Aug 20, 12:00 – 1:00 AM (UTC)
Salesforce User Group, Wellington, New Zealand
We’re bringing back Doug Merrett, global Salesforce security expert, for a deep dive into identifying and fixing common (and uncommon) security issues in your org.
Thanks so much for joining us for this very insightful session.
Celebrate: Alex C Agentblazer Innovator
Useful Links from Raksha:
Backup: Most Backup/Restore integration accounts cannot run under the Integration User Licence, as it does not have some needed permissions. They are 'free' until they need to access industry cloud objects; then they need a 'paid' PSL.
Weekly export is an option, but you can't really restore from it. It doesn't include metadata such as Apex Classes, Apex Triggers, and VF pages. It's highly unreliable & subject to resources being available: you have to clear jobs that never run, & some fields stop it from running if included.
I've got customers using DBAmp into a SQL Server instead. The one thing that DE does that I've not found a way to do in other methods is files & attachments.
Mark Barcham slide deck: https://trailblazercommunitygroups.com/events/details/salesforce-salesforce-user-group-wellington-new-zealand-presents-dont-panic-your-guide-to-backups-lets-network-lunch-talk-backups-with-merkle-mark-barcham/
SF Inspector Reloaded link from Jade:
Quick recap
The meeting focused on SF security best practices & recent updates to address social engineering threats, including changes to connected apps & authentication methods. Doug presented comprehensive guidance on securing Salesforce environments, covering topics like API access control, data protection, & user access management, & emphasizing the importance of regular security assessments & backups. It concluded with a demonstration of API access control configuration & discussions of Chrome extension risks.
All attendees
Inform staff that no one from IT will ask them to assist in installing an app into Salesforce, & to report such requests
Implement API Access Control to mitigate security risks from connected apps
Review Salesforce Health Check & improve security score
Ensure all external sharing or wide defaults are set to private unless absolutely necessary
Limit system admins to 3-5 people
Set up regular data backups, at minimum using the weekly export feature
Develop & practice a security incident response playbook
Educate users on cybersecurity best practices, particularly regarding outdated operating systems & browsers
Consider implementing IP restrictions to limit access to corporate networks
Push back on third parties requesting system admin access for integrations
Use data masking tools for sandbox environments
Delete data that is not providing business benefit
Use the User Access Report app from the App Exchange, especially for communities
Implement the Own data backup solution
Review & fix any security issues identified in code scans, particularly SOQL injections & cross-site scripting vulnerabilities
Consider using single sign-on for larger companies
Consider implementing NIST cybersecurity framework for security guidance
Verify who needs access to connected apps and pre-authorize them through perm sets before enabling API Access Control
Consider downloading source code for Chrome extensions like Salesforce Inspector Reloaded & implementing it themselves for better security control
Review how to use Salesforce Inspector with a connected app for improved security
Administrators:
Log a tech support ticket to enable API access control
Review all connected apps & either block or install them appropriately
Set up perm sets for approved connected apps
Summary
Salesforce Security Updates and Best Practices
Doug presented on SF security, focusing on the shared responsibility model where SF handles infrastructure security while customers manage field-level security. He discussed recent social engineering attacks against multiple companies & announced SF's upcoming changes to mitigate these threats, including restricting uninstalled connected apps & removing device flow authentication from Data Loader. He recommended using Salesforce's Security Center, conducting regular code scans, & performing health checks to assess & improve security, noting that most SF communities have incorrect configurations that expose risks. He discussed security best practices for SF, emphasizing the importance of API access control, limiting external sharing, & using Lightning Login for passwordless access. He advised against broad sharing rules & highlighted the risks of SOQL injections, cross-site scripting, & sharing violations. He recommended using single sign-on, IP restrictions, & SF's event monitoring tool with transaction security policies to protect data. He also stressed the need to classify fields as PII & use integration user licenses instead of system admin access for third-party integrations. Anna agreed that pushing back on unnecessary system admin access for 3rd party apps is crucial.
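To make the SOQL injection and sharing-violation risks from the summary concrete, here is an added Apex illustration (not code from the session or from Salesforce): one Contact lookup written first with user input concatenated into dynamic SOQL, then in two hardened forms that use bind variables and run in user mode. The class name, method names and the Contact fields queried are assumptions chosen for the example; `Database.queryWithBinds` and `WITH USER_MODE` need a recent API version (Spring '23 or later).

```apex
// Added illustration, not from the talk: the same Contact lookup three ways.
public with sharing class ContactSearch {

    // VULNERABLE: the caller-supplied value is concatenated straight into
    // dynamic SOQL, so a crafted value can rewrite the WHERE clause and the
    // query returns rows the caller was never meant to see. This is what a
    // code scan flags as SOQL injection.
    public static List<Contact> searchUnsafe(String lastName) {
        String soql = 'SELECT Id, Name, Email FROM Contact WHERE LastName = \''
                    + lastName + '\'';
        return Database.query(soql);
    }

    // HARDENED (preferred): a static query with a bind variable. The value is
    // never parsed as SOQL, and WITH USER_MODE enforces the running user's
    // object, field and record access, which is the sharing check the
    // summary refers to.
    public static List<Contact> searchSafe(String lastName) {
        return [SELECT Id, Name, Email FROM Contact
                WHERE LastName = :lastName
                WITH USER_MODE];
    }

    // HARDENED (when the query must be built dynamically): keep the input out
    // of the query string entirely and pass it through a bind map, again
    // running in user mode so field- and record-level security still apply.
    public static List<Contact> searchDynamicSafe(String lastName) {
        String soql = 'SELECT Id, Name, Email FROM Contact WHERE LastName = :ln';
        Map<String, Object> binds = new Map<String, Object>{ 'ln' => lastName };
        return Database.queryWithBinds(soql, binds, AccessLevel.USER_MODE);
    }
}
```

The practical check when reviewing scan findings is whether any user-controlled string reaches `Database.query` by concatenation; if it does, move the value into a bind variable (or, at minimum, wrap it in `String.escapeSingleQuotes`), and confirm the class is `with sharing` or the query runs `WITH USER_MODE` so that fixing the injection does not leave a sharing violation behind.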
Data Security and Backup Strategies
Doug emphasized the importance of data masking in sandbox environments to protect against data breaches, using tools like SF's data mask or cloud compliance tools. He advised reducing the number of system admins to 3-5 & using the User Access Report app for better user access control. He also highlighted the need for regular data backups, suggesting SF's backup tool or Odaseva & addressed Stephen's concern about Salesforce's data corruption issue in NPSP, recommending tracking change history & maintaining regular backups.
Doug discussed data security and privacy in SF, emphasizing the importance of tracking user consent for data usage & addressing embedded PII issues. He highlighted the need for improving security awareness among users by educating them on cyber security best practices & upgrading outdated devices. He also stressed the importance of having a cybersecurity playbook in place to handle potential breaches or system failures, & recommended using tools like CICD for continuous security checks in development cycles.
Government Reference and Integration Demo
Doug shared an American Government publication for reference & encouraged participants to review it for future guidance. He demoed system integration & security, after addressing a query about checking system impact from a database issue. Doug advised he would cover this in the upcoming demo. Hilde raised concerns about adapting SF's nonprofit package for her org, & Doug suggested leveraging online communities & SF support for guidance. Stephen offered to assist Hilde further. Shane inquired about Slack-Salesforce integration security & Doug acknowledged limited knowledge but suggested seeking answers in SF community groups.
Salesforce API Access Control Overview
Doug demonstrated how to configure & use API access control in SF to manage connected apps & user permissions. He showed that without API access control enabled, any user could install & access connected apps, potentially compromising data. With API access control enabled, admins can block or install apps, manage policies, & grant access to specific users through profiles or perm sets. He emphasized the importance of reviewing & managing existing connected apps before activating API access control.
Chrome Extensions Security Risks
Doug discussed the risks & security concerns associated with using Chrome extensions. He advised against using them due to their potential access to sensitive data & the risk of supply chain attacks. Instead, he recommended using connected apps with OAuth flows for better control & security. If an org chooses SF Inspector Reloaded, it should download the source code & implement it itself to have full control over the deployment.
API Access Control and Inspector
The meeting focused on API access control & SF Inspector usage. Doug explained how to use API access control & shared documentation links, while Jade provided info about using Salesforce Inspector with connected apps to limit access. Anna & Raksha confirmed they would share links & chat summaries, noting the session had good international participation with circa 50/80 registered attendees joining.
Join us for an exclusive virtual session with Doug Merrett, a renowned Salesforce Security expert from Melbourne, as we delve into the crucial aspects of digital security for your Salesforce organization. In light of recent social engineering incidents and data breaches, securing your org has never been more essential. Doug will provide a practical deep dive into the often-overlooked elements of Salesforce security, moving beyond the basics to explore the four pivotal stages of security.
Learn how to:
🔍 Identify if your org has security issues
❗ Understand the importance of these issues
🛠️ Address and rectify them using mostly standard Salesforce capabilities
🔐 Benefit from a quick demo of powerful features like API Access Control
Discover why security is a continuous, evolving process rather than a one-time task and how you can stay proactive in protecting your org. Don't miss out on this opportunity to enhance your knowledge and safeguard your data. RSVP now to secure your spot!
Platinum7
Founder | Principal Consultant