Salesforce Security Best Practices for 2025
Essential security configurations and practices to protect your Salesforce org and sensitive data.
Salesforce security isn't just about preventing breaches—it's about protecting your customers' trust, maintaining compliance, and ensuring your team has exactly the access they need.
1. Implement the Principle of Least Privilege
Users should have the minimum permissions necessary to do their jobs—nothing more. Start by auditing your current profiles and permission sets. How many users have "View All Data" or "Modify All Data"? Unless they're admins, they probably shouldn't.
2. Use Permission Sets Instead of Profiles
Salesforce is moving toward a permission set-based model, and you should too. Permission sets are more flexible, easier to audit, and allow you to grant access incrementally.
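A concrete way to act on sections 1 and 2 is to pull the permission sets that carry "View All Data" or "Modify All Data" (profiles are represented as profile-owned permission sets) and join them to their assignments, so you see not only who holds the permission but whether it arrived via a profile or via a permission set. The script below is an added example, not code from the original article; the records, IDs, usernames and the admin-profile allowlist are constructed, shaped like the JSON the Salesforce REST query endpoint returns for the SOQL shown in the docstring.

```python
"""Audit who holds org-wide "View All Data" / "Modify All Data" and where the
grant comes from (profile vs. permission set).

Added example; not code from the article. It works on query results in the
shape returned by the Salesforce REST query endpoint, constructed inline so it
runs offline. The queries that would produce such records (assumed to be run
separately, for instance with `sf data query`) are:

  SELECT Id, Label, IsOwnedByProfile, Profile.Name,
         PermissionsViewAllData, PermissionsModifyAllData
  FROM PermissionSet
  WHERE PermissionsViewAllData = true OR PermissionsModifyAllData = true

  SELECT AssigneeId, Assignee.Username, PermissionSetId
  FROM PermissionSetAssignment
  WHERE PermissionSetId IN (<ids from the first query>)
"""
from collections import defaultdict

# Constructed sample: two profile-owned permission sets and one standalone
# permission set grant broad access.
PERMISSION_SETS = {
    "records": [
        {"Id": "0PS01", "Label": "System Administrator", "IsOwnedByProfile": True,
         "Profile": {"Name": "System Administrator"},
         "PermissionsViewAllData": True, "PermissionsModifyAllData": True},
        {"Id": "0PS02", "Label": "Custom Sales Profile", "IsOwnedByProfile": True,
         "Profile": {"Name": "Custom Sales Profile"},
         "PermissionsViewAllData": True, "PermissionsModifyAllData": False},
        {"Id": "0PS03", "Label": "Legacy Reporting Access", "IsOwnedByProfile": False,
         "Profile": None,
         "PermissionsViewAllData": True, "PermissionsModifyAllData": True},
    ]
}
# Constructed sample assignments (profile-owned sets also appear here).
ASSIGNMENTS = {
    "records": [
        {"AssigneeId": "005A", "Assignee": {"Username": "admin@example.com"}, "PermissionSetId": "0PS01"},
        {"AssigneeId": "005B", "Assignee": {"Username": "rep1@example.com"}, "PermissionSetId": "0PS02"},
        {"AssigneeId": "005C", "Assignee": {"Username": "rep2@example.com"}, "PermissionSetId": "0PS02"},
        {"AssigneeId": "005C", "Assignee": {"Username": "rep2@example.com"}, "PermissionSetId": "0PS03"},
    ]
}

# Assumed allowlist: profiles that are expected to carry these permissions.
ADMIN_PROFILES = {"System Administrator"}


def broad_grants(permission_sets):
    """Map PermissionSet Id -> the broad permissions it grants and their source."""
    grants = {}
    for ps in permission_sets["records"]:
        perms = [name for name, flag in (("ViewAllData", ps["PermissionsViewAllData"]),
                                         ("ModifyAllData", ps["PermissionsModifyAllData"])) if flag]
        if not perms:
            continue
        if ps["IsOwnedByProfile"]:
            source = f"profile '{ps['Profile']['Name']}'"
            allowlisted = ps["Profile"]["Name"] in ADMIN_PROFILES
        else:
            source = f"permission set '{ps['Label']}'"
            allowlisted = False  # standalone sets are always reported for review
        grants[ps["Id"]] = {"perms": perms, "source": source, "allowlisted": allowlisted}
    return grants


def audit(permission_sets, assignments):
    """Return {username: [finding, ...]} for users who hold a broad permission
    through any grant that is not on the admin-profile allowlist."""
    grants = broad_grants(permission_sets)
    findings = defaultdict(list)
    for a in assignments["records"]:
        grant = grants.get(a["PermissionSetId"])
        if grant is None or grant["allowlisted"]:
            continue
        findings[a["Assignee"]["Username"]].append(
            f"{'+'.join(grant['perms'])} via {grant['source']}")
    return dict(findings)


if __name__ == "__main__":
    for user, items in sorted(audit(PERMISSION_SETS, ASSIGNMENTS).items()):
        print(user)
        for item in items:
            print("  -", item)
```

On the constructed data the admin is silent, rep1 is flagged because a custom profile quietly carries "View All Data", and rep2 is flagged twice: once through that profile and once through a forgotten permission set that also grants "Modify All Data". The "via" column is what makes the migration to permission sets in section 2 tractable, since it tells you which grants live in profiles and still need to be moved.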
3. Enable Multi-Factor Authentication (MFA)
As of 2024, Salesforce requires MFA for all users. But "enabled" isn't the same as "enforced." Make sure MFA is actually required at login, not just available as an option.
4. Review Sharing Rules and OWD Settings
Your Organization-Wide Defaults (OWD) set the baseline for data access. They should be as restrictive as possible, with sharing rules opening access only where needed.
5. Audit Field-Level Security
Just because someone can see a record doesn't mean they should see every field on it. Sensitive fields like SSN, salary, or health information should be hidden from most users.
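Field-level security is additive: a user can read a field if any permission set assigned to them (the profile-owned one included) has a FieldPermissions row granting read, and a field with no row at all is hidden. That means an FLS audit has to compute each user's effective access across all of their assignments rather than look at one profile. The script below does that for a short list of sensitive fields; it is an added example, not code from the article, and the custom field names, permission set IDs, usernames and approved-reader list are constructed.

```python
"""Compute each user's effective field-level security (FLS) for a set of
sensitive fields and flag who can read them.

Added example; not code from the article. FLS is additive across a user's
assigned permission sets, so the highest level from any assignment wins.
Records are constructed to mirror the shape of results from queries such as:

  SELECT ParentId, Field, PermissionsRead, PermissionsEdit
  FROM FieldPermissions
  WHERE Field IN ('Contact.SSN__c', 'Contact.Salary__c', 'Contact.Health_Notes__c')

  SELECT Assignee.Username, PermissionSetId FROM PermissionSetAssignment
"""

# Assumed custom fields that hold sensitive data.
SENSITIVE_FIELDS = ["Contact.SSN__c", "Contact.Salary__c", "Contact.Health_Notes__c"]
LEVELS = {"hidden": 0, "read": 1, "edit": 2}

# Constructed FieldPermissions rows. ParentId is the granting PermissionSet;
# a permission set with no row for a field does not expose it.
FIELD_PERMISSIONS = [
    {"ParentId": "0PS01", "Field": "Contact.SSN__c", "PermissionsRead": True, "PermissionsEdit": True},
    {"ParentId": "0PS01", "Field": "Contact.Salary__c", "PermissionsRead": True, "PermissionsEdit": True},
    {"ParentId": "0PS01", "Field": "Contact.Health_Notes__c", "PermissionsRead": True, "PermissionsEdit": False},
    {"ParentId": "0PS10", "Field": "Contact.Salary__c", "PermissionsRead": True, "PermissionsEdit": False},
    {"ParentId": "0PS11", "Field": "Contact.SSN__c", "PermissionsRead": True, "PermissionsEdit": False},
]
# Constructed assignments: 0PS01 is the admin profile, 0PS05 a sales profile
# with no rows for these fields, 0PS10/0PS11 extra permission sets.
ASSIGNMENTS = [
    {"Assignee": {"Username": "admin@example.com"}, "PermissionSetId": "0PS01"},
    {"Assignee": {"Username": "rep1@example.com"}, "PermissionSetId": "0PS05"},
    {"Assignee": {"Username": "rep2@example.com"}, "PermissionSetId": "0PS05"},
    {"Assignee": {"Username": "rep2@example.com"}, "PermissionSetId": "0PS10"},
    {"Assignee": {"Username": "rep2@example.com"}, "PermissionSetId": "0PS11"},
]
# Assumed: the users who are expected to see these fields at all.
APPROVED_READERS = {"admin@example.com"}


def grant_level(fp):
    """Translate one FieldPermissions row into an access level."""
    if fp["PermissionsEdit"]:
        return "edit"
    if fp["PermissionsRead"]:
        return "read"
    return "hidden"


def effective_fls(field_permissions, assignments):
    """Return {username: {field: 'hidden'|'read'|'edit'}} for the sensitive
    fields, taking the highest level from any assigned permission set."""
    by_parent = {}
    for fp in field_permissions:
        by_parent.setdefault(fp["ParentId"], {})[fp["Field"]] = grant_level(fp)
    access = {}
    for a in assignments:
        user = a["Assignee"]["Username"]
        fields = access.setdefault(user, {f: "hidden" for f in SENSITIVE_FIELDS})
        for field, level in by_parent.get(a["PermissionSetId"], {}).items():
            if field in fields and LEVELS[level] > LEVELS[fields[field]]:
                fields[field] = level
    return access


def unexpected_readers(field_permissions, assignments):
    """List (username, field, level) for non-approved users with any access."""
    findings = []
    for user, fields in sorted(effective_fls(field_permissions, assignments).items()):
        if user in APPROVED_READERS:
            continue
        for field, level in fields.items():
            if level != "hidden":
                findings.append((user, field, level))
    return findings


if __name__ == "__main__":
    for user, field, level in unexpected_readers(FIELD_PERMISSIONS, ASSIGNMENTS):
        print(f"{user} can {level} {field}")
```

Here rep1 sees nothing, because the sales profile has no rows for these fields, while rep2, on the same profile, can read both the SSN and salary fields through two add-on permission sets. That is the failure mode section 5 warns about: record access and profile alone look fine, and the exposure only appears once every assignment is folded in.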
6. Monitor Login History and Setup Audit Trail
Salesforce provides built-in tools to track who's logging in and what configuration changes they're making. Use them. Set up alerts for suspicious activity.
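"Set up alerts for suspicious activity" is easier to act on with a concrete detection in hand. The script below runs three simple checks over exported Login History and Setup Audit Trail records: a burst of failed logins from one source IP, a successful login from an IP not in the user's baseline (especially right after such a burst), and configuration changes in security-relevant Setup sections made off-hours or by someone outside the approving group. It is an added example, not code from the article; the records, IP baseline, thresholds, business-hours window, watched sections and approver list are all constructed assumptions to tune for your org.

```python
"""Simple detections over Login History and Setup Audit Trail exports.

Added example; not code from the article. Records are constructed inline in
the shape of results from:

  SELECT UserId, LoginTime, SourceIp, Status, LoginType FROM LoginHistory
  SELECT CreatedDate, CreatedBy.Username, Action, Section, Display
  FROM SetupAuditTrail

Thresholds, the known-IP baseline, business hours (UTC), watched sections and
the approver list are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                 # failures from one IP ...
FAIL_WINDOW = timedelta(minutes=10)  # ... inside this window count as a burst
KNOWN_IPS = {"005A": {"203.0.113.10"}, "005B": {"203.0.113.11"}}  # assumed baseline
BUSINESS_HOURS_UTC = range(8, 18)
WATCHED_SECTIONS = {"Manage Users", "Security Controls"}  # assumed section names
CHANGE_APPROVERS = {"admin@example.com"}

# Constructed sample: five failures in five minutes, then a success from the
# same, previously unseen, IP for user 005B.
LOGINS = [
    {"UserId": "005A", "LoginTime": "2025-03-03T08:05:00.000+0000", "SourceIp": "203.0.113.10", "Status": "Success", "LoginType": "Application"},
    {"UserId": "005B", "LoginTime": "2025-03-03T02:11:00.000+0000", "SourceIp": "198.51.100.7", "Status": "Failed: Invalid Password", "LoginType": "Application"},
    {"UserId": "005B", "LoginTime": "2025-03-03T02:12:00.000+0000", "SourceIp": "198.51.100.7", "Status": "Failed: Invalid Password", "LoginType": "Application"},
    {"UserId": "005B", "LoginTime": "2025-03-03T02:13:00.000+0000", "SourceIp": "198.51.100.7", "Status": "Failed: Invalid Password", "LoginType": "Application"},
    {"UserId": "005B", "LoginTime": "2025-03-03T02:14:00.000+0000", "SourceIp": "198.51.100.7", "Status": "Failed: Invalid Password", "LoginType": "Application"},
    {"UserId": "005B", "LoginTime": "2025-03-03T02:15:00.000+0000", "SourceIp": "198.51.100.7", "Status": "Failed: Invalid Password", "LoginType": "Application"},
    {"UserId": "005B", "LoginTime": "2025-03-03T02:16:00.000+0000", "SourceIp": "198.51.100.7", "Status": "Success", "LoginType": "Application"},
    {"UserId": "005A", "LoginTime": "2025-03-03T09:00:00.000+0000", "SourceIp": "203.0.113.10", "Status": "Success", "LoginType": "Application"},
]
# Constructed Setup Audit Trail rows (Action codes and Display text invented).
SETUP_TRAIL = [
    {"CreatedDate": "2025-03-03T14:02:00.000+0000", "CreatedBy": {"Username": "admin@example.com"}, "Action": "createdUser", "Section": "Manage Users", "Display": "Created user rep3@example.com"},
    {"CreatedDate": "2025-03-03T23:30:00.000+0000", "CreatedBy": {"Username": "admin@example.com"}, "Action": "sessionSettings", "Section": "Security Controls", "Display": "Changed session timeout value"},
    {"CreatedDate": "2025-03-03T15:10:00.000+0000", "CreatedBy": {"Username": "rep2@example.com"}, "Action": "PermSetAssign", "Section": "Manage Users", "Display": "Assigned permission set Legacy Reporting Access to rep2@example.com"},
    {"CreatedDate": "2025-03-03T10:00:00.000+0000", "CreatedBy": {"Username": "rep1@example.com"}, "Action": "changedFieldLabel", "Section": "Customize Opportunities", "Display": "Changed field label"},
]


def parse_ts(value):
    """Salesforce datetimes look like 2025-03-03T02:11:00.000+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def login_findings(logins):
    """Return (kind, ...) tuples for bursts of failures, logins from unknown
    IPs, and successes that follow a burst from the same IP."""
    findings = []
    recent_failures = defaultdict(list)  # SourceIp -> failure timestamps in window
    for rec in sorted(logins, key=lambda r: r["LoginTime"]):
        ts, ip, user = parse_ts(rec["LoginTime"]), rec["SourceIp"], rec["UserId"]
        failures = [t for t in recent_failures[ip] if ts - t <= FAIL_WINDOW]
        if rec["Status"] != "Success":
            failures.append(ts)
            if len(failures) == FAIL_THRESHOLD:  # report once per burst
                findings.append(("failed-login-burst", ip, FAIL_THRESHOLD))
        else:
            if ip not in KNOWN_IPS.get(user, set()):
                findings.append(("login-from-new-ip", user, ip))
            if len(failures) >= FAIL_THRESHOLD:
                findings.append(("success-after-failures", user, ip))
        recent_failures[ip] = failures
    return findings


def setup_findings(trail):
    """Flag watched-section changes made by non-approvers or outside hours."""
    findings = []
    for rec in trail:
        if rec["Section"] not in WATCHED_SECTIONS:
            continue
        who, ts = rec["CreatedBy"]["Username"], parse_ts(rec["CreatedDate"])
        if who not in CHANGE_APPROVERS:
            findings.append(("unapproved-security-change", who, rec["Display"]))
        elif ts.hour not in BUSINESS_HOURS_UTC:
            findings.append(("off-hours-security-change", who, rec["Display"]))
    return findings


if __name__ == "__main__":
    for finding in login_findings(LOGINS) + setup_findings(SETUP_TRAIL):
        print(*finding, sep=" | ")
```

The constructed data produces three login findings (the burst, the success from an unknown IP, and the success landing right after the burst) and two Setup findings (an off-hours session-setting change by an approver, and a permission set self-assignment by a non-approver). In practice you would schedule the queries, feed the records into logic like this, and route findings to whatever alerting you already run.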
7. Secure Your Integrations
Connected apps and API integrations often have broader access than individual users. Review your connected apps regularly and revoke access for anything no longer in use.
8. Implement Session Security Settings
Configure appropriate session timeout values—not too short (frustrating users) but not too long (leaving sessions vulnerable).
9. Use Salesforce Shield for Sensitive Data
If you handle particularly sensitive data, consider Salesforce Shield. It provides platform encryption, event monitoring, and field audit trail capabilities.
10. Run Regular Security Health Checks
Salesforce provides a built-in Security Health Check that compares your settings against baseline recommendations. Run it monthly and address any high-risk findings immediately.
Security Is Ongoing
Security isn't a one-time project—it's an ongoing practice. Build security reviews into your regular operations, and consider an independent audit to identify gaps you might have missed.