
5 Tips for Keeping Salesforce Marketing Cloud Secure


Salesforce Marketing Cloud (SFMC) is a cloud service offered by Salesforce, a software company that focuses its business on cloud-based software as a service. In other words, Salesforce Marketing Cloud works as a robust marketing automation platform. It is not only highly customizable but also designed to meet the diverse needs of an organization. Whether it is storing critical data structures in Data Extensions or creating personalized Journey Builder activities, SFMC handles it seamlessly.

However, despite being the largest software and programming company, Salesforce, like other CRMs, faces some common security concerns. Here’s a look at some of the potential security threats that come with SFMC.

Cross-site request forgery

This is a malicious practice that tricks a genuine, registered user into performing an unwanted action on a vulnerable server.

Injection of HTML

This attack injects HTML into a vulnerable page. For example, it can make an iframe display an entirely different page than the one intended.

Remote code execution

This kind of attack exploits vulnerabilities in target servers that execute input data.

Cross site scripting

Cross-site scripting places JavaScript on a vulnerable domain and convinces a user to click on an ambiguous or malicious link. As a result, the browser executes the JavaScript in the context of that domain, which can lead to a range of harmful outcomes.

Arbitrary redirects

This attack camouflages a malicious site behind a typical server URL and tricks the user into clicking through to it.

So, these are the security risks you can face when working with Salesforce Marketing Cloud. However, you still can use SFMC seamlessly. All you need to do is protect your data. Wondering how you can leverage Salesforce Marketing Cloud while keeping your SFMC instance safe and secure? Take a look at the tips below and you will understand it all. Here you go.

1. Limit user permission and admin access

Marketing Cloud lets admins set specific access permissions on a per-user basis. In particular, when admins create OAuth access tokens, they make sure the tokens are valid only for important tasks. However, at times the intricate details of a permission set can get overwhelming. As a result, the admin ends up giving Admin access to a majority of users in an SFMC account. Though it does save a little time while creating a new account, handing out the Admin role this way should certainly not be the norm. A user with Admin access can do the following:

  • Export customer data
  • Modify data extensions and get access to installed package credentials
  • Install their personal data, which is difficult to find and can go unnoticed for a long time

This is the reason it becomes critical to secure your SFMC instance. As mentioned already, you can do so by limiting Admin access to a maximum of 2-3 users. You can even give suitable roles and permissions to other users on the basis of their responsibilities. In short, keeping your SFMC instance secure requires you to assign only the important permissions to the tokens as well as the Installed Packages. 

2. Give installed packages access to essential users

Ensuring that only essential users get access to Installed Packages will save you from a lot of security threats. In other words, it is critical to manage Installed Packages securely. Remember, every Installed Package comes with its own credentials and its own permission scope. SFMC admins, while learning and experimenting with the API, often create a lot of ad hoc Installed Packages to test their integrations, and these tend to end up with a wide permission scope. This is not a good practice and should be avoided. Access to both the Installed Package credentials and the Admin portal can provide credentials for reaching your Marketing Cloud instance through the API. This can prove to be a major security breach.

In addition, Installed Package credentials are not tied to a particular user account. As a result, even if an account has been disabled, the account holder can still retain access through those credentials. However, you can avoid this and maintain the privacy of your SFMC instance by following the steps below:

  • As mentioned already, make sure you give Installed Packages access only to essential users
  • Make it a point to give Installed Packages only the scope of permissions they require
  • Always check for Installed Packages that are either no longer in use or were developed for testing. Also, remove these packages if needed
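The three checks above can be run as a periodic audit. The following is an added example, not code from the original post or from Salesforce; the inventory format, package names, user names and the 90-day idle threshold are assumptions, and the sample data is constructed.

```python
from datetime import date

# Constructed inventory, e.g. kept by hand from the Installed Packages screen.
PACKAGES = [
    {"name": "crm-sync", "purpose": "production",
     "last_used": date(2024, 5, 28),
     "granted": {"data_extensions_read", "data_extensions_write"},
     "required": {"data_extensions_read", "data_extensions_write"},
     "users": {"integration.user"}},
    {"name": "api-sandbox", "purpose": "test",
     "last_used": date(2023, 11, 2),
     "granted": {"email_read", "email_send", "data_extensions_write"},
     "required": {"email_read"},
     "users": {"integration.user", "former.contractor"}},
]
ESSENTIAL_USERS = {"integration.user", "admin.one"}  # hypothetical names


def audit(packages, essential_users, today, max_idle_days=90):
    """Return (package, finding, detail) tuples for the three checks."""
    findings = []
    for pkg in packages:
        # Scope granted beyond what the integration actually needs.
        excess = sorted(pkg["granted"] - pkg["required"])
        if excess:
            findings.append((pkg["name"], "excess-scope", excess))
        # People who can read the package credentials but are not essential.
        outsiders = sorted(pkg["users"] - essential_users)
        if outsiders:
            findings.append((pkg["name"], "non-essential-access", outsiders))
        # Test packages and packages idle past the threshold.
        idle = (today - pkg["last_used"]).days
        if pkg["purpose"] == "test" or idle > max_idle_days:
            detail = [f"{pkg['purpose']}, idle {idle}d"]
            findings.append((pkg["name"], "review-for-removal", detail))
    return findings


if __name__ == "__main__":
    for finding in audit(PACKAGES, ESSENTIAL_USERS, date(2024, 6, 1)):
        print(finding)
```

Because the credentials are not tied to a user account, a "non-essential-access" finding for someone who has left calls for rotating or deleting the package, not just disabling the user.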

3. Keep a check on API users

An API user is used to integrate SFMC with Sales Cloud or Service Cloud through Marketing Cloud Connect. In this context, you must know about the API user checkbox option that is present while creating or editing users in Marketing Cloud. This is where security needs to be taken care of. You can do so by not enabling this option. If there is an urgent requirement to enable it, do so only in selected cases. In general, every API access should be authenticated through OAuth2. Remember, you must avoid authenticating with a username and password. Also, while you are creating an API user, make use of a dedicated integration user and avoid using an actual user account. All in all, it is critical to keep a check on API users and limit their access. It can help you in two ways:

  • It won’t allow any user to exploit the API access
  • It helps guard against security vulnerabilities and any kind of data loss

4. Make your tokens safe

While storing your token values, make it a point to refresh tokens on your external server. You must request a new access token only when you need one. Also, make sure to store that particular value in memory. Remember, these tokens are as important as Salesforce account credentials and require the same kind of security and priority. 

5. Leverage updated TLS

Always use an up-to-date TLS configuration on your external web servers. Once you do this, you can request TLS enforcement for Marketing Cloud APIs. Also, make sure your access token appears only in the Authorization header.
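Tips 3 to 5 combine into one small client-side pattern: authenticate with OAuth2 client credentials, hold the access token in memory, request a new one only near expiry, and send it only in the Authorization header over HTTPS. The following is an added example, not code from the original post or from Salesforce; the class name, the injected `post` transport, the 60-second skew and the placeholder URLs are assumptions.

```python
import time
from urllib.parse import urlsplit


class TokenCache:
    """Keeps one OAuth2 access token in process memory only."""

    def __init__(self, auth_url, client_id, client_secret, scope, post,
                 clock=time.monotonic):
        if urlsplit(auth_url).scheme != "https":
            raise ValueError("token endpoint must be https")
        self.auth_url = auth_url
        self.payload = {"grant_type": "client_credentials",
                        "client_id": client_id,
                        "client_secret": client_secret,
                        "scope": scope}  # ask only for the scopes this job needs
        self.post = post      # injected transport: post(url, json_dict) -> dict
        self.clock = clock
        self.value, self.expires_at, self.fetches = None, 0.0, 0

    def __repr__(self):       # keep the token out of logs and tracebacks
        return f"<TokenCache fetches={self.fetches}>"

    def token(self, skew=60):
        """Return the cached token; fetch a new one only near expiry."""
        if self.value is None or self.clock() >= self.expires_at - skew:
            body = self.post(self.auth_url, self.payload)
            self.value = body["access_token"]
            self.expires_at = self.clock() + int(body["expires_in"])
            self.fetches += 1
        return self.value

    def auth_headers(self, url):
        """Headers for an API call; the token never goes into the URL."""
        if urlsplit(url).scheme != "https":
            raise ValueError("refusing to send a token without TLS")
        return {"Authorization": f"Bearer {self.token()}"}


if __name__ == "__main__":
    # Constructed stand-in for the HTTPS POST to the tenant's /v2/token endpoint.
    def fake_post(url, body):
        return {"access_token": "constructed-token", "expires_in": 1080}

    cache = TokenCache("https://SUBDOMAIN.auth.marketingcloudapis.com/v2/token",
                       "CLIENT_ID", "CLIENT_SECRET", "email_read", fake_post)
    cache.auth_headers("https://SUBDOMAIN.rest.marketingcloudapis.com/placeholder")
    cache.auth_headers("https://SUBDOMAIN.rest.marketingcloudapis.com/placeholder")
    print(cache)  # <TokenCache fetches=1>
```

In real use, `post` wraps an HTTPS client with certificate verification left on, and the client secret comes from a secrets manager, not from source code.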

Wrap up

Security and safety of Marketing Cloud should be the topmost priority of organizations. Therefore, it is imperative to analyze and re-evaluate your security needs regularly. Hope you are feeling more secure now. The above-mentioned tips will surely come in handy for safeguarding your SFMC instance. So, make the most out of it.


Kevin George

Kevin is the Head of Marketing at Email Uplers, one of the fastest-growing full-service email marketing companies. He is an email enthusiast at heart and loves to pen down email marketing content. You can reach him at or connect with him on LinkedIn.
