🔒 SECURITY GUIDE

The Complete Salesforce Security Best Practices Guide

Protect your Salesforce org from breaches, ensure compliance (SOX, GDPR, HIPAA), and implement enterprise-grade security. Includes a 50-point security audit checklist.

  • ⚠️ 73% of breaches involve CRM data
  • 💰 $4.45M average breach cost
  • ⏱️ 287 days to identify and contain a breach
  • 📈 90% preventable with proper security

One misconfigured permission set. One leaked API key. One phishing email. That's all it takes to expose millions of customer records and destroy your company's reputation.

After securing 50+ enterprise Salesforce orgs and conducting numerous security audits, I've compiled this comprehensive guide covering every aspect of Salesforce security, from basic user access to advanced threat detection.

🚨 Critical Security Alert
The average Salesforce org has 15+ critical security vulnerabilities. Most common: overly permissive profiles (87%), no MFA enforcement (62%), and exposed APIs (41%). This guide will help you identify and fix these issues.

The 7 Layers of Salesforce Security

👀

Layer 1: User Authentication

The first line of defense. Strong authentication prevents 99.9% of account compromise attacks.

✓ Multi-Factor Authentication (MFA) - Required by Feb 2022
✓ Single Sign-On (SSO) with SAML 2.0
✓ IP range restrictions by profile
✓ Login hours enforcement
✓ Password policies (complexity, expiration)
✓ Session timeout configuration
🛑

Layer 2: User Authorization

Control what users can do once authenticated. Principle of least privilege is critical.

✓ Profile configuration (minimal baseline permissions)
✓ Permission sets for additional access
✓ Permission set groups for role-based access
✓ Field-level security (FLS)
✓ Object-level permissions (CRUD)
✓ Apex class and Visualforce page access
📊

Layer 3: Data Access Control

Ensure users only see data relevant to their role. Critical for compliance and privacy.

✓ Organization-Wide Defaults (OWD) - Private by default
✓ Role hierarchy for vertical access
✓ Sharing rules for lateral access
✓ Manual sharing for exceptions
✓ Team and territory management
✓ Restriction rules for ultra-sensitive data
🔐

Layer 4: Data Encryption

Protect data at rest and in transit. Essential for compliance and breach prevention.

✓ Platform Encryption for sensitive fields
✓ Classic Encryption for standard fields
✓ TLS 1.2+ for data in transit
✓ Encrypted attachments and files
✓ Key management and rotation
✓ Bring Your Own Key (BYOK) option
📝

Layer 5: Audit & Monitoring

Track all activities and detect anomalies. Critical for compliance and threat detection.

✓ Setup Audit Trail (6 months retention)
✓ Field History Tracking
✓ Login History monitoring
✓ Event Monitoring (Shield)
✓ Transaction Security policies
✓ Real-time alerting for suspicious activity
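Login History monitoring and real-time alerting, as listed above, only work if someone actually reads the log. The following Python script is an added example (not code from this guide or from Salesforce): it takes a Login History export in the column shape you get from Setup > Login History or a LoginHistory query (UserId, LoginTime, SourceIp, Status, CountryIso) and raises three kinds of alert: a burst of failed logins, a success that follows such a burst, and a successful login from a country never seen for that user. The rows embedded below are constructed sample data, not real org logins, and the threshold and window are assumptions to tune per org. The same script covers the "Login forensics reviewed monthly" item in the audit checklist further down.

```python
"""Flag suspicious logins in a Salesforce Login History export.

Added example (not from the guide). Reads a CSV with the columns
UserId, LoginTime, SourceIp, Status, CountryIso and returns alerts.
SAMPLE_CSV is constructed test data; thresholds are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta

FAILED_THRESHOLD = 5            # failures inside WINDOW that count as a burst (assumed)
WINDOW = timedelta(minutes=10)  # sliding window for the burst check (assumed)

# Constructed sample rows: user ...1A behaves normally; user ...1B sees a
# burst of bad passwords from a new IP and country, then a success.
SAMPLE_CSV = """UserId,LoginTime,SourceIp,Status,CountryIso
005xx000001A,2024-03-04T08:01:00Z,203.0.113.10,Success,US
005xx000001A,2024-03-04T08:15:00Z,203.0.113.10,Success,US
005xx000001B,2024-03-04T09:00:00Z,198.51.100.7,Success,US
005xx000001B,2024-03-04T09:01:00Z,198.51.100.7,Invalid Password,US
005xx000001B,2024-03-04T22:00:00Z,192.0.2.99,Invalid Password,RU
005xx000001B,2024-03-04T22:00:30Z,192.0.2.99,Invalid Password,RU
005xx000001B,2024-03-04T22:01:00Z,192.0.2.99,Invalid Password,RU
005xx000001B,2024-03-04T22:01:30Z,192.0.2.99,Invalid Password,RU
005xx000001B,2024-03-04T22:02:00Z,192.0.2.99,Invalid Password,RU
005xx000001B,2024-03-04T22:03:00Z,192.0.2.99,Success,RU
"""


def _parse_time(value):
    """LoginTime as exported in ISO 8601 UTC, e.g. 2024-03-04T22:03:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_suspicious_logins(csv_text):
    """Return alerts as (user_id, login_time, kind, detail) tuples."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    rows.sort(key=lambda r: (r["UserId"], _parse_time(r["LoginTime"])))

    alerts = []
    failures = {}   # user -> timestamps of recent failed logins
    countries = {}  # user -> countries seen on successful logins

    for row in rows:
        user, when = row["UserId"], _parse_time(row["LoginTime"])
        # Keep only failures that fall inside the sliding window.
        recent = [t for t in failures.get(user, []) if when - t <= WINDOW]

        if row["Status"] != "Success":
            recent.append(when)
            failures[user] = recent
            if len(recent) == FAILED_THRESHOLD:  # alert once per burst
                alerts.append((user, row["LoginTime"], "failed_login_burst",
                               f"{len(recent)} failures within {WINDOW} from {row['SourceIp']}"))
            continue

        # A success right after a burst is the case worth paging someone for.
        if len(recent) >= FAILED_THRESHOLD:
            alerts.append((user, row["LoginTime"], "success_after_burst",
                           f"login from {row['SourceIp']} after {len(recent)} failures"))
        failures[user] = []  # a success closes the burst window

        # Geography baseline: first successful country per user is trusted,
        # every later new country is reported for review.
        seen = countries.setdefault(user, set())
        if seen and row["CountryIso"] not in seen:
            alerts.append((user, row["LoginTime"], "new_country",
                           f"first login from {row['CountryIso']} (previously {sorted(seen)})"))
        seen.add(row["CountryIso"])

    return alerts


if __name__ == "__main__":
    for user, when, kind, detail in detect_suspicious_logins(SAMPLE_CSV):
        print(f"{when} {user} {kind}: {detail}")
```

On the sample data the script reports the burst at 22:02:00, the success after the burst at 22:03:00, and RU as a new country for that user; the lone failed login at 09:01 is outside the window and is ignored. Feed it a real export by replacing SAMPLE_CSV with the file contents; the country baseline should be seeded from a longer history than a single day before the new_country alert is trusted.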
🔌

Layer 6: API & Integration Security

Secure external access points. APIs are the #1 attack vector in modern applications.

✓ OAuth 2.0 for API authentication
✓ Connected App permissions
✓ API rate limiting and throttling
✓ IP whitelisting for integrations
✓ Named Credentials for secure storage
✓ CORS and CSP headers configuration
🚨

Layer 7: Threat Detection & Response

Proactive threat hunting and incident response. Stop attacks before damage occurs.

✓ Salesforce Shield for threat detection
✓ Einstein Anomaly Detection
✓ Security Health Check monitoring
✓ Incident response procedures
✓ Regular penetration testing
✓ Security awareness training

Common Security Vulnerabilities & Fixes

Vulnerability | Risk Level | Impact | Fix
No MFA Enforcement | CRITICAL | Account takeover, data breach | Enable MFA for all users immediately
Overly Permissive Profiles | HIGH | Data exposure, unauthorized changes | Audit and restrict to minimum necessary
View All/Modify All Permissions | HIGH | Complete data access bypass | Remove and use sharing rules instead
Hardcoded Credentials | CRITICAL | System compromise | Use Named Credentials or Custom Settings
No Field Encryption | MEDIUM | PII exposure in breach | Enable Platform Encryption for sensitive fields
Unrestricted API Access | HIGH | Data exfiltration | Implement OAuth, rate limiting, IP restrictions
No Session Timeout | MEDIUM | Unauthorized access from unattended devices | Set 2-hour timeout for standard users
Shared User Accounts | HIGH | No accountability, compliance violation | Individual accounts for every user
No Audit Logging | MEDIUM | Cannot detect or investigate breaches | Enable Setup Audit Trail and Field History
SOQL Injection | HIGH | Data theft, manipulation | Use bind variables, escapeSingleQuotes()

Security Audit Checklist

πŸ” 50-Point Security Audit Checklist

Complete this audit quarterly to maintain security posture

Authentication & Access

  • MFA enabled for all users (CRITICAL)
  • SSO configured with SAML 2.0 (HIGH)
  • IP restrictions configured by profile (HIGH)
  • Password policy enforces 10+ characters (MEDIUM)
  • Session timeout set to 2 hours or less (MEDIUM)

Permissions & Sharing

  • No profiles with View All/Modify All (CRITICAL)
  • OWD set to Private for sensitive objects (HIGH)
  • Field-level security reviewed and restricted (HIGH)
  • Permission sets used instead of profile customization (MEDIUM)
  • Sharing rules documented and reviewed (MEDIUM)
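The View All/Modify All and field-level security items above (and the matching rows in the vulnerability table) are tedious to check by clicking through Setup across dozens of profiles. The Python script below is an added example, not code from this guide or from Salesforce: it audits Profile metadata files (.profile-meta.xml) as retrieved with the Metadata API or the Salesforce CLI and reports the over-permissive settings. The embedded XML is a constructed sample in the Metadata API's Profile shape, not a real org export, and the sets of sensitive objects and fields are assumptions to adapt per org. PermissionSet metadata uses the same userPermissions, objectPermissions and fieldPermissions elements, so the script also runs over .permissionset-meta.xml files.

```python
"""Audit retrieved Salesforce Profile metadata for over-permissive settings.

Added example (not from the guide). SAMPLE_PROFILE is a constructed
Profile metadata document; SENSITIVE_OBJECTS and SENSITIVE_FIELDS are
assumptions to adapt per org.
"""
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}

# User permissions that bypass the sharing model for every object.
DANGEROUS_USER_PERMS = {"ViewAllData", "ModifyAllData"}
# Objects whose records must stay governed by OWD and sharing rules (assumed).
SENSITIVE_OBJECTS = {"Contact", "Opportunity", "Patient__c"}
# PII fields that should rarely be editable from a profile (assumed).
SENSITIVE_FIELDS = {"Contact.SSN__c", "Contact.Birthdate"}

# Constructed sample: ModifyAllData enabled, View All on Contact, editable SSN.
SAMPLE_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <custom>true</custom>
    <userPermissions>
        <enabled>true</enabled>
        <name>ModifyAllData</name>
    </userPermissions>
    <userPermissions>
        <enabled>false</enabled>
        <name>ViewAllData</name>
    </userPermissions>
    <objectPermissions>
        <allowCreate>true</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>true</allowEdit>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Contact</object>
        <viewAllRecords>true</viewAllRecords>
    </objectPermissions>
    <objectPermissions>
        <allowCreate>true</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>true</allowEdit>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Case</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <fieldPermissions>
        <editable>true</editable>
        <field>Contact.SSN__c</field>
        <readable>true</readable>
    </fieldPermissions>
</Profile>
"""


def _text(element, tag):
    """Text of a namespaced child element, or None if it is absent."""
    child = element.find(f"sf:{tag}", NS)
    return child.text if child is not None else None


def audit_profile(xml_text, profile_name):
    """Return (severity, message) findings for one Profile metadata file."""
    root = ET.fromstring(xml_text)
    findings = []

    # Org-wide View All Data / Modify All Data: no sharing rule can contain these.
    for perm in root.findall("sf:userPermissions", NS):
        name = _text(perm, "name")
        if _text(perm, "enabled") == "true" and name in DANGEROUS_USER_PERMS:
            findings.append(("CRITICAL", f"{profile_name}: {name} is enabled"))

    # Per-object View All / Modify All: bypasses OWD and sharing for that object.
    for perm in root.findall("sf:objectPermissions", NS):
        obj = _text(perm, "object")
        severity = "HIGH" if obj in SENSITIVE_OBJECTS else "MEDIUM"
        if _text(perm, "viewAllRecords") == "true":
            findings.append((severity, f"{profile_name}: View All on {obj} bypasses sharing"))
        if _text(perm, "modifyAllRecords") == "true":
            findings.append((severity, f"{profile_name}: Modify All on {obj} bypasses sharing"))

    # Field-level security on the fields we classified as sensitive.
    for perm in root.findall("sf:fieldPermissions", NS):
        field = _text(perm, "field")
        if field in SENSITIVE_FIELDS and _text(perm, "editable") == "true":
            findings.append(("HIGH", f"{profile_name}: sensitive field {field} is editable"))

    # Most severe first so the report reads top-down.
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, message in audit_profile(SAMPLE_PROFILE, "Sales_Rep"):
        print(f"[{severity}] {message}")
```

Run it in a loop over every file in the retrieved profiles directory and keep the output with the quarterly audit; a profile that produces no findings is the baseline the checklist asks for.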

Data Protection

  • Platform Encryption enabled for PII fields (CRITICAL)
  • Data masking configured for sandboxes (HIGH)
  • Files and attachments encrypted (HIGH)
  • Data retention policies implemented (MEDIUM)

Monitoring & Compliance

  • Setup Audit Trail enabled (CRITICAL)
  • Field History Tracking for sensitive fields (HIGH)
  • Login forensics reviewed monthly (HIGH)
  • Security Health Check score > 80% (MEDIUM)
  • Event Monitoring configured (if Shield) (MEDIUM)

Compliance Requirements

SOX Compliance

  • ✓ Segregation of duties in profiles
  • ✓ Audit trail for financial data
  • ✓ Change management process
  • ✓ Access reviews quarterly
  • ✓ Data retention for 7 years

GDPR Compliance

  • ✓ Right to erasure implementation
  • ✓ Data portability tools
  • ✓ Consent management
  • ✓ Privacy by design
  • ✓ Breach notification process

HIPAA Compliance

  • ✓ PHI encryption at rest and transit
  • ✓ Access controls for PHI
  • ✓ Audit logging for all PHI access
  • ✓ Business Associate Agreement
  • ✓ Minimum necessary standard

Security Configuration Code Examples

Apex - Secure SOQL Query
// INSECURE - Vulnerable to SOQL Injection: a quote in the input ends the
// string literal and the rest of the input is parsed as SOQL
String searchTerm = ApexPages.currentPage().getParameters().get('search');
String query = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%' + searchTerm + '%\'';
List<Account> accounts = Database.query(query);

// SECURE - Dynamic SOQL with the input escaped before it is concatenated.
// escapeSingleQuotes() is only needed when the value is spliced into the
// query text; escaping a value that is later bound would leave literal
// backslashes in the search and break names such as O'Brien.
String searchTerm = ApexPages.currentPage().getParameters().get('search');
String escaped = String.escapeSingleQuotes(searchTerm);
String query = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%' + escaped + '%\'';
List<Account> accounts = Database.query(query);

// MOST SECURE - Bind variable in static SOQL. The value is passed to the
// database separately from the query text, so it is never parsed as SOQL
// and needs no escaping; WITH SECURITY_ENFORCED additionally enforces
// object- and field-level security for the running user.
String searchTerm = ApexPages.currentPage().getParameters().get('search');
String searchPattern = '%' + searchTerm + '%';
List<Account> accounts = [
    SELECT Id, Name
    FROM Account
    WHERE Name LIKE :searchPattern
    WITH SECURITY_ENFORCED
];
// Note: in all three versions, % and _ in the input still act as LIKE
// wildcards; strip or escape them if exact matching matters.
Apex - Field-Level Security Check
public class SecureDataAccess {
    public static List<Contact> getContacts() {
        // Object-level check: fail fast if the running user cannot read Contact
        if (!Contact.sObjectType.getDescribe().isAccessible()) {
            throw new NoAccessException('No access to Contact object');
        }

        // Field-level security: every field this method returns must be readable
        if (!Schema.sObjectType.Contact.fields.Email.isAccessible() ||
            !Schema.sObjectType.Contact.fields.Phone.isAccessible()) {
            throw new NoAccessException('No access to required fields');
        }

        // WITH SECURITY_ENFORCED re-checks object and field access inside the
        // query and throws a QueryException if anything selected is not readable,
        // so the explicit checks above give the clearer error and the clause is
        // the backstop; LIMIT bounds what is handed back to the caller
        return [
            SELECT Id, Name, Email, Phone
            FROM Contact
            WITH SECURITY_ENFORCED
            LIMIT 100
        ];
    }
}
✅ Security Best Practices Summary
  1. Default Deny: Start with minimum permissions and add as needed
  2. Defense in Depth: Implement multiple security layers
  3. Regular Audits: Conduct security reviews quarterly
  4. Continuous Monitoring: Use Shield and Event Monitoring
  5. User Training: 90% of breaches involve human error
  6. Incident Response Plan: Have a documented breach response procedure
  7. Vendor Assessment: Audit all connected apps and integrations
  8. Data Classification: Know what data you have and where
  9. Encryption Everywhere: Encrypt sensitive data at rest and in transit
  10. Zero Trust Model: Never trust, always verify


Incident Response Plan

  1. Detection (0-1 hour): Identify potential breach through monitoring alerts
  2. Containment (1-4 hours): Isolate affected systems, disable compromised accounts
  3. Investigation (4-24 hours): Determine scope, method, and data affected
  4. Eradication (24-48 hours): Remove threat, patch vulnerabilities
  5. Recovery (48-72 hours): Restore systems, verify security
  6. Lessons Learned (1 week): Document incident, update procedures
📞 Security Incident Contacts
  • Salesforce Security: 1-800-667-6389
  • Trust.salesforce.com for system status
  • Your Security Team: [Configure in your org]
  • Legal/Compliance Team: [Configure in your org]

Need a Security Assessment?

Get a comprehensive security audit of your Salesforce org. We'll identify vulnerabilities and provide a remediation roadmap.


50-point audit • Compliance review • Remediation plan • Priority roadmap

Conclusion

Salesforce security isn't optional; it's essential. With data breaches costing millions and regulations getting stricter, a single vulnerability can destroy your business. Implement these security layers systematically, conduct regular audits, and maintain vigilance.

Remember: Security is not a one-time project but an ongoing process. The threat landscape evolves daily, and your security posture must evolve with it.

"The best time to implement security was at go-live. The second best time is now."