How to be a Security Minded Admin by Chris Zullo
TRANSCRIPT
![Page 1: How to be a Security Minded Admin by Chris Zullo](https://reader031.vdocument.in/reader031/viewer/2022020410/5888d9f21a28aba1058b6379/html5/thumbnails/1.jpg)
Boston World Tour 2016
How to be a Security-Minded Admin
Chris Zullo, Manager, Acumen Solutions | Salesforce [email protected] | @chriszullo
![Page 2: How to be a Security Minded Admin by Chris Zullo](https://reader031.vdocument.in/reader031/viewer/2022020410/5888d9f21a28aba1058b6379/html5/thumbnails/2.jpg)
Salesforce Org Security
• Organization Access: IP Ranges, Login Hours, 2FA
• Organizational Wide Default: OWD
• Profiles: Object Access, Types of Profiles
• Roles: Record Access, Role Hierarchy
• Field Access: Field Level Security
• Best Practices: Resources, Tips
![Page 3: How to be a Security Minded Admin by Chris Zullo](https://reader031.vdocument.in/reader031/viewer/2022020410/5888d9f21a28aba1058b6379/html5/thumbnails/3.jpg)
Login IP Ranges
• Limit IP addresses that users can log into Salesforce from (by profile)
• Can restrict by login or on every request
• Lock sessions to the IP address they started on
• These features ensure that if a malicious actor steals credentials they cannot use them away from your corporate networks
• Working from home/road – VPN login
![Page 4: How to be a Security Minded Admin by Chris Zullo](https://reader031.vdocument.in/reader031/viewer/2022020410/5888d9f21a28aba1058b6379/html5/thumbnails/4.jpg)
What is Two-Factor Authentication?
![Page 5: How to be a Security Minded Admin by Chris Zullo](https://reader031.vdocument.in/reader031/viewer/2022020410/5888d9f21a28aba1058b6379/html5/thumbnails/5.jpg)
Organizational Wide Default (OWD)
Determines what access and permissions users have to records they don't own.
Cannot grant more access to users than they have through their object permissions.
For most objects, organization-wide settings can be set to:
• Public Read/Write/Transfer
• Public Read/Write
• Public Read Only
• Private
Setup > Security Controls > Sharing Settings
![Page 6: How to be a Security Minded Admin by Chris Zullo](https://reader031.vdocument.in/reader031/viewer/2022020410/5888d9f21a28aba1058b6379/html5/thumbnails/6.jpg)
Profiles: What a User Can Do
• Set whether fields are visible, required, editable, or read only
• Controls tab visibility
• Controls app availability
• Controls object permissions (Create, Read, Edit, Delete)
• Setup > Manage Users > Profile
![Page 7: How to be a Security Minded Admin by Chris Zullo](https://reader031.vdocument.in/reader031/viewer/2022020410/5888d9f21a28aba1058b6379/html5/thumbnails/7.jpg)
Roles: What a User Can See
• Hierarchy examples:
  • Company size
  • Product-based
  • Territory
Setup > Manage Users > Roles
![Page 8: How to be a Security Minded Admin by Chris Zullo](https://reader031.vdocument.in/reader031/viewer/2022020410/5888d9f21a28aba1058b6379/html5/thumbnails/8.jpg)
Field Level Access
Setup > Security Controls > Field Accessibility
View accessibility by:
1. Object
2. Fields
3. Profiles
Field access options:
4. Editable
5. Read-only
6. Hidden
![Page 9: How to be a Security Minded Admin by Chris Zullo](https://reader031.vdocument.in/reader031/viewer/2022020410/5888d9f21a28aba1058b6379/html5/thumbnails/9.jpg)
Controlling Access to Records
![Page 10: How to be a Security Minded Admin by Chris Zullo](https://reader031.vdocument.in/reader031/viewer/2022020410/5888d9f21a28aba1058b6379/html5/thumbnails/10.jpg)
Key Principles – The Human Factor
• Limit the number of users with admin rights
• Provide users with the minimum access needed to do their job
• Create a rigorous process for user termination/deactivation
• Basic security training for all users on credential/password security, phishing, and social engineering
• Trailhead for ongoing, role-focused education: https://developer.salesforce.com/trailhead
• Effective security requires cross-org communication
![Page 11: How to be a Security Minded Admin by Chris Zullo](https://reader031.vdocument.in/reader031/viewer/2022020410/5888d9f21a28aba1058b6379/html5/thumbnails/11.jpg)
Next Steps
![Page 12: How to be a Security Minded Admin by Chris Zullo](https://reader031.vdocument.in/reader031/viewer/2022020410/5888d9f21a28aba1058b6379/html5/thumbnails/12.jpg)
Key Takeaways: Check your Security Settings!
Activate and use turnkey security features:
• Enable two-factor authentication
• Activate Login IP Ranges
• Deactivate users in a timely manner (freeze them first!)
Consider the human factor when training Salesforce users:
• Password security
• Emails / phishing
![Page 13: How to be a Security Minded Admin by Chris Zullo](https://reader031.vdocument.in/reader031/viewer/2022020410/5888d9f21a28aba1058b6379/html5/thumbnails/13.jpg)
Resources & Tips
• Trailhead: Data Security module
• Who Sees What video series (YouTube)
• Create a Salesforce Force Field for Your Users
• Security Implementation Guide
• ButtonClickAdmin.com
• Freeze vs. Delete: You can't delete a user, but you can deactivate an account so a user can no longer log in
• TIP: When object- versus record-level permissions conflict, the most restrictive settings win
• TIP: Use Delegated Access to log in as another user to help troubleshoot.
![Page 14: How to be a Security Minded Admin by Chris Zullo](https://reader031.vdocument.in/reader031/viewer/2022020410/5888d9f21a28aba1058b6379/html5/thumbnails/14.jpg)
Thank you
![Page 15: How to be a Security Minded Admin by Chris Zullo](https://reader031.vdocument.in/reader031/viewer/2022020410/5888d9f21a28aba1058b6379/html5/thumbnails/15.jpg)
Chris Zullo
Triad (NC) Developer Group Leader, MVP
Manager, Acumen Solutions | [email protected] | @chriszullo
![Page 16: How to be a Security Minded Admin by Chris Zullo](https://reader031.vdocument.in/reader031/viewer/2022020410/5888d9f21a28aba1058b6379/html5/thumbnails/16.jpg)
Appendix: Additional Resources
![Page 17: How to be a Security Minded Admin by Chris Zullo](https://reader031.vdocument.in/reader031/viewer/2022020410/5888d9f21a28aba1058b6379/html5/thumbnails/17.jpg)
Organization Access
By default, your active users can log in to your org from any location at any hour. For increased security you can set up:
• IP Ranges (Company/Org Level): users logging in outside the range are sent an activation code to the email address on their user record. Setup > Security Controls > Network Access
• Login Hours: specify the hours users can log into your org. Setup > Manage Users > Profiles > Select Profile > Login Hours
• Freeze User Accounts: Setup > Manage Users > Users | Select user > Click Freeze
![Page 18: How to be a Security Minded Admin by Chris Zullo](https://reader031.vdocument.in/reader031/viewer/2022020410/5888d9f21a28aba1058b6379/html5/thumbnails/18.jpg)
Permission Sets: Extending your existing Profiles
• Manage Permission Sets: Setup > Manage Users > Permission Sets
• Assign Permission Sets: Permission Sets > Manage Assignments > Add Assignments > Select User(s) > Assign
![Page 19: How to be a Security Minded Admin by Chris Zullo](https://reader031.vdocument.in/reader031/viewer/2022020410/5888d9f21a28aba1058b6379/html5/thumbnails/19.jpg)
Sharing Rules
Allow users to see/edit data they don't own in an otherwise private setup. Sharing Rules are set by your System Administrator: Setup > Security Controls > Sharing Settings
Manual Sharing allows record owners to give Read and Edit permissions to users or to users in a Public Group.
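Pulling together the OWD, Profiles, Roles, Permission Sets and Sharing Rules slides and the tip that the most restrictive setting wins, here is an added example (not from the presentation or from Salesforce) that models how these layers combine into one user's effective access to a record. Every user, role, object and rule in it is constructed sample data, and it assumes "Grant Access Using Hierarchies" is on.

```python
# Added example, not from the slides: how Salesforce's access layers (profile and
# permission-set object permissions, OWD, role hierarchy, sharing rules, manual
# sharing) combine into one user's effective access. All data is constructed.
LEVEL = {"None": 0, "Read": 1, "Edit": 2}
OWD_GRANT = {"Private": "None", "Public Read Only": "Read",
             "Public Read/Write": "Edit", "Public Read/Write/Transfer": "Edit"}

# Role hierarchy, role -> roles below it ("Grant Access Using Hierarchies" assumed on).
ROLE_BELOW = {"CEO": {"VP_Sales", "Sales_Rep"}, "VP_Sales": {"Sales_Rep"}, "Sales_Rep": set()}
OWD = {"Account": "Public Read Only", "Opportunity": "Private"}
# user -> (role, profile object permissions, permission sets' object permissions)
USERS = {
    "ann": ("Sales_Rep", {"Account": {"Read", "Edit"}, "Opportunity": {"Read", "Edit"}}, []),
    "bob": ("Sales_Rep", {"Account": {"Read"}, "Opportunity": {"Read"}}, []),
    "viv": ("VP_Sales", {"Account": {"Read", "Edit"}, "Opportunity": {"Read", "Edit"}}, []),
    "sam": ("Sales_Rep", {"Account": {"Read"}}, [{"Opportunity": {"Read"}}]),
    "guy": ("Sales_Rep", {"Account": {"Read"}}, []),
}
# Admin-defined sharing rules: (object, owner's role, shared-to role, level granted).
SHARING_RULES = [("Opportunity", "Sales_Rep", "Sales_Rep", "Read")]
# record -> (object, owner, manual shares granted by the owner {user: level})
RECORDS = {"opp1": ("Opportunity", "ann", {"bob": "Edit"}),
           "acct1": ("Account", "ann", {})}

def object_level(user, obj):
    """Profile permissions, extended (never reduced) by assigned permission sets."""
    _, profile, psets = USERS[user]
    perms = set(profile.get(obj, ()))
    for ps in psets:
        perms |= set(ps.get(obj, ()))
    return "Edit" if "Edit" in perms else "Read" if "Read" in perms else "None"

def record_level(user, rec):
    """Widest access the sharing model grants on the record, before object checks."""
    obj, owner, shares = RECORDS[rec]
    if owner == user:
        return "Edit"
    role, owner_role = USERS[user][0], USERS[owner][0]
    grants = [OWD_GRANT[OWD[obj]], shares.get(user, "None")]
    if owner_role in ROLE_BELOW[role]:          # managers inherit subordinates' access
        grants.append("Edit")
    grants += [lvl for o, frm, to, lvl in SHARING_RULES
               if o == obj and frm == owner_role and to == role]
    return max(grants, key=LEVEL.get)

def effective_access(user, rec):
    """Sharing can widen record access, but never beyond the object permission."""
    obj = RECORDS[rec][0]
    return min(object_level(user, obj), record_level(user, rec), key=LEVEL.get)
```

Note how bob is manually shared Edit on opp1 but still only gets Read, because his profile only grants Read on Opportunity, and guy gets nothing from the sharing rule because he has no object permission at all.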
![Page 20: How to be a Security Minded Admin by Chris Zullo](https://reader031.vdocument.in/reader031/viewer/2022020410/5888d9f21a28aba1058b6379/html5/thumbnails/20.jpg)
Login IP Ranges
• Recommended and available for all customers
• Only access Salesforce from a designated set of IP ranges
• Two levels:
  • Org-level Trusted IP Ranges (permissive)
  • Profile-level Login IP Ranges (restrictive)
Enterprise, Unlimited, Performance, Developer: Manage Users | Profiles
Contact Manager, Group, Professional: Security Controls | Session Settings
For more info, search Help & Training
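As an added example (not from the presentation or from Salesforce), the following models the decision described across the two Login IP Ranges slides and the Organization Access slide: a login from a source address is allowed, denied, or challenged with an activation code depending on which level of range it falls outside, login hours are checked, and an established session can be locked to its IP or re-checked on every request. All addresses, ranges and times are constructed.

```python
# Added example, not from the slides: a model of how profile Login IP Ranges
# (restrictive), org Trusted IP Ranges (permissive), profile login hours and
# session locking combine. Ranges are (start, end) address pairs as Salesforce
# stores them; every address, range and time below is constructed sample data.
import ipaddress
from datetime import datetime

def in_ranges(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in ranges)

def login_decision(ip, when, profile_ip_ranges, trusted_ip_ranges,
                   login_hours=None, verified_device=False):
    """Return (outcome, reason); outcome is "deny", "challenge" or "allow".
    login_hours maps a weekday ("Mon", ...) to (start_hour, end_hour); a day
    without an entry is unrestricted (simplifying assumption)."""
    day = when.strftime("%a")
    if login_hours and day in login_hours:
        start, end = login_hours[day]
        if not start <= when.hour < end:
            return "deny", "outside profile login hours"
    if profile_ip_ranges:                       # restrictive: outside = login fails
        if not in_ranges(ip, profile_ip_ranges):
            return "deny", "outside profile login IP ranges"
        return "allow", "inside profile login IP ranges"
    if verified_device or in_ranges(ip, trusted_ip_ranges):
        return "allow", "trusted network or previously verified device"
    return "challenge", "activation code sent to the user's email"  # permissive level

def request_allowed(session_ip, request_ip, profile_ip_ranges,
                    lock_to_ip=False, enforce_every_request=False):
    """Checks on an established session: lock it to the IP it started on, and
    optionally re-check profile ranges on every request rather than only at login."""
    if lock_to_ip and session_ip != request_ip:
        return False
    if enforce_every_request and profile_ip_ranges \
            and not in_ranges(request_ip, profile_ip_ranges):
        return False
    return True

# Constructed sample data (documentation address blocks, not real networks).
OFFICE = [("203.0.113.0", "203.0.113.255")]
VPN = [("198.51.100.10", "198.51.100.20")]
HOURS = {d: (8, 18) for d in ("Mon", "Tue", "Wed", "Thu", "Fri")}
TUE_10AM = datetime(2016, 6, 14, 10, 0)
TUE_10PM = datetime(2016, 6, 14, 22, 0)
```

Adding the VPN range to the profile ranges is what makes the "working from home/road" case pass without weakening the office restriction.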
![Page 21: How to be a Security Minded Admin by Chris Zullo](https://reader031.vdocument.in/reader031/viewer/2022020410/5888d9f21a28aba1058b6379/html5/thumbnails/21.jpg)
Password Security
• Activate password complexity and rotation rules
  • Password expiration/reset every 90 days
  • Password length at least 8-10 characters
  • Password complexity: mix alpha and numeric characters
• User education
  • No password/credential sharing
  • Discourage password reuse across services
  • Use a strong password manager (example: LastPass)
• Utilize two-factor authentication (2FA) and single sign-on (SSO)
![Page 22: How to be a Security Minded Admin by Chris Zullo](https://reader031.vdocument.in/reader031/viewer/2022020410/5888d9f21a28aba1058b6379/html5/thumbnails/22.jpg)
Phishing Education
• Pervasive and effective attack vector for installing malware
• Education is key to prevention
• https://trust.salesforce.com - recent threats
• If unsure about a Salesforce email, ask us via [email protected]
• Don't open attachments that are unexpected or from unknown senders
![Page 23: How to be a Security Minded Admin by Chris Zullo](https://reader031.vdocument.in/reader031/viewer/2022020410/5888d9f21a28aba1058b6379/html5/thumbnails/23.jpg)
User Deactivation
• Deactivate users as soon as possible
• Removes login access while preserving historical activity and records
• Sometimes users cannot be deactivated: assign a new user or reassign approval responsibility first
• Know your IT department's termination process
Best practice: Freeze users first!
From Setup, click Manage Users | Users. Click Edit next to a user's name. Deselect the Active checkbox and then click Save.
![Page 24: How to be a Security Minded Admin by Chris Zullo](https://reader031.vdocument.in/reader031/viewer/2022020410/5888d9f21a28aba1058b6379/html5/thumbnails/24.jpg)
Two-Factor Authentication (2FA)
• Provides an extra layer of security beyond a password
• If a user's credentials are compromised, they are much harder to exploit
• Requires a numeric token on login
• The token can be received via app, SMS, email, or hardware (YubiKey)
![Page 25: How to be a Security Minded Admin by Chris Zullo](https://reader031.vdocument.in/reader031/viewer/2022020410/5888d9f21a28aba1058b6379/html5/thumbnails/25.jpg)
Step-by-Step Guidance for Admins
• Try the 2FA Walkthrough created by the Salesforce Docs team
• Title: "Walk Through It: Secure Logins with a Two Factor Authentication"
• Shows you how to set up 2FA in an org
• Only in "Classic", but if configured, applies to users assigned the permission in Classic or Lightning Experience
• 2FA Walkthrough Link
![Page 26: How to be a Security Minded Admin by Chris Zullo](https://reader031.vdocument.in/reader031/viewer/2022020410/5888d9f21a28aba1058b6379/html5/thumbnails/26.jpg)
2FA Setup: Step 1
Create a permission set titled "Two Factor Authentication": Name | Setup | Manage Users | Permission Sets | New
![Page 27: How to be a Security Minded Admin by Chris Zullo](https://reader031.vdocument.in/reader031/viewer/2022020410/5888d9f21a28aba1058b6379/html5/thumbnails/27.jpg)
2FA Setup: Step 2
Select the "Two-Factor Authentication for User Interface Logins" permission and save this permission set.
Now assign this permission set to the required user by clicking: Manage Assignment | Add Assignments | Select users | Assign
![Page 28: How to be a Security Minded Admin by Chris Zullo](https://reader031.vdocument.in/reader031/viewer/2022020410/5888d9f21a28aba1058b6379/html5/thumbnails/28.jpg)
2FA Setup: Step 3
Upon the next login, users will come across the following prompt: