A Guide to Your Salesforce Security Progress Report

Posted by Pete Thurston


Breaking down how we analyze & score your real-time security posture

The Salesforce Security Progress Report is designed to provide easy access to deep insights about your real-time security posture. It is one of our Cloud Security Cockpit® on-demand reports that gives you a clear picture of your security controls, so you can see and understand where there’s risk (at last!).

To help you fully understand the Progress Report, below you’ll find definitions of the 6 security “lenses” and details on how we methodically score your posture - and if you're not getting a Salesforce Security Progress report on a regular basis, let's talk about Cloud Security Cockpit®!

Data Protection

How well is the information in the system being stored and accessed?

Data Classification
In order to align Salesforce to your organization's security posture, data classification levels should be defined and all fields in your Salesforce org should be assigned an appropriate classification level.
 
Potential High-Risk Fields
The fields listed in this graph within Security Insights are not classified as high-risk, but they contain words or phrases that are commonly referred to as high risk.
 
Seldom Used High Risk Fields
These are fields that are classified as high risk but are not used at all or very seldom used. The percentage of data classification completed is also taken into consideration in the scoring here.
 
Blocked by Configuration
These are fields that are on your encryption wish list but have configuration blockers that will prevent Shield Platform Encryption from being turned on or will cause loss of function if Shield Platform Encryption is turned on. These fields and their associated blockers should be reviewed to see if the blockers can be removed or remediated. The remediation plan will vary depending on the associated blocker(s). If the blockers can safely be remediated, the fields can then be encrypted.
 
Platform Encryption Analysis Jobs Per Month
It is recommended to run a Platform Encryption Analysis job within Shield Security Cockpit® at least once every 30 days so you can keep track of field changes that naturally happen within Salesforce.

Integration

Are applicable integrations implemented in a fashion that is consistent with the organization’s stated goals?

Insecure Remote Site Settings
Remote Site Settings are used to register access to external website resources and should always be configured securely (HTTPS).
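The following is an added example of how the "insecure" determination above can be checked over an exported list of remote sites; it is illustrative code, not Cloud Security Cockpit code. The records are constructed, and the field names (SiteName, EndpointUrl, IsActive, DisableProtocolSecurity) are assumed to mirror Salesforce's RemoteSiteSetting metadata; nothing here calls Salesforce.

```python
"""Flag Remote Site Settings that count as insecure in the Integration lens.

Illustrative example, not Cloud Security Cockpit code. Sample records are
constructed; field names are assumed to mirror RemoteSiteSetting metadata.
"""
from urllib.parse import urlsplit

# Constructed sample: what a metadata export of remote sites might look like.
SAMPLE_REMOTE_SITES = [
    {"SiteName": "PaymentGateway", "EndpointUrl": "https://pay.example.com",
     "IsActive": True, "DisableProtocolSecurity": False},
    {"SiteName": "LegacyErp", "EndpointUrl": "http://erp.internal.example",
     "IsActive": True, "DisableProtocolSecurity": False},
    {"SiteName": "Webhook", "EndpointUrl": "https://hooks.example.com",
     "IsActive": True, "DisableProtocolSecurity": True},
    {"SiteName": "OldSandbox", "EndpointUrl": "http://old.example.com",
     "IsActive": False, "DisableProtocolSecurity": False},
]


def insecure_reasons(site):
    """Return the list of reasons a remote site is insecure (empty if fine)."""
    reasons = []
    scheme = urlsplit(site["EndpointUrl"]).scheme.lower()
    if scheme != "https":
        reasons.append(f"endpoint scheme is {scheme or 'missing'!r}, not https")
    if site.get("DisableProtocolSecurity"):
        # Assumed meaning: the site may pass data between HTTPS and HTTP
        # sessions, so it is flagged even when the registered URL is HTTPS.
        reasons.append("protocol security disabled")
    return reasons


def find_insecure_remote_sites(sites, include_inactive=False):
    """Return {SiteName: [reasons]} for every insecure site.

    Inactive sites are skipped by default because they cannot be called,
    but they can be included to catch settings that may be re-enabled later.
    """
    findings = {}
    for site in sites:
        if not site.get("IsActive", True) and not include_inactive:
            continue
        reasons = insecure_reasons(site)
        if reasons:
            findings[site["SiteName"]] = reasons
    return findings


def integration_score(sites):
    """Percentage of active remote sites that pass the check, 0-100."""
    active = [s for s in sites if s.get("IsActive", True)]
    if not active:
        return 100.0
    bad = find_insecure_remote_sites(active)
    return round(100.0 * (len(active) - len(bad)) / len(active), 1)


if __name__ == "__main__":
    for name, reasons in find_insecure_remote_sites(SAMPLE_REMOTE_SITES).items():
        print(f"{name}: {'; '.join(reasons)}")
    print("score:", integration_score(SAMPLE_REMOTE_SITES))
```

Run against the constructed sample it reports LegacyErp (plain HTTP) and Webhook (HTTPS URL but protocol security disabled) and scores the lens at one pass out of three active sites; OldSandbox only appears when inactive sites are included.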
 
Unencrypted Settings
These are fields from Custom Settings or Custom Metadata Types that appear to be both unencrypted and containing sensitive configuration information.

Data Loss Prevention

How well is the information in the system being protected against loss?

Data Egress
Data egress refers to data leaving a network and is important to manage to prevent sensitive data loss.
 
Data Tracking
Tracking the changes to field data is an important way to monitor the data changes that occur within Salesforce. It is especially important to track field history changes for fields that are classified as high risk. The percentage of data classification completed is also taken into consideration in the scoring here. By default, 20 fields per object can be tracked but this number increases to 60 or beyond with Salesforce Shield Field Audit Trail.
 
Data Vulnerability
Access to high-risk fields, and to the objects that contain them, should be granted to users sparingly.
 
Defined History Retention Policies
History Retention Policies are part of Shield Field Audit Trail and are used to define how long field history data is stored on an object-by-object basis. History Retention Policies are supported for all custom objects and a subset of standard objects.

Access Control (Authentication)

Is the system accessible to the right users at the right times without compromising security of the org?

Non-Compliant Password Settings
Password settings are an important way to improve overall security within Salesforce. You can set password history, length, and complexity requirements and also specify what to do when a user forgets their password.
 
Users without IP Restrictions
Login IP restrictions are set at the profile level and limit unauthorized access to Salesforce by requiring users to log in from designated IP addresses. By using Login IP Ranges, a defined range of addresses can be used to control access. Users who try to log in from outside the specified IP address ranges will not be granted access.
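As an added example (not Cloud Security Cockpit code), the check below evaluates login events against profile-level Login IP Ranges and reports which profiles carry no restriction at all. The profiles, ranges and login records are constructed; the inclusive start/end address pair mirrors how a Login IP Range is defined on a profile.

```python
"""Evaluate logins against profile Login IP Ranges and find unrestricted users.

Illustrative example, not Cloud Security Cockpit code. All data is constructed.
"""
import ipaddress

# Constructed: profile -> list of (start, end) inclusive address ranges.
# An empty list means the profile has no Login IP Ranges at all.
PROFILE_LOGIN_IP_RANGES = {
    "Finance": [("203.0.113.0", "203.0.113.255")],
    "Sales": [("198.51.100.10", "198.51.100.20"),
              ("203.0.113.0", "203.0.113.255")],
    "Contractor": [],
}

# Constructed login events, as they might appear in a login history export.
SAMPLE_LOGINS = [
    {"user": "alice@example.com", "profile": "Finance", "ip": "203.0.113.44"},
    {"user": "bob@example.com", "profile": "Finance", "ip": "192.0.2.9"},
    {"user": "carol@example.com", "profile": "Sales", "ip": "198.51.100.15"},
    {"user": "dan@example.com", "profile": "Contractor", "ip": "192.0.2.77"},
]


def ip_in_ranges(ip, ranges):
    """True if ip falls inside any inclusive (start, end) range."""
    addr = ipaddress.ip_address(ip)
    for start, end in ranges:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo.version != addr.version:
            # Mixed IPv4/IPv6 comparison raises TypeError; such a range
            # simply cannot match this address.
            continue
        if lo <= addr <= hi:
            return True
    return False


def evaluate_login(login, profile_ranges):
    """Return 'allowed', 'blocked' or 'unrestricted' for one login event."""
    ranges = profile_ranges.get(login["profile"], [])
    if not ranges:
        return "unrestricted"
    return "allowed" if ip_in_ranges(login["ip"], ranges) else "blocked"


def profiles_without_ip_restrictions(profile_ranges):
    """Profiles that define no Login IP Ranges."""
    return sorted(p for p, ranges in profile_ranges.items() if not ranges)


def unrestricted_user_share(logins, profile_ranges):
    """Percentage of distinct users whose profile has no Login IP Ranges."""
    users = {entry["user"]: entry["profile"] for entry in logins}
    if not users:
        return 0.0
    unrestricted = [u for u, p in users.items() if not profile_ranges.get(p)]
    return round(100.0 * len(unrestricted) / len(users), 1)


if __name__ == "__main__":
    for login in SAMPLE_LOGINS:
        print(login["user"], evaluate_login(login, PROFILE_LOGIN_IP_RANGES))
    print("unrestricted profiles:", profiles_without_ip_restrictions(PROFILE_LOGIN_IP_RANGES))
    print("unrestricted users:", unrestricted_user_share(SAMPLE_LOGINS, PROFILE_LOGIN_IP_RANGES), "%")
```

The "unrestricted" outcome is the one this report item counts: the Contractor profile has no ranges, so dan's login is not blocked from anywhere, which is what "Users without IP Restrictions" surfaces.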

Security Model (Authorization)

Is the Salesforce Security Model implemented in accordance with the organization’s needs?

Data Vulnerability
Access to high-risk fields, and to the objects that contain them, should be granted to users sparingly.
 
Report Access
Reports allow users to access large sets of data within Salesforce, so report access should be assigned only to users who require it.
 
Users with Setup / Configuration
Users with the View Setup and Configuration system permission can view Setup pages, which are generally reserved for System Admin type users. Security policies can vary, but we generally recommend that 20% or less of your total users have access to view Setup and Configuration.
 
Administrative Permissions
Administrative permissions include things like Modify All Data, Modify Metadata Through Metadata API Functions and View All Data.
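The following added example shows how the "Users with Setup / Configuration" and "Administrative Permissions" items above can be scored from permission set assignments; it is illustrative code, not Cloud Security Cockpit code. The users, permission sets and assignments are constructed, and the boolean field names are assumed to mirror the PermissionSet object's API names (PermissionsViewSetup, PermissionsModifyAllData, PermissionsViewAllData, PermissionsModifyMetadata). Profile-granted permissions are modelled the way Salesforce exposes them, as a permission set owned by the profile.

```python
"""Score Setup/Configuration access and administrative permissions.

Illustrative example, not Cloud Security Cockpit code. Data is constructed;
field names are assumed to mirror the PermissionSet object's API names.
"""
from collections import defaultdict

# The page's rule of thumb: 20% or less of total users may view Setup.
SETUP_THRESHOLD_PCT = 20.0

# The three administrative permissions named in the report.
ADMIN_PERMS = (
    "PermissionsModifyAllData",
    "PermissionsModifyMetadata",
    "PermissionsViewAllData",
)

# Constructed permission sets (including profile-owned ones).
SAMPLE_PERMISSION_SETS = {
    "PS_Admin": {"PermissionsViewSetup": True, "PermissionsModifyAllData": True,
                 "PermissionsViewAllData": True, "PermissionsModifyMetadata": True},
    "PS_Support": {"PermissionsViewSetup": True, "PermissionsModifyAllData": False,
                   "PermissionsViewAllData": False, "PermissionsModifyMetadata": False},
    "PS_Sales": {"PermissionsViewSetup": False, "PermissionsModifyAllData": False,
                 "PermissionsViewAllData": False, "PermissionsModifyMetadata": False},
    "PS_DataLoader": {"PermissionsViewSetup": False, "PermissionsModifyAllData": True,
                      "PermissionsViewAllData": False, "PermissionsModifyMetadata": False},
}

# Constructed active users and (user, permission set) assignments.
SAMPLE_ACTIVE_USERS = ["admin", "sup1", "sup2", "rep1", "rep2",
                       "rep3", "rep4", "rep5", "etl", "intern"]
SAMPLE_ASSIGNMENTS = [
    ("admin", "PS_Admin"), ("sup1", "PS_Support"), ("sup2", "PS_Support"),
    ("sup1", "PS_Sales"), ("rep1", "PS_Sales"), ("rep2", "PS_Sales"),
    ("rep3", "PS_Sales"), ("rep4", "PS_Sales"), ("rep5", "PS_Sales"),
    ("etl", "PS_DataLoader"),
]


def effective_permissions(assignments, permission_sets):
    """{user: set of granted permission names}, the union of all assignments."""
    effective = defaultdict(set)
    for user, ps_name in assignments:
        granted = permission_sets[ps_name]
        effective[user].update(name for name, on in granted.items() if on)
    return effective


def users_with_permission(perm, users, assignments, permission_sets):
    effective = effective_permissions(assignments, permission_sets)
    return sorted(u for u in users if perm in effective[u])


def setup_access_percentage(users, assignments, permission_sets):
    """Share of active users holding View Setup and Configuration."""
    if not users:
        return 0.0
    holders = users_with_permission("PermissionsViewSetup", users,
                                    assignments, permission_sets)
    return round(100.0 * len(holders) / len(users), 1)


def setup_access_compliant(users, assignments, permission_sets):
    return setup_access_percentage(users, assignments,
                                   permission_sets) <= SETUP_THRESHOLD_PCT


def administrative_users(users, assignments, permission_sets):
    """{user: [admin perms held]} for users with any administrative permission."""
    effective = effective_permissions(assignments, permission_sets)
    result = {}
    for user in users:
        held = sorted(p for p in ADMIN_PERMS if p in effective[user])
        if held:
            result[user] = held
    return result


if __name__ == "__main__":
    args = (SAMPLE_ACTIVE_USERS, SAMPLE_ASSIGNMENTS, SAMPLE_PERMISSION_SETS)
    print("setup access:", setup_access_percentage(*args), "%",
          "compliant" if setup_access_compliant(*args) else "non-compliant")
    for user, perms in administrative_users(*args).items():
        print(user, "->", ", ".join(perms))
```

Permissions are unioned across every assignment a user holds, which is why a user such as etl, whose only admin-level grant comes from a data-loading permission set rather than a profile, still shows up under Administrative Permissions.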
 
Unused Custom Profiles
Custom profiles should only be created / maintained when users are identified who require them. Profile best practices call for the removal of unused profiles. Cleaning up unused profiles is an excellent way to keep profile proliferation to a minimum.

Monitoring

If data were to be maliciously accessed, used or modified, are processes and technology in place to raise awareness or support research?

Non-Compliant Session Settings
When a user successfully logs into Salesforce, a session is established. Session settings are used to control things like session timeouts, caching, connections and more and should be aligned to your organization's security posture.
 
Non-Compliant Key Management
Certificate and key pairs are used to verify a request is coming from your Salesforce org and should be generated if you're working with an external website. The Certificate and Key Management settings are part of the Salesforce Health Check.
 
Untracked Event Types
If you are licensed for Event Monitoring, it is considered best practice to track all event types that support data storage.
 
Active Transaction Security Policies
Transaction Security Policies are part of Salesforce Shield Event Monitoring and can be used to intercept real-time Salesforce events and apply appropriate actions based on the security policies you create. Supported event types include API, List View, Login and Report events. Available actions include sending a notification, requiring 2FA, or blocking the event altogether.
 

Here's more to explore:

  • Learn about Cloud Security Cockpit® to get your own Salesforce Security Progress Report and the tooling you need to implement, manage and prove your Salesforce security controls
  • Already using Cloud Security Cockpit® and seeing value? Share your review on the AppExchange
  • Looking for a deeper look at your Salesforce security posture, and a risk-prioritized remediation playbook? Contact us to learn about a Salesforce Security Risk Assessment
