Skip to main content

Get to Know Marketing Cloud Engagement Security

Learning Objectives

After completing this unit, you’ll be able to:

  • Describe the types of Marketing Cloud Engagement encryption.
  • Choose the best features for your security needs.

Secure Your Data

You’ve probably heard that trust is our number one value at Salesforce. And it’s not just talk—trust is at the core of everything we do. Security is an important part of that trust—we process and store lots of data, and we want you to feel confident that we maintain and use that data in a secure and responsible way. That’s why we provide the tools and settings outlined in this unit to make sure that only authorized users (or external integrations) touch your data.


Some of these features require additional enablement in Marketing Cloud Engagement and can require some work before you begin using your account. These additional features allow you to customize our security offerings for your account, so plan your implementation strategy accordingly!

Choose Your Account Security Settings

Want more secure access to your account? Marketing Cloud Engagement gives you the power to go beyond a simple username and password. As part of your account configuration, you can set up extra security measures at login, like asking users to: 

Security settings also restrict the apps and information users can access in Marketing Cloud Engagement. That’s where admins come in. Marketing Cloud Engagement admins can assign roles and permissions to individuals for more granular control of access and activities, so work with your Marketing Cloud Engagement admin to fine-tune these settings and secure your account.

Know Your Passwords

Security—in any application—usually boils down to passwords. And in Marketing Cloud Engagement, that’s true as well. As a Marketing Cloud Engagement developer, you need to know two important passwords.

  • Your account password
  • The FTP password for your Marketing Cloud Engagement account

Both of these passwords are used in many automations—the account password to gain access to Marketing Cloud Engagement and authorize activities, and the FTP password to import and export data files. Remember that the entire account uses a single FTP password, so you need to make sure all users and automations are updated when changes occur. It’s also a good idea to change these passwords regularly (no less than every 90 days) to keep your account secure. And not just any password will do. Create a strong, unique password with:

  • Eight or more characters
  • Mix of letters and numbers
  • Mix of uppercase and lowercase
  • Special characters

Simplify Login with SAML and SSO

Passwords help secure our software, but we know you don’t want another password to remember. That’s why Marketing Cloud Engagement allows third-party, single sign-on (SSO) authentication via SAML 2.0. You can use Salesforce federated authentication or another service, depending on your security needs. After you activate this feature (with the correct metadata), Marketing Cloud Engagement users can securely access all the resources they need with fewer passwords. Hooray! We talk more about SSO in the next unit, so stay tuned.

Protect Your Data with Data at Rest Encryption

If you want to encrypt data within your account at rest, you can do just that with Data at Rest Encryption. This solution helps you encrypt data without modifying any existing code and protects against a variety of scenarios, including stolen physical media. In other words, if someone gets their hands on the drive that contains your data, Data at Rest Encryption prevents them from decrypting and accessing the data. This feature is transparent to Marketing Cloud Engagement and does not impact any application-level features.


These features store data in different locations, which prevents Data at Rest Encryption from implementing that data.

  • Predictive Intelligence
  • Audience Builder

In addition to this encryption, Marketing Cloud Engagement requires secure connections for API calls and SFTP interaction. As part of these interactions, Marketing Cloud Engagement uses tenant-specific endpoints to maximize security. You can find your account’s tenant-specific endpoints in the installed package you created to allow SOAP and REST API calls. Haven’t created the installed package? Hop over to Marketing Cloud Engagement APIs to learn more. All set? You can review the installed package in the Setup menu of your Marketing Cloud Engagement account.

Track Account Activity with Audit Trail

Part of keeping your Marketing Cloud Engagement account secure is knowing who is performing what actions in your account. After you assign the proper roles and permissions to your account users, any Marketing Cloud Engagement Security Administrator can track user actions using the Audit Trail feature. The basic version of Audit Trail is available to all Marketing Cloud Engagement accounts and provides 30 days of information for all users in your account.

  • User authentication
  • IP addresses
  • Changes to users, roles, and user permissions
  • Changes to Security Settings, such as logins, password changes, and logouts

There is also an advanced version of Audit Trail which captures changes to user agents, session IDs,  and business units—plus, changes to content and data for Email Studio, CloudPages, MobilePush, and MobileConnect.


Contact your Marketing Cloud Engagement account executive for information on enabling the advanced version of this feature.

You can retrieve available Audit Trail information via an automated data extract in Automation Studio or via REST API calls.

In the next unit, you learn about encryption keys and how they power Marketing Cloud Engagement security features.


Keep learning for
Sign up for an account to continue.
What’s in it for you?
  • Get personalized recommendations for your career goals
  • Practice your skills with hands-on challenges and quizzes
  • Track and share your progress with employers
  • Connect to mentorship and career opportunities