User Activity Monitoring in Salesforce: 5 Lessons Learned for a Stronger Data Governance Program

Salesforce is a mission-critical application for thousands of major enterprises across many industries. A single Salesforce org can store vast amounts of regulated, confidential, and proprietary information accessible by hundreds or even thousands of CRM users. With all this sensitive data in the cloud and the ability to access it anywhere, anytime, anyplace, Salesforce user activity monitoring is necessary. But for years, Salesforce data security solutions lacked rapid forensic investigations on users, continuous user monitoring, and proactive alerts. This was because Salesforce audit trails were manual, time-consuming, and expensive to obtain.

The release of Salesforce Shield – a suite of platform tools that includes Event Monitoring, Field Audit Trail, and Platform Encryption – gives users more in-depth ability to protect and monitor data access. Event Monitoring allows users to access application audit logs, enabling user activity monitoring and more robust data protection strategies for any Salesforce org. But is Event Monitoring alone enough for a truly proactive user activity monitoring program?

Here, we present five lessons that you can learn from user activity monitoring in Salesforce and what to keep in mind when creating a comprehensive data protection program for Salesforce and other mission-critical cloud applications.

1) Non-filtered alerts can be overwhelming

User activity monitoring and accompanying alerts provide peace of mind and visibility into potentially suspicious behaviors. For example, monitoring for the export of a customer report and exports in general is the most common scenario. However, it should be noted that monitoring and alerting on any and all exports is insufficient for most enterprises because it’s too generic and can lead to false positives. In fact, unless an organization enables more details regarding an export and fine-tuned filtering, export alerts will simply add noise. Target monitoring carefully and tailor alerts so when they occur, they’re meaningful enough to trigger legitimate investigations.

2) Reports and filters should work with standard and custom fields/objects

Every Salesforce org contains standard fields and objects such as Accounts, Contacts, Opportunities, Leads, and Cases. And virtually all major enterprises have customized their Salesforce instance by adding custom fields to support the specifics of their business. Customers also add custom objects, which enable workflows and applications supporting the business. Reporting and filtering must be capable of reaching salient information rapidly, which includes the ability to support standard Salesforce fields and objects as well as custom ones.

3) Forensic investigations are an essential component of a data governance program

There are myriad reasons why you may need to conduct a forensic investigation on Salesforce user access activity. For many enterprises, reviewing the access of a departing employee is a mandatory step in the offboarding process and is often done by running a forensics report. In addition to offboarding, multiple other scenarios may require forensic investigation – for example, investigating how a price book was deleted that led to errors in hundreds or thousands of Salesforce opportunities. Salesforce Shield: Event Monitoring makes forensic investigations possible, with a couple of limitations – which brings us to our next two lessons.

4) Event Monitoring files in their raw form are difficult to interpret

Event Monitoring files are clear text, but they’re not human readable without detailed API calls or meticulous, lengthy manual intervention. In short, the log files arrive as a long, confusing string of letters, numbers, and symbols – not very reader-friendly. A robust user activity monitoring platform can automatically decode the files so that any business user can easily interpret the results, meaning you aren’t reliant on a team of full-time data scientists to translate the complex log files.

5) Audit log retention is essential to legally defensible investigations and regulatory compliance

Event Monitoring files are produced by Salesforce and retained for a very short time, usually only 30 days. Salesforce customers should have a strategy for capturing, encrypting, and archiving the Event Monitoring files if they want to meet the most basic requirements of a data protection and governance strategy for Salesforce. Most regulatory bodies require organizations to maintain application log files for a minimum of two years, which is longer than Salesforce’s native storage limit. To resolve this, identify a user activity monitoring platform that stores data for a minimum of two years.

Gaining peace of mind and simplifying data governance

The responsibility for a data protection program most likely falls on the Director of Salesforce/CRM and supporting Salesforce administrators. This means that the tools and platforms needed to support Salesforce data protection must be straightforward, time saving, and support multi-field filtering in order to rapidly gain access to relevant information. In addition, these tools and platforms must be extremely flexible, supporting Salesforce standard fields and objects, as well as custom fields and objects that are part of nearly every Salesforce org.

A comprehensive data protection program for Salesforce gives organizations the peace of mind needed to store sensitive information in the application, therefore enabling greater business velocity through central data views and improved workflows. Additionally, Salesforce customers expand their reputation for trust by protecting shareholders and customers against theft of proprietary information and by improving their privacy, security, and compliance posture. Salesforce Shield is a great start, but organizations can take their security features to the next level with a user activity monitoring solution that incorporates data governance, privacy, security, and compliance.