives a Health Check grade (from 0-100%) based on how much it complies with or diverges from the baseline standard. Settings are broken up into risk categories of High-risk, Medium-risk, Low-risk and Informational. Settings in the High-risk category have a greater impact on your overall Health Check score, while settings in the Informational category have no impact on the overall Health Check score.
Knowing that you have settings that diverge from the baseline is important – but equally important is the ability to quickly and easily take action on identified risks. The Fix Risks feature in Health Check allows you to quickly fix all or some of the risks identified at the same time – in just two clicks!
[Image: Health Check score and Fix Risks button.]
Recognizing that not everyone will have the same security requirements (security is not a one size fits all kind of thing), we’ve added the ability to create custom baselines. This allows you to create a baseline that exactly matches your security and compliance needs. Custom baselines are created by exporting the Salesforce standard as an XML file, modifying it to meet your specific needs, then importing the resulting baseline. You can choose to set your custom baseline as the default for your org, ensuring that your custom baseline is loaded by default when you access Health Check.
Ok, I’m interested. But how can I use Health Check on more than one org?
When talking with customers about Health Check we often hear some version of, “Well that all sounds great, but I have multiple orgs and this seems like it only works on one org so… how do I do this across many orgs?”
It’s true – there’s no out-of-the-box UI support for multiple orgs in Health Check. Managing the tool across multiple orgs can be time-consuming – and the more orgs you add, the more difficult it becomes. That’s precisely why the Security team at Salesforce set out to solve this conundrum and create a central place to surface Health Check data. As a result, a tool called OrgMonitor was born.
OrgMonitor is a web application written in Node.js to monitor the size, utilization and basic security posture of multiple Salesforce orgs, in production or sandbox environments.
OrgMonitor connects to each org via the API using standard OAuth authentication. Once connected, the tool runs a set of SOQL queries against all connected orgs on an hourly basis, collecting important metrics including the Health Check score and other identified risks. It also stores historical results in Postgres to provide a concise but in-depth view of the security health of all your orgs.
[Image: OrgMonitor sample home screen.]
The goal of OrgMonitor is to provide a sense of the size/utilization and basic security posture of multiple Salesforce orgs. OrgMonitor is open source software, and it’s now available for download on GitHub.
OrgMonitor has many uses, including the capability to:
- Answer questions such as how many Users, Profiles, Permission Sets, Roles, Pages, Classes, Objects your org has
- Provide visibility into users with high-level privileges (View All Data, Modify All Data, Author Apex, etc.)
- Gather other metrics such as unused Roles and custom Profiles, Profiles without IP restrictions and Users without predefined corporate email addresses
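As an added example (not OrgMonitor’s own code), here is how the privileged-user check from the list above could be built in Node.js: the SOQL query over PermissionSetAssignment, plus a summariser for the JSON shape the Salesforce REST API returns for a query. The PermissionSet field names are real Salesforce fields; the sample result, usernames and permission set names are constructed.

```javascript
// Added example, not OrgMonitor's own code: build the SOQL that lists active
// users holding high-level privileges through permission sets, then summarise
// a query result of the shape the Salesforce REST API returns
// ({ totalSize, done, records }). The PermissionSet boolean fields named
// below are real; the sample records at the bottom are constructed.
const HIGH_PRIVS = ['PermissionsViewAllData', 'PermissionsModifyAllData', 'PermissionsAuthorApex'];

// One query covers all privileges; the OR clause keeps it to a single API call.
function buildPrivilegedUserQuery(privs = HIGH_PRIVS) {
  const fields = privs.map((p) => `PermissionSet.${p}`).join(', ');
  const where = privs.map((p) => `PermissionSet.${p} = true`).join(' OR ');
  return `SELECT Assignee.Username, PermissionSet.Name, ${fields} ` +
    `FROM PermissionSetAssignment WHERE Assignee.IsActive = true AND (${where})`;
}

// Collapse one row per (user, permission set) into one sorted list per user, so a
// user who gets View All Data from one set and Author Apex from another appears
// once with both. Refuses partial pages: summarising only the first page of a
// large org would under-count privileged users.
function summarisePrivileges(queryResult, privs = HIGH_PRIVS) {
  if (!queryResult.done) {
    throw new Error('Result is paged; fetch nextRecordsUrl before summarising');
  }
  const byUser = new Map();
  for (const rec of queryResult.records) {
    const held = byUser.get(rec.Assignee.Username) || new Set();
    privs.filter((p) => rec.PermissionSet[p] === true).forEach((p) => held.add(p));
    byUser.set(rec.Assignee.Username, held);
  }
  return Object.fromEntries([...byUser].map(([u, s]) => [u, [...s].sort()]));
}

// Constructed sample of what the API would return for the query above.
const row = (Username, Name, view, modify, apex) => ({
  Assignee: { Username },
  PermissionSet: { Name, PermissionsViewAllData: view, PermissionsModifyAllData: modify, PermissionsAuthorApex: apex },
});
const SAMPLE_RESULT = {
  totalSize: 3,
  done: true,
  records: [
    row('admin@example.com', 'System_Admin', true, true, true),
    row('dev@example.com', 'Read_All', true, false, false),
    row('dev@example.com', 'Apex_Dev', false, false, true),
  ],
};

console.log(buildPrivilegedUserQuery());
console.log(summarisePrivileges(SAMPLE_RESULT));
```

In a live monitor the query string goes to the org’s `/services/data/vXX.X/query` endpoint with the OAuth access token, and the returned JSON is passed to `summarisePrivileges` once all pages have been fetched.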
[Image: See a snapshot of your users’ permissions in OrgMonitor.]
Ready to learn how to deploy OrgMonitor on your Salesforce instance, or practice running Security Health Check on Trailhead? Check out the following resources:
- How a Need for Multi-Org Health Checks Became OrgMonitor, on the Salesforce Engineering Blog
- Use Health Check to Scan Your Security Configurations, on Trailhead