Start tracking your progress
Trailhead Home
Trailhead Home

Get to Know Marketing Cloud Security

Learning Objectives

After completing this unit, you’ll be able to:

  • Describe the types of Marketing Cloud encryption.
  • Choose the best features for your security needs.

Secure Your Data

You’ve probably heard that trust is our number one value at Salesforce. And it’s not just talk—trust is at the core of everything we do. Security is an important part of that trust—we process and store lots of data, and we want you to feel confident that we maintain and use that data in a secure and responsible way. That’s why we provide the tools and settings outlined in this unit to make sure that only authorized users (or external integrations) touch your data.

Note

Note

Some of these features require additional enablement in Marketing Cloud and can require some work before you begin using your account. These additional features allow you to customize our security offerings for your account, so plan your implementation strategy accordingly!

Choose Your Account Security Settings

Want more secure access to your account? Marketing Cloud gives you the power to go beyond a simple username and password. As part of your account configuration, you can set up extra security measures at login, like asking users to: 

Security settings also restrict the apps and information users can access in Marketing Cloud. That’s where admins come in. Marketing Cloud admins can assign roles and permissions to individuals for more granular control of access and activities, so work with your Marketing Cloud admin to fine-tune these settings and secure your account.

Know Your Passwords

Security—in any application—usually boils down to passwords. And in Marketing Cloud, that’s true as well. As a Marketing Cloud developer, you need to know two important passwords.

  • Your account password
  • The FTP password for your Marketing Cloud account

Both of these passwords are used in many automations—the account password to gain access to Marketing Cloud and authorize activities, and the FTP password to import and export data files. Remember that the entire account uses a single FTP password, so you need to make sure all users and automations are updated when changes occur. It’s also a good idea to change these passwords regularly (no less than every 90 days) to keep your account secure. And not just any password will do. Create a strong, unique password with:

  • Eight or more characters
  • Mix of letters and numbers
  • Mix of uppercase and lowercase
  • Special characters

Simplify Login with SAML and SSO

Passwords help secure our software, but we know you don’t want another password to remember. That’s why Marketing Cloud allows third-party, single sign-on (SSO) authentication via SAML 2.0. You can use Salesforce federated authentication or another service, depending on your security needs. After you activate this feature (with the correct metadata), Marketing Cloud users can securely access all the resources they need with fewer passwords. Hooray! We talk more about SSO in the next unit, so stay tuned.

Protect Your Data with Transparent Data Encryption

If you want to encrypt data within your account at rest, you can do just that with Transparent Data Encryption using SQL Server’s built-in protection technology. This solution helps you encrypt data without modifying any existing code and protects against a variety of scenarios, including stolen physical media. In other words, if someone gets their hands on the drive that contains your data, Transparent Data Encryption prevents them from decrypting and accessing the data. If you use this feature, your API requests can take a bit longer to process due to the added encryption and decryption time, but otherwise this process goes unnoticed. It’s important to note that Predictive Intelligence, Audience Builder, and Social Studio can’t use Transparent Data Encryption.

In addition to this encryption, Marketing Cloud requires secure connections for API calls and SFTP interaction. As part of these interactions, Marketing Cloud uses tenant-specific endpoints to maximize security. You can find your account’s tenant-specific endpoints in the installed package you created to allow SOAP and REST API calls. Haven’t created the installed package? Hop over to Marketing Cloud APIs to learn more. All set? You can review the installed package in the Setup menu of your Marketing Cloud account.

Track Account Activity with Audit Trail

Part of keeping your Marketing Cloud account secure is knowing who is performing what actions in your account. After you assign the proper roles and permissions to your account users, any Marketing Cloud Security Administrator can track user actions using the Audit Trail feature. The basic version of Audit Trail is available to all Marketing Cloud accounts and provides 30 days of information for all users in your account.

  • User authentication
  • IP addresses
  • Changes to users, roles, and user permissions
  • Changes to Security Settings, such as logins, password changes, and logouts

There is also an advanced version of Audit Trail which captures changes to user agents, session IDs,  and business units—plus, changes to content and data for Email Studio, CloudPages, MobilePush, and MobileConnect.

Note

Note

Contact your Marketing Cloud account manager for information on enabling the advanced version of this feature.

You can retrieve available Audit Trail information via an automated data extract in Automation Studio or via REST API calls.

In the next unit, you learn about encryption keys and how they power Marketing Cloud security features.

Resources