Salesforce has become the operational core for customer engagement, revenue forecasting, and compliance reporting. This concentration of sensitive data creates an attractive target for sophisticated attackers while magnifying the impact of simple configuration errors. A recent breach through malware embedded in a Salesforce Commerce Cloud site compromised payment details from over 200,000 shoppers across three months, exposing names, card numbers, and security codes.

The threat landscape extends beyond external attackers. Insider activity—whether malicious or accidental—causes an increasing number of data breaches. Even well-intentioned users can delete critical records or misconfigure sharing rules, leading to exposure or permanent data loss. With the global average cost of a data breach reaching nearly $5 million in 2024, organizations need comprehensive security strategies that address both external threats and internal vulnerabilities.

Protecting Salesforce data requires a layered defense spanning configuration management, access controls, monitoring, and recovery capabilities. The four essential practices below provide a systematic approach for administrators, DevOps teams, and security leaders to build resilient CRM security.

1. Configuration Security and Health Monitoring

Salesforce orgs contain hundreds of security settings that control password policies, session timeouts, and encryption standards. These configurations frequently drift from best practices due to routine changes and system updates, creating vulnerabilities that attackers actively exploit.

• The Risk: Misconfigurations create the most common pathway for data exposure. Weak password policies, unlimited session timeouts, and expired certificates can turn routine access into security vulnerabilities.
• The Solution: Systematic configuration monitoring catches dangerous settings before they become breaches.

Implementation Steps

Start with Salesforce's built-in security assessment tools and establish regular monitoring cycles to maintain configuration hygiene.

Run Security Health Check Monthly 

From Setup, open Quick Find and select Health Check. This built-in tool grades hundreds of org settings against security baselines, returning a percentage score that shows whether passwords, sessions, certificates, and transport settings align with best practices.

Address findings in priority order:

• Very High Risk: Weak password requirements, unlimited sessions, expired TLS certificates
• High Risk: Overly permissive sharing settings, outdated encryption standards
• Medium/Low Risk: Enhanced security features not yet enabled

Select individual settings to edit them, or use "Fix Risks" to batch-apply recommended values. Always test changes in a sandbox environment before applying to production.

Establish Ongoing Monitoring 

Configuration drift occurs after every Salesforce release, new integration, or administrative change. Schedule health check reviews monthly, with weekly reviews during major system changes or compliance audit periods.

Success Metrics

• Maintain health check scores above 80%
• Resolve Very High risk findings within 24 hours
• Document all configuration changes with business justification

Compliance Impact: Regular configuration monitoring satisfies SOX, GDPR, and SOC 2 requirements for demonstrable security controls and change management processes.

2. Identity and Access Management

User credentials represent the primary attack surface in cloud platforms, providing immediate access to sensitive data when compromised. Modern phishing campaigns and credential stuffing attacks target even security-conscious users, while organizational growth naturally leads to permission creep beyond actual job requirements.

• The Risk: Compromised credentials and excessive permissions create the primary attack vectors for data theft. Password-only authentication fails against modern phishing campaigns, while permission creep gradually expands user access beyond job requirements.
• The Solution: Multi-layered access controls combining strong authentication, least-privilege permissions, and network restrictions.

Multi-Factor Authentication for All Users

Salesforce requires MFA for all products as of February 2022, recognizing that second-factor verification blocks credential-based attacks even when passwords are compromised.

Implementation Options:

• Mobile Authenticator Apps: Salesforce Authenticator provides push approvals and time-based codes; generic authenticators (Google, Microsoft) generate 30-second codes
• Hardware Keys: FIDO2/U2F keys (YubiKey, SoloKey) require physical interaction for high-assurance environments

Rollout Strategy:

1. Start with a pilot group of administrators and power users
2. Refine the enrollment process based on feedback
3. Distribute clear instructions and contingency plans for lost devices
4. Track adoption through built-in reports until 100% compliance

Least-Privilege Permission Management

Effective permission management requires regular audits to identify and remove excessive access that accumulates over time. Each quarter, audit user access permissions and update following the steps below.

1. Inventory Current Access: Export comprehensive lists of users, profiles, permission sets, and permission-set groups. Identify dormant accounts and overlapping access models.
2. Map Effective Permissions: Use "Who Sees What" reports to surface actual object, field, and record visibility. Flag hidden escalations and broad API scopes from third-party integrations.
3. Remove Excessive Access:

• Deactivate obsolete profiles
• Merge redundant permission sets
• Downgrade excessive privileges
• Favor permission sets over direct profile edits for easier rollbacks

4. Document and Schedule: Capture all changes, obtain business owner approval, and schedule the next quarterly review.

Network Access Controls

Geographic and network-based restrictions add an additional security layer by limiting access to recognized locations and approved networks.

Trusted IP Configuration:

• Navigate to Setup → Network Access to define trusted IP ranges
• Users from approved locations skip additional verification steps
• Configure Login IP Ranges at the Profile level for complete restriction

Session Security Policies:

• Set appropriate session timeout values, balancing security with productivity
• Enforce HTTPS for all communications
• Maintain current TLS configurations
• Implement login hour restrictions to limit after-hours access

Success Metrics

• 100% MFA adoption across all active users
• Zero accounts with unnecessary administrative privileges
• All login attempts from recognized IP ranges during business hours
• Quarterly certification of user access rights

Compliance Impact: Strong identity controls satisfy PCI-DSS, HIPAA, ISO 27001, and SOC 2 requirements for access management and regular access reviews.

3. Activity Monitoring and Threat Detection

Security incidents typically begin with subtle anomalies like unusual login locations or after-hours data access. Without continuous monitoring, these early warning signs can persist undetected for months while attackers establish persistent access and exfiltrate sensitive data.

• The Risk: Without continuous monitoring, security incidents can persist undetected for months. Geographic anomalies, unusual data access patterns, and privilege escalations often provide the first indicators of account compromise.
• The Solution: Real-time monitoring of user behavior, login patterns, and data access combined with automated alerting for suspicious activities.

Login Monitoring Implementation

Effective monitoring focuses on behavioral patterns that indicate potential account compromise or policy violations.

Geographic and Temporal Analysis:

• Monitor login attempts from unexpected locations or time zones
• Flag rapid geographic transitions that indicate credential sharing
• Alert on access attempts during restricted hours or from blocked regions

Session Behavior Tracking:

• Monitor for unusual data export volumes or patterns
• Track privilege escalation attempts and administrative action spikes
• Flag simultaneous sessions from different geographic locations

Automated Alert Configuration

Successful threat detection depends on alerts that identify genuine threats without overwhelming security teams with false positives.

High-Priority Alerts:

• Multiple failed login attempts from a single IP address
• Successful login followed by immediate bulk data access
• Administrative changes outside of approved maintenance windows
• Access to sensitive objects by users without business justification

Response Procedures:

• Immediate session termination for suspected compromised accounts
• Automated temporary account lockout pending investigation
• Real-time notifications to the security team via email and messaging platforms

Success Metrics

• Average detection time under 15 minutes for suspicious activity
• Zero false positives for routine business activities
• 100% of security alerts investigated within 4 hours
• Monthly review of monitoring effectiveness and rule tuning

Compliance Impact: Continuous monitoring demonstrates due diligence required by most regulatory frameworks and provides audit trails for incident investigations.

4. Data Protection and Recovery

Business-critical data faces threats from accidental deletions, ransomware attacks, and system failures that can halt operations. Salesforce's standard weekly export capabilities prove inadequate for rapid recovery when organizations need to restore operations quickly after security incidents or disasters.

• The Risk: Data loss from accidental deletion, malware attacks, or system failures can halt business operations. Salesforce's built-in weekly exports provide inadequate recovery capabilities for modern business requirements.
• The Solution: Automated backup systems following industry best practices with rapid recovery capabilities.

Comprehensive Backup Strategy

Enterprise-grade backup strategies follow industry-standard approaches that account for multiple failure scenarios and recovery time requirements.

The 3-2-1 Rule Implementation:

• Maintain three copies of critical datasets
• Store backups on two different media types
• Keep at least one copy stored off-platform

Automated Backup Schedule:

• Daily incremental backups for high-value objects (Accounts, Opportunities, Cases)
• Weekly full backups including metadata and configuration
• Real-time backup for critical financial and compliance data
• Encrypted storage both at rest and in transit

Recovery Planning

Recovery capabilities must align with business requirements and regulatory expectations for system availability. Establish recovery time targets and testing requirements based on business impact.

Recovery Time Objectives: 

• Critical systems: 4 hours maximum downtime
• Standard operations: 24 hours maximum downtime
• Historical data: 72 hours maximum downtime

Testing Requirements:

• Quarterly full recovery tests in sandbox environments
• Monthly spot-checks of backup integrity
• Annual disaster recovery exercises, including cross-functional teams
• Documentation of all recovery procedures with step-by-step instructions

Retention and Compliance

Data retention policies must balance storage costs with regulatory requirements and business needs.

Data Retention Alignment:

• Financial records: Minimum 7 years for SOX compliance
• Healthcare data: HIPAA requirements vary by record type
• EU customer data: GDPR "right to be forgotten" considerations
• Industry-specific requirements (FINRA, FDA, etc.)

Success Metrics

• 100% backup success rate for scheduled jobs
• Recovery time under 4 hours for critical systems
• Zero data loss in recovery testing scenarios
• Annual compliance audit approval for data protection controls

Compliance Impact: Robust backup and recovery demonstrate business continuity planning required by most regulatory frameworks and provide evidence of data protection due diligence.

Building an Integrated Security Program

These four security practices work together to create comprehensive protection:

1. Configuration Security establishes the foundation by ensuring system settings follow security best practices.
2. Identity and Access Management controls who can access what data under which circumstances. 
3. Activity Monitoring provides real-time visibility into potential threats and policy violations. 
4. Data Protection ensures business continuity when security controls fail or disasters occur.

Implementation Roadmap

Organizations should implement these security practices in phases to manage complexity and ensure proper testing of each component before moving to the next stage.

Phase 1 (Months 1-2): Foundation

• Implement MFA for all users
• Run initial Security Health Check and address Very High risks
• Establish basic login monitoring

Phase 2 (Months 3-4): Access Controls

• Complete a comprehensive permission audit
• Configure network access restrictions
• Implement automated backup for critical objects

Phase 3 (Months 5-6): Monitoring and Recovery

• Deploy advanced threat detection rules
• Conduct first full disaster recovery test
• Establish quarterly review cycles for all security practices

Ongoing Operations:

• Monthly configuration health reviews
• Quarterly access certification
• Annual security program assessment and improvement planning

Strengthen Your Salesforce Security Strategy

Modern security requires solutions that integrate seamlessly into existing workflows rather than adding complexity. The most effective approaches embed security controls directly into development and deployment processes, ensuring that security standards are maintained automatically as teams build and release changes.

Flosum provides a comprehensive platform that helps organizations implement and maintain these critical security practices within their Salesforce environments. By combining robust security controls with streamlined DevOps capabilities, teams can enforce security standards consistently while maintaining development velocity.

With FedRAMP authorization and enterprise-grade platform capabilities, Flosum offers security teams the unified tools needed to protect and monitor Salesforce environments effectively. Talk with one of our Salesforce experts to explore how the right platform can help you implement these security best practices seamlessly across your organization.