So there you are, head Salesforce admin for your company. You have worked tirelessly to ingrain Salesforce into every aspect of your company. Your users are happy with what they can do, and management loves the reports and data. So, what could be better? Well, now that you have consolidated so much into one location, you have made a target. If you haven’t thought about security before (I am tsk’ing at you), now is the time to get on it.
The Goldilocks Zone of Passwords
Since everyone has a password, let’s start there. Salesforce allows you to set up some policies around your users’ passwords. Your first instinct may be to go strict — to make the passwords a minimum of 50 characters, at least one of every character type, lockout after only three wrong attempts, etc. I want you to step back and take a breath. If your password requirement is too great, it will cause confusion and frustration amongst your users. Put yourself into the shoes of sales reps who are gathering details from a client over the phone. Before they can get going, they need to type in 50 mixed characters from memory, and that just won’t work. Try to use empathy to come up with a sensible balance of rules to deter hackers, but not your coworkers.
Setting up your password policies is easy to do. Navigate to Setup, then to Security Controls > Password policies. Once you are on the screen, use your best judgement to set the policies to best suit your needs.
Locking Down the When and Where
A powerful tool at your disposal is the ability to restrict when and from where your users can log in. Depending on your corporate culture and existing infrastructure, this can either be nearly painless or completely unusable. First off, let’s talk time. Profiles can be given a range of times that they can login. This can help to reduce the times that attacks can take place, and it makes sense if all your users of a profile work at similar times. This breaks down, however, if you have a highly mobile workforce. You don’t want your sales rep who just flew to India to only be able to work with Salesforce when you have your profiles set up for standard working hours in the eastern time zone in America.
Likewise, you can set up a range of IP addresses to restrict from where a user can log in. If your company operates with a set range of IP addresses, restricting these can hinder outside actors trying to login. This could pose a problem for a mobile worker, but that can be overcome if your company already has a VPN (virtual private network) to allow remote users to appear on the same network as your internal users.
Knowing What You Have
Two-factor authentication is getting more popular as attackers get more sophisticated. The idea is that a password is a single factor and is comprised of “something you know.” With two-factor authentication, you add “something you have.” In many cases, this takes the form of an app on your mobile phone. This is useful, because how many of us don’t have a smartphone glued to us somewhere? Now, this is going to take some setup and some training — users are going to have to install the app and get used to being prompted for this token. It is a small inconvenience, but of everything on this list so far, it is pretty flexible and amazingly safe.
The setup for two factor is a bit more involved than a single screen. Luckily, Salesforce has some instructions to follow at its help site. If you are a hands-on learner and would like some practice before you let it loose in your own org, then there is a Trailhead module just for you.
Analog Tricks in a Digital Age
So far, we have looked at ways to throw roadblocks in front of attackers, but what if they just waltz up to the door and ask for the keys? Surely, you and your co-workers are savvy enough to avoid that, right? Well, let’s look at a hypothetical email:
Subject: Employee Benefits Manual (Updated)
Body: Good morning everyone. After some careful consideration and numerous meetings with our management and benefit provider teams, we have decided on a number of changes to our previously offered benefits. Some of you won’t notice any change while others may see a modest increase. Regardless, please download and read at your earliest convenience
After downloading and opening, your employees have now infected themselves with a keylogger that will record keystrokes. This sort of email plays on an employee’s hope that the new manual will better their own situation, as well as the gentle prodding in the final sentence.
“But, Bob,” you say, while holding a stack of invoices for the latest in virus software, “we have invested in top-of-the-line scanning with attachment inspection occurring at our firewall, email server, and client computers! Viruses are not happening here!” Well, who said it had to be a virus? Another bit of email lies:
Subject: Missing sales in reports
Body: Morning [NAME], I was running the reports for the last quarter and noticed that you made no sales? I figure that it’s a mistake so before any automatic disciplinary action gets kicked off, can you lend me your credentials so I can pull the relevant info into my reports? It will probably not get this taken care of before it becomes a mess, so I need the numbers now and we can get the fix after. Thanks.
There, no virus, pure human weakness. It works off a one-two punch of the slight that they look bad in the reports and the threat that some nameless disciplinary action is aimed at them, powder-primed, and could get them if they are not quick enough. No time to think, you have to act first and ask questions later.
The threat is called “social engineering,” and it is the most popular kind of attack. It uses an unwitting pawn on the inside to open the door to attack. You may notice that this is the longest section so far, and that is because for all the settings I have discussed, there is no checkbox or setting for this. The combination of all of the previous steps certainly makes life harder for an attacker, but this is still a human problem, and humans are squishy. This takes training, refreshers, and well-established protocol to beat.
Putting it all Together
The online world is peppered with a variety of threats, so it only makes sense that the best defense would be a variety of protections. Take a look at your users and business needs, and craft the solution that fits best. The time to start is yesterday, so get analyzing.