Connor Jackson

Hardening Your Salesforce Organisation

It’s well known that Salesforce, like most cloud platforms, operates under a shared responsibility model when it comes to security. While Salesforce takes care of the infrastructure and core platform, customers are responsible for how they configure and manage access within their own orgs.

Thankfully, Salesforce gives you plenty of tools to do this—everything from permission sets to monitoring tools. But with that flexibility comes risk. A poorly configured org can leave you open to threats like data exfiltration, unauthorised access, and social engineering.

The good news? You can reduce this risk with a few simple steps. Below are some key actions you can take today to strengthen your Salesforce security posture. This isn’t a full list, but it’s a practical place to start.


🌐 Enforce IP-Based Access Restrictions

Start by locking down where users can log in from. Salesforce lets you define login IP ranges on profiles and IP-restriction policies on Connected Apps. A login from outside those ranges is rejected, so a password that has been phished, guessed or replayed from a credential dump is of little use to an attacker who is not on your network or corporate VPN egress.

Two caveats worth knowing. First, the org-wide Trusted IP Ranges under Network Access do not block logins; they only skip the identity-verification step, so it is the profile-level ranges that actually enforce. Second, by default the check happens only at login. If you also want an established session to be cut off when it moves off-network, enable "Enforce login IP ranges on every request" under Session Settings.

Done properly, this is one of the simplest ways to blunt brute force, credential stuffing and phishing: the attacker may hold a valid password but cannot use it from where they are.
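Salesforce stores each login IP range as a start and end address rather than a CIDR prefix, which is where most hand-maintained allowlists go wrong. The script below is an added example, not code from the original post: it converts a constructed CIDR allowlist into the Metadata API Profile `loginIpRanges` shape, and refuses to emit any range broader than an assumed `/16` cut-off, since a range like `0.0.0.0/0` quietly disables the control.

```python
"""Convert CIDR allowlists into Salesforce profile login IP ranges and sanity-check them.

Added example (not from the original post). Assumes the Metadata API Profile
format, where each loginIpRanges entry carries startAddress/endAddress rather
than a CIDR prefix. The CIDR list and the /16 cut-off are constructed assumptions.
"""
import ipaddress
from xml.etree import ElementTree as ET

# Constructed corporate egress list: description -> CIDR (assumption, not real data).
CORP_EGRESS = {
    "HQ office": "203.0.113.0/24",
    "Corporate VPN egress": "198.51.100.16/28",
}

# Anything wider than this prefix no longer meaningfully restricts where logins come from.
MIN_PREFIX = 16


def cidr_to_range(cidr: str) -> tuple[str, str]:
    """Return the (startAddress, endAddress) pair Salesforce expects for a CIDR."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.broadcast_address)


def overly_broad(cidr: str, min_prefix: int = MIN_PREFIX) -> bool:
    """True if the range is so wide that it would let in most of the internet."""
    return ipaddress.ip_network(cidr, strict=True).prefixlen < min_prefix


def profile_login_ip_ranges_xml(egress: dict[str, str]) -> str:
    """Render a Profile metadata fragment with one loginIpRanges element per CIDR.

    Raises ValueError instead of emitting a range that fails the breadth check,
    so an accidental 0.0.0.0/0 never reaches a deployment.
    """
    ns = "http://soap.sforce.com/2006/04/metadata"
    profile = ET.Element("Profile", xmlns=ns)
    for description, cidr in egress.items():
        if overly_broad(cidr):
            raise ValueError(f"{description}: {cidr} is broader than /{MIN_PREFIX}; refusing to emit")
        start, end = cidr_to_range(cidr)
        rng = ET.SubElement(profile, "loginIpRanges")
        ET.SubElement(rng, "description").text = description
        ET.SubElement(rng, "endAddress").text = end
        ET.SubElement(rng, "startAddress").text = start
    return ET.tostring(profile, encoding="unicode")


if __name__ == "__main__":
    # Paste the output into the relevant Profile .profile-meta.xml before deploying.
    print(profile_login_ip_ranges_xml(CORP_EGRESS))
```

The breadth check is the part to keep even if you build the XML some other way: review any range wider than your real egress, and remember that a Connected App can relax IP restrictions independently of the profile.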


🔐 Apply Least Privilege—Especially for Data Tools

Don't give users more access than they need. It sounds obvious, but it is often overlooked, especially for tools like Data Loader.

Data Loader needs the "API Enabled" user permission, and that permission is not specific to Data Loader: it lets any API client (Workbench, the sf CLI, a script with a stolen session) read and write data in bulk, which is exactly what an exfiltration attempt looks like. Grant it only to the people and integration users who genuinely need it, and review the grants regularly. The quickest check is to query PermissionSetAssignment for permission sets where PermissionsApiEnabled is true; profile-granted permissions show up there too, via the profile's underlying permission set, so the query catches both routes.

Review your profiles and permission sets on a schedule and be ruthless about what is essential.


🔌 Control Connected App Access

External apps can be a blind spot. Tools like Data Loader and other integrations connect through Connected Apps, and a user who can authorise an arbitrary OAuth client can hand their access to whatever that client is. Make sure you are controlling who can authorise and manage these apps.

Restrict the high-risk permissions that let a user create, approve or manage these apps, such as "Manage Connected Apps" and, once API Access Control is turned on, "Use Any API Client". Only admins who genuinely need these rights should have them. You can also introduce an app review process and allowlist known, safe tools: API Access Control limits API calls to connected apps you have explicitly approved, and each app's OAuth policy can be set so that only admin-approved users are pre-authorised.


🔍 Use Salesforce Shield for Monitoring

Salesforce Shield offers tools to monitor suspicious behaviour and enforce policies. Event Monitoring is the place to start: it exposes login, API, report export and similar activity as event log files, which is the visibility you need to spot a user pulling far more data than their role explains. Transaction Security policies sit on top of the same events and can notify or block in real time. Even without Shield, Login History and the Setup Audit Trail are available to every org and are worth reviewing.

You can also feed these logs into your existing SIEM or monitoring platform.
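To show what "suspicious behaviour" looks like in these logs, here is an added example (not code from the original post) that triages three small event log files. The CSV samples are constructed and use only a subset of the real Login, API and ReportExport columns; the allowed networks and the thresholds are assumptions. The API check also serves the earlier point about "API Enabled": a user moving tens of thousands of rows through the API is the signal that permission review should have prevented.

```python
"""Triage Salesforce Event Monitoring log lines for off-network logins and bulk data pulls.

Added example (not from the original post). Event log files are CSV, one event
type per file; the three samples below are constructed and use a subset of the
real Login, API and ReportExport columns. Allowlist and thresholds are assumptions.
"""
import csv
import io
import ipaddress
from collections import defaultdict

ALLOWED_NETS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.16/28")]
API_ROW_THRESHOLD = 50_000         # rows processed per user within one log file
REPORT_EXPORT_THRESHOLD = 3        # report exports per user within one log file

# Constructed sample data (not real org logs).
LOGIN_CSV = """EVENT_TYPE,TIMESTAMP,USER_NAME,SOURCE_IP,LOGIN_STATUS
Login,20240601120000.000,alice@example.com,203.0.113.42,LOGIN_NO_ERROR
Login,20240601120500.000,bob@example.com,192.0.2.77,LOGIN_NO_ERROR
Login,20240601120700.000,carol@example.com,192.0.2.78,LOGIN_ERROR_INVALID_PASSWORD
"""

API_CSV = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED
API,20240601121000.000,005000000000001,Data Loader,Contact,60000
API,20240601121100.000,005000000000002,Integration,Account,120
"""

REPORT_EXPORT_CSV = """EVENT_TYPE,TIMESTAMP,USER_ID,REPORT_ID
ReportExport,20240601122000.000,005000000000001,00O000000000001
ReportExport,20240601122100.000,005000000000001,00O000000000002
ReportExport,20240601122200.000,005000000000001,00O000000000003
ReportExport,20240601122300.000,005000000000001,00O000000000004
"""


def rows(csv_text: str) -> list[dict]:
    """Parse one event log file's CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def off_network_logins(login_rows, allowed=ALLOWED_NETS):
    """Successful logins whose SOURCE_IP falls outside every allowed range.

    Failed attempts are skipped here; they belong in a separate brute-force check.
    """
    hits = []
    for r in login_rows:
        if r["LOGIN_STATUS"] != "LOGIN_NO_ERROR":
            continue
        ip = ipaddress.ip_address(r["SOURCE_IP"])
        if not any(ip in net for net in allowed):
            hits.append((r["USER_NAME"], r["SOURCE_IP"]))
    return hits


def bulk_api_users(api_rows, threshold=API_ROW_THRESHOLD):
    """Users whose ROWS_PROCESSED summed over their API calls exceeds the threshold."""
    totals = defaultdict(int)
    for r in api_rows:
        totals[r["USER_ID"]] += int(r["ROWS_PROCESSED"])
    return {user: n for user, n in totals.items() if n > threshold}


def heavy_report_exporters(export_rows, threshold=REPORT_EXPORT_THRESHOLD):
    """Users who exported more reports than the threshold allows."""
    counts = defaultdict(int)
    for r in export_rows:
        counts[r["USER_ID"]] += 1
    return {user: n for user, n in counts.items() if n > threshold}


def triage() -> dict:
    """Run all three checks over the sample files and return the findings."""
    return {
        "off_network_logins": off_network_logins(rows(LOGIN_CSV)),
        "bulk_api_users": bulk_api_users(rows(API_CSV)),
        "heavy_report_exporters": heavy_report_exporters(rows(REPORT_EXPORT_CSV)),
    }


if __name__ == "__main__":
    for check, finding in triage().items():
        print(f"{check}: {finding}")
```

On a real org you would pull the files from the EventLogFile object rather than embed them, and the thresholds should come from a baseline of normal activity; the point is that each finding maps back to one of the controls above (IP ranges, API Enabled, report access), which is what makes the alert actionable.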


🔒 Enforce Multi-Factor Authentication (MFA)

Salesforce now requires MFA for direct logins, and for good reason: it is a strong line of defence against account compromise. If users sign in through SSO, the MFA requirement moves to your identity provider, so check that it is enforced there too.

Even so, educate users about MFA fatigue, where an attacker spams push-approval prompts until someone taps "Allow" out of habit. Make it clear that a prompt should never be approved unless the user was trying to log in at that moment, and that an unexpected prompt is itself a sign the password is compromised and should be reported. Where you can, prefer factors that cannot be fatigued at all, such as security keys (WebAuthn) or a TOTP app.

For further control, tighten the Session Settings: shorten the session timeout, lock sessions to the IP address they originated from, and require a high-assurance session for sensitive operations.


📘 Keep Up with Salesforce’s Security Documentation

Salesforce regularly updates its guidance, and it’s worth keeping an eye on. The Salesforce Security Guide (PDF) is a solid reference for policies, tools, and practical steps.


Final Thoughts

Securing your Salesforce org doesn’t have to be complicated. Most risks come down to misconfiguration, excessive permissions, or lack of visibility. Take the time to review your setup and apply these small but meaningful changes.

And if nothing else—enable MFA, restrict IP access, and keep permissions tight.

#Connected Apps #Data Protection #Enterprise Security #Event Monitoring #Least Privilege Access #Multi-Factor Authentication #Salesforce Admin #Salesforce Architecture #Salesforce Best Practices #Salesforce Configuration #Salesforce IP Restrictions #Salesforce Security #Salesforce Shield