Recently, ArsTechnica and KrebsOnSecurity identified problems with Salesforce Experience Cloud websites that exposed data to unauthenticated (guest) users because of misconfigured access settings. The ArsTechnica article is available here. The CCurrents team has completed dozens of successful, advanced Experience Cloud implementations and understands how tricky it can be to configure the security settings correctly. Here are the top things our team considers when locking down Salesforce Experience Cloud:
1. Limit Guest User Access: Guest users (visitors who are not authenticated) should have very limited data access in Salesforce Experience Cloud. Every site has its own guest user profile, and that profile's Object Settings, Field-Level Security, and System Permissions decide what the guest user can do, while Sharing Settings (the guest user's org-wide defaults are private, so records are reachable only through guest user sharing rules) decide which records it can see. Review all of these for each site, not just for the org. Other access paths that should often be restricted as well include Data Categories (Knowledge articles), Apex classes and Visualforce pages enabled on the guest profile, and custom pages and components that query data on the guest user's behalf; a controller declared `without sharing` can hand out records the sharing model never granted. This AppExchange package shows what records guest users can access.
2. Role-Based Access Control: Implement role-based access control so that authenticated site members only have access to the features and data they need. In Salesforce this means separate profiles (or permission sets) for each kind of external user, with object and field access assigned per profile, and sharing sets or sharing rules that scope record access to the member's own account or contact. In particular, consider how much visibility members have of other users: the Portal User Visibility and Site User Visibility options in Sharing Settings, and the site preference that lets guest users see other members, can expose your whole member list if left on. These settings are documented by Salesforce in their help documentation.
3. Multi-Factor Authentication: Enable multi-factor authentication (MFA, formerly called two-factor authentication or 2FA) to provide an additional layer of security beyond a simple username and password. Salesforce supports MFA natively for site members through the Salesforce Authenticator app, third-party TOTP apps such as Google Authenticator, and security keys; it is turned on with the "Multi-Factor Authentication for User Interface Logins" permission on the external profile or a permission set. If your members log in through an external identity provider (SAML or OpenID Connect, for example Duo or Okta), enforce MFA there and require it in the Salesforce login policy so that the provider's MFA satisfies Salesforce's requirement.
4. IP Restrictions: Consider whether you can use IP restrictions to limit access to your Salesforce Experience Cloud site to specific IP addresses or ranges. Login IP Ranges on the external user profile block logins from anywhere else; note that the Trusted IP Ranges under Network Access only skip identity verification and do not block logins. This can be especially useful if you only want to allow access to your site from a particular office network or a specific set of devices. Two caveats: IP ranges are a weak proxy for geographic location, and because the guest user never logs in, profile IP ranges do nothing for public pages; restricting unauthenticated traffic has to happen in front of Salesforce, for example at a CDN or WAF.
5. Monitoring and Auditing: Regularly monitor your Salesforce Experience Cloud site for suspicious activity and perform regular security audits to identify misconfigurations before someone else does. Native starting points are Security Health Check, Setup Audit Trail (who changed which profile, sharing rule, or site setting), Login History for member accounts, and Event Monitoring if your org has it; third-party security solutions that integrate with Salesforce can build on the same data. Re-run the guest user access review after every release, since new objects, fields, and Apex classes are easy to enable on the guest profile by accident. A great native tool is available here.
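The most common way a custom page leaks guest data is an Apex controller that runs without sharing and returns every field it selects. The following is an added example written for this post, not code from CCurrents or from the articles above; the class and method names are hypothetical, and it uses the standard Case object. The first class shows the leaky pattern, the second the hardened version that enforces record sharing, object permissions, and field-level security for whichever user (guest or member) calls it.

```apex
// Added example (not from the original post). Hypothetical class names.
// ANTI-PATTERN: runs as system, ignores the caller's sharing and FLS, and
// returns fields (Description, ContactId) an unauthenticated visitor should
// never see. Enabling this class on the guest profile exposes every open case.
public without sharing class LeakyCaseController {
    @AuraEnabled(cacheable=true)
    public static List<Case> getOpenCases() {
        return [SELECT Id, Subject, Description, ContactId
                FROM Case WHERE Status = 'New'];
    }
}

// HARDENED: three layers, each of which fails closed on its own.
//  1. `with sharing` applies the running user's record sharing; for the guest
//     user that is only what guest user sharing rules grant.
//  2. WITH USER_MODE makes the query itself enforce object and field
//     permissions; a field the user cannot read throws a QueryException
//     instead of silently returning data.
//  3. Security.stripInaccessible is the belt to that suspender: it removes any
//     field the caller cannot read before the records leave the server.
public with sharing class SitePublicCaseController {
    @AuraEnabled(cacheable=true)
    public static List<Case> getOpenCases() {
        List<Case> cases = [
            SELECT Id, CaseNumber, Subject, Status
            FROM Case
            WHERE Status = 'New'
            WITH USER_MODE
            LIMIT 50
        ];
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, cases);
        // getRemovedFields() is useful in a log line during review: it lists
        // every field that was selected but the caller was not allowed to read.
        return decision.getRecords();
    }
}
```

When you review a site, list the Apex classes enabled on the guest profile and check each one against this pattern; a class declared `without sharing`, or one that builds a SOQL string from page parameters without `WITH USER_MODE`, is a finding regardless of how harmless the page looks.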
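For the guest access review in item 1 and the recurring audit in item 5, it helps to have a query you can re-run after every release. The anonymous Apex below is an added example, not code from CCurrents or from the AppExchange package mentioned above; it assumes guest user profiles can be recognised by the "Guest User License" user license name, and it flags any object where a guest profile holds create, edit, delete, or view-all/modify-all permission.

```apex
// Added example (not from the original post). Run as anonymous Apex.
// Assumption: site guest user profiles carry the 'Guest User License'
// user license; adjust the filter if your org names it differently.
List<ObjectPermissions> perms = [
    SELECT Parent.Profile.Name, SobjectType,
           PermissionsRead, PermissionsCreate, PermissionsEdit,
           PermissionsDelete, PermissionsViewAllRecords,
           PermissionsModifyAllRecords
    FROM ObjectPermissions
    WHERE Parent.IsOwnedByProfile = true
      AND Parent.Profile.UserLicense.Name = 'Guest User License'
    ORDER BY Parent.Profile.Name, SobjectType
];

Integer findings = 0;
for (ObjectPermissions p : perms) {
    // Read access on a public object can be legitimate (e.g. Knowledge);
    // any write or "all records" permission for an anonymous visitor is
    // almost never intended and should be justified or removed.
    Boolean writes = p.PermissionsCreate || p.PermissionsEdit
                  || p.PermissionsDelete;
    Boolean viewAll = p.PermissionsViewAllRecords
                   || p.PermissionsModifyAllRecords;
    String flag = (writes || viewAll) ? 'REVIEW' : 'read-only';
    if (writes || viewAll) {
        findings++;
    }
    System.debug(flag + ' | ' + p.Parent.Profile.Name + ' | ' + p.SobjectType
        + ' | R=' + p.PermissionsRead + ' C=' + p.PermissionsCreate
        + ' E=' + p.PermissionsEdit + ' D=' + p.PermissionsDelete
        + ' ViewAll=' + p.PermissionsViewAllRecords
        + ' ModifyAll=' + p.PermissionsModifyAllRecords);
}
System.debug('Guest object permissions needing review: ' + findings);
```

The same approach works for FieldPermissions (swap in `Field` and `PermissionsRead`/`PermissionsEdit`) to catch sensitive fields, such as email or phone on Contact, that a guest profile can read even though the object itself looks harmless. Record-level exposure through guest user sharing rules is not visible in these tables, so pair this query with the AppExchange tool from item 1, which reports the records themselves.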
Hopefully this helps you improve the security of your Salesforce Experience Cloud. For a limited time, we’re also offering a free audit of Salesforce Experience Cloud instances. To take advantage of this offer, go to www.ccurrents.com/contact and use the code “XCLOUDMAY23” in your message.