Share
As Salesforce consultants, it is easy to be often so focused on implementing new features and customizations that security can become an afterthought. The harsh reality, however, is that every organization will face a data breach at some point.
If you are not factoring data security threats and mitigation into your consulting strategy, you are not only putting your client’s business reputation on the line, but your’s as consultants too. Your job isn’t just building functionality, but also helping clients understand risk and like medieval castle designers, proactively preparing for data sieges – not hoping that they never come. And once you do have a plan, it is still not a checkbox. You must constantly monitor for new security threats and constantly improve your security.
But if you are not knowledgeable about Salesforce data security – fear not! This guide outlines proven methods to strengthen your clients’ Salesforce environments, focusing on architectural decisions that enhance security while maintaining functionality. Use this as a roadmap when discussing security with clients or when performing security assessments of existing implementations. Let’s get into it.
Building the Foundation Walls
Salesforce Health Check as a Foundation
Every castle begins with strong foundation walls and Salesforce consultants must establish core security controls before adding additional defenses. Health Check provides an excellent baseline for identifying security vulnerabilities, but too many consultants treat it as a “set it and forget it” tool.
Instead, begin by using Health Check as your initial diagnostic tool rather than your final solution. Then customize risk thresholds specifically for your client’s industry and compliance requirements. Finally, establish at a minimum quarterly review cycles with clients to systematically address emerging security concerns. 
Security Gateway and Session Security Settings
Session security settings are often overlooked but function like a castle’s drawbridge—controlling who enters and for how long. To improve security, first, enable IP restrictions on every request, not just at login, as this critical setting is frequently missed by implementers. Next, configure appropriate session timeout lengths based on the sensitivity of data and specific user roles. Finally, implement secure browser caching policies that prevent credential theft and unauthorized access. Remember that by default, Salesforce only checks IPs at login.
Raising the Multi-Factor Authentication Drawbridge
While MFA is now enforced by Salesforce, implementation details matter. Start by prioritizing enhanced protection for high-risk user profiles, particularly system administrators and users with extensive data access privileges. Then create fallback authentication protocols for emergency access scenarios that maintain security while allowing business continuity, which are essential for reducing harm when your data breach does occur. Finally, integrate seamlessly with existing enterprise authentication systems to provide a frictionless user experience without sacrificing security.
Consultant Pro-Tip: Help your clients create a risk matrix of their Salesforce user base to determine appropriate authentication requirements based on access levels and data sensitivity, just as a castle would have different identification procedures for nobles versus merchants.
Fortifying Core Data Protection
Understanding the Object-Level Security Model
Your client’s Salesforce data are their crown jewels, and it is essential to secure their precious assets within through careful data access controls. Object-level security is where many Salesforce implementations become vulnerable over time.
Rigorously apply the principle of least privilege by ensuring users can only access what they specifically need to perform their job functions. Create a modular approach to permissions by using permission sets instead of profiles for specific functional access requirements. Salesforce consultants can prevent security drift by recommending a regular audit schedule that identifies and remediation permission creep before it creates serious vulnerabilities.
Consultant Pro-Tip: Create a “security debt” tracker for your clients, documenting shortcuts taken during implementation that should be revisited and properly secured later.
Data Boundaries for Digital Castles
Overly permissive sharing rules are a common source of data exposure. Salesforce users must exercise particular caution with criteria-based sharing rules, which can unintentionally expose sensitive data to unauthorized users when configured imprecisely.
We recommend conducting regular assessments using the Guest User Access Report to verify and monitor public exposure points throughout your Salesforce instance. Validate security effectiveness by testing sharing rules while logged in as lower-level users to confirm that proper restrictions are functioning as intended.
Consultant Pro-Tip: When implementing sharing rules, always document your rationale. This will help future administrators understand why certain decisions were made and prevent inadvertent security gaps when rules are modified. 
Vigilant Monitoring with Salesforce Shield
Salesforce Shield components provide critical security capabilities, and as Salesforce consultants, your knowledge of these solutions will make you an essential part of your next implementation project.
Make Event Monitoring your first Salesforce Shield 2.0 investment priority to establish a baseline of normal activity and detect unusual patterns that may indicate security threats. Use this monitoring data to create intelligent alerts for suspicious activities based on historical usage patterns specific to your client’s organization.
Next, implement Field Audit Trail for sensitive information fields, particularly those subject to compliance requirements. This way, you can maintain a complete record of all changes for investigation if needed. Remember that 74% of all breaches include human involvement, whether through error, privilege misuse, stolen credentials, or social engineering. This means that often, your own users are the reason for a breach and why future audit protocols are essential for digital protections.
Consultant Pro-Tip: Many clients purchase Shield, but don’t fully utilize its capabilities. Create a Shield implementation roadmap that starts with immediate security wins before tackling more complex encryption configurations, similar to how fortress defenses would be prioritized based on vulnerability.
Securing External Access Points
Guest User Access Control and Limiting Exposure to Your Enemies
The most vulnerable points in your client’s Salesforce castle are where it connects with the outside world. Public-facing components like Experience Cloud sites, APIs, and self-registration portals are the gates and bridges that attackers will target first.
Guest user vulnerabilities are among the most exploited Salesforce security gaps—like a castle’s main gate left inadequately protected. We recommend first beginning with a security-first approach by applying the absolute minimum permissions necessary for guest functionality and removing any access that isn’t critical for operations.
Salesforce consultants must understand that Lightning APIs can bypass UI restrictions even for guest users, creating hidden passageways that require special attention beyond what’s visible in the interface. Implement regular security assessments by using the Guest User Access Report before and after implementing any community changes to verify proper configuration.
Consultant Pro-Tip: Create a separate test community environment where you can safely verify guest access configurations before applying changes to production. 
Public-Facing APIs Are Security Tunnels to Future Breaches
Just like hidden tunnels under a castle, APIs represent significant risk vectors that can bypass many security controls. But how do you reduce risk?
First, know that Lightning API access cannot be completely disabled via standard settings, requiring additional security measures to protect sensitive data. Salesforce users must implement comprehensive logging and monitoring specifically for API transactions to maintain visibility into how these services are being accessed. Additionally, we recommend developing effective rate limiting strategies to prevent automated attacks that could overwhelm your client’s defenses through rapid, repeated requests. Your future digital lords and clients will thank you for it.
Consultant Pro-Tip: Use tools like Burp Suite during testing to attempt to access data via APIs with minimal permissions, simulating potential attacker techniques.
Verified Entry and Self-Registration User Security
Self-registration users pose greater risks than guest users because they receive license-based capabilities. This is why when working with your team, you must develop strong validation rules to prevent malicious inputs during registration. This means effectively screening visitors before granting them access to your client’s Salesforce environment.
Be particularly vigilant about file upload capabilities, as licensed users cannot be prevented from uploading files—creating a significant attack vector like merchants bringing in carts that aren’t fully inspected. We recommend risk mitigation by implementing progressive privilege increases based on verification milestones, gradually allowing more access as users prove their legitimacy.
Advanced Defense Strategies
Digital Fortress Development Security Best Practices
The way custom development is structured has profound security implications. Even a strong castle needs well-designed weapons to withstand attacks, remember that your client’s custom code and defensive tools must be carefully constructed to repel modern digital threats.
Guide developers to organize Apex classes by security role (who should access them) rather than by business function. You will want to work with development teams to limit access to only the specific methods required instead of exposing entire classes, effectively restricting access to powerful capabilities. When possible, recommend Lightning Web Components over Aura components because they provide better security controls through their modern architecture.
Consultant Pro-Tip: You don’t need to be a developer to protect your clients. Create a simple security requirements document that developers must address before you’ll approve their work, focusing on data access patterns and input validation. 
Malware Defense Against Digital Threats
A critical and often overlooked vulnerability in Salesforce is the lack of built-in file scanning. That’s right – Salesforce doesn’t automatically scan uploaded files or static resources for viruses or malware, creating a significant security gap—like a castle with no inspection for disease-carrying goods. It is no surprise that worldwide, Gartner cites spending on security and risk management is projected to total $215 billion, an increase of 14.3% from last year.
As data breach rates continue to rise, be proactive and help clients understand that once infected files are uploaded, they can rapidly spread throughout your org like a plague, affecting multiple users and systems. Emphasize that malicious files can trigger serious consequences including data theft, legal exposure through lawsuits, and compliance violations that could threaten the organization’s operations.
Work with your client’s technical teams to implement proper attachment and file upload validation strategies, with particular attention to Experience Cloud sites where external users may upload content.
Remind your clients that Salesforce does not scan uploaded files or static resources for viruses and without a virus-scanning solution, you are leaving your own reputation (including your clients) on the line to legal fees. Read our recent data security resource for what you should be looking for in a virus scanning solution for your Salesforce instances.
Consultant Pro-Tip: Explain to clients that even a single infected file can lead to widespread damage. Many organizations don’t realize that Salesforce has no native protection against malicious file uploads, leaving them exposed.
Building A Comprehensive Salesforce Data Security Strategy
As Salesforce consultants, you want to help your clients to think holistically about their data security posture. Just like building a security strategy, constructing multiple security walls will help contain the data breach plagues when—not if—they occur, limiting damage to specific areas rather than compromising the entire system.
Address digital threats by implementing specialized solutions for URL and file scanning that prevent phishing attacks and malware distribution before they can penetrate the organization’s defenses. Creating a security-first culture transforms every team member into an essential guardian at their post on the castle walls, actively protecting the organization’s most important asset – your client’s data.
Consultant Pro-Tip: Remind clients that security is never “done” and while a data breach will inevitably happen, you don’t have to wait for this outcome to start mitigating risks and data exposure today (and every day).
Conclusion
As consultants, we have a responsibility to ensure our clients’ Salesforce implementations are not just functional but fortified like well-designed castles. While no one wants to talk about preventive and recurring security measures, with the average data breach now costing U.S. organizations $9 million and taking over 200 days to detect, security needs to a central part of your early client conversations.
By following our recommended security methods and adopting a security-first mindset into your consulting practice, you will deliver significantly more value to your clients while protecting their most valuable assets—their data. This process is ongoing and will require you and your clients to remain vigilant against emerging data sieges, malware pestilence, and digital threats against your prosperous digital kingdom.
Your role as a consultant isn’t to make an impenetrable fortress—it’s to help clients construct layered defenses that minimize damage when breaches inevitably occur, while delivering functionality your users will love.
By implementing proper security controls, including protection against digital plagues through malicious file scanning solutions like EzProtect, you ensure that when—not if—an attack succeeds, your client’s digital castle remains standing.
Contact our Salesforce data security experts to learn how to protect your Salesforce environment and data today.
Share
Did you love this blog and wish there could be more?
It is our goal to keep you informed about everything you need to know about Salesforce security to keep your Salesforce data and company safe and secure by providing you with the highest quality of original content.
If this sounds good to you, then sign-up below to be one of the first to know when the next super awesome Salesforce security blog has been released.
