Generally, large enterprises have internal IT security teams to thoroughly assess every addition to the enterprise. However, small and midsize businesses often don’t have such full-time staff. This difference raises the following questions in the context of SMBs:
- Who is responsible for ensuring data security during a new project?
- What happens when you discover that security best practices were not followed?
For us at SalesFix, the answer to the first question is simple: as Salesforce consultants, it is our responsibility.
Regardless of the business size, it is the responsibility of the consultants involved in any project to follow data security best practices. Security considerations start in the discovery phase and continue through post-production support and enhancement activities. At each step, there is an absolute need to advise our clients about the possible data security pros and cons of a requirement. This helps our clients make an informed decision on any specific requirement.
In most projects, Salesforce is one part of an enterprise landscape in which other systems interact with Salesforce to exchange information. The teams that own those external systems may or may not be familiar with Salesforce data security. Educating such teams about Salesforce-specific data security best practices is also a mandatory activity for any successful implementation.
Salesforce provides security controls at different levels. Each project has specific requirements, but the overall goal should always be to take full advantage of the available data security controls. The required level of data access can be achieved through careful application of org-wide defaults together with object-, field-, and record-level security. Additionally, all integrations with Salesforce should follow Salesforce recommended security guidelines and integration patterns for secure and effective use of resources.
With the Salesforce platform, there are many resources available that can be used to educate client teams in a focused way. One of them is Trailhead, Salesforce's learning platform. Many client teams are also learning about the platform's security offerings through Trailhead.
When you discover best practices were not followed
Sometimes you start serving a client and, as part of the overall health check of the client's existing Salesforce production application, you find that Salesforce recommended security best practices were not implemented. Again, it is the responsibility of the consultants involved in the health check to present the possible risks to the client. It is often helpful to present enough data points and examples to ensure the message is communicated clearly. Additionally, for each security gap, a mitigation approach should be documented, including whether any activity needs to happen after hours. Such a document helps the client approve the work based on the severity of the security gaps.
Remain safe proactively
Data security requires proactiveness from both consultants and system admins. As consultants, we need to stay alert by regularly conducting security audits of record modifications, login history, field history tracking, and the Setup Audit Trail. Additionally, following every Salesforce release for new security features, together with regular health checks of the production application, also helps in identifying any security gaps. While this is standard practice for us during a project, once a project is completed and handed over, this responsibility passes to the business's system admin unless a managed services arrangement is in place, so it is important that they also stay alert.
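As an added illustration (not SalesFix's own tooling), the following Python script shows the kind of check such a routine audit can run over exported Setup Audit Trail and Login History data: it flags configuration changes in security-sensitive setup sections and users with repeated failed logins. The CSV column names, the set of sensitive sections and the sample rows are constructed assumptions for the example.

```python
import csv
from collections import Counter
from io import StringIO

# Setup Audit Trail sections whose changes deserve review during a health check.
# This set is an assumption chosen for illustration, not a Salesforce-defined list.
SENSITIVE_SECTIONS = {
    "Sharing Defaults", "Manage Users", "Session Settings",
    "Password Policies", "Connected Apps",
}

# Constructed sample of a Setup Audit Trail export (not real client data).
SETUP_AUDIT_CSV = """Date,User,Action,Section
2024-03-01 09:12:00,admin@example.com,Changed Account org-wide default from Private to Public Read/Write,Sharing Defaults
2024-03-01 10:05:00,admin@example.com,Changed page layout Account Layout,Page Layouts
2024-03-02 22:41:00,integ@example.com,Changed session timeout from 2 hours to 24 hours,Session Settings
"""

# Constructed sample of a Login History export (not real client data).
LOGIN_HISTORY_CSV = """LoginTime,Username,SourceIp,Status
2024-03-02 22:30:00,integ@example.com,203.0.113.5,Invalid Password
2024-03-02 22:31:00,integ@example.com,203.0.113.5,Invalid Password
2024-03-02 22:32:00,integ@example.com,203.0.113.5,Invalid Password
2024-03-02 22:33:00,integ@example.com,203.0.113.5,Success
2024-03-02 08:00:00,admin@example.com,198.51.100.7,Success
"""


def sensitive_setup_changes(csv_text):
    """Return (date, user, section, action) for every change made in a sensitive section."""
    rows = csv.DictReader(StringIO(csv_text))
    return [(r["Date"], r["User"], r["Section"], r["Action"])
            for r in rows if r["Section"] in SENSITIVE_SECTIONS]


def failed_login_bursts(csv_text, threshold=3):
    """Return {username: failed_count} for users whose failed logins reach the threshold."""
    failures = Counter(r["Username"] for r in csv.DictReader(StringIO(csv_text))
                       if r["Status"] != "Success")
    return {user: n for user, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    for change in sensitive_setup_changes(SETUP_AUDIT_CSV):
        print("REVIEW setup change:", change)
    for user, n in failed_login_bursts(LOGIN_HISTORY_CSV).items():
        print(f"REVIEW {n} failed logins for {user}")
```

On a real org the same functions can be pointed at the CSV files exported from Setup Audit Trail and Login History, and the threshold tuned to the client's baseline.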