CloudLock recently found 1% of employees create 75% of your security risk. These are often super-privileged administrators, heavy users, and integrations with other software apps. Here are 3 best practices to reduce your Salesforce security risk:
Who’s Really a System Administrator?
The default Salesforce System Administrator profile can control all data and sharing. Even in your Full Sandbox, they have access to a complete copy of your production data. Full System Administrators should be a trusted few. For other power users and consultants, create additional Profiles and Permission Sets with just the access they need.
Grant Minimal Permissions
You should have the same discussion about access to all your data. Who’s the single logical owner? Who else needs access? Does the benefit of sharing outweigh the security risk?
Salesforce’s basic structure of ownership and hierarchical sharing meets many needs. Conditional sharing rules can expand access to additional departments. I designed this security matrix to control data access through sales, implementation, and ongoing performance management:
Isolate Your Integrated Apps
That 1% of users installs 62% of apps, which inherit their broad user privileges and Salesforce security risk. 70% of their data sharing is with emails outside your corporate domain.
Isolate system integrations to a dedicated Salesforce User with limited Profile permissions. For instance, syncing your email marketing system only requires access to Leads and Contacts.
Isolate user-installed apps by limiting user Profile access to data. Even if a sales representative wanted to share all your prospects using an external app, they’d be limited to the Leads they own.
Finally, administrators should monitor logins and app authorizations from within Salesforce.
Quick Salesforce Security Risk Checks
To understand your Salesforce security risk from your top 1% of users, run these quick best practice checks:
- How many Users have full System Administrator Profiles?
- Which objects default to Public sharing with all employees?
- Which external apps are accessing your Salesforce?
Based on those answers, I can design the right Profile permissions to reduce your Salesforce security risk.
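The three checks above, written as SOQL against standard Salesforce objects and evaluated over the query results. This is an added example, not code from the original post; it assumes any `query` callable that returns the REST-style `{"records": [...]}` shape (for instance `simple_salesforce`'s `query_all`), and the `stub_query` data is constructed so the script runs offline. It goes slightly beyond the post by also counting cloned profiles that carry "Modify All Data" as administrators.

```python
SOQL = {
    # 1. Who really is an administrator: the standard profile, plus any cloned
    #    profile carrying "Modify All Data", which is admin in all but name.
    "admins": ("SELECT Username, Profile.Name FROM User WHERE IsActive = true "
               "AND (Profile.Name = 'System Administrator' "
               "OR Profile.PermissionsModifyAllData = true)"),
    # 2. Objects whose org-wide default already opens records to every user.
    "public_objects": ("SELECT QualifiedApiName, InternalSharingModel "
                       "FROM EntityDefinition WHERE InternalSharingModel IN "
                       "('Read', 'ReadWrite', 'ReadWriteTransfer', 'FullAccess')"),
    # 3. External apps holding OAuth tokens, and which user authorized each one.
    "oauth_apps": ("SELECT AppName, User.Username, UseCount, LastUsedDate "
                   "FROM OauthToken"),
}


def run_checks(query):
    """Run the three checks through `query` (any callable returning the
    REST-style {"records": [...]} shape) and summarize the findings."""
    admins = sorted(r["Username"] for r in query(SOQL["admins"])["records"])
    public_objects = {r["QualifiedApiName"]: r["InternalSharingModel"]
                      for r in query(SOQL["public_objects"])["records"]}
    apps = {}
    for r in query(SOQL["oauth_apps"])["records"]:
        apps.setdefault(r["AppName"], set()).add(r["User"]["Username"])
    # An app authorized by an admin inherits that admin's full data access,
    # so those are the ones to move onto a dedicated, least-privilege user.
    admin_granted = sorted(a for a, users in apps.items() if users & set(admins))
    return {"admins": admins, "public_objects": public_objects,
            "apps": apps, "apps_with_admin_grants": admin_granted}


def stub_query(soql):
    """Constructed sample responses standing in for a live org (hypothetical
    users, objects and app names; not real data)."""
    if soql.startswith("SELECT Username"):
        return {"records": [
            {"Username": "jane@example.com", "Profile": {"Name": "System Administrator"}},
            {"Username": "consultant@example.com", "Profile": {"Name": "Admin Clone"}}]}
    if soql.startswith("SELECT QualifiedApiName"):
        return {"records": [
            {"QualifiedApiName": "Lead", "InternalSharingModel": "ReadWrite"},
            {"QualifiedApiName": "Opportunity", "InternalSharingModel": "Read"}]}
    return {"records": [
        {"AppName": "Email Marketing Sync", "User": {"Username": "jane@example.com"}},
        {"AppName": "Contact Exporter", "User": {"Username": "rep@example.com"}}]}
```

Against a live org, replace `stub_query` with the authenticated client's query function; the OauthToken and EntityDefinition queries need an administrator session to return complete results.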