Marketing Cloud Security Part 1: A Comprehensive Guide to Access Control

Data security is a first-order concern when developing or implementing any application, and Salesforce Marketing Cloud ships with a set of controls to support it. These settings can be classified into three categories:
  • Access to Platform/marketing cloud instance
  • Data access
  • Data visibility
The diagram below gives a high-level overview of these security layers around your data.


Access to Platform/marketing cloud instance

The first layer of data security is controlling who can reach the instance at all. Salesforce Marketing Cloud provides the following controls for managing user authentication and access rights; applied together, they make sure that a single stolen password is not enough to get an attacker in:

1. Multi-Factor Authentication (MFA)

Multi-Factor Authentication is an added layer of security that limits the damage when user credentials are compromised: a phished or reused password alone no longer grants access. With MFA, users must present an additional verification factor, such as a code from an authenticator app or a physical security key, along with their username and password. Salesforce Marketing Cloud supports Salesforce Authenticator, third-party TOTP apps such as Google Authenticator and Microsoft Authenticator, and security keys such as YubiKey. Note that MFA protects interactive logins to the marketing cloud instance; API integrations authenticate separately (see section 7) and need their own controls.

Refer to Salesforce help documentation here for further details.

2. Single Sign-On (SSO)

Single Sign-On improves the user experience and centralizes authentication. Salesforce Marketing Cloud can be configured against any identity provider that speaks SAML 2.0. With SSO, users log in to the marketing cloud with their existing corporate credentials, so there is one less set of usernames and passwords to manage, and joiner/leaver changes take effect in one place. Two caveats: once logins go through the IdP, MFA enforcement effectively moves there too, so confirm the IdP policy actually requires a second factor for this application; and the SAML trust rests on the IdP signing certificate configured in Marketing Cloud, so track its expiry and keep at least one MFA-protected administrator who can still log in directly if the IdP is unavailable.

Refer to Salesforce help documentation here for further details. 

3. Login IP Whitelisting

Restricting logins by IP address adds an extra layer of protection. By specifying approved IP ranges, you limit interactive access to your instance to trusted networks, for example the corporate VPN egress addresses. Any login attempt from an address outside the approved ranges is denied, and repeated attempts from unknown addresses are worth investigating in the access audit log (see section 8). Keep the ranges tight and reviewed: an overly broad range (or a stale one left over from a previous office or provider) quietly weakens the control.

 Refer to Salesforce help documentation here for further details.

4. Password Policies

Implementing strong password policies is crucial to prevent unauthorized access. Salesforce Marketing Cloud allows you to set password requirements, including minimum length, character complexity, password history (so recent passwords cannot be reused), and expiration periods. Enforcing strong password practices, such as requiring a mix of alphanumeric characters and special symbols, reduces the risk of password-related breaches. Two caveats: these policies govern only direct password logins, so under SSO the identity provider's policy applies; and current NIST guidance (SP 800-63B) favors length and screening against known-breached passwords over mandatory periodic rotation, so weigh short expiration periods against the reset and lockout load they create.

Refer to Salesforce help documentation here for further details.

5. Identity Validation

Identity validation (Salesforce calls the setting Identity Verification) adds an additional check for logins from a browser the platform has not seen before: the user must enter a one-time verification code sent to their registered email address before the session is established. This raises the bar for an attacker who has only a username and password. Its strength depends on the registered mailbox being trustworthy, so it complements rather than replaces MFA.

Refer to Salesforce help documentation here for further details


6. Session Settings

Controlling session duration is vital for data security. Salesforce Marketing Cloud lets you set how long a session stays active without any activity. Set a session timeout period, such as 20 minutes, so that users are logged out automatically after a period of inactivity; this reduces the risk of an unattended or forgotten session being used by someone else. The timeout applies to interactive sessions in the web application; API tokens have their own, separate lifetime (see section 7).

Refer to Salesforce help documentation here for further details.

7. Basic/OAuth Authentication for API Access

For accessing the marketing cloud via APIs, Salesforce supports OAuth 2.0 and the legacy username/password method. OAuth 2.0 is the recommended approach: an installed package is issued a client ID and secret, exchanges them for a short-lived bearer token via the client-credentials grant, and uses that token for REST and SOAP calls, so no user password is sent with requests. The platform also still accepts the traditional username/password header on SOAP requests for an API-enabled user. Prefer OAuth wherever possible, grant the package only the scopes and business units it needs, keep the client secret in a secrets manager and rotate it, and treat any remaining username/password integrations as accounts to monitor and retire.

Refer to Salesforce help documentation here for further details.
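The token exchange described above, as an added example that is not code from the original post or from Salesforce: it performs the OAuth 2.0 client-credentials request against the installed-package auth endpoint, caches the token until shortly before it expires, and builds a SOAP envelope that carries the token in the `fueloauth` header next to the legacy WS-Security username/password header for comparison. The endpoint path, request and response field names and the SOAP headers are the documented ones; the subdomain, client credentials, MID and the canned token response are constructed placeholders, and the transport is swapped for a fake so the demo runs offline.

```python
"""Added example: Marketing Cloud API authentication with OAuth 2.0 client
credentials, plus the legacy SOAP username/password header for contrast.
Subdomain, client id/secret, MID and the canned token response are
constructed placeholders; the HTTP transport is injectable so that the
demo runs without network access."""
import json
import time
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional
from xml.sax.saxutils import escape


def token_url(subdomain: str) -> str:
    """Auth base URI of an installed package; the subdomain is per tenant."""
    return f"https://{subdomain}.auth.marketingcloudapis.com/v2/token"


def token_request(client_id: str, client_secret: str, account_id: Optional[str] = None) -> dict:
    """Client-credentials grant body; account_id (the MID) selects the business unit."""
    body = {"grant_type": "client_credentials", "client_id": client_id, "client_secret": client_secret}
    if account_id:
        body["account_id"] = account_id
    return body


def http_post_json(url: str, body: dict) -> dict:
    """Real network transport (not used by the offline demo)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


@dataclass
class TokenCache:
    """Fetches a v2 token and reuses it until shortly before expires_in elapses."""
    subdomain: str
    client_id: str
    client_secret: str
    account_id: Optional[str] = None
    post: Callable[[str, dict], dict] = http_post_json
    clock: Callable[[], float] = time.time
    refresh_margin: float = 60.0   # refresh early so a long batch does not hit 401 mid-run
    fetches: int = 0               # how many token requests were made (for the demo)
    _token: Optional[dict] = None
    _expires_at: float = 0.0

    def get(self) -> dict:
        if self._token is None or self.clock() >= self._expires_at - self.refresh_margin:
            resp = self.post(token_url(self.subdomain),
                             token_request(self.client_id, self.client_secret, self.account_id))
            # Validate the response before trusting it: every field we rely on must be present.
            for key in ("access_token", "expires_in", "rest_instance_url", "soap_instance_url"):
                if key not in resp:
                    raise ValueError(f"token response missing {key!r}")
            if str(resp.get("token_type", "Bearer")).lower() != "bearer":
                raise ValueError(f"unexpected token_type {resp['token_type']!r}")
            self._token = resp
            self._expires_at = self.clock() + float(resp["expires_in"])
            self.fetches += 1
        return self._token

    def rest_headers(self) -> dict:
        """Authorization header for REST calls against rest_instance_url."""
        return {"Authorization": f"Bearer {self.get()['access_token']}",
                "Content-Type": "application/json"}


SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
PW_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"


def soap_envelope_oauth(access_token: str, body_xml: str) -> str:
    """Recommended: the short-lived token rides in a fueloauth header; no password leaves the client."""
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Header>'
            f'<fueloauth xmlns="http://exacttarget.com">{escape(access_token)}</fueloauth>'
            f'</s:Header><s:Body>{body_xml}</s:Body></s:Envelope>')


def soap_envelope_legacy(username: str, password: str, body_xml: str) -> str:
    """Legacy: a WS-Security UsernameToken sends the API user's password in every request."""
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Header>'
            f'<wsse:Security s:mustUnderstand="1" xmlns:wsse="{WSSE_NS}"><wsse:UsernameToken>'
            f'<wsse:Username>{escape(username)}</wsse:Username>'
            f'<wsse:Password Type="{PW_TEXT}">{escape(password)}</wsse:Password>'
            f'</wsse:UsernameToken></wsse:Security>'
            f'</s:Header><s:Body>{body_xml}</s:Body></s:Envelope>')


# Constructed token response; its shape follows the documented v2/token reply.
FAKE_TOKEN_RESPONSE = {
    "access_token": "eyJhbGciOi.example.token", "token_type": "Bearer", "expires_in": 1080,
    "scope": "email_read email_write",
    "rest_instance_url": "https://mc-example.rest.marketingcloudapis.com/",
    "soap_instance_url": "https://mc-example.soap.marketingcloudapis.com/",
}


class FakeClock:
    """Controllable clock so the demo can fast-forward through the token lifetime."""
    def __init__(self, now: float = 0.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


def demo() -> tuple:
    """Token requests made: after first use, after 15 min (cached), after 17.5 min (refreshed)."""
    clock = FakeClock()
    cache = TokenCache("mc-example", "client-id", "client-secret", account_id="123456",
                       post=lambda url, body: dict(FAKE_TOKEN_RESPONSE), clock=clock)
    cache.rest_headers()
    first = cache.fetches
    clock.now = 900      # still inside the 1080 s lifetime: token is reused
    cache.rest_headers()
    second = cache.fetches
    clock.now = 1050     # inside the 60 s refresh margin: a new token is fetched
    cache.rest_headers()
    third = cache.fetches
    return first, second, third


if __name__ == "__main__":
    print(demo())
    print(soap_envelope_oauth(FAKE_TOKEN_RESPONSE["access_token"], "<RetrieveRequestMsg/>"))
```

The refresh margin is the practical detail most integrations get wrong: a token that is valid when a batch starts can expire halfway through, so refreshing a minute early is cheaper than retrying on 401. Note also how the legacy envelope carries the password in every request, which is why it should be confined to an API-only user and retired in favour of the package token.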
 

8. Audit Trail

Maintaining an audit trail is essential for monitoring and analyzing user activity on the platform. Salesforce Marketing Cloud provides two types of audit logs: the Activity audit log (what users did in the platform) and the Access audit log (logins and other access events). Audit logging is enabled and collected at the parent-level (top) business unit. By reviewing these logs regularly, administrators can identify suspicious activity or potential breaches, for example a successful login from an address outside the approved IP ranges or a burst of failed logins against one user. You can retrieve the logs either through an Automation Studio data extract or the REST API; export them on a schedule into the SIEM or log store your security team already monitors, so that retention and alerting do not depend on what the platform itself keeps.

Refer to Salesforce help documentation here for further details. 
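A triage pass over access audit records, as an added example that is not code from the original post or from Salesforce. It ties section 3 and section 8 together: it checks every successful login against the approved IP ranges (a successful login from outside them means the whitelist is missing, too broad or was changed) and it flags bursts of failed logins against a single user, noting whether a success followed the burst. The record fields (timestamp, user, client_ip, event, success) and the sample rows are constructed for the demo; map them onto the columns your access-log extract or REST payload actually provides.

```python
"""Added example: detection logic over constructed Marketing Cloud access audit
records.  Field names and sample rows are constructed; approved ranges use
RFC 5737 documentation addresses as placeholders."""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-ins for the login IP whitelist configured in section 3.
APPROVED_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed access-log extract: one login/logout event per row.
SAMPLE_ACCESS_LOG = """timestamp,user,client_ip,event,success
2024-03-05T08:01:12Z,alice,203.0.113.10,Login,true
2024-03-05T08:03:40Z,bob,198.51.100.200,Login,true
2024-03-05T08:10:02Z,carol,192.0.2.77,Login,false
2024-03-05T08:10:31Z,carol,192.0.2.77,Login,false
2024-03-05T08:11:05Z,carol,192.0.2.77,Login,false
2024-03-05T08:11:39Z,carol,192.0.2.77,Login,false
2024-03-05T08:12:10Z,carol,192.0.2.77,Login,false
2024-03-05T08:12:44Z,carol,192.0.2.77,Login,true
2024-03-05T09:15:00Z,dave,203.0.113.22,Login,false
2024-03-05T09:40:00Z,dave,203.0.113.22,Login,false
2024-03-05T09:41:00Z,dave,203.0.113.22,Login,true
2024-03-05T10:02:00Z,alice,203.0.113.10,Logout,true
"""


def parse_access_log(text: str) -> list:
    """Parse the CSV extract into typed records (UTC timestamps, bool success, ip objects)."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "timestamp": datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00")),
            "user": row["user"],
            "client_ip": ipaddress.ip_address(row["client_ip"]),
            "event": row["event"],
            "success": row["success"].strip().lower() == "true",
        })
    return sorted(events, key=lambda e: e["timestamp"])


def ip_allowed(ip) -> bool:
    """True when the address falls inside one of the approved ranges (IPv4 or IPv6)."""
    return any(ip.version == net.version and ip in net for net in APPROVED_RANGES)


def find_out_of_range_logins(events: list) -> list:
    """Successful logins from outside the whitelist: the control should have blocked these."""
    return [e for e in events
            if e["event"] == "Login" and e["success"] and not ip_allowed(e["client_ip"])]


def find_failed_login_bursts(events: list, threshold: int = 5,
                             window: timedelta = timedelta(minutes=10)) -> list:
    """Users with >= threshold failed logins inside one window; records whether a
    success followed the burst within the same window (a password-guessing win)."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "Login":
            by_user[e["user"]].append(e)
    findings = []
    for user, logins in by_user.items():
        fails = [e for e in logins if not e["success"]]
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and fails[j + 1]["timestamp"] - fails[i]["timestamp"] <= window:
                j += 1
            if j - i + 1 >= threshold:
                burst_end = fails[j]["timestamp"]
                followed = any(e["success"] and burst_end <= e["timestamp"] <= burst_end + window
                               for e in logins)
                findings.append({"user": user, "failures": j - i + 1,
                                 "first": fails[i]["timestamp"], "last": burst_end,
                                 "client_ips": sorted({str(e["client_ip"]) for e in fails[i:j + 1]}),
                                 "success_after_burst": followed})
                break   # one finding per user is enough for triage
    return findings


def triage(text: str = SAMPLE_ACCESS_LOG) -> dict:
    """Run both rules and return the findings keyed by rule name."""
    events = parse_access_log(text)
    return {"out_of_range_logins": find_out_of_range_logins(events),
            "failed_login_bursts": find_failed_login_bursts(events)}


if __name__ == "__main__":
    result = triage()
    for e in result["out_of_range_logins"]:
        print(f"OUT-OF-RANGE LOGIN  {e['timestamp']:%Y-%m-%d %H:%M}  {e['user']}  {e['client_ip']}")
    for f in result["failed_login_bursts"]:
        print(f"FAILED-LOGIN BURST  {f['user']}  {f['failures']} failures  "
              f"{f['first']:%H:%M}-{f['last']:%H:%M}  success after: {f['success_after_burst']}")
```

Two design points: the out-of-range rule only looks at successful logins because a denied attempt is the whitelist doing its job, whereas a success from outside the ranges is the control failing; and the burst rule keys on the user rather than the source address, since password spraying and credential stuffing rotate addresses. Run this against a scheduled export rather than ad hoc, so a quiet Sunday burst is not missed.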

This concludes Part 1 of our blog series on securing your data on Salesforce Marketing Cloud. In the next post, we will explore controlling access to data for logged-in users, so that your valuable information remains protected once someone is inside the platform.

