Sharing and Visibility Designer - Quick Notes (By 0to1Code.Com)
Salesforce Security Basics
Phishing and Malware: A way to get data from a user, such as username and password.
Security Health Check: Use this tool to see the health of the org using Salesforce standards. We can create our own custom standards.
Auditing:
1. Record Modification Fields
2. Login History
3. Field History Tracking
4. Setup Audit Trail
Salesforce Shield:
1. Platform Encryption: Shield
2. Event Monitoring: Who imported report, visit links, etc.
3. Field Audit Trail: Up to 10 years of data
Transaction Security Policies
Ex:
A user with five current sessions tries to log in for a sixth session.
An administrator who is already logged in tries to log in a second time.
Retrieves more than 2,000 lead records
Takes more than one second to complete
Elements of User Authentication
Passwords: Policies, Expire password for all, Reset password, Unlock users
Cookies: To session Id
Single Sign-On
1. Federated authentication using Security Assertion Markup Language (SAML)
2. Delegated authentication.
-------
1. Identity Providers: Provide the identity
2. Service Providers: Request for the identity
My Domain:
Highlight your business identity with your unique domain URL
Block or redirect page requests that don’t use the new domain name
Work in multiple Salesforce orgs at the same time
Set custom login policy to determine how users are authenticated
Let users log in using a social account, like Google and Facebook, from the login page
Allow users to log in once to access external services
Two-Factor Authentication: Second level of security to log in, access reports and connected apps. Users can use the Salesforce Authenticator app or the Google Authenticator app.
Network-Based Security: Profile and Org wise IP whitelisting
Device Activation:
1. Push notification or location-based automated using mobile app
2. U2F security key registered with the user’s account
3. Verification code generated by a mobile authenticator app connected to the user’s account
4. Verification code sent via SMS to the user’s verified mobile device
5. Verification code sent via email to the user’s registered email address
Session Security: You can control whether your org stores user logins and whether they can appear from the Switcher with the settings Enable caching and autocomplete on login page, Enable user switching, and Remember me until logout.
Custom Login Flows
Connected Apps: Uses OAuth and SAML
Desktop Client Access: Connect Offline and Connect for Office. Users must have the API Enabled permission to use these apps.
Configure User Authentication
Restrict Where and When Users Can Log In to Salesforce:
1. Login Hours
2. 2FA for UI and API Login
3. Enforce login IP ranges on every request.
4. Org-wide Trusted IP Ranges
Login Flow: Check Login Hours -> 2FA -> Check IPs
Set Password Policies: User passwords expire in, Enforce password history, Minimum password length, Password complexity requirement, Password question requirement, Maximum invalid login attempts, Lockout effective period, Obscure secret answer for password resets, Require a minimum 1 day password lifetime, Allow use of setPassword() API for self-resets
Expire all user passwords: Except those users with the “Password Never Expires” permission.
High Assurance session required: Report and Connected app get 2FA
Login Flows: VF and Flows