Org Security Fundamentals

Your org holds data that you do not want anyone outside your organization to see. If that information leaks to a third party, they can do whatever they like with the confidential records stored in your Salesforce org, so it is better to take precautions before it is too late. On our end, the areas to keep under control are:

  1. User Access
  2. Connected Apps
  3. Custom Code
  4. Compromised Accounts


Two security principles should guide how the org is configured:

  • Defense in depth: have several layers of defense, because any single layer can fail. With more layers it is much less likely that all of them fail at the same time. Keep this principle in mind throughout.
  • Principle of least privilege: as the name suggests, each entity should have only the privileges it needs to do its job. This limits the damage an account can do if it is misused or compromised.


(I) User and Access management

Only the people who need access to the org should have it, and only as much of it as they need.

Here are the different layers of access management:

  • Organization Access:
    This deals with access to the org as a whole. Whenever a person leaves the company, de-provision them: remove all of their access. Freezing the user blocks logins immediately, even while the account still owns records or holds assignments that must be transferred; deactivating the user removes the access for good. Either way, their org access can no longer be misused.
  • Profiles:
    Grant access on the basis of profiles: each profile carries the object permissions (create, read, edit, delete) for every object, and Field Level Security (FLS) controls which fields on those objects are visible or editable. Profiles are separate from roles: the role places a user in the hierarchy for record sharing, while the profile decides what the user can do. Give each user the profile for their job, nothing broader.
    To set object level permissions go to
    Quick Find Search >> Profiles >> Select a Profile >> Object level Permission
    and give read or write access only to the objects that specific profile needs.

  • Sharing Defaults (organization-wide defaults): this is record level access.
    • Public vs. Private: Public means that anyone who has access to an object automatically has access to every record of that object. The safer default is Private, where a user sees only their own records plus those owned by people below them in the role hierarchy or explicitly shared with them; open access up from there with sharing rules only where the business needs it.
    • Internal vs. external: internal means users who log in to the org directly; external means people coming in through public facing communities, portals or external Chatter users. The external default is set separately and should be kept private. If it is left public, anyone logging in through a portal can reach records they should never see.

(II) Health Check:

What if a user has access only to the objects they need but uses a very weak password? Passwords play a large role in security, and Salesforce provides a way to measure how your settings compare with its recommended baseline. To run it:
Quick Find >> Health Check

Health Check scores settings such as:

Password length
Password history
Max invalid login attempts
Session timeouts, etc.
It compares each value against the Salesforce baseline and flags those that are weaker than recommended, so it tells you both what Salesforce recommends in general and where your org falls short.

(III) Two-factor authentication:

Passwords have repeatedly proved to be the weakest link: they can be guessed, phished or stolen, and on their own they are a single point of failure. Many people reuse the same password for all of their accounts, so one leak elsewhere can open up your org.

Salesforce Authenticator adds a second factor. The app installs quickly; after entering the password, the user must also approve the login or enter the one-time code displayed in the app. The app is not limited to Salesforce and can hold codes for other services too.
Here are the steps to set up 2FA:

  1. Create a permission set that grants the "Two-Factor Authentication for User Interface Logins" permission
  2. Assign it to the users (or to everyone on a profile) who should be challenged
  3. At their next login, those users are prompted to register the authenticator and then to use it

2FA does not replace the other layers, but it is one of the most useful defenses for the org: a stolen password alone is no longer enough to log in.

(IV) IP whitelisting:

Trusted IP ranges are the next layer of defense. When users, including API users and integrations, always come from known static addresses, whitelist those ranges in the org:
Setup >> Network Access >> Put your static IP range

Logins from a trusted range skip the identity verification challenge that a new device or location normally triggers, and API logins from those addresses no longer need the security token appended to the password. Two caveats: Network Access ranges do not restrict where users may log in from (to block everything else, set Login IP Ranges on each profile), and they do not switch off a 2FA requirement that is enforced through a permission set.

That is a lot to help you keep your org safe and secure. Put these defenses in place before you get engrossed in building things: an attacker needs only one loophole and one chance to get at your information. Do not give anyone that chance; take precautions before something fatal occurs. BE PROTECTIVE!

How do I encrypt and decrypt the data stored in salesforce marketing cloud?

First of all we should understand why we need encryption. Take the time to identify the most likely threats to your organization. This helps you distinguish data that needs encryption from data that does not, so that you encrypt only what you need to. Make sure your tenant secret and keys are backed up, and be careful who you allow to manage your secrets and keys. The practices below follow Salesforce's guidance for Shield Platform Encryption; the code sample at the end uses the Apex Crypto class, which is a different mechanism (values you encrypt yourself with a key you manage) from Platform Encryption's encryption at rest.

  1. Outline a threat model for your organization. Run a proper threat modeling exercise to identify the threats most likely to affect your organization. Use the findings to build a data classification scheme, which helps you decide what data to encrypt.
  2. Encrypt only where necessary.
  • Not all data is sensitive. Focus on data that must be encrypted to satisfy your regulatory, security, compliance and privacy requirements. Unnecessarily encrypting data impacts functionality and performance.
  • Evaluate your data classification scheme early and work with stakeholders in security, compliance and business IT to define the requirements. Balance business-critical functionality against security and risk measures, and challenge your assumptions periodically.
  3. Create a strategy early for backing up and archiving keys and data. If your tenant secrets are destroyed, reimport them to access your data. You are solely responsible for making sure your data and tenant secrets are backed up and stored in a safe place. Salesforce cannot help you with deleted, destroyed or misplaced tenant secrets.
  4. Understand that encryption applies to all users, regardless of their permissions.
  • You control who reads encrypted field values in plaintext using the "View Encrypted Data" permission. However, the data stored in these fields is encrypted at rest regardless of user permissions.
  • Functional limitations are imposed on users who interact with encrypted data. Consider whether encryption can be applied to a portion of your business users and how this affects other users interacting with the data.
  5. Read the Shield Platform Encryption considerations and understand their implications for your organization.
  • Evaluate the impact of the considerations on your business solution and implementation.
  • Test Shield Platform Encryption in a sandbox environment before deploying to production.
  • Before enabling encryption, fix any violations that you uncover. For example, referencing encrypted fields in a SOQL WHERE clause triggers a violation, and so does referencing them in a SOQL ORDER BY clause. In both cases, fix the violation by removing the references to the encrypted fields.
  6. Analyze and test AppExchange apps before deploying them.
  • If you use an app from the AppExchange, test how it interacts with encrypted data in your organization and evaluate whether its functionality is affected.
  • If an app interacts with encrypted data that is stored outside of Salesforce, investigate how and where the processing happens and how the data is protected.
  • If you suspect Shield Platform Encryption could affect the functionality of an app, ask the provider for help with the evaluation. Also discuss any custom solutions that must be compatible with Shield Platform Encryption.
  • Apps on the AppExchange that are built exclusively on the Salesforce platform inherit Shield Platform Encryption capabilities and limitations.
  7. Remember, Platform Encryption is not a user authentication or authorization tool.
  • Use field-level security settings, page layout settings and validation rules, not Platform Encryption, to control which users can see which data.
  • Ensure that a user unknowingly granted the "View Encrypted Data" permission would still see only appropriate data. By default, any user can edit encrypted fields, even users without the "View Encrypted Data" permission.
  8. Grant the "Manage Encryption Keys" user permission to authorized users only. Users with this permission can generate, export, import and destroy organization-specific keys. Monitor the key management activities of these users regularly with the setup audit trail.
  9. Grant the "View Encrypted Data" user permission to authorized users only. Grant it to users who must view encrypted fields in plaintext, including integration users who must read sensitive data in plaintext. Encrypted files are visible to all users who have access to the files, regardless of the "View Encrypted Data" permission.
  10. Mass-encrypt your existing data. Existing field and file data is not automatically encrypted when you turn on Shield Platform Encryption. To encrypt existing field data, update the records associated with the field data; this triggers encryption for those records so that your existing data is encrypted at rest. To encrypt existing files, contact Salesforce.
  11. Do not use Currency and Number fields for sensitive data. You can usually keep private, sensitive or regulated data safe without encrypting the associated Currency or Number fields. Encrypting these fields could have broad functional consequences across the platform, such as disruptions to roll-up summary reports, report timeframes and calculations, so they are not encryptable.
  12. Communicate to your users about the impact of encryption. Before you enable Shield Platform Encryption in a production environment, inform users about how it affects your business solution. For example, share the information described in the Shield Platform Encryption considerations where it is relevant to your business processes.
  13. Use discretion when granting login access. If a user with the "View Encrypted Data" permission grants login access to another user, the other user is able to view encrypted fields in plaintext.
  14. Encrypt your data using the most current key. When you generate a new tenant secret, any new data is encrypted using this key. However, existing sensitive data remains encrypted using the previous keys. In this scenario, Salesforce strongly recommends re-encrypting those fields using the latest key. Contact Salesforce for help with this.

To encrypt a value with the Apex Crypto class you need a key. The sample below hard codes one for brevity, but in a real org the key must not live in source: generate it once, for example with

Blob cryptoKey = Crypto.generateAesKey(256);

and store it somewhere only trusted code can read, such as a protected custom setting. The same key must be used to decrypt the value; if you called generateAesKey() on every request, as the commented-out lines in the controller would, nothing already stored could ever be decrypted again. The key length must also match the algorithm name: 'AES128' needs a 16-byte key and 'AES256' a 32-byte key.

Here I am going to share some code. Hope it helps. I created one Visualforce page and one controller extension. The page has a single field (Name) and two buttons (Save and Update). When a value is entered in the Name field and Save is clicked, the value is stored in the object in encrypted form. Open the page with the record id in the URL and click Update, and the encrypted value is decrypted and written back in its original form.

Visualforce  Page:

<apex:page standardController="EnCrypt_Decrypt__c" extensions="EncryptExtensioncls">
    <apex:form>
        <apex:pageBlock>
            <apex:pageBlockSection>
                <apex:inputField value="{!encrypt.Name}"/>
                <apex:commandButton value="Save" action="{!Save}"/>
                <apex:commandButton value="Update" action="{!test}"/>
            </apex:pageBlockSection>
        </apex:pageBlock>
    </apex:form>
</apex:page>


Apex controller extension:

public class EncryptExtensioncls {
    public EnCrypt_Decrypt__c encrypt {get; set;}
    public Id recordId {get; set;}
    // Demo only: a hard-coded 16-byte key, which is the size 'AES128' requires.
    // Keep a real key out of source, and never regenerate it per request or the
    // values already stored become unreadable.
    // Blob cryptoKey = Crypto.generateAesKey(256);
    Blob cryptoKey = Blob.valueOf('380db410e8b11fa9');

    public EncryptExtensioncls(ApexPages.StandardController controller) {
        recordId = ApexPages.currentPage().getParameters().get('id');
        if (recordId != null) {
            // Update flow: load the record whose Name holds the ciphertext
            encrypt = [SELECT Id, Name FROM EnCrypt_Decrypt__c WHERE Id = :recordId];
        } else {
            // Save flow: start with a fresh record
            encrypt = new EnCrypt_Decrypt__c();
        }
    }

    // Save: encrypt the entered Name and store the base64 ciphertext in the record
    public PageReference Save() {
        Blob data = Blob.valueOf(encrypt.Name);
        // encryptWithManagedIV generates a random IV and prepends it to the ciphertext
        Blob encryptedData = Crypto.encryptWithManagedIV('AES128', cryptoKey, data);
        String b64Data = EncodingUtil.base64Encode(encryptedData);
        encrypt.Name = b64Data;
        insert encrypt;
        return null;
    }

    // Update: decrypt the stored ciphertext with the same key and write the
    // plaintext back (this demo stores it; a real app would only display it)
    public PageReference test() {
        Blob data = EncodingUtil.base64Decode(encrypt.Name);
        Blob decryptedData = Crypto.decryptWithManagedIV('AES128', cryptoKey, data);
        String dryptData = decryptedData.toString();
        System.debug('Printing dryptData ' + dryptData);
        encrypt.Name = dryptData;
        update encrypt;
        return null;
    }
}




Salesforce CRM aims to give its customers quality data, and in the real world data quality matters a lot. It keeps your org clean and tidy. Nobody wants to see a pile of records carrying the same information. Imagine a library full of the same books with the same stories: would you go there again? A big NO. Similarly, it is a best practice to remove duplicate data from time to time and keep your org free of unwanted bulk.

In my experience with several deduplication tools, some are just awesome and worth using. To be short and precise, here are the tools worth spending your time on:


Cloudingo

It is a cloud-based app that helps you clean your database. It provides a dashboard that shows duplicates. It comes with its own filters and you can create your own too. Its drag and drop user interface is very simple to work with. It can block the insertion of duplicate records, and multiple filters are easy to configure. It is cheap and priced per organization. It can mass update and mass delete records, and merge data according to the filter applied, either automatically (Auto-Merge) or in bulk (Mass Merge). The best part is that you can customize it your own way: create filters and merge your records. The tool gets its buzz from mass and automatic merges based on preset filters, with the duplicate notices on entry off by default. Its batch dedupe feature cleans accounts, contacts and leads.


DemandTools

It is a desktop tool designed for system administrators who own data quality. It provides data cleansing, data maintenance and data verification for import, export and deduplication. It has drag and drop functionality and writes a detailed success and error log file. It can compare an external file with Salesforce data, mass update fields, mass merge duplicate records and mass back up data. It is robust once learned, but learning it takes time. It uses built-in logic to find duplicates by company name, address, zip code and phone, and it dedupes contacts as well as accounts and leads. Because it runs on the desktop it can dedupe a high volume of data. If your data volume is high and you perform data loads on a regular basis, this is perfect for you.


DupeCatcher

It is a fantastic free tool for preventing duplicates from being entered into the system in real time. It acts as a shield against duplicate data: it identifies and blocks duplicate leads, accounts, contacts and person accounts at the moment of entry. It does not support bulk deduping, so it cannot clean duplicates that already exist; its job is to catch a new duplicate and let you merge or convert it into the existing record. It matches on standard and custom Salesforce fields, and you keep full control over blocking and merging, so there is no fear of losing data.


DupeBlocker

DupeBlocker stops users from creating duplicates in REAL time, and also catches web lead dupes, SFDC to SFDC dupes and more. It supports all Salesforce objects, including opportunities and custom objects, and matches on custom fields as well. It has a dual filter option that lets you specify which object should be compared against which object. The Auto-Merge and Auto-Convert features allow scenarios that automatically merge new incoming records with matching existing records, with the merge based on customizable mappings. It has a built in "bypass and insert" option.


RingLead

It is a web-based tool and very easy to use. It has great merge features, and if a merge goes wrong it has an undo feature that reverses it. If your data volume is medium and you want to handle everything in the cloud without much desktop support, RingLead can be a good fit. It saves time because "Unique Entry" alerts you to existing duplicates as you type: the app shows a preemptive warning once you have entered a small portion of the record, so you can pause and work with the existing record rather than creating a duplicate, resolving it, and only then moving forward.

Each of the deduplication tools has its own pros and cons. Let's compare them on the same criteria.

Type of application
  • Cloudingo: Web-based
  • DemandTools: Desktop tool
  • DupeCatcher: Web-based
  • DupeBlocker: Web-based
  • RingLead: Web-based

Paid
  • Cloudingo: Yes
  • DemandTools: Yes
  • DupeCatcher: Free
  • DupeBlocker: Yes
  • RingLead: Yes

Objects supported
  • Cloudingo: Account, Contact, Lead, Person Account and custom objects
  • DemandTools: Account, Contact, Lead, Person Account and custom objects
  • DupeCatcher: Account, Contact, Lead and Person Account
  • DupeBlocker: Account, Contact, Opportunity, Lead and custom objects
  • RingLead: Account, Contact, Lead, Person Account and custom objects

Unique feature
  • Cloudingo: Dedupes imports prior to insertion of the data
  • DemandTools: Dedupes a high volume of data in less time
  • DupeCatcher: Stops insertion of duplicate records, but only allows merging into existing records
  • DupeBlocker: Auto-merge and auto-convert features, plus a dual filter option
  • RingLead: An undo feature if a merge is done wrong

Speed to set up and run
  • Cloudingo: Medium
  • DemandTools: Fast
  • DupeCatcher: Medium
  • DupeBlocker: Medium
  • RingLead: Medium

Ease of use
  • Cloudingo: Easy to use
  • DemandTools: Takes time to learn, but robust once learned
  • DupeCatcher: Easy to use
  • DupeBlocker: Easy to use
  • RingLead: Easy to use

Volume of data supported
  • Cloudingo: Medium
  • DemandTools: Large
  • DupeCatcher: Medium
  • DupeBlocker: Medium
  • RingLead: Medium

Salesforce Shield

Every day we share a lot of information on the internet: bank details, medical information, personal details typed into forms, and much more. Imagine the receptionist at your office learning your bank details, or your health issues laid out in front of your friends. In a world of e-commerce and enterprise software you do not want your personal data in front of anyone who has no business seeing it. Advances in technology are welcome, but not at the cost of your privacy.

Salesforce Shield is a set of services from Salesforce to enhance security and assure privacy for their customers; the idea behind it is to build trust. Shield limits who can get a glimpse of sensitive data, records who touched what, and encrypts data at rest. It is point and click and can be set up at any time. It has three core services:

Event Monitoring
It gives customers visibility into how the Salesforce apps are used: who logged in, what they accessed, who refreshed a list or ran and exported a report, and from which IP address. The events are delivered as CSV log files via the API, and you can pull that data into any number of visualization tools. The tracking it provides is very helpful for the organization.

Field Audit Trail
It gives customers an audit record of field changes. With it you can go back in time and see what a value was and who changed it. It retains up to 10 years of history for up to 60 fields per object. It is a good audit trail, though not a substitute for a backup, and the history can be queried over the API.

Platform Encryption
It lets customers encrypt their sensitive data at rest while other functionality keeps working. It can be set up in a few minutes and is built natively on the platform. Key Salesforce functionality has been made "encryption aware", so users can keep working even though the data is encrypted.


Check that your profile has the "API Enabled" and "View Event Log Files" permissions assigned
Now go to Workbench and log in (choose the Production environment if you are using a Developer Edition org)
Select Queries >> SOQL Query and choose "EventLogFile" as the object

Upon selection, the editor is populated with some query text

Now go to Info >> Standard & Custom Objects >> select EventLogFile from the drop-down. Expand the Attributes and Fields menu. The LogFile field holds the content of the file.

REST Explorer gives you access to the REST API. In the top menu select Utilities >> REST Explorer. Add the line below after "?"


Click Execute
If the size is 0 then no files have been generated within the last 24 hours.
Once you see the files, export them. You can export using:
Direct Download
cURL Script
Python Script
To analyze the files, use a visualization tool such as the Event Monitoring Wave App or the Splunk App if you want them to look somewhat fancy.
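Once the Login event files are exported, the check a practitioner actually wants to run is a triage over the rows. The Python script below is an added example, not code from the original post or from Salesforce: it builds the SOQL for the last day's log files, then parses a constructed Login-type CSV (a subset of the real columns; the LOGIN_STATUS values and the TRUSTED_RANGES list are assumptions) and flags successful logins from outside the org's trusted IP ranges, plus users who logged in successfully right after a run of failed attempts.

```python
"""Triage of Salesforce EventLogFile 'Login' rows exported from Event Monitoring."""
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample (not a real export): a subset of the Login event type's
# columns. Real files carry many more columns; the triage only needs these.
SAMPLE_LOGIN_CSV = """EVENT_TYPE,TIMESTAMP,USER_NAME,LOGIN_STATUS,SOURCE_IP
Login,20240102101500.000,alice@example.com,LOGIN_NO_ERROR,203.0.113.10
Login,20240102101700.000,alice@example.com,LOGIN_NO_ERROR,198.51.100.7
Login,20240102102000.000,bob@example.com,LOGIN_ERROR_INVALID_PASSWORD,198.51.100.7
Login,20240102102030.000,bob@example.com,LOGIN_ERROR_INVALID_PASSWORD,198.51.100.7
Login,20240102102100.000,bob@example.com,LOGIN_ERROR_INVALID_PASSWORD,198.51.100.7
Login,20240102102200.000,bob@example.com,LOGIN_NO_ERROR,198.51.100.7
Login,20240102103000.000,integration@example.com,LOGIN_NO_ERROR,203.0.113.20
"""

# Assumed: the ranges you would enter under Setup >> Network Access.
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def event_log_file_query(event_type="Login", days=1):
    """SOQL to paste into Workbench or the REST query endpoint: log files of one
    event type generated in the last `days` days (a result size of 0 means
    nothing was generated in that window). event_type is a constant chosen by
    the operator, never user input, so it is safe to splice into the query."""
    return ("SELECT Id, EventType, LogDate, LogFileLength, LogFile "
            f"FROM EventLogFile WHERE EventType = '{event_type}' "
            f"AND LogDate = LAST_N_DAYS:{days}")


def parse_rows(text):
    """Rows of an exported CSV log file as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def is_trusted(ip, ranges=TRUSTED_RANGES):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def triage(rows, ranges=TRUSTED_RANGES, fail_threshold=3):
    """Two findings: successful logins from outside the trusted ranges, and
    users whose run of failed logins reached fail_threshold before a success
    (a pattern to check against the org's Max invalid login attempts)."""
    untrusted = [(r["USER_NAME"], r["SOURCE_IP"]) for r in rows
                 if r["LOGIN_STATUS"] == "LOGIN_NO_ERROR"
                 and not is_trusted(r["SOURCE_IP"], ranges)]
    streak = Counter()
    success_after_failures = []
    for r in rows:  # rows are in timestamp order in the exported file
        user = r["USER_NAME"]
        if r["LOGIN_STATUS"] == "LOGIN_NO_ERROR":
            if streak[user] >= fail_threshold:
                success_after_failures.append((user, r["SOURCE_IP"], streak[user]))
            streak[user] = 0
        else:
            streak[user] += 1
    return {"untrusted_logins": untrusted,
            "success_after_failures": success_after_failures}


if __name__ == "__main__":
    print(event_log_file_query())
    for name, findings in triage(parse_rows(SAMPLE_LOGIN_CSV)).items():
        print(name, findings)
```

Point the same functions at a downloaded LogFile body instead of SAMPLE_LOGIN_CSV and the output is the list of logins to follow up on; tighten the trusted ranges and the failure threshold to match what you configured under Network Access and the password policies.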


Create a new permission set.
Under "System Permissions" enable the "Customize Application" and "Manage Encryption Keys" permissions.
Go to the user >> Edit Assignments and assign that permission set (here named Key Manager)
From Setup >> Platform Encryption >> Generate Tenant Secret

Now you have a tenant secret and can encrypt your data. Back it up and store it somewhere safe: Salesforce cannot recover a destroyed or lost tenant secret for you.
It is good practice to rotate the secret on a regular schedule, for example monthly, for additional security. Whenever a new key is generated the status of the old key turns to Archived. Export each key and save it somewhere, because data encrypted under an archived key stays encrypted with that key until it is re-encrypted with the current one.
Select the Encrypt Fields option

Now select the fields you want to encrypt and save.

Similarly, you can encrypt files and attachments too.

Salesforce Shield gives you strong encryption, auditing and monitoring in a few simple steps. You can now keep track of everything that happens in your organization, and say with confidence that you know what Salesforce Shield is and how you can benefit from it.

If you think we could work together on a cool project,

let's be in touch!