Step-by-Step Guide to Salesforce Security Health Check

Published on
October 2, 2024
Note: Generative AI was used to create this content

Understanding Salesforce Security Health Check

Ensuring the security of your Salesforce org is crucial for safeguarding sensitive data and maintaining user trust. A Salesforce security health check offers a straightforward way to evaluate and improve your org's security settings.

Key points covered in a Salesforce security health check:

  • Identify inactive or incorrect security configurations.
  • Measure your org's security against Salesforce’s recommended settings.
  • Quickly address security vulnerabilities with one-click fixes.

Maintaining the security of your Salesforce org is a shared responsibility. This is particularly important when you build custom apps, as these apps can impact the overall security of your org. By leveraging Salesforce's built-in Health Check feature, you can easily assess and improve your security posture.

Tython is a team of experienced Salesforce specialists. Over the years, we've helped various organizations, from small startups to large enterprises, strengthen their Salesforce security.

Stay with us as we dive deeper into running a Salesforce security health check and how to use it to protect your data.

Comprehensive overview of Salesforce security health check features and process - Salesforce security health check infographic infographic-line-5-steps-neat_beige

What is Salesforce Security Health Check?

A Salesforce Security Health Check is a powerful tool designed to help you evaluate and improve the security of your Salesforce org. Think of it as a dashboard that shows how your current security settings compare to Salesforce's recommended best practices.

Definition and Purpose

The Health Check provides a score ranging from 0 to 100, with 100 being the most secure. This score helps you understand how well your org's security settings align with Salesforce's recommended standards.

Salesforce Security Health Check Score - Salesforce security health check

Security Evaluation

The Health Check evaluates various security settings in your org, such as:

  • Password policies
  • Login attempts
  • Multi-factor Authentication (MFA)
  • Session settings
  • Clickjack protection
  • HTTPS
  • Cross-site scripting (XSS) protection

These settings are then categorized into high-risk, medium-risk, low-risk, and informational settings, making it easy to prioritize which areas need immediate attention.

Identifying IT Environment Vulnerabilities

One of the key benefits of the Health Check is its ability to expose inactive or incorrectly configured security mechanisms. This feature is crucial because any custom app you deploy can impact the overall security of your Salesforce org.

For instance, if your org's password policies are too lenient, it could make it easier for unauthorized users to gain access. Similarly, not enabling MFA could leave your org vulnerable to phishing attacks.

By using the Health Check, you can quickly identify these vulnerabilities and take steps to fix them, often with just one click.

Real-World Applications

Salesforce Health Cloud is a great example of how robust security features can improve user trust and data protection. Healthcare providers using Health Cloud rely on its security mechanisms to keep patient data safe. Features like platform encryption, event monitoring, and field audit trails ensure that sensitive information is well-protected.

These real-world examples underline the importance of regular security checks. If healthcare providers can trust Salesforce to secure patient data, you can be confident that a Salesforce Security Health Check will help keep your business data safe.

Importance of Regular Security Checks - Salesforce security health check infographic 4<em>facts</em>emoji_light-gradient

Next Steps

Now that you know what a Salesforce Security Health Check is and why it's important, it's time to learn how to run one. In the next section, we'll guide you through the steps to set up and execute a Health Check, ensuring your org is as secure as possible.

How to Run a Salesforce Security Health Check

Running a Salesforce Security Health Check is simple and can make a big difference in securing your org. Follow these steps to get started:

Setup

  1. Log into your Salesforce org.
  2. Go to the Setup page. You can find this by clicking on the gear icon in the top right corner.

Quick Find

  1. In the Quick Find box, type Health Check. Alternatively, you can scroll down the Setup menu to Security Settings and find it there.
  2. Select Health Check.

Baseline Dropdown

Once you're in the Health Check page, you will see a dropdown menu labeled Baseline. This menu allows you to choose the security baseline against which your org's security settings will be evaluated.

Salesforce Baseline Standard

By default, the Health Check uses the Salesforce Baseline Standard. This baseline includes Salesforce's recommended security settings. Your org's settings will be compared against these standards, and you'll receive a score from 0 to 100.

The score is calculated by measuring how closely your org's security settings (the "Your Value" column) align with Salesforce's recommended settings (the "Standard Value" column). Typically, more restrictive settings will increase your score.

Custom Baseline

If your organization has unique security requirements, you can import a Custom Baseline. This is particularly useful for industries with strict compliance needs, such as finance or healthcare.

To import a custom baseline:

  1. Prepare an XML file with your custom security settings.
  2. Upload the XML file through the Health Check page.

Using a custom baseline allows you to measure your org's security against your own standards, giving you a more custom view of your security health.

Running the Health Check

After selecting your baseline, the Health Check will display your security settings along with their current values and the recommended values. Each setting will have an Edit link next to it, allowing you to adjust it as needed.

You can also click the Fix Risks button to automatically change all settings to the recommended values. However, be cautious with this option as it may affect integrations or user access. It's often better to adjust settings one at a time and test them in a sandbox environment first.

By following these steps, you can run a comprehensive Salesforce Security Health Check and make informed decisions to improve your org's security.

Next, we'll dive into understanding your Health Check score and what it means for your org's security health.

Understanding Your Health Check Score

Once you've run a Salesforce Security Health Check, you'll receive a score that tells you how secure your org is. Let's break down what this score means and how to interpret it.

Score Range: 0-100 Scale

Your Health Check score ranges from 0 to 100, where 100 is the most secure. The score is calculated by comparing your org's security settings (the Your Value column) to Salesforce's recommended settings (the Standard Value column).

Your Value vs. Standard Value

  • Your Value: These are the current security settings in your org.
  • Standard Value: These are the recommended security settings provided by Salesforce.

The closer your values are to the standard values, the higher your score.

Risk Categories

Each security setting is categorized by risk level:

  • High-Risk: These settings have the most significant impact on your security score. For example, password policies and login attempts fall into this category.
  • Medium-Risk: These settings are important but not as critical as high-risk settings. Examples include session settings and multi-factor authentication.
  • Low-Risk: These settings have a moderate impact on your security. Examples include clickjack protection and HTTPS settings.
  • Informational: These settings are for your information and do not directly affect your score. They help you understand the overall security landscape of your org.

Example: Password Policy

Suppose your password policy requires a minimum length of 8 characters (Your Value), but the recommended setting is 12 characters (Standard Value). This discrepancy will lower your score. Adjusting the setting to meet or exceed the recommended value will improve your score.

Interpreting the Score

A higher score means your org's security settings are more aligned with Salesforce's best practices. However, a lower score indicates areas where your org's security can be improved.

  • 80-100: Excellent security health. Your settings are well-aligned with best practices.
  • 50-79: Good security health but needs some improvements.
  • Below 50: Poor security health. Immediate action is required to improve your org's security.

By understanding your Health Check score, you can prioritize which settings to adjust to improve your org's security.

Next, we'll look at the steps you can take to improve your Health Check score.

Steps to Improve Your Health Check Score

Improving your Salesforce Security Health Check score is crucial for safeguarding your org. Here’s how you can do it:

Edit Settings

Each security setting in Health Check has an Edit link. Clicking this link takes you directly to the page where you can adjust the setting to align with Salesforce's recommended values.

Example: If the recommended password length is 12 characters but your setting is 8, you can easily change this to 12.

Fix Risks Button

For a quicker solution, use the Fix Risks button in Health Check. This button automatically updates all your settings to Salesforce's recommended values.

Caution: Changing all settings at once can impact integrations or user access. It's best to test changes in a sandbox environment first.

Custom Baselines

You can import a Custom Baseline to measure your org’s security against industry-specific requirements.

Why Use Custom Baselines?

  • Regulated Industries: If you work in finance or healthcare, your compliance needs might differ from standard settings.
  • Customization: Tailor security settings to better fit your organizational needs.

To import a custom baseline, simply upload an XML file containing your specific settings.

Testing Changes in Sandbox

Before implementing changes in your live environment, test them in a sandbox. This helps identify any unintended consequences, such as:

  • Integration Issues: Ensure all integrations still function correctly.
  • User Access: Verify that users retain necessary access.

Example: Password Policy

Current Setting: Minimum length of 8 characters.Recommended Setting: Minimum length of 12 characters.

Steps:

  1. Edit Setting: Steer to the password policy and change the value to 12.
  2. Test in Sandbox: Apply the change in a sandbox environment to ensure no disruptions.
  3. Implement: Once tested, apply the change in your live environment.

By following these steps, you can systematically improve your Salesforce Security Health Check score and ensure a more secure org.

Key Security Settings to Review

When it comes to improving your Salesforce Security Health Check score, there are several key security settings to review. Let's break them down one by one.

Login Attempts

Why It Matters: Limiting login attempts helps prevent brute force attacks.

Salesforce Recommendation: Lock out users after three invalid login attempts.

Practical Tip: From experience, five attempts can be more user-friendly without compromising security.

How to Adjust:

  1. Go to Setup > Security Controls > Session Settings.
  2. Set the number of invalid login attempts to your chosen value.

Multi-Factor Authentication (MFA)

Why It Matters: MFA adds an extra layer of security by requiring a second form of verification.

Salesforce Requirement: By February 1, 2022, Salesforce requires MFA using an authentication app or security key.

How to Enable:

  1. Steer to Setup > Session Settings > Session Security Levels.
  2. Enable Multi-Factor Authentication.

Session Settings

Why It Matters: Session settings control how long users can remain inactive before being logged out.

Recommended Settings:

  • Timeout Value: 30 minutes for sensitive data
  • Force Logout on Session Timeout: Enabled
  • Disable Timeout Warning Popup: Optional

How to Adjust:

  1. Go to Setup > Security Controls > Session Settings.
  2. Configure the timeout values as needed.

Clickjack Protection

Why It Matters: Clickjacking can trick users into clicking something different from what they perceive.

Recommended Setting: Allow framing by the same origin only or don’t allow framing by any page.

How to Enable:

  1. Steer to Setup > Security Controls > Session Settings.
  2. Set clickjack protection for both Force.com and Site.com communities.

HTTPS

Why It Matters: HTTPS ensures that data transmitted between the user’s browser and your Salesforce org is encrypted.

Recommended Setting:

  • Enable HSTS for Sites and Communities
  • Require Secure Connections (HTTPS)

How to Enable:

  1. Go to Setup > Security Controls > Session Settings.
  2. Enable the required options for both HSTS and HTTPS.

Cross-Site Scripting (XSS) Protection

Why It Matters: XSS protection helps prevent malicious scripts from being injected into web pages viewed by other users.

Recommended Setting: Enable XSS protection.

How to Enable:

  1. Steer to Setup > Security Controls > Session Settings.
  2. Enable XSS protection.

By reviewing and updating these key security settings, you can significantly improve your Salesforce Security Health Check score and protect your org from potential threats.

Next, let's explore how to use Health Check for custom apps, including Lightning Web Components (LWC) and Aura Components.

Using Health Check for Custom Apps

Custom apps are a staple in many Salesforce orgs, custom to meet specific business needs. But with customization comes responsibility. Ensuring these apps are secure is crucial, and Salesforce Security Health Check can help you do just that.

Security Permissions

To ensure your custom apps run securely, you need to configure the right security permissions. Here are some key settings to consider:

Require HttpOnly Attribute

What It Does: The HttpOnly attribute makes cookies inaccessible to JavaScript, reducing the risk of cross-site scripting (XSS) attacks.

How to Enable:

  1. Go to Setup > Security > Session Settings.
  2. Enable HttpOnly for cookies.

Enable User Certificates

What It Does: User certificates provide certificate-based authentication using PEM-encoded X.509 digital certificates.

How to Enable:

  1. Steer to Setup > Security > Certificate and Key Management.
  2. Enable User Certificates.

Enable Clickjack Protection

What It Does: Clickjack protection prevents your site from being embedded in an iframe, protecting users from malicious sites.

Recommended Setting:

  • Allow framing by the same origin only (recommended).
  • Don’t allow framing by any page (most protection).

How to Enable:

  1. Go to Setup > Security > Session Settings.
  2. Set clickjack protection for both Force.com and Site.com communities.

By following these steps, you can significantly improve the security of your custom apps.

Next, we will dive into advanced tools for multi-org security, including Security Center and Salesforce Optimizer.

Advanced Tools for Multi-Org Security

Managing multiple Salesforce orgs can be a daunting task, especially when it comes to security. Fortunately, Salesforce provides advanced tools to help you keep everything secure and under control. Let's explore some of these tools.

Security Center

Security Center is a powerful, paid add-on for Salesforce that provides a centralized view of security metrics across multiple Salesforce orgs. This is particularly useful for large organizations with multiple instances of Salesforce.

Key Features:

  • Centralized Monitoring: View security metrics and alerts from all your Salesforce orgs in one place.
  • Quick Actions: Directly address security issues from the Security Center dashboard.
  • Compliance Tracking: Ensure all orgs comply with your company's security policies.

How to Use:

  1. Steer to Setup > Security Center.
  2. Connect your Salesforce orgs to the Security Center.
  3. Monitor security metrics and take action as needed.

Salesforce Optimizer

The Salesforce Optimizer is another invaluable tool for maintaining a clean and efficient org. It helps you identify and fix potential issues that could impact performance and security.

Key Features:

  • Unused Fields and Profiles: Identify fields, profiles, and permission sets that are not being used.
  • Security Recommendations: Get suggestions for improving security settings.
  • Performance Improvements: Find ways to optimize your org's performance.

How to Use:

  1. Steer to Setup > Optimizer.
  2. Run the Optimizer and review the results.
  3. Follow the recommendations to improve your org.

MFA Usage

Multi-Factor Authentication (MFA) is critical for protecting your Salesforce orgs from unauthorized access. While most orgs have basic MFA enabled, Salesforce is moving towards more secure methods.

Key Features:

  • Stronger Authentication: Use authentication apps or security keys instead of just text/email.
  • Mandatory MFA: Salesforce requires all users to use MFA by February 1st, 2022.

How to Enable:

  1. Steer to Setup > Session Settings > Session Security Levels.
  2. Enable Multi-Factor Authentication.
  3. Use the Multi-Factor Authentication Assistant for more detailed setup.

Salesforce Permissions Assistant

Managing Salesforce permissions can be complicated and mishandling user access and admin-level permissions can pose critical security risks.

Key Features:

  • Profile and Permission Set Analysis: Identify potential duplicate profiles and permission sets as well as those with dangerous permissions.
  • Dynamic Search: Easily find which permission sets and profiles provision a targeted group of permissions.
  • User Analysis: Compare side-by-side, comprehensive permission summaries for multiple users to answer the question of "who can see what and why?"
  • Permission History Tracking: Easily compare how your permission sets and profiles change over time.

How to Use:

  1. Go to the AppExchange listing and sign up for a free trial.

By leveraging these advanced tools, you can ensure that your Salesforce orgs remain secure and compliant.

Conclusion

Regular Salesforce security health checks are crucial. They ensure your org remains secure and compliant. Ignoring these checks can lead to vulnerabilities, risking data security and compliance issues.

At Tython, we specialize in providing expert security guidance and solutions. Our comprehensive permissions audit, RBAC implementation, and best practice adoption help maintain a robust security posture for your Salesforce org. We also offer ongoing monitoring to ensure continuous protection and compliance.

Permissions Audit

We conduct thorough audits to identify potential vulnerabilities and recommend actionable improvements. These audits cover everything from basic security settings to advanced configurations.

RBAC Implementation

Role-Based Access Control (RBAC) is essential for managing permissions effectively. By defining roles and assigning permissions based on job functions, we help you minimize the risk of unauthorized access.

Best Practice Adoption

Adopting industry best practices is key to maintaining a secure Salesforce environment. We guide you through implementing these practices, ensuring your org is both secure and efficient.

Ongoing Monitoring

Continuous monitoring is vital for maintaining security. Our Salesforce permissions monitoring service keeps a vigilant eye on your permissions, alerting you to any suspicious activity or unauthorized changes. This proactive approach helps you address potential security issues before they escalate.

By making regular security health checks a part of your routine, you can ensure your Salesforce org remains secure and compliant. Trust Tython to help you protect your org and secure your data.

For more information on how Tython can help you maintain a secure Salesforce environment, contact us.

Protect Your Org.
Secure Your Data.

Salesforce security is a shared responsibility. Don't try to solve it alone.