Securing Salesforce in a Time of Crisis

In these tumultuous times of the Coronavirus pandemic, the best and the worst are coming out in people.  It is really amazing to see how people are banding together to help those in greatest need by creating care packages for furloughed workers, neighbors singing together from their front porches, and manufacturing personal protective equipment for medical professionals.  On the flip side, the technology and security industries have continued to warn that a global pandemic is the exact opportunity cyber-thieves are looking for.

More people than ever are working from home, often with fewer security defenses on their home networks than they would have in the office. Even in critical infrastructure and other high-sensitivity environments where it would be impossible to securely work from home, skeleton crews at the office and general distraction can create windows of vulnerability. And in times of stress or distraction, people are more likely to fall for malicious scams and tricks.


“This global crisis is an emergent vulnerability in the broadest sense possible,” say Lukasz Olejnik, an independent cybersecurity researcher and consultant who has been analyzing the digital security risks posed by the pandemic. “The current situation poses enough challenges. Any additional undesirable events would just make it more difficult. So one worst case consequence of a cyberattack could be slowing down crisis response, for example in the health care sector.”

– WiReD Magazine, Coronavirus Sets the Stage for Hacking Mayhem


As Salesforce professionals, while we rely heavily on the expertise of cybersecurity specialists to keep our computers and networks safe, there are measures we can take to secure our own instances of Salesforce to ensure our users and data are safe.  Luckily, the Salesforce resources are plentiful and the Ohana is happy to help those that ask. 

I would also like to note that most of the following content is not original thought and it has been gathered as a resource to share and spread the wealth of information others have provided.

The list below is not comprehensive of all security features and functionality available within Salesforce, but rather a group of quickly implemented features that provide a high ROI to secure a Salesforce org.

Timely User Management

One of the easiest security measures that can be implemented is to maintain a tidy user base within your org.  Deactivate users as soon as possible once they either leave the company or change roles within the company and no longer need Salesforce access.

Restrict When and Where Users Can Log In

You can restrict the hours during which users can log in and the range of IP addresses from which they can log in and access Salesforce. If IP address restrictions are defined for a user’s profile and a login originates from an unknown IP address, Salesforce does not allow the user to log in. These restrictions help protect your data from unauthorized access and phishing attacks.  This Help article contains links to several key features.

User Authentication Features

Here’s the recommended Trailhead Module for User Authentication.  It’s better reading than the help articles.

Two-Factor AuthenticationtwoFactor

Two-factor authentication is the most effective way to protect your org’s user accounts. As a Salesforce admin, amplify your org’s security by requiring a second level of authentication for every user login. You can also require two-factor authentication when a user meets certain criteria, such as attempting to view reports or access a connected app.

My Domain

My Domain is a prerequisite to several valuable security settings and features that really help control the login experience, security policies, and user authentication.  There’s really a lot to understand here so I’ll provide a few reference points.

  1. My Domain Help Article
  2. My Domain Trailhead Module
  3. My Domain FAQ

Single Sign-On (SSO)

Usually you will need to work with your IT Security Team to enable and configure SSO for your org (Help Article or Trailhead Module).  This is a very user-friendly feature because it allows users to log into Salesforce with company network credentials instead of remembering another username and password.

Increase Requirements of Password Policies

While SSO make be a more user-friendly feature, password policies typically make life harder for users.  Here are a few of the common policies that should be reviewed.

Reduce Password Expiration Length

The default password expiration length is 90 days.  Switch this to a shorter time period to force users to constantly change it.

Password Complexity & Minimum Password Length

Set the complexity to the highest level and keep a high minimum length to ensure passwords are sufficiently complex.

Enforce Password History

Did you know you can prevent users from reusing passwords?

Maximum Login Attempts

Keep the attempt count low, but not low enough for those of us with fat fingers!

Security Health Check

The Security Health Check is a dashboard within your org that allows you to review the overall security of the org.  With Health Check, you can identify and fix vulnerabilities in your security settings, all from a single page. A summary score shows how well your org is aligned with the Salesforce-recommended standard.


The Health Check score is calculated by a proprietary formula that measures how well your security settings meet either the Salesforce Baseline Standard or your selected custom baseline. Settings that meet or exceed compliance raise your score, and settings at risk lower your score.

There are four risk categories: High-Risk, Medium-Risk, Low-Risk, and Informational. The risk categories affect your Health Check score, with High-Risk settings counting the most, Low-Risk settings counting the least, and Medium-Risk settings, well, they’re in the middle. Settings in the Informational category do not factor into your Health Check score.

But Wait… There’s More…

The features listed above are just the tip of the iceberg for keeping your Salesforce org secure.  There are many more features and products that can be leveraged: session settings, data encryption, Shield, and even internal data security, such as Roles, Profiles, Permission Sets, and Sharing Settings.

Trailhead and Badges and Certs… oh my!

In addition to the Trailhead modules previously identified, the Security Specialist Superbadge will allow you to test your mettle with a real life business security scenario and apply the knowledge gained from completing the prerequisite modules.


And finally, there are two certifications available specifically related to security: Sharing  and Visibility Designer and Identity and Access Management Designer.  Both are components within the Architect pyramid of certifications, as shown below.


Ohana Means Family

Remember that you can always reach out to the greater Salesforce community in the Trailblazer Community  if you need assistance or have questions about a feature, product, or tricky security issue.  Someone has likely seen or experienced what you are going through and can lend a helping hand.