19.8%: that is how much of the market Salesforce holds, making it the undisputed global CRM market leader. A MarTech behemoth, Salesforce brings companies and customers together, powering trillions of consumer, platform, and employee interactions in the process. It is fair to say, then, that Salesforce Marketing Cloud holds enormous amounts of valuable data across many organizations and industries. And wherever there is sensitive data, cybercriminals are never far behind.
Now, Salesforce has pretty decent security measures in place, but at a time when every cybercrime is more sophisticated than the last (in 2022 alone, damages inflicted by cybercrime totalled $6 trillion), it is not prudent to treat them as your sole line of defense. Without robust data security and privacy mechanisms of your own, you risk having all your data stolen and your operations capsized overnight. In this article, we present a host of proven techniques that will help you get on top of every vulnerability in your Marketing Cloud. Let the fortification begin!
1. Carefully Configure Your Account Security Settings
This is pretty basic, of course, and yet many businesses blatantly disregard it. Use Marketing Cloud’s security settings to make your account as impregnable as possible. And no, these security measures are not confined to defining a username and a password. You have far more sophisticated protocols at your disposal, such as multi-factor authentication, which adds a second verification method at login. That second factor can be:
- On your Salesforce Authenticator mobile application, or
- On time-based one-time passcode authentication apps like Microsoft Authenticator, Google Authenticator, or Authy, or
- Using security keys which support WebAuthn or U2F; these include the likes of Google’s Titan Security Key and Yubico’s YubiKey.
Using these measures, you can strengthen your Salesforce Marketing Cloud security considerably. Additionally, a host of new security measures announced in the Winter 2023 release give you more avenues to fortify your account.
This discussion would be incomplete without us taking a closer look at the security settings that Marketing Cloud accords to a user. Let’s dive in:
- Session settings: Here, you determine how long an application stays open in a browser before the session times out. It is always recommended, thus, to specify a short session timeout (10-20 minutes). Doing so keeps unauthorized access attempts at bay while you are inactive. How is inactivity assessed? By the time elapsed since your last interaction with the user interface.
- Username and logins: There are two interesting settings here. First is the “login expires after inactivity” setting. With it, old login information is reset if the account has been inactive for a considerable period (say 3-4 months), which prevents dormant accounts from being hijacked by malicious users. Keep in mind that this login inactivity expiration applies to API users too; should they wish to avoid it, they are advised to log in via the UI. Next is the “invalid logins before lockout” setting. As the name suggests, it defines the maximum number of attempts a user gets to enter the correct credentials. Most Salesforce experts will suggest you peg this value at 3. Once you exceed this limit, you will be asked to reset the password. When the application locks an account, the user concerned can neither gain access nor request an activation code until the administrator unlocks the account. Additionally, there is the “minimum user length” setting, which determines the number of characters a username must comprise. As you can probably guess, the more characters, the harder it is for an unauthorized user to guess it. At the very least, a minimum of 8 characters is required.
- Password policies: With the “minimum password length” setting, you decide the number of characters a password must contain. Again, as with usernames, a longer password presents more grief to malicious users. A password generally consists of several types of characters (numbers, upper- and lower-case letters, and special characters), so its complexity depends on the combination you concoct from them. Then there is the “enforce password history” setting, which governs how often a password can be reused. Also important is the “user passwords expire in” setting, which lets you specify the interval after which an old password must be replaced with a new one.
- Data export settings: By enabling the “enforce export email allowlist” setting, you ensure that the application exports data only to the email addresses listed on the export email allowlist.
Occasionally, users trade these recommended settings for convenience (setting sessions and passwords to never expire, for instance), severely compromising the security of their accounts. Go above and beyond the recommended settings if need be, but never dismiss them.
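To turn the settings reviewed above into a repeatable check, here is an added audit script (not Salesforce code; Marketing Cloud exposes no public API for these settings, so the dictionaries are constructed by hand as an admin would transcribe them from the security settings page). Setting keys are illustrative, and the password thresholds marked "assumed" are not stated on the page. The "never expire" convenience choice is modelled as 0 and is flagged, which is exactly the failure mode the paragraph above warns about.

```python
"""Audit a Marketing Cloud account's security settings against the
recommendations above.

Added example, not Salesforce code. The settings dictionaries are constructed
(keys are illustrative); thresholds labelled "assumed" are not on the page.
"""
from dataclasses import dataclass

NEVER = 0  # assumption: the UI's "never expire / no limit" choice is recorded as 0


@dataclass(frozen=True)
class Finding:
    setting: str
    value: object
    advice: str


def audit_security_settings(s: dict) -> list:
    """Return one Finding per setting that is weaker than the recommendation."""
    f = []

    # Session settings: a short idle timeout, 10-20 minutes per the page.
    t = s.get("session_timeout_minutes", NEVER)
    if t == NEVER:
        f.append(Finding("session_timeout_minutes", t, "sessions never time out; set 10-20 minutes"))
    elif t > 20:
        f.append(Finding("session_timeout_minutes", t, "longer than the 10-20 minute recommendation"))

    # Username and logins: expire logins idle for 3-4 months (about 90-120 days).
    d = s.get("login_expires_after_inactivity_days", NEVER)
    if d == NEVER or d > 120:
        f.append(Finding("login_expires_after_inactivity_days", d, "expire dormant logins after 90-120 days"))

    # Lock the account after 3 bad attempts, as most experts recommend.
    n = s.get("invalid_logins_before_lockout", NEVER)
    if n == NEVER or n > 3:
        f.append(Finding("invalid_logins_before_lockout", n, "set to 3"))

    # 8 is the smallest username length the platform accepts.
    u = s.get("minimum_username_length", 0)
    if u < 8:
        f.append(Finding("minimum_username_length", u, "raise to at least 8"))

    # Password policies: the page gives no numbers, so 12 characters, 5 remembered
    # passwords and a 90-day expiry are assumed baselines.
    pl = s.get("minimum_password_length", 0)
    if pl < 12:
        f.append(Finding("minimum_password_length", pl, "raise to at least 12 (assumed baseline)"))
    ph = s.get("enforce_password_history", 0)
    if ph < 5:
        f.append(Finding("enforce_password_history", ph, "remember at least 5 passwords (assumed baseline)"))
    e = s.get("user_passwords_expire_in_days", NEVER)
    if e == NEVER or e > 90:
        f.append(Finding("user_passwords_expire_in_days", e, "expire passwords within 90 days (assumed baseline)"))

    # Data export settings: exports only to allowlisted addresses.
    if not s.get("enforce_export_email_allowlist", False):
        f.append(Finding("enforce_export_email_allowlist", False, "enable the export email allowlist"))
    return f


def flagged_settings(s: dict) -> set:
    """Names of the settings that failed the audit (handy for tests and dashboards)."""
    return {x.setting for x in audit_security_settings(s)}


# Constructed profiles: the "convenience" configuration the page warns about,
# and a hardened one that follows every recommendation.
WEAK_SETTINGS = {
    "session_timeout_minutes": NEVER,
    "login_expires_after_inactivity_days": NEVER,
    "invalid_logins_before_lockout": 10,
    "minimum_username_length": 8,
    "minimum_password_length": 8,
    "enforce_password_history": 0,
    "user_passwords_expire_in_days": NEVER,
    "enforce_export_email_allowlist": False,
}
HARDENED_SETTINGS = {
    "session_timeout_minutes": 15,
    "login_expires_after_inactivity_days": 90,
    "invalid_logins_before_lockout": 3,
    "minimum_username_length": 10,
    "minimum_password_length": 14,
    "enforce_password_history": 10,
    "user_passwords_expire_in_days": 90,
    "enforce_export_email_allowlist": True,
}

if __name__ == "__main__":
    for fi in audit_security_settings(WEAK_SETTINGS):
        print(f"{fi.setting} = {fi.value!r}: {fi.advice}")
```

Run it against the weak profile and every setting except the username length is reported; the hardened profile produces no findings. Adjust the assumed password thresholds to your own policy before relying on the output.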
2. Monitor Admin Access
Take the structure of your organization into account before deciding who gets access to your Marketing Cloud account. In most cases, the primary cause of Salesforce security issues is over-authorization. By granting a user access, you give them the following abilities:
- Capability to export customer data
- Modify data extensions and get access to installed package credentials
- Install their personal data, which is difficult to find and can go unnoticed for a long time
All of these are high-impact actions, you would agree. Hence, it is absolutely vital that access is granted only to a select few, preferably those in senior positions. A good way to control access is through business units in Marketing Cloud. With them, you can create a hierarchical structure which, in turn, regulates how information is accessed. Branding elements such as email display names, physical mailing addresses, and email reply addresses can also be controlled through business units.
3. Evaluate The Access Level of Your Users
For the convenience of its users, Marketing Cloud contains a bevy of default user roles, all with varying levels of access. These roles fall into two categories: Marketing Cloud roles and Email Studio roles. Problems arise when organizations assign multiple roles to users. For instance, imagine everyone in your organization holding the Marketing Cloud Administrator or Administrator role (the highest roles in Marketing Cloud and Email Studio, respectively)! The resulting chaos is something one shudders to imagine.
If there is an absolute need to assign multiple roles to a particular user, keep in mind that they will only be able to exercise the permissions of the most restrictive role; Marketing Cloud does this by default. SFMC also allows you to assign roles at the business unit level. This comes in particularly handy where users do not need complete access to all the business units they belong to. Evaluating the access level of your users as a whole helps you keep a ton of Salesforce email security issues at bay.
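The "most restrictive role wins" rule and per-business-unit role assignment are easier to reason about with a small model. The following is an added example, not Salesforce code: it models the rule as "any deny overrides every allow", computes a user's effective permissions in each business unit, and lists the users who hold a top-level role anywhere so they can be reviewed first. Only the two top-level role names come from the page; the other role names, the permission names and the user assignments are constructed for illustration.

```python
"""Effective Marketing Cloud permissions per business unit when a user holds
several roles, applying "the most restrictive role wins" (modelled as: a
permission is effective only if some role allows it and no role denies it).

Added example, not Salesforce code. Apart from the two top-level roles named in
the article, the role catalogue, permission names and users are constructed.
"""

# Constructed role catalogue: permission -> "allow" | "deny"; unset means no grant.
ROLES = {
    "Marketing Cloud Administrator": {
        "export_data": "allow", "manage_users": "allow",
        "edit_data_extensions": "allow", "manage_installed_packages": "allow",
        "send_email": "allow",
    },
    "Administrator": {  # Email Studio's top role
        "export_data": "allow", "edit_data_extensions": "allow", "send_email": "allow",
    },
    "Content Creator": {
        "send_email": "allow",
        "export_data": "deny", "manage_users": "deny", "manage_installed_packages": "deny",
    },
    "Analyst": {
        "export_data": "allow", "edit_data_extensions": "deny",
    },
}

TOP_ROLES = {"Marketing Cloud Administrator", "Administrator"}


def effective_permissions(role_names) -> set:
    """Allowed if at least one role allows it and no assigned role denies it."""
    allowed, denied = set(), set()
    for name in role_names:
        for perm, decision in ROLES[name].items():
            (allowed if decision == "allow" else denied).add(perm)
    return allowed - denied


def permissions_by_business_unit(assignments: dict) -> dict:
    """assignments: {business_unit: [role, ...]} for one user (roles are assigned per BU)."""
    return {bu: effective_permissions(roles) for bu, roles in assignments.items()}


def over_privileged_users(users: dict) -> list:
    """Users holding a top-level role in any business unit; review these first."""
    flagged = []
    for user, assignments in users.items():
        if any(TOP_ROLES & set(roles) for roles in assignments.values()):
            flagged.append(user)
    return sorted(flagged)


# Constructed user-to-role assignments, per business unit.
USERS = {
    "alice": {"Enterprise": ["Marketing Cloud Administrator"]},
    "bob": {"EMEA": ["Administrator", "Content Creator"], "APAC": ["Content Creator"]},
    "carol": {"EMEA": ["Analyst"]},
}

if __name__ == "__main__":
    for user, assignments in USERS.items():
        print(user, permissions_by_business_unit(assignments))
    print("review first:", over_privileged_users(USERS))
```

Note how bob's Administrator role in EMEA does not let him export data: the Content Creator role assigned alongside it denies that permission, and the deny wins. That is the behaviour the paragraph above describes, and it is why stacking roles rarely yields the access people expect.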
4. Share Installed Packages Access With Essential Users Only
Installed Packages in SFMC contain components with the basic configuration details for the application or API integration you are creating. Each Installed Package comes with its own set of permissions and credential scope, so the importance of managing them securely cannot be overstated. Identify your essential users and make sure they are the only ones with access; otherwise you risk inviting a deluge of security threats.
Often, in a bid to learn and experiment, SFMC admins end up creating numerous ad hoc Installed Packages to try out their integrations, resulting in a wide scope of permissions. This must be avoided at all costs. Why? Because anyone with access to both the Installed Package credentials and the admin portal can use those credentials to reach your Marketing Cloud instance through the API, which can amount to a major security breach.
Since Installed Package credentials are not tied to any one user account, even disabling the account will not help; the former account holder will still be able to access the instance with those credentials. This is all the more reason to share Installed Package access only with essential users. And when you do, grant Installed Packages only the scope of permissions they require. Always check for Installed Packages that are no longer in use or were created for testing, and remove them.
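A periodic review of the package inventory catches the four problems described above: test packages left behind, packages nobody uses, scopes broader than the integration needs, and packages whose creator's user account has been disabled while the package credentials keep working. The script below is an added example, not Salesforce code; the package inventory, the scope names and the "required scopes per integration purpose" map are all constructed for illustration (real scope names depend on the package's components).

```python
"""Audit an Installed Package inventory for the risks described in the article.

Added example, not Salesforce code. The inventory, scope names and the
REQUIRED_SCOPES map (what each integration legitimately needs) are constructed.
"""
from datetime import date, timedelta

# Constructed least-privilege baseline: integration purpose -> scopes it needs.
REQUIRED_SCOPES = {
    "journey-sync": {"journeys_read", "journeys_write"},
    "reporting": {"data_extensions_read"},
    "crm-sync": {"data_extensions_read", "data_extensions_write"},
}


def audit_installed_packages(packages, disabled_users, today, unused_after_days=90):
    """Return {package_name: [reason, ...]} for every package that needs action."""
    findings = {}
    for p in packages:
        reasons = []
        name = p["name"].lower()
        # Packages created for experimentation tend to advertise it in their name.
        if "test" in name or "sandbox" in name:
            reasons.append("looks like a test package; remove it")
        # Never used, or idle longer than the review window.
        if p["last_used"] is None or (today - p["last_used"]).days > unused_after_days:
            reasons.append(f"not used in the last {unused_after_days} days; remove or rotate")
        # Scopes the integration's purpose does not justify.
        excess = p["scopes"] - REQUIRED_SCOPES.get(p["purpose"], set())
        if excess:
            reasons.append("scopes beyond what the integration needs: " + ", ".join(sorted(excess)))
        # Package credentials outlive the creator's account, so disabling the
        # user is not a revocation: the package must be rotated or deleted.
        if p["created_by"] in disabled_users:
            reasons.append("creator's account is disabled but the credentials still work; rotate or delete")
        if reasons:
            findings[p["name"]] = reasons
    return findings


TODAY = date(2024, 1, 15)  # constructed reference date for the review
PACKAGES = [  # constructed inventory
    {"name": "CRM Sync", "purpose": "crm-sync", "created_by": "alice",
     "last_used": TODAY - timedelta(days=1),
     "scopes": {"data_extensions_read", "data_extensions_write"}},
    {"name": "Dave test pkg", "purpose": "reporting", "created_by": "dave",
     "last_used": TODAY - timedelta(days=200),
     "scopes": {"data_extensions_read", "data_extensions_write", "email_send", "users_read"}},
    {"name": "Journey Sync", "purpose": "journey-sync", "created_by": "bob",
     "last_used": TODAY - timedelta(days=3),
     "scopes": {"journeys_read", "journeys_write"}},
]
DISABLED_USERS = {"dave"}  # constructed: dave has left and his login was disabled

if __name__ == "__main__":
    for pkg, reasons in audit_installed_packages(PACKAGES, DISABLED_USERS, TODAY).items():
        print(pkg)
        for r in reasons:
            print("  -", r)
```

In the constructed inventory only "Dave test pkg" is reported, and it trips all four checks at once, which is the typical profile of a forgotten experiment. The two production packages pass because their scopes match their purpose exactly and they are in active use.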
5. Don’t Treat Marketing Cloud as a Data Warehouse
Because storing data in Marketing Cloud doesn’t cost a single penny, most businesses fall into the habit of keeping all sorts of data there, forever. This is a severely unhealthy practice: it puts you at risk of violating data protection laws (GDPR, CPRA and the like discourage storing data indefinitely), and it leaves your data increasingly prone to breaches.
Therefore, before you place any nugget of information in the Cloud, ask whether it serves a purpose. Don’t keep it there merely as a precaution; upload it only if you are going to act on it in the very near future. It is prudent, thus, to have a strict data retention policy in place. Additionally, to blunt security threats, get into the habit of backing your data up periodically. For more, see our other blog post on Salesforce Marketing Cloud best practices.
Wrapping It Up
Once you have ensured the integrity of your Marketing Cloud, nothing can stop you from leveraging the full potential of this powerful platform. We hope the guidelines shared above are able to help you in that endeavor.