To protect your data, maintain compliance, and ensure business continuity, here are the key Salesforce security controls every admin should implement now.
1. Multi-Factor Authentication (MFA)
MFA is the first line of defense against unauthorised access. Salesforce now requires all users to enable MFA for internal and external users.
Why it matters:
- Reduces the risk of credential theft
- Protects sensitive customer and business data
- Supports compliance standards like GDPR and ISO 27001
Implementation tip: Enforce MFA via Profiles and Permission Sets, and communicate to users before rolling out.
2. IP Restrictions & Login Hours
| Control | Purpose | Best Practice |
|---|---|---|
| Trusted IP Ranges | Limits login access to approved networks | Use for internal users, offices, VPNs |
| Login Hours | Restricts access to working hours | Prevents off-hours access by mistake or attack |
These settings help prevent unauthorised access even if credentials are compromised.
3. Connected App Security
Many Salesforce integrations use OAuth tokens, which can be exploited if left unmonitored.
Checklist:
- Audit all connected apps regularly
- Remove unused apps
- Rotate OAuth secrets periodically
- Set app permissions to least privilege
4. Permission Sets & Role Hierarchies
A well-structured access model is essential. Avoid giving broad access unnecessarily.
Tips:
- Apply least privilege principle
- Review roles & profiles quarterly
- Monitor for inactive users with high access
5. Event Monitoring & Audit Trails
Salesforce Event Monitoring captures login activity, API calls, and data access events.
Benefits:
- Detect unusual login patterns
- Identify potential internal risks
- Support audits and compliance reporting
Quick tip: Use Shield or native audit logs to automate alerts for anomalies.
6. Data Encryption & Field-Level Security
Sensitive data should always be encrypted and restricted to authorised users.
Action points:
- Enable Platform Encryption for sensitive fields
- Configure Field-Level Security for confidential data
- Review access to files, attachments, and reports
7. Regular Security Health Checks
Salesforce provides built-in Security Health Check to measure your org against best practices.
Pro tip: Schedule monthly reviews and address all critical/high risk points.
Putting it All Together
Implementing these controls doesn’t have to be overwhelming. A staged approach, starting with MFA, IP restrictions, and connected app audits, will drastically improve your security posture.
Need Help Securing Your Salesforce Org?
Cognition24’s Salesforce-certified experts provide fast, thorough security reviews to ensure your environment is fully protected and compliant.