Choose the Right Salesforce Security Settings

Learning Objectives

After completing this unit, you’ll be able to:

  • Name the built-in security features you can leverage in Salesforce now.
  • Describe how multitenancy protects your org’s security.
  • Distinguish between monitoring and auditing.
  • Describe what determines which user sees what data.

Layers of Security

Protecting your data is a joint responsibility between you and Salesforce. The security features in Salesforce enable you to help your users do their jobs efficiently, without getting in their way any more than necessary.

Your Security Team

As a Salesforce admin, you’re automatically on your company’s security team. Security is the foundation of the entire Salesforce service. Not only are your data and applications protected, but you can build your own security scheme tailored to the needs of your organization.

Many layers of Salesforce security work together to keep your business safe. Your data is protected from unauthorized access from outside your company, and you also want to safeguard it from inappropriate usage by your own users. We take care of keeping your data stored where bad guys can’t get at it, and we protect it as it moves over the network. You keep track of your users, making sure the right users can work with the right data. Together we train your users to keep their data safe.

Salesforce security is a multi-layered foundation

You can activate features built into the platform to make the experience as secure as possible for your company. No security strategy or feature is bullet-proof. But shoring up your implementation with these capabilities decreases the likelihood that your org might be compromised, and may help reduce data loss even if it is.

Activating and using the turnkey features in Salesforce is the best way to get started on bolstering the security of your implementation. Go ahead and do the easy stuff right away. Criminals don’t let the low-hanging fruit hang. You shouldn’t either!


Salesforce is a multitenant platform: It uses a single pool of computing resources to service the needs of many different customers. Salesforce protects your org’s data from all other customer orgs by using a unique identifier, which is associated with each user’s session. When you log in to your org, your subsequent requests are associated with your org using this identifier.

Salesforce uses some of the most advanced technology for internet security available. When you access the application using a Salesforce-supported browser, Transport Layer Security (TLS) technology protects your information using both server authentication and classic encryption, ensuring that your data is safe, secure, and available only to registered users in your org.

In addition, Salesforce is hosted in secure server environments that use firewalls and other advanced technology to prevent interference or access from outside intruders.

Let the Right Users In

One powerful way to up your Salesforce org’s security is to require a second level of authentication when users log in. Users can respond to a notification from the Salesforce Authenticator mobile app, or they enter a code they get from their phone or a hardware token. This way, even if a user’s credentials are compromised, the user’s account can still be protected.

Require Multiple Kinds of Authentication

Salesforce makes it easy to set up multi-factor authentication through Salesforce Authenticator, which you can configure right from Setup. To minimize the burden on users, consider setting up multi-factor authentication just for some profiles, like for admins or users who have access to sensitive data, such as billing details.

Restrict the IP Addresses Users Can Log In From

Consider requiring users to log in to Salesforce from an IP address in an approved range of addresses. This usually means the addresses that belong to your corporate VPN. Anyone who tries to log in to Salesforce from outside the designated range of addresses can’t get in. This way, a malicious actor who steals login credentials via phishing or some other kind of attack still can’t use them outside of your corporate network. You can set up trusted IP address ranges for your whole org or for specific user profiles.

Deactivate Ex-Users

These days people change jobs more than ever. Your Salesforce users are constantly changing and shifting as people leave the company and new users are added all the time. When a user no longer works for the company, security is in your hands. Get users deactivated as soon as possible so that they can no longer use their Salesforce credentials to log in to your org.

Limit What Users Can Do

Several layers of access and control determine “who sees what” and “who can do what” in a Salesforce org. If you have multiple Salesforce orgs, separately configure these controls in each org.

What Can They Do?

You can restrict access to certain types of resources based on the level of security associated with the authentication (login) method for the user’s current session. By default, each login method has one of two security levels: standard or high assurance. You can change the session security level and define policies so that the specified resources are available only to users with a high assurance level.

What Have They Done?

Field Audit Trail lets you define a policy to retain archived field history data up to 10 years, independent of field history tracking. This feature helps you comply with industry regulations related to audit capability and data retention. The setup audit trail history tracks the recent setup changes that you and other admins have made to your org. Audit history can be especially useful in organizations with multiple administrators.

Here's a video that describes how you can control who can do what in your organization.

Even More Security Options

Encrypt Your Data

Platform Encryption gives your data a whole new layer of security while preserving critical platform functionality. The data you select is encrypted at rest using an advanced key derivation system. You can protect data at a more granular level than ever before, so your company can confidently comply with privacy policies, regulatory requirements, and contractual obligations for handling private data.

Platform Encryption is part of Salesforce Shield, a package of powerful add-on security features.

Trigger Automatic Actions on Security Events

Transaction Security policies evaluate activity using events you specify. For each policy, you define real-time actions, such as send a notification, block, force multi-factor authentication, or choose a session to end.

For example, suppose that you activate the policy to limit the number of concurrent sessions per user. In addition, you change the policy to email you when the policy is triggered. You also update the policy’s Apex implementation to limit users to three sessions instead of the default five sessions. All that’s easier than it sounds. Later, someone with three login sessions tries to create a fourth. The policy prevents that and requires the user to end one of the existing sessions before proceeding with the new session. At the same time, you are notified that the policy was triggered.

Transaction Security is part of Salesforce Shield, a package of powerful add-on security features.

Monitor Events in Your Org

Event Monitoring allows you to access event log files to track user activity and feature adoption and troubleshoot issues. You can also integrate the data log with your own data analysis tool.

Event Monitoring is part of Salesforce Shield, a package of powerful add-on security features.

Keep learning for
Sign up for an account to continue.
What’s in it for you?
  • Get personalized recommendations for your career goals
  • Practice your skills with hands-on challenges and quizzes
  • Track and share your progress with employers
  • Connect to mentorship and career opportunities