May 16, 2025
Salesforce

Solving SaaS security challenges with Salesforce: what fast-growing platforms should get right

SaaS security doesn’t have to be overwhelming. See how Salesforce tools help you protect customer data, control access, and stay compliant.

Security is one of the top concerns for SaaS teams today. You’ll find entire Reddit threads where founders and engineers discuss SaaS application security, swap advice on how to avoid costly mistakes, and protect customer data. It’s no longer just about compliance checklists; it’s about trust.

Security failures often don’t make headlines, but they show up where it hurts: in churn, stalled deals, and sleepless nights. And the numbers speak for themselves: cloud security incidents rose 154% in 2024, with most traced back to missed patches and poor configuration. That is a clear warning for any SaaS team that assumes its platform is secure by default.

Salesforce can help prevent these issues if you know how to use it properly. In this article, we’ll walk through common SaaS security risks, show how Salesforce addresses them, and share what our team has learned from building secure, scalable setups for fast-moving platforms.

Five core SaaS security challenges

Knowing what to expect is the first step to avoiding trouble. The following challenges aren’t just technical issues. These patterns show up during scaling, integrations, and team growth.

1. Data access control: who sees what, and why that’s dangerous

Fast-growing SaaS platforms include dozens of roles: admins, support reps, sales teams, partners, clients, and API users. Each one expects access to the data they need. But when permissions aren’t carefully managed, that access can spiral out of control. Cloning user profiles or granting “view all” access may save time, but it also creates blind spots you can’t track.

Salesforce provides solid tools to manage this: roles, permission sets, org-wide defaults, and sharing rules. But they only work if used properly. The moment you start bypassing those controls for convenience, you're putting customer data at risk.

Here’s a possible example. A customer success manager exports client data to assist with onboarding. They leave the CSV file in a shared folder without realizing it’s public. There’s no external attack, no alert, but sensitive data is now exposed. Multiply this by a few dozen users across multiple teams, and you're sitting on a compliance problem waiting to happen.

This isn’t a rare case. Research shows that 40% of all SaaS assets are unmanaged, meaning there’s no proper control over who can see or use them. Even worse, more than 157,000 sensitive records were recently found exposed on the public internet through SaaS sharing features, risking over $28 million in potential damages.

The business cost? Loss of trust, regulatory fines, and in some cases, losing clients over something as simple as a misconfigured setting. It's not always malicious. Most of the time, it's just messy. But being messy is enough to get you in trouble.

2. Auditability for compliance: you can’t prove what you can’t trace

Security isn’t just about keeping data safe. It’s about being able to prove that you did. Regulations and attestation frameworks like GDPR, HIPAA, and SOC 2 require clear answers to basic questions: who accessed what, when, and why? Without proper logging, monitoring, and data lifecycle tracking, you’re flying blind.

Salesforce offers strong audit tools like Field Audit Trail and Event Monitoring, both part of the paid Salesforce Shield add-on; without Shield you are limited to the Setup Audit Trail (180 days of configuration changes) and standard field history tracking with shorter retention. Either way, these tools need to be set up and used properly. Many teams skip them or leave default settings untouched. As a result, key events like updates to sensitive fields or unexpected API calls go untracked.

Take this example. A SaaS company faces a GDPR audit. The regulator asks who accessed a specific customer record in the past six months. The team scrambles, only to realize the data isn't there. No logs, no audit trail, no way to prove anything.

This kind of gap is more common than it should be. Only 18% of top SaaS apps hold SOC 2 or ISO 27001 certifications, even though 71% claim GDPR compliance. The contrast is sharper with funding levels: 45% of companies with over $100 million raised meet SOC 2 standards, compared to just 7% of startups under $1 million.

The risk? Failing audits, facing penalties, and losing credibility. A security setup that looks good on paper won’t hold up if you can’t prove it works when it matters.

3. Third-party integrations: the risk you don’t own, but you do inherit

As SaaS platforms grow, so does the list of tools they connect to: CRMs, marketing platforms, analytics tools, payment gateways, and support systems. Each integration brings value but also adds risk. Every API connection is a doorway into your system, and the access it was granted at setup is rarely narrowed afterwards.

The issue is that many third-party apps ask for broad access during setup, and most teams accept without question. These permissions rarely get reviewed. Some apps store access tokens indefinitely, never rotating them or alerting you to changes in security posture.

Here’s a typical scenario. You integrate a chatbot tool to improve customer engagement. It gets full read and write access to your database. A few months later, the vendor is breached. Your platform wasn't hacked, but your customer data is still exposed. The damage is yours to handle.

85% of SaaS breaches start with a compromised identity, often through a third-party connection. Once inside, attackers don’t wait. In observed cases, they have managed to exfiltrate data in just nine minutes.

Eventually, your team might end up handling cleanup for a problem you didn’t create but are still responsible for. Legal costs, lost clients, and broken trust are all too common in these situations. Without regular audits and proper scopes for integration access, third-party risk becomes your risk.

4. Multi-org or multi-product complexity

As SaaS companies grow, it’s common to end up with more than one Salesforce org or multiple products under the same brand. Each team might need its own environment, unique configurations, or separate compliance scopes. But with every new org or product, visibility drops, and the chances of security gaps increase.

The biggest risk is inconsistency, where one product might enforce MFA and strict access controls, while another runs on legacy profiles with broad permissions. These gaps often go unnoticed without clear ownership or standardized policies until they cause problems.

Let’s imagine a situation where the product team launches in a separate Salesforce org with its own admin setup. Months later, the security team discovers that audit logs are missing, sensitive fields are exposed to support reps, and API tokens are still active for users who have left the company long ago.

This kind of fragmentation is common. The average organization now manages 33 super admin accounts, most without multi-factor authentication enabled. Those accounts collectively hold access to over 40 million unique permissions. Without consistent governance, risky configurations can easily slip through.

The result is a false sense of control. You assume security settings are in place across the board, but in reality, they vary by org, product, or even admin. For fast-scaling SaaS companies, this patchwork approach can lead to exposure that’s hard to detect until it’s too late.

5. Internal threats: not always malicious, always costly

Not every threat comes from the outside. In SaaS environments, internal risks, whether accidental or intentional, can be just as damaging. A rushed export, a misconfigured report, or a former employee with lingering access can expose sensitive data without anyone noticing.

Most internal incidents aren’t caused by bad intentions. They happen when teams move quickly and processes fall behind. A marketer shares a link with too much visibility, or a support agent accesses a record they shouldn't. These are small mistakes with big consequences.

Salesforce provides tools to reduce this risk: audit logs, field-level security, permission set expiration, and automated deactivation. But if these tools aren't used regularly, they’re easy to overlook.

Internal access risks are more common than many teams expect. The super admin numbers above apply here too: 33 such accounts per organization on average, more than half without multi-factor authentication, holding tens of millions of permissions between them. One overlooked setting or unnecessary access can expose valuable data.

Even with no malicious intent, the cost is real: customer trust, compliance violations, and time lost fixing avoidable SaaS security issues that could have been prevented. Reducing internal threats starts with basics like access policies, proper offboarding, and regular reviews of who can see what.

“In our experience, the biggest risks in SaaS security rarely come from sophisticated attacks. Instead, they come from everyday oversights. Over-permissioned API users, sandbox data exposures, misaligned access roles… These are the cracks that become breaches. So, without the right architecture and governance, even the best tools are underused. Security in your SaaS company should be about designing systems that stay secure even when people make mistakes,” shares Vlad Petrovych, our CRO.

How Salesforce can be a foundation for secure SaaS architecture

Security at the SaaS level starts with the platform you build on. Salesforce provides a hardened infrastructure that supports security for SaaS applications, compliance, data protection, and access control.

Infrastructure-layer security with Salesforce

Salesforce handles the core infrastructure, so your team doesn’t have to. This includes physical data centers, network protection, system-level patching, and encrypted storage, all maintained under strict compliance controls.

Key infrastructure security features:

  • Data encryption at rest and in transit using industry-standard protocols (AES-256, TLS 1.2+).
  • Redundant systems and disaster recovery across globally distributed data centers.
  • Regular third-party audits and certifications including ISO 27001, SOC 1/2/3, PCI DSS, and FedRAMP.
  • Automated threat detection and incident response supported by Salesforce’s dedicated Trust team.
  • Real-time event monitoring to surface suspicious behavior or access anomalies.
  • Tools for managing consent, data subject access requests (DSARs), and data residency to support your GDPR obligations.
  • A multi-tenant security model where each customer's data is logically separated and access is strictly enforced.

With these systems in place, engineering teams can focus on product delivery while Salesforce handles platform-level requirements like infrastructure encryption, physical security, and certifications. What stays with you under this shared responsibility model is everything you configure: access control, sharing, integration scopes, monitoring, and the audit trail for your own org.

Why it works for SaaS

SaaS companies operate under constant pressure to move fast while keeping data safe. Salesforce makes this easier with built-in controls that support typical SaaS use cases:

  • Granular access management lets you control who sees what with permission sets, profiles, and role hierarchies, perfect for platforms with many user types and internal teams.
  • Tools like Event Monitoring, Shield, and Field Audit Trail track changes, user actions, and data access to support compliance audits.
  • IP restrictions, token policies, and permission scoping keep third-party connections under control.
  • Centralized policy enforcement allows you to apply consistent access, SaaS security management, and monitoring policies even across multiple orgs and products.
  • Support for MFA, SSO, session timeouts, and device-level checks helps enforce strict access control without custom development.

“The fastest-growing SaaS companies are the ones treating security as part of product architecture, not as a fire drill after launch. Salesforce gives you the tools to do that right: encryption, visibility, and access controls. Moreover, everything is built into a platform designed to scale. This way, you can prevent risks as well as build trust at every stage of growth,” adds Vlad Petrovych, our CRO.

Six Salesforce tools SaaS platforms can use for stronger security

Salesforce provides a comprehensive set of SaaS security solutions that go far beyond basic access control. These features give companies the building blocks to protect customer data, meet compliance standards, and stay ahead of internal and external threats.

Here’s how each tool works and how it can help secure your product.


Salesforce Shield 2.0

Salesforce Shield 2.0 is an advanced suite of SaaS security tools designed for companies that need to monitor, encrypt, and classify sensitive data at scale. It’s essential for SaaS platforms operating in compliance-heavy industries like finance, healthcare, or legal tech, or any team deploying Agentforce.

This upgraded version of Shield goes beyond passive protection. It gives you real-time visibility into how data is accessed, helps you classify sensitive fields, blocks risky behavior before it happens, and keeps historical records for audit and rollback purposes. Here are the key components of Shield 2.0:

Platform Encryption

Encrypt data at rest, including fields, files, attachments, and indexes, while keeping functionality like search and workflow automation working. One caveat to plan for: fields encrypted with probabilistic encryption can’t be filtered or sorted on, so use deterministic encryption for fields that must support exact-match filtering, and test reports and automation against encrypted fields before rollout. You can manage key lifecycles, rotate encryption keys, and bring your own keys (BYOK), now with support for storing keys in AWS. Encryption is also supported in Data Cloud, allowing you to extend encryption to unified profile data.

Transaction Security Policies

Create rule-based controls using clicks or code to block or alert on risky user actions automatically. For example, block users from exporting large volumes of data or trigger a notification when a login occurs outside business hours.

Field Audit Trail

Track changes to specific fields across objects for up to 10 years. You can view the full history of what was changed, by whom, and when. This is critical for compliance and data integrity, and the history gives you the previous values you need to restore an accidental change.

Data Detect

Identify sensitive data such as PII, credit card numbers, SSNs, or IP addresses hidden in unexpected places like free-text fields. Classify or reclassify fields based on sensitivity and compliance requirements. This is essential for maintaining control and preventing exposure.

How it helps SaaS companies:

Imagine you’re preparing for a SOC 2 or GDPR audit, or deploying Agentforce across your support operations. Shield 2.0 lets you:

  • Encrypt sensitive customer data like subscription info or support case details without affecting usability.
  • Track user and integration behavior in real time to detect threats like rogue scripts or accidental mass data exposure.
  • Retain and prove field-level changes for any record, useful when a customer disputes an update or during compliance checks.
  • Prevent risky actions before they happen, such as blocking a support agent from exporting a report containing PII.
  • Classify and locate untagged sensitive data across your org and correct risky configurations.

Together, these tools turn Salesforce from a secure platform into a fully monitored, compliant, and proactive security environment, ideal for fast-scaling SaaS businesses that can't afford missteps when it comes to user data.

Event Monitoring

Event Monitoring is the backbone of SaaS security monitoring on Salesforce, giving you detailed, actionable insight into user and system activity across your org. It’s essential for SaaS companies that need to detect threats early, track usage patterns, and prove compliance during audits.

Included in Salesforce Shield and now enhanced with Real-Time Event Monitoring, this tool helps security, compliance, and operations teams stay informed and responsive.

What it tracks

Event Monitoring captures more than 50 event types across your Salesforce environment, including:

  • Logins and logouts;
  • API calls and integrations;
  • Report views and exports;
  • Dashboard access;
  • Record access and edits;
  • Apex execution;
  • Session hijacking attempts;
  • Page views and Lightning performance.

Each event includes timestamped data such as user ID, IP address, action type, and object involved. You can access this data via the EventLogFile object, export it into tools like Splunk or CRM Analytics, or visualize patterns directly in Event Monitoring Analytics dashboards.

Real-time monitoring

With Real-Time Event Monitoring, you no longer have to wait for daily log exports. You can:

  • Monitor key actions as they happen (e.g. mass report exports).
  • Trigger automated responses or alerts using Transaction Security Policies.
  • Create dashboards to flag unusual login patterns or suspicious API behavior.

How it helps SaaS companies

Let’s say your SaaS app stores sensitive customer information. With Event Monitoring, you can:

  • Detect if a user starts exporting an unusually high number of records or reports outside business hours.
  • Identify unapproved third-party tools making bulk API calls.
  • Track login anomalies, such as failed logins or access from unfamiliar IP ranges.
  • Prove during a GDPR or SOC 2 audit that you have clear logs of who accessed sensitive data and when.

You can also use Event Monitoring to improve operational insights:

  • Measure feature adoption by tracking usage across key screens or flows.
  • Identify slow-loading pages and performance bottlenecks.
  • Monitor usage of custom apps or Experience Cloud sites by partners and customers.
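Here is an added example of the detection side, written for this article rather than taken from Salesforce or any product: a small Python script that runs the rules just described (large or off-hours report exports, logins from outside trusted ranges, API call surges per user) over constructed rows in the shape of an EventLogFile CSV export. The column set is simplified, since real files carry many more fields per event type, and the trusted IP range, business hours, and thresholds are assumptions to replace with your own baselines. These are the same events the best-practice section below recommends alerting on.

```python
"""Added example: detection rules run over Event Monitoring log rows.

The rows below are constructed for this example in the shape of an EventLogFile
CSV export. Only a handful of columns is used and the column set is simplified
(the real files have many more fields per EVENT_TYPE); the thresholds and the
trusted IP range are assumptions to tune for your own org.
"""
from __future__ import annotations

import csv
import io
import ipaddress
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,LOGIN_STATUS,ROW_COUNT,URI
Login,2025-05-12T08:55:10.000Z,005A1,203.0.113.10,LOGIN_NO_ERROR,,
Login,2025-05-12T09:02:41.000Z,005B2,198.51.100.77,LOGIN_ERROR_INVALID_PASSWORD,,
ReportExport,2025-05-12T10:15:00.000Z,005A1,203.0.113.10,,800,/00O1
ReportExport,2025-05-12T23:40:00.000Z,005B2,198.51.100.77,,52000,/00O2
API,2025-05-12T11:00:00.000Z,005C3,203.0.113.22,,,/services/data/v60.0/query
API,2025-05-12T11:00:01.000Z,005C3,203.0.113.22,,,/services/data/v60.0/query
API,2025-05-12T11:00:02.000Z,005C3,203.0.113.22,,,/services/data/v60.0/query
API,2025-05-12T11:00:03.000Z,005C3,203.0.113.22,,,/services/data/v60.0/query
API,2025-05-12T11:30:00.000Z,005A1,203.0.113.10,,,/services/data/v60.0/sobjects/Case
"""

TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # assumption: office/VPN egress
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 UTC; assumption
EXPORT_ROW_LIMIT = 10_000       # rows in a single export that warrant a look
API_CALLS_PER_USER_LIMIT = 3    # kept tiny so the sample trips it; use a per-hour baseline in practice


def parse_rows(text: str) -> list[dict[str, str]]:
    """Read an EventLogFile-style CSV into one dict per event."""
    return list(csv.DictReader(io.StringIO(text)))


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RANGES)


def analyze(rows: list[dict[str, str]]) -> list[tuple]:
    """Return (rule, user id, detail) findings for the rows, in detection order."""
    findings: list[tuple] = []
    api_calls: Counter[str] = Counter()
    for row in rows:
        ts = datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
        kind, user = row["EVENT_TYPE"], row["USER_ID"]
        if kind == "ReportExport":
            exported = int(row["ROW_COUNT"] or 0)
            if exported >= EXPORT_ROW_LIMIT:
                findings.append(("large_export", user, exported))
            if ts.hour not in BUSINESS_HOURS:
                findings.append(("off_hours_export", user, ts.strftime("%H:%M UTC")))
        elif kind == "Login" and not is_trusted(row["CLIENT_IP"]):
            # Failed and successful logins from unknown ranges are both worth a look.
            findings.append(("untrusted_ip_login", user, f"{row['CLIENT_IP']} {row['LOGIN_STATUS']}"))
        elif kind == "API":
            api_calls[user] += 1
    for user, count in api_calls.items():
        if count > API_CALLS_PER_USER_LIMIT:
            findings.append(("api_surge", user, count))
    return findings


if __name__ == "__main__":
    for rule, user, detail in analyze(parse_rows(SAMPLE_LOG)):
        print(f"{rule:20} user={user} {detail}")
```

In production you would query the EventLogFile object, download each file body, and feed the rows to analyze(); Real-Time Event Monitoring with a Transaction Security Policy is the in-platform way to block the large export as it happens rather than finding it in the next day’s log.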

Salesforce Identity

Salesforce Identity provides centralized, secure authentication and access management for everyone interacting with your Salesforce environment, whether they’re employees, customers, or partners. It helps SaaS companies streamline login experiences while maintaining strict security and visibility.

This service covers both internal users (employees) and external users (customers, partners, or prospects), with licensing options to support each group. It’s a critical layer for managing access across Experience Cloud portals, third-party apps, mobile interfaces, and APIs.

Identity for employees

Internal users need quick and secure access to Salesforce and related tools. Salesforce Identity for Employees gives them:

  • Single sign-on (SSO) to third-party tools like Gmail, Slack, or internal systems, reducing login friction while maintaining control.
  • Multi-factor authentication to verify user identity beyond just a password.
  • Connected app management to control which employees can access what, using OAuth scopes and access policies.
  • Monitoring and reporting to track login activity and manage SaaS security risks.

How it helps SaaS companies:

Imagine your support and marketing teams each use different productivity tools (e.g. Jira for support, HubSpot for marketing). With Salesforce Identity, you can allow each group to access only the tools they need with one secure login. You reduce password fatigue and improve user adoption while meeting internal access control policies.

Customer Identity (external users)

For customers, partners, or other external users accessing your Experience Cloud sites, Customer Identity offers:

  • Self-registration and login through secure, branded flows.
  • Social sign-on via providers like Google, Facebook, and LinkedIn.
  • SSO across properties, enabling users to move between your portals, apps, and third-party services without repeated login prompts.
  • Custom identity workflows that connect logins with Salesforce records, like creating contacts or triggering onboarding journeys.

How it helps SaaS companies:

Say you’ve launched a self-service portal for users of your SaaS product. Instead of creating yet another login flow from scratch, you can let customers register using their social accounts, then automatically create or link their contact in Salesforce. From there, you can launch a welcome email, assign a support task, or add them to a product community using Salesforce's native tools.

Profiles, permission sets, and role hierarchies

Salesforce’s access control system is built on three foundational layers: profiles, permission sets, and role hierarchies. Together, they allow SaaS companies to define who can see, create, edit, or delete data, down to the object, field, and record level.

This layered model is flexible enough to handle complex orgs with many user roles, from internal teams like support and finance to external users in portals or communities.

Object-level and field-level access

  • Profiles define a user’s baseline permissions: what tabs they can see, what objects they can access, and what actions (read, create, edit, delete) they can perform.
  • Permission sets add flexibility. While a user can only have one profile, they can be assigned multiple permission sets. This makes it easier to manage exceptions or temporary access without duplicating profiles.
  • Field-level security controls visibility and edit access to specific fields within an object. For example, you can allow support agents to see a customer account but hide sensitive fields like payment method or billing history.

How it helps SaaS companies:

Imagine your SaaS platform has customer success reps, engineers, and finance staff. You can:

  • Give all reps access to account records via a shared profile.
  • Use permission sets to give specific reps access to export reports for quarterly reviews.
  • Restrict finance fields like "Annual Contract Value" from support reps using field-level security.
  • These controls apply everywhere: list views, search, reports, related lists, and more.

Record-level access with role hierarchy and sharing

Once you’ve defined what objects and fields users can access, the next layer is record-level sharing: who can see which records.

  • Organization-wide defaults (OWDs) define the baseline visibility for records in each object (Private, Public Read Only, or Public Read/Write).
  • Role hierarchy ensures that users higher up in the hierarchy can access records owned by users beneath them. It’s ideal for sales or support teams where managers need visibility into their team’s data.
  • Sharing rules allow you to give access to records based on criteria like record type or user group membership.
  • Manual sharing gives record owners the option to share a record with specific users or groups when needed.

How it helps SaaS companies:

Suppose your sales reps can only view their own leads, but managers need visibility across regions. You can:

  • Set the OWD for Leads to Private.
  • Use the role hierarchy so that regional sales managers can view all leads owned by their team.
  • Apply sharing rules so that support can view certain opportunity records tagged for escalation.

Advanced access tools

Salesforce also offers advanced controls like:

  • Restriction rules to reduce data visibility based on user or record criteria, even if access is granted via roles or sharing rules.
  • Scoping rules to help users focus on relevant records without changing underlying access.
  • Apex managed sharing to programmatically control access when standard sharing isn’t enough, for example, in complex product subscription models.
  • User sharing to control which internal or external users are visible to one another, useful for communities or B2B account hierarchies.
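To make the interaction of these layers concrete, here is an added example (our illustration, not code from the article or from Salesforce) that models organization-wide defaults, the role hierarchy, a criteria-based sharing rule, manual sharing, and a restriction rule in Python and computes which Lead records each user can see. The roles, users, and records are constructed, and the model is deliberately simplified: it covers read access only, treats every layer except restriction rules as grant-only (the most permissive source wins), and applies restriction rules after all grants, which is the behaviour described above.

```python
"""Added example: how Salesforce's record-level sharing layers combine.

Constructed org (not from the article): a small role hierarchy, five users
and four Lead records. Simplified model: read access only; every layer except
restriction rules can only grant access; restriction rules filter last.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

# Role hierarchy: role -> parent role (None at the top).
ROLE_PARENT = {
    "CEO": None,
    "EMEA Sales Manager": "CEO",
    "EMEA Sales Rep": "EMEA Sales Manager",
    "Support": "CEO",
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    view_all: bool = False  # "View All" on Lead (or View All Data)


@dataclass(frozen=True)
class Lead:
    id: str
    owner: str
    escalated: bool = False


@dataclass
class SharingModel:
    owd: str = "Private"  # "Private", "Public Read Only" or "Public Read/Write"
    grant_access_using_hierarchies: bool = True
    # Criteria-based sharing rules: (predicate on the record, roles that receive access)
    sharing_rules: list[tuple[Callable[[Lead], bool], set[str]]] = field(default_factory=list)
    manual_shares: set[tuple[str, str]] = field(default_factory=set)  # (lead id, user name)
    # Restriction rules: user name -> predicate a record must satisfy to stay visible
    restriction_rules: dict[str, Callable[[Lead], bool]] = field(default_factory=dict)


USERS = {u.name: u for u in [
    User("erin", "CEO"),
    User("carol", "EMEA Sales Manager"),
    User("alice", "EMEA Sales Rep"),
    User("bob", "EMEA Sales Rep"),
    User("dave", "Support"),
]}

LEADS = [
    Lead("L1", owner="alice"),
    Lead("L2", owner="bob", escalated=True),
    Lead("L3", owner="carol"),
    Lead("L4", owner="erin"),
]


def is_above(higher: str, lower: str) -> bool:
    """True if role `higher` is an ancestor of role `lower` in the hierarchy."""
    parent = ROLE_PARENT[lower]
    while parent is not None:
        if parent == higher:
            return True
        parent = ROLE_PARENT[parent]
    return False


def can_read(user: User, lead: Lead, model: SharingModel) -> bool:
    """Grant-only layers first (most permissive wins), restriction rules last."""
    if user.view_all or model.owd != "Private":
        granted = True
    elif lead.owner == user.name:
        granted = True
    elif model.grant_access_using_hierarchies and is_above(user.role, USERS[lead.owner].role):
        granted = True
    elif any(pred(lead) and user.role in roles for pred, roles in model.sharing_rules):
        granted = True
    else:
        granted = (lead.id, user.name) in model.manual_shares
    # A restriction rule only ever takes visibility away, whatever granted it.
    restrict = model.restriction_rules.get(user.name)
    return granted and (restrict is None or restrict(lead))


def visible_leads(user_name: str, model: SharingModel) -> set[str]:
    return {lead.id for lead in LEADS if can_read(USERS[user_name], lead, model)}


def build_model(owd: str = "Private") -> SharingModel:
    return SharingModel(
        owd=owd,
        # Escalated leads are shared with the Support role.
        sharing_rules=[(lambda lead: lead.escalated, {"Support"})],
        # carol shares her own lead with alice; alice shares L1 with dave.
        manual_shares={("L3", "alice"), ("L1", "dave")},
        # Support may only ever see escalated leads, even when something was shared manually.
        restriction_rules={"dave": lambda lead: lead.escalated},
    )


if __name__ == "__main__":
    for name in USERS:
        print(f"{name:6} sees {sorted(visible_leads(name, build_model()))}")
```

Note what the output shows: the manual share of L1 to dave is silently cancelled by his restriction rule, and switching the OWD to Public Read Only opens every lead to the sales users but still leaves dave with only the escalated one. That is the asymmetry to remember when debugging visibility: grants add up, restriction rules win.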

Experience Cloud security

Experience Cloud lets you create portals, help centers, partner hubs, and customer communities, but exposing parts of your platform externally brings new security responsibilities. Experience Cloud has built-in tools to control what external users can see, do, and access.

For SaaS companies offering self-service, onboarding, or partner collaboration through Salesforce portals, these controls are essential.

Core security components

  • External sharing rules let you define which records external users (e.g. customers, partners) can access. For example, a client portal user should only see their own cases or contracts.
  • Guest user access settings allow or restrict unauthenticated users from accessing public pages, knowledge articles, or registration forms. By default, guest users have zero access unless explicitly granted.
  • With login policies and IP restrictions, you can limit portal access by IP range, enforce multi-factor authentication, or restrict logins to certain hours.
  • Like internal users, portal users have assigned profiles and permission sets. These control what objects, fields, and tabs they can access.

How it helps SaaS companies

Let’s say your SaaS platform provides a customer onboarding or Salesforce tech support portal. With Experience Cloud security, you can:

  • Ensure each client only sees their own company’s onboarding checklist, tickets, and documentation.
  • Restrict support materials and pricing documents to logged-in users only.
  • Use sharing rules to give partner managers access to lead data submitted by their clients, without exposing other records.
  • Block access to sensitive fields like internal notes or escalations while still showing high-level case status.

For larger portals with multiple user types like customers, partners, and resellers, you can assign different page access, objects, and record visibility rules without writing custom code.

API security and Named Credentials

SaaS platforms rely heavily on integrations with payment processors, analytics tools, marketing platforms, and internal services, and all of these connections typically go through APIs. Salesforce offers a secure framework to manage and protect these external connections using Named Credentials and built-in API security controls.

This is where many platforms take shortcuts (like hardcoding tokens), but Salesforce gives you the tools to do it right.

Named Credentials

Named Credentials let you securely store and manage authentication for external services. Instead of embedding credentials in Apex code or Flow logic, you define:

  • Authentication type (OAuth, password-based, AWS signature, etc.);
  • Token endpoint, scope, and refresh behavior;
  • Who in your org is allowed to use the connection.

You can also rotate or revoke access centrally without touching your integration logic. In current orgs the Named Credential holds the endpoint, while a separate External Credential holds the authentication protocol and its principals; users and integration code can use a principal only through a permission set, so the secret never appears in Apex, Flow metadata, or source control. For example, your SaaS product integrates with Stripe. Instead of storing the API key in every flow or script, you create a Named Credential that handles the authentication and token lifecycle. This keeps secrets secure and maintainable.

API security controls

Salesforce also provides native controls to protect your org’s own APIs:

  • Control who can call your APIs and how often.
  • Restrict third-party apps to specific data and actions.
  • Reduce the risk of reusing long-lived access tokens with session timeout and refresh token policies.
  • Control what external apps can do and monitor their behavior.

You can pair these with Event Monitoring to log API activity, flag suspicious usage, and trigger alerts or automated responses.

How it helps SaaS companies

Let’s say your engineering team builds an integration layer that pulls data from external services and pushes updates into Salesforce. With Named Credentials and API security in place, you can:

  • Avoid hardcoding secrets across multiple components;
  • Prevent unauthorized tools from hitting your endpoints;
  • Monitor and audit exactly who accessed what, and when;
  • Disable a third-party integration instantly if a vendor is breached.

SaaS security best practices with Salesforce

Tools alone don’t secure your platform; how you use them matters. Here are six practical best practices for securing your SaaS product on Salesforce. These are based on common gaps we’ve seen across projects and what we recommend for fast-scaling teams.

Enforce least privilege with permission sets, not just profiles

Too many teams start by cloning a standard profile, granting admin-level access, and reusing it across departments “just to get things working.” Over time, access piles up until support agents can export billing data and marketers can edit customer records.

We help SaaS clients clean this up by:

  • Using profiles only for basic access (login, UI visibility, general object access);
  • Assigning permission sets to grant specific rights like data export, API access, or report creation;
  • Auditing permissions quarterly, especially around “Modify All” and “View All” access.

One of our clients had 14 users with full control over customer records via “Modify All” permissions. After reviewing actual usage, we dropped that number to 2. The rest received targeted permission sets based on their tasks—case resolution, subscription management, or read-only reporting. Their CISO called it the “simplest win with the biggest impact.”

Use field-level encryption for sensitive data

Some data fields shouldn’t just be hidden; they should be encrypted. We’ve seen teams hide fields in the UI but leave them exposed in APIs, reports, or exports. A page layout is not access control: unless field-level security removes a field, it stays readable through the API, reports, list views, and exports, and even then the stored value is in clear text. That’s not enough, especially with compliance requirements like GDPR or HIPAA.

We guide clients to:

  • Encrypt sensitive fields using Platform Encryption;
  • Use BYOK or key rotation when needed for compliance;
  • Combine encryption with field-level security to ensure no backdoor visibility.

We also validate that encryption doesn't interfere with:

  • Report logic;
  • Automation flows;
  • API performance.

Monitor what matters with Shield and alerts

We always encourage clients to turn on Field Audit Trail and Event Monitoring, especially before audits. But more importantly, we set up alerts for:

  • Report exports;
  • Login anomalies;
  • Permission changes;
  • API call volume spikes.

Our CRO, Vlad Petrovych, adds: “Audit logs shouldn’t be an afterthought. They’re not just for post-incident reviews, they’re how you catch small issues before they become serious risks.”

Enforce SSO and MFA everywhere with no exceptions

It’s common for teams to secure production but leave sandboxes open “for convenience.” That’s risky. Developers often use real tokens, real connections, or even real customer data in lower environments.

What we recommend:

  • Enforce SSO and MFA across all orgs (sandbox and production);
  • Integrate with your identity provider for centralized control;
  • Disable or restrict generic admin logins.

Never seed sandboxes with raw production data

We’ve seen SaaS teams copy full production databases into sandboxes to troubleshoot bugs. It’s fast, but it’s also risky. Even if the org is “test only,” the data is real and often unprotected.

To prevent that, we implement:

  • Automated data masking;
  • Disabled email delivery in test environments;
  • Reduced permissions in sandboxes by default.

One of our clients used sandbox data for training and accidentally exposed a live customer record in a demo. We helped them switch to masked data with consistent test scenarios. It kept their workflows intact and removed compliance risk.
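To show what “masked data with consistent test scenarios” means in practice, here is an added example (ours, not a Salesforce feature): keyed, deterministic masking in Python that preserves referential integrity across records, keeps phone formatting intact, and scrubs emails and card-like numbers out of free-text fields. The records, field names, and key are constructed for the example; in a real refresh the key would be generated per refresh and kept out of the sandbox.

```python
"""Added example: deterministic masking for seeding a sandbox.

Records, field names and the key are constructed for the example. Masking is a
keyed HMAC-SHA256, so the same real value always maps to the same fake value (a
Contact email and the email on its Case still match after masking) but cannot
be reversed without the key.
"""
from __future__ import annotations

import hashlib
import hmac
import re

MASKING_KEY = b"per-refresh-secret-keep-out-of-the-sandbox"  # assumption: new key per refresh, stored outside the org

FAKE_NAMES = ["Ada", "Grace", "Linus", "Margaret", "Ken", "Barbara", "Dennis", "Radia"]
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # 13-19 digits with optional separators


def _digest(value: str) -> str:
    # Normalise so "Jane.Roe@x" and "jane.roe@x " mask to the same pseudonym.
    return hmac.new(MASKING_KEY, value.strip().lower().encode(), hashlib.sha256).hexdigest()


def mask_email(email: str) -> str:
    return f"user-{_digest(email)[:10]}@example.com"


def mask_name(name: str) -> str:
    return FAKE_NAMES[int(_digest(name), 16) % len(FAKE_NAMES)]


def mask_phone(phone: str) -> str:
    """Keep the formatting characters, replace every digit deterministically."""
    pool = iter(str(int(_digest(phone)[:20], 16)).zfill(25))
    return "".join(next(pool) if ch.isdigit() else ch for ch in phone)


def scrub_free_text(text: str) -> str:
    """Free-text fields are where PII hides: pseudonymise emails, drop card-like numbers."""
    text = EMAIL_RE.sub(lambda m: mask_email(m.group(0)), text)
    return CARD_RE.sub("[REDACTED-CARD]", text)


MASKERS = {
    "Email": mask_email,
    "FirstName": mask_name,
    "LastName": mask_name,
    "Phone": mask_phone,
    "Description": scrub_free_text,
}


def mask_record(record: dict) -> dict:
    """Mask only the fields with a masker; Ids and lookups stay so relationships survive."""
    return {k: (MASKERS[k](v) if k in MASKERS and v else v) for k, v in record.items()}


SAMPLE_RECORDS = [  # constructed: a Contact and a Case that references it
    {"Id": "003x1", "FirstName": "Jane", "LastName": "Roe",
     "Email": "Jane.Roe@client.example", "Phone": "+1 (415) 555-0199",
     "Description": "Paid with card 4111 1111 1111 1111, confirm to jane.roe@client.example"},
    {"Id": "500x9", "ContactId": "003x1", "Email": "jane.roe@client.example ",
     "Description": "Customer asked for a refund; ticket escalated"},
]


def mask_sample() -> list[dict]:
    return [mask_record(r) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for masked in mask_sample():
        print(masked)
```

Run it on a sandbox load file before import, or wire the same functions into whatever ETL seeds the sandbox; the point of the HMAC is that test scenarios stay reproducible across refreshes while the key rotates away from anyone who only has sandbox access.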

Lock down guest access in Experience Cloud

Experience Cloud sites often start small: an FAQ page here, a case form there, but guest users can quickly gain access to more than intended if settings aren’t reviewed carefully.

How we manage it:

  • Restrict guest user object and field permissions to read-only or none;
  • Disable guest access to custom objects unless absolutely needed;
  • Use external sharing rules to tightly control record access.


Common Salesforce security pitfalls to avoid

From our team’s audits, here’s a quick-hit SaaS security checklist to help companies catch the most common and costly security missteps before they turn into incidents. These issues appear across companies of all sizes, whether a startup moving fast or an enterprise scaling globally.

Not enabling Event Monitoring (or not using it properly)

We’ve seen orgs with MFA, SSO, encryption, but no visibility into actual user behavior. Without Event Monitoring, you can’t track logins, report exports, or high-volume API calls in real time. That means your org could be leaking data or suffering abuse, and you wouldn’t know until it’s too late.

What to do instead:

Enable Event Monitoring and focus on high-risk events: exports, large report views, failed logins, and API surges. Pair this with Transaction Security Policies or external tools like Splunk for alerting and dashboards.

Excessive use of System Administrator roles

This one’s classic: someone needs access fast, gets the System Administrator profile “just for now,” and they’re still walking around with full access six months later. We’ve seen orgs where over half the users had admin rights, and no one remembered why.

What to do instead:

Audit who has admin access. Replace broad roles with permission sets tied to actual job needs. Give users only the capabilities they require, and nothing more. It’s also a good practice to track when admin rights are granted, and set reminders to review or revoke temporary access.

Misconfigured guest users in Experience Cloud

Experience Cloud guest users can be a major risk if left unchecked. We’ve audited portals where unauthenticated users had access to internal records, knowledge base drafts, and even contact data, all unintentionally exposed, and in some cases indexed by Google.

What to do instead:

  • Lock down the Guest User Profile to only necessary objects and fields;
  • Regularly review external sharing rules;
  • Use the Guest User Access Report in Salesforce to identify what’s exposed;
  • Public portals should show public content—nothing more.

Forgotten secrets or stale tokens in Connected Apps

Unrotated secrets and abandoned API keys are an easy way in for attackers. We’ve heard things like, “That integration was for testing, but it might still be active.” That’s a red flag. Hardcoded tokens, leftover dev connections, and unused Named Credentials can be exploited quietly.

What to do instead:

  • Use Named Credentials to store and manage authentication centrally;
  • Rotate keys and tokens on a schedule;
  • Periodically review Connected Apps and revoke unused tokens.

This is basic hygiene, but it is often overlooked in fast-moving teams.

Overlooking API limits and abuse prevention

Most teams don’t think about API limits until things break. Integrations flood the system, governor limits are hit, and critical automation silently fails. Even if the traffic isn’t malicious, unmonitored API overuse can expose your org to both data issues and performance risks.

What to do instead:

  • Monitor API usage patterns via Event Monitoring or System Overview;
  • Set up alert thresholds for unusual spikes;
  • Apply rate limiting logic and retry strategies in your integrations.

APIs are your gateway, and you should treat them like production infrastructure.
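To make the Event Monitoring and API-threshold advice above concrete, here is an added example (written for this article, not Noltic's tooling or a Salesforce product): a small triage script that reads Event Log File style CSV rows and flags the three patterns named above (failed-login bursts, large report exports, and per-user API surges). The column subset, the sample rows and the thresholds are constructed assumptions; tune the thresholds to your own org's baseline.

```python
import csv
import io
from collections import Counter

# Constructed sample in the CSV style of Salesforce Event Log Files. The column
# set is a simplified subset chosen for this example, not the full schema.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,LOGIN_STATUS,ROW_COUNT,URI
Login,2025-05-16T08:00:01Z,005AAA,LOGIN_NO_ERROR,,
Login,2025-05-16T08:01:10Z,005BBB,LOGIN_ERROR_INVALID_PASSWORD,,
Login,2025-05-16T08:01:15Z,005BBB,LOGIN_ERROR_INVALID_PASSWORD,,
Login,2025-05-16T08:01:20Z,005BBB,LOGIN_ERROR_INVALID_PASSWORD,,
Login,2025-05-16T08:01:25Z,005BBB,LOGIN_ERROR_INVALID_PASSWORD,,
Login,2025-05-16T08:01:30Z,005BBB,LOGIN_ERROR_INVALID_PASSWORD,,
ReportExport,2025-05-16T09:15:00Z,005AAA,,120,
ReportExport,2025-05-16T09:20:00Z,005CCC,,48000,
"""
# One integration user (constructed) firing 1,200 REST queries inside the 10:00 hour.
SAMPLE_LOG += "".join(
    f"RestApi,2025-05-16T10:{i // 60:02d}:{i % 60:02d}Z,005DDD,,,/services/data/v60.0/query\n"
    for i in range(1200)
)


def triage(csv_text, failed_login_max=5, export_rows_max=10_000, api_per_hour_max=1_000):
    """Return (finding, user_id, count) tuples for the high-risk patterns above.

    Thresholds are placeholders to tune per org, not Salesforce defaults.
    """
    failed = Counter()          # failed logins per user
    api_calls = Counter()       # REST calls per (user, hour)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind, user = row["EVENT_TYPE"], row["USER_ID"]
        if kind == "Login" and row["LOGIN_STATUS"] != "LOGIN_NO_ERROR":
            failed[user] += 1
        elif kind == "ReportExport" and int(row["ROW_COUNT"] or 0) >= export_rows_max:
            findings.append(("large_export", user, int(row["ROW_COUNT"])))
        elif kind == "RestApi":
            api_calls[(user, row["TIMESTAMP_DERIVED"][:13])] += 1  # bucket by hour
    findings += [("failed_logins", u, n) for u, n in failed.items() if n >= failed_login_max]
    findings += [("api_surge", u, n) for (u, _hour), n in api_calls.items() if n > api_per_hour_max]
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

In practice the same logic runs on the files you pull from the EventLogFile object on a schedule, with findings forwarded to your alerting tool rather than printed.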

Build security-first Salesforce architectures with us

We embed security into every layer of your Salesforce setup so your team can scale confidently without putting customer data or compliance at risk. Our team has supported fast-growing SaaS companies in fintech, health tech, and B2B SaaS as they prepared for SOC 2, HIPAA, and GDPR while still hitting product and go-to-market deadlines.

Why SaaS companies trust us:

  • 11 Salesforce Certified Architects;
  • 25+ Platform Developers;
  • 130+ successful projects;
  • 5.0 rating on AppExchange.

What we offer:

  • Comprehensive SaaS security assessments and Salesforce org audits to identify misconfigurations, over-permissioned roles, and data exposure.
  • Salesforce Shield setup, including encryption, audit trails, and event monitoring from end to end.
  • SSO, MFA, and identity management for secure logins for internal users, portals, and third-party tools.
  • Secure Experience Cloud portals for customers and partners with strict access controls.
  • Named Credentials & API governance to limit risk from external connections.
  • Data masking and sandbox hardening to prevent sensitive data from leaking into test environments.
  • AppExchange security review support for product teams building on Salesforce.


FAQs

We already use MFA and SSO. Isn’t that enough for Salesforce security?

MFA and SSO are critical steps, but they only cover access at the front door. Once inside, users may still have more permissions than they need, sensitive data may be exposed via APIs or reports, and audit logs may not be enabled. True Salesforce security includes least-privilege access, event monitoring, data encryption, and ongoing credential management. MFA and SSO reduce entry risk, but they don’t control internal movement or visibility.

We rely heavily on third-party tools integrated with Salesforce. What’s the security risk there?

Each integration introduces a new potential entry point. Many third-party apps request broad access via API and store long-lived tokens that are rarely rotated or reviewed. If a vendor is breached or a key is misused, your data is at risk, even if your Salesforce org wasn’t directly compromised. We recommend using Named Credentials, restricting scopes, and setting up API monitoring to reduce exposure from forgotten or over-permissioned integrations.

Our devs need broad access for speed. How do we balance that with security?

It’s possible to give developers what they need without opening up the entire org. Use permission sets for time-bound access, scope API keys, and restrict admin roles to sandbox or scratch orgs unless absolutely necessary. For tasks that truly require elevated access, log and review usage regularly. You don’t have to slow devs down, but you do need to track and control how privileges are granted, used, and revoked.

Can we use sandbox environments for realistic testing without violating data privacy?

Yes, but only if you mask or anonymize sensitive data first. Seeding sandboxes with raw production data is one of the most common security missteps. With tools like Salesforce Data Mask or custom masking scripts, you can retain the structure and relationships needed for testing while stripping out customer names, emails, and personal identifiers. This gives your QA and dev teams realistic data without creating unnecessary compliance risk.
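As an added illustration of the consistent masking described in the sandbox section and in this answer (example code written for this article, not Noltic's tooling and not Salesforce Data Mask): a keyed pseudonymization routine that replaces names, emails and phones while leaving Ids and lookups untouched, so that the same real person masks to the same stand-in across objects and relationships survive. MASK_KEY, the field set and the sample Contact/Lead records are assumptions constructed for the example.

```python
import hashlib
import hmac

# Assumed: a per-sandbox masking key kept outside the org (CI secret, vault).
# This is a constructed placeholder, not a real key.
MASK_KEY = b"sandbox-mask-key-placeholder"

# Field names follow standard Contact/Lead fields; Ids and lookups are left alone.
PII_FIELDS = {"FirstName", "LastName", "Email", "Phone"}

# Constructed sample records: the same person appears as a Contact and a Lead,
# with the email differing only in case.
SAMPLE_CONTACTS = [
    {"Id": "003AAA", "AccountId": "001ZZZ", "FirstName": "Ann", "LastName": "Lee",
     "Email": "ann.lee@corp.example", "Phone": "+1 415 555 0100"},
    {"Id": "003BBB", "AccountId": "001ZZZ", "FirstName": "Bo", "LastName": "Chen",
     "Email": "bo.chen@corp.example", "Phone": ""},
]
SAMPLE_LEADS = [
    {"Id": "00QCCC", "FirstName": "Ann", "LastName": "Lee",
     "Email": "Ann.Lee@corp.example", "Phone": "+1 415 555 0100"},
]


def _token(value, key=MASK_KEY):
    """Keyed, deterministic token: same input -> same token; no way back without the key."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:10]


def mask_value(field, value):
    """Replace a PII value with a realistic-looking stand-in of the same shape."""
    if not value:                      # keep blanks blank so nullability tests still hold
        return value
    token = _token(value)
    if field == "Email":
        return f"user-{token}@example.com"   # reserved domain: mail can never reach a customer
    if field == "Phone":
        return f"555-{int(token, 16) % 10_000_000:07d}"
    return f"{field}-{token}"


def mask_record(record):
    return {k: (mask_value(k, v) if k in PII_FIELDS else v) for k, v in record.items()}


def mask_records(records):
    return [mask_record(r) for r in records]
```

Run this over the export before loading it into the sandbox, and keep MASK_KEY out of the org so nobody can rebuild the mapping from inside the test environment.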

Vladyslav Petrovych
CRO/Co-founder
Noltic's top tech & sales guru, 18x certified Salesforce architect
Oleksandra Petrenko
Content writer
Engaging and data-driven content creator focused on Salesforce solutions.