Protecting the home of your Customer data – Salesforce Security and Reference Architecture Options

Salesforce, salesforce security, Data Protection Solutions, Data Retention, CCPA, GDPR, Sandbox Data Masker, Sandbox Data Mask,

My brother and I are currently building a family house back in India (where it all began for us) and we’re at the stage where we have to decide on the wall height and gates to the house.


Up for this discussion was also, what types of doors and locks do we want to buy for the garage, main entrance and other rooms.


As simple as it may sound, the struggle to make a decision was real. Why? There were too many options – from expensive to cheap to even doing nothing!


After all who needs a gate? A gate kinda kills the aesthetics and it’s just there as a security measure. Why would someone break in? We can address it later if that actually happens anyway.

Its not a matter of if it happens but a matter of when it happens

Our home is where our heart is and where we should feel the safest at all times

The same way your CRM, Salesforce, where your customer data lies is the heart and fuel of the company and should be kept secure.

In my experience, as a Data Privacy and Security professional, I have been in many conversations where businesses acknowledge the value of securing their customer data but can’t put a number on it (ROI).

This has them postponing implementation or taking shortcuts which ends up biting them later.


In the era of GDPR, CCPA/CPRA and other country specific regulations where data privacy is at the forefront, many companies are being exposed.


If you are a CISO, Data Protection Officer, Solutions Architect or business owner who is keen to understand how to secure your Salesforce customer data, below are Salesforce Security and reference architecture options or techniques that would have you sleeping soundly at a night

Salesforce Security and Reference Architecture options to secure your Salesforce Customer data

1.) Fence to stop the thieves from getting in – IP Whitelisting, Multi-Factor Authentication(MFA), Single Sign-On(SSO)

Building a fence/wall is a basic security technique that you need to have in place for your Salesforce instance.

Not having one is a signal to all sorts of hackers saying: Easy target. You don’t want to be embarrassed for doing the least.

There are 3 ways to address this:

  1. Whitelisting– Whitelisting IP improves security for your organization beyond usernames and passwords. This basically decides who can and can’t access based on their IP addresses. A typical use case would be a hacker trying to login with credentials of someone from an IP address not whitelisted, his access would be denied.

  2. Multi-Factor Authentication(MFA) –Sometimes either through phishing or other means, an employees password could be leaked. MFA ensures that when logging in, from a suspicious device or location, an employee or user is required to confirm via a different piece of evidence.

  3. Single Sign-On(SSO) – SSO reduces the number of attack surfaces because users only log in once each day and only use one set of credentials. Reducing number of logins improves company security because when you require employees to have different passwords, they usually don’t!

2. Secure your valuables in the Barn – Sandbox Data Masking
You will be surprised at the number of valuables that exist in your Salesforce Sandbox.

These test environments are usually exposed to third party vendors and contain sensitive customer data. I recently run a poll and was surprised at the number of people who had not noticed this was a huge security risk.

2. Secure your valuables in the Barn – Sandbox Data Masking

You will be surprised at the number of valuables that exist in your Salesforce Sandbox.
These test environments are usually exposed to third party vendors and contain sensitive customer data.

I recently run a poll and was surprised at the number of people who had not noticed this was a huge security risk.

A Sandbox Data Masker  neutralizes those risks ad consequences of a data breach.

As mentioned, due to the sensitivity of the data on a sandbox, the data masker simply replaces the sensitive data with dummy data.

In my opinion, this is a must for every organization because NDAs don’t cut it! Money can’t be an excuse for not investing in one because there’s a free version for small businesses as well on the Salesforce AppExchange.

3.) No Jewellery in the living room or cash under mattress business

  • Organization Wide Default (OWD) settings & Data Visibility is the baseline level of access that the most restricted user should have. Access can be opened up further by Role Hierarchy. In order to prevent unnecessary access of your valuable data to the most restricted users , these settings should be closely monitored and restricted.

  • High Assurance sessions allow users to setup security of certain areas in Salesforce for example who can whitelist IP and who can manage reports. This setting gives an additional layer of security.
  • Data Retention and Data Minimization – A data retention policy is a set of guidelines that helps organisations keep track of how long information must be kept and how to dispose of the information when it’s no longer needed.

If your data does not possibly contribute to revenue growth, it’s not something you want to keep.

This obsolete data will never bring you a dollar in the door and your best solution is simply to reduce it. This technique is a GDPR requirement and there are SAAS products to cover this on Salesforce today

4.) Protect against Infrastructure attacks

Shield Encryption is nothing but ‘security at database level’ which protects data and maintains compliance. The advantage of Shield is that it encrypts sensitive data at rest while preserving business application functionality of the org.

5.) Record suspicious activities with Alarm systems and Security cameras

Two Techniques come to mind which are similar to alarm systems and security cameras in the Salesforce ecosystem. They ensure all activities are recorded and lets you know who did what, at what time. They are:

Salesforce Classic Field history– A standard feature of Salesforce which allows you to track changes on standard or custom fields on an object which can be viewed on a record’s History related list.

Shield Field Audit Trail – This is an add-on feature that lets you define a policy to retain archived field history data up to 10 years from the time the data was archived. This feature helps you comply with industry regulations related to audit capability and data retention.
Comparison of Standard Field History tracking vs Shield Field Audit Trail

Class time is over – It’s time to apply all of this theory (techniques) to your Salesforce orgs and reduce your data security vulnerabilities.

The best part is a majority of these techniques come at 0 cost and can give YOU that quick-win to keep your home safe.

An example is the FREE(Trial) Sandbox Data Masker listing on the Salesforce AppExchange. for Sandbox data masking.

The Cloud Compliance app for data retention is also available on the appexchange at affordable pricing.

For more information about Cloud Compliance visit us at: and book a demo

Picture of Saurabh Gupta

Saurabh Gupta

Saurabh is an Enterprise Architect and seasoned entrepreneur spearheading a Salesforce security and AI startup with inventive contributions recognized by a patent.

Related Articles