Salesforce Security Best Practices (US Edition)

Hello everyone. Good morning, good afternoon, good evening. Welcome to the Security Best Practices for Salesforce Professionals. I'm co-presenting with my friend Doug. Before we deep dive into the subject, let's get the disclaimer out of the way. We are not a law firm and whatever we are going to talk today is not legal advice. Both Platinum Seven and Cloud Compliance are Salesforce partners, but we are not Salesforce. Everything you're going to hear today is just our point of view on this subject. My name is Raul Gupta and I'm one of the co-founders of Cloud Compliance. Cloud Compliance is an AppExchange ISV partner. We are very focused on data privacy and AI, and these are some of the large customers that we have today. Thanks a lot. I'm Doug, and I focused purely on Salesforce security. I used to work at Salesforce for 13 years in the platform security space. So we're going to discuss a little bit about our agenda: talk about what data's at risk, and then go through points that we think you should be focusing on to keep your data safe. Security isn't difficult, but it never stops. The four simple steps: assess your org health, secure your application, secure your data, improve security awareness — and the cycle continues because security never stops. So let's look at the issues we're trying to protect against. T-Mobile had a big issue in the US. There's also challenging stuff with Equifax from a while ago. According to Verizon breach notifications, over 74% of breaches included a human element. It wasn't necessarily just a hacker getting in — it was either an error in the system, a privilege misuse, people raising their privileges where they shouldn't be, or stolen credentials and social engineering. 83% of breaches were external actors. But if you think about it the other way around, 17% were internal actors — your internal employees. They have access to all the data to do their job, and they have access to it right now. So it's very, very simple for them to take the data. Assessing your org health is relatively simple. Salesforce gives you a lot of capability there: Salesforce Health Check, Portal Health Check, Salesforce Optimizer — these are three free products built into every Salesforce environment, so please use them. One of the biggest threats I see for customers who have Salesforce digital experiences also known as communities is that you have publicly shared external objects. In fact it's more than 70% of my customers who've got communities had that issue — they did have publicly shared objects. Both the portal Health Check and Salesforce Optimizer will give you information about which objects are shared publicly. Now, in the breach information from Verizon, you saw that there was a lot of credential theft. That's when people steal username passwords. If you don't follow good password hygiene and you reuse your passwords, then that could be used to get into your version of Salesforce. Salesforce recently enforced MFA — multi-factor authentication. This is the absolute bare minimum for making sure that your user access is secure. I would suggest strongly looking at making sure that everybody uses MFA. The next option is to make sure that people are accessing your version of Salesforce from a corporate machine, not their own home machine or a machine on a public network like airport wifi. There are a couple of features Salesforce has that are free: you can configure access to your corporate IP address, which means users would log into the VPN and then access Salesforce from there. Certificate-based authentication gives you even more control. API access control is not enabled by default. You have to actually log a ticket with Salesforce support to get the API access control enabled in your org. By default, Salesforce auto-allows apps to connect — but I personally recommend customers use the API access control feature to restrict which apps can connect. Remove the View Setup capability from people unless they really do need it, because inside the setup area of Salesforce there's a lot of information that shouldn't be shared widely. For securing your data: field-level security, object sharing rules, and least-privilege access must be continuously reviewed. Sandbox data masking prevents production PII from reaching development and testing environments. Shield encryption secures data at rest, but authorized credentials still expose data at the application layer. Regular data audits identify over-exposed fields that increase breach impact. Security awareness is also critical: phishing simulations, regular training, and making sure your users understand the value of the data they're working with. Security is a cycle — you keep going because the threats will change, Salesforce capabilities will be improved and enhanced, and new technologies will come to market.