Marketing Cloud Security part 2: Controlling User Access to Data

August 07, 2020
Read

This post is second in the series of Securing your data on Salesforce marketing cloud. The first post here is about securing access to the marketing cloud. Once users have access to the Salesforce Marketing Cloud, it is important to restrict their access to data to ensure data security. There are several factors that can be controlled to restrict data access:

  1. Business Units
  2. Studios they have access to
  3. The features they have access to
  4. Roles and permissions of users
  5. Data shared across business units
  6. Data retention
  7. Access to FTP folders
  8. Export email whitelisting

Business Units

Salesforce Business Units are organizational containers within the Salesforce Marketing Cloud that allow for the separation and management of data, assets, and settings. Each Business Unit operates as a standalone entity with its own set of users, data extensions, email templates, automation workflows, and other components. Business Units provide a way to segment and organize marketing activities, particularly in scenarios where multiple brands, regions, or business divisions are involved.

Here are some key points about Salesforce Business Units:

  1. Isolation and Segmentation: Business Units offer isolation between different marketing entities, allowing them to operate independently within a single Marketing Cloud account. This separation ensures that data, configurations, and activities within one Business Unit do not affect others.
  2. User Access Control: Each Business Unit has its own set of users with assigned roles and permissions, enabling fine-grained control over who can access and manage the data and assets within that specific unit.
  3. Data Management: Data extensions, which are used to store and manage customer data, reside within Business Units. This allows for distinct data sets to be maintained separately across different Business Units. However, data sharing and synchronization between Business Units are also possible when required.
  4. Asset Management: Email templates, content blocks, images, and other marketing assets can be stored and managed separately within each Business Unit. This ensures that assets are specific to the needs and branding of that particular unit.
  5. Reporting and Analysis: Business Units have their own reporting and analytics capabilities, allowing marketers to gain insights and track performance within their specific units.
  6. Integration and APIs: Salesforce Business Units can be integrated with external systems, allowing for seamless data exchange and integration with other business applications.
Business Units provide a scalable and flexible structure within Salesforce Marketing Cloud, enabling businesses to effectively manage their marketing operations across different entities while maintaining data separation and control.

Studios: 

Access to different studios within the Marketing Cloud can be controlled. Users can be granted access to specific studios based on their roles and responsibilities.

Features: 

Users can be given access to specific features within the Marketing Cloud based on their job requirements. Granular level permissions can be set to control access to features such as Email Studio or access to subscriber data.

Roles and Permissions: 

The Marketing Cloud provides a robust system for managing roles and permissions. Roles can be assigned at the user level or the business unit level, allowing for fine-grained control over data access.

Here are some of the key standard roles in Salesforce Marketing Cloud: 
  1. Administrator: Administrators have full access to all features and settings within the Marketing Cloud. They can manage users, set up business units, configure account settings, and perform administrative tasks.
  2. Marketing Cloud Administrator: This role is specific to the Marketing Cloud and provides administrative access to all Marketing Cloud features and settings. Users with this role can manage users, business units, data, and content, and perform other administrative functions within the Marketing Cloud.
  3. Content Editor: Content Editors have permission to create and edit content within the Marketing Cloud. They can work on email templates, content blocks, landing pages, and other content-related assets.
  4. Email Specialist: Email Specialists focus on creating and managing email campaigns. They have permission to create and send emails, manage subscriber lists, and work with email-related features such as A/B testing and deliverability.
  5. Data Manager: Data Managers have permission to manage data within the Marketing Cloud. They can create and manage data extensions, import and export data, perform data cleansing and segmentation, and utilize data-related features and tools.
  6. Analytics User: Analytics Users have access to reporting and analytics features within the Marketing Cloud. They can generate reports, create dashboards, and analyze campaign performance and customer data.
  7. Automation Studio User: Automation Studio Users have permission to create and manage automation workflows within the Marketing Cloud. They can set up scheduled or triggered automation, define workflow steps, and automate marketing processes.
Though you can create your own roles, it is not recommended to do so until it's absolutely necessary.

Data Sharing: 

Data extensions and lists within the Marketing Cloud reside in business units and can be shared if necessary. However, access levels can be controlled when sharing data extensions across business units, ensuring that only authorized users can access the shared data.

Data Retention: 

Implementing a data retention policy is not only crucial for mitigating security risks but also for improving performance. Each data extension can have its own access policy or data retention policy, allowing for the removal of unnecessary data based on specified criteria

FTP Folder Access: 

Individual user access to FTP (File Transfer Protocol) folders can be controlled to restrict access to files. This helps prevent unauthorized users from accessing sensitive data stored in FTP folders.

Export Email Whitelisting: 

The Marketing Cloud allows whitelisting of specific email addresses that can receive exports via email. This ensures that sensitive data is only sent to authorized recipients.

To effectively secure your data on the Salesforce Marketing Cloud, it is important to plan your marketing data strategy carefully. Understand the data model, including concepts such as subscribers, contacts, and data extensions. Bring in only the necessary data and utilize the data that is generated. Plan ahead for different campaigns, channels, and studios. Consider the duration for which data is needed and implement a data retention policy accordingly. Understand your data and the legal requirements associated with it, such as PII (Personally Identifiable Information) or PHI (Protected Health Information). Comply with security standards and regulations such as CAN-SPAM or GDPR. It is crucial to consider legal and government policies before moving user data into the cloud.

In conclusion, the Salesforce Marketing Cloud provides various features and controls to ensure data access is restricted and data security is maintained. By understanding the data model, planning your data strategy, and utilizing the available features, you can effectively secure your data on the Marketing Cloud.

In the next post here in this series, we will discuss options for controlling data visibility to users.

Tags :

No comments:

Post a Comment

Powered by Blogger.