By Francis Scudellari
Data is the lifeblood of your CRM. Without good data, your automated processes and analytics become pale shades of what they could be. Without it, your organization can’t grow and flourish. Keeping that data secure is as vitally important as obtaining it.
Most organizations choose Salesforce because of its reputation for reliability, and Salesforce does a great job of maintaining a high level of security on its servers, but there are additional measures system administrators can take to further lock down their data. Over the past year Salesforce has released enhancements to security to help administrators do just that, whether by quickly taking access away from former users or keeping it away from black-hat hacks.
In a networked world where the need for security is quickly gaining an equal footing with the desire for convenience, and the stories of data breaches, trap doors and vulnerabilities proliferate, more enhancements are sure to come.
We would all like to think that our organization’s most-valued staff will never leave us, and when they do we hope the transition is well fplanned out and painless. The reality is that we can’t plan for every departure, and the details of replacing someone, especially our administrators and power users, can get messy. Life throws better curves than Clayton Kershaw.
Have you ever tried to deactivate a user license, but couldn’t right away because the user was set up as the Default Workflow User, or was referenced in a Custom Hierarchy field? “Freezing” the user is your best option when you need to immediately prevent someone from logging in while sorting out these extra steps to deactivate their user account. Just go to the user’s detail page and press the Freeze button.
Keep in mind that freezing a user does not free up the license allocated to them in the same way that deactivating them does. You won’t be able to reassign that license until the user deactivation is complete.
I’ve also found that freezing users can come in handy as a way to temporarily block access while performing system upgrades, such as converting to the new Household Account model in the Nonprofit Starter Pack. You can’t easily freeze large groups of users in the Setup interface, but you can use an ETL tool such as the Apex Data Loader to batch update the IsFrozen field on the User Login object.
Let’s face it, users can be pretty lax about how they enter passwords. You can set password policies in Salesforce to insure they’re not entering “123456” or “password”, but even with stronger passwords there are vulnerabilities. For example, what if someone uses the same password for all of their online accounts?
Salesforce offers risk-based authentication to help mitigate such a scenario. Whenever a user tries to log in from an unrecognized device, Salesforce will require they enter a security token to confirm identity. Ideally the user would choose to have this token texted to their mobile device, but many choose to email it instead, and email accounts can be compromised by hackers.
Two-factor authentication is an extra level of security you can add to insure that if passwords and email accounts fall into the wrong hands, your data won’t also end up there. By assigning the “Force two-factor authentication on UI login” permission to a user profile, you can always require entry of a time-based token in addition to a username and password. The tokens can be generated from any mobile device using the Salesforce Authenticator app.
Besides applying two-factor authentication at the user profile level, you can also assign a Two-Factor, High Assurance policy for specifically protecting access to resources such as Reports & Dashboards or Connected Apps.
The Salesforce video Enhancing Security with Two Factor Authentication does a really good job of demonstrating both of these applications.
Login Flows, a feature added with the Winter 15 release, is another way you can augment your organization’s security policies.
Login Flows allow you to design custom business processes in the Flow Designer that are invoked when users with associated Profiles log in. The Flow assigned applies to all the ways that the Profile can access the Salesforce platform, and it works not just with the standard username-password authentication, but with Single Sign On and Social Sign-on.
Login Flows are a great way to customize the login experience for different types of users, and part of that customization can be to add an extra layer of security. For example, you could require the two-factor authentication described above for certain login scenarios.
You could also use a Login Flow to ask a secret question of the user whenever they authenticate, or you could use it to send notifications to your system administrator when a user logs in from an IP outside your trusted range or after business hours.
To get a much fuller understanding of the power of Login Flows, including the steps to create the types of Flows described above, check out this great article from Developer Force.
You might be interested in these related posts: