You can keep your free snacks and ping pong tables. If we’ve learned one thing from the pandemic, it would be that employees really want the ability to work remotely — at least part of the time. While organizations have become more accepting of this new reality, IT departments are facing security challenges.
In this post, we’re looking at Salesforce Marketing Cloud security best practices for hybrid and remote work environments. We’ll review some of the security settings in Marketing Cloud that will allow your remote employees to work safely and take some of the stress off of your IT team.
Marketing Cloud security for remote and hybrid work models
Since the onset of the pandemic, the number of remote workers has grown exponentially and the hybrid work model is becoming the new norm. A 2021 Mckinsey & Company survey found that 52% of workers prefer a more flexible working model moving forward. And listening to those wishes is helping many employers to avoid the effects of the Great Resignation at their companies.
Luckily, Marketing Cloud is built with security in mind and it can be configured to allow your employees to work securely — wherever they may be.
Let’s take a look at some ways you can protect your data in addition to using multi-factor authentication (MFA).
Security Tip #1: Limit the Data in Salesforce Marketing Cloud
Salesforce Marketing Cloud is not a data warehouse. So don’t treat it like one.
When bringing data into SFMC, ask yourself how it will be used for segmentation. If data will not be used for segmentation, don’t import or sync it over. Data like credit card numbers should NEVER be stored in Marketing Cloud.
Special attention also needs to be applied when handling Personally Identifiable Information (PII). The Department of Homeland Security defines PII as:
As any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual, regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to the Department.
Linked PII is information that can be used by itself to identify an individual (ex. Social Security number) and linkable PII is information that can be used in combination with other information to identify an individual. Depending on the type of data in your account and the industries you serve, additional security measures like data at rest encryption, field level encryption and tokenized sending might be necessary.
Security Tip #2: Control Access with Marketing Cloud Business Units
Even before creating users, I like to see how organizations are structured. If your organization operates in several regions, all users might not need access to all the data. The best way to secure data is to not grant access to it in the first place!
This is where business units come in. Business units in Marketing Cloud allow you to control access to information by creating a hierarchical structure. They also allow you to control branding elements including email display name, email reply address, and physical mailing address at the business unit level. You can even control the settings to allow unsubscribe at the business unit level or the enterprise.
Business units don’t have to be limited to geography. Your hierarchy can be built based on your unique needs. Building a hierarchy based on products is a great use case.
Note: Business Units are available in Enterprise and Enterprise 2.0 accounts.
Security Tip #3: Provide Users with the Correct Access Based on Need
Now that we’ve established our hierarchy and determined where users should be included, the next question is access level. Let’s start by talking about the differences between roles and permissions.
- Permissions are micro-level security.
- Example: The ability to Create, Edit in Journey Builder.
- Roles are macro-level security.
- They are a collection of permissions.
Permissions in Marketing Cloud are very granular. For this reason, the good folks at Salesforce have included default roles within Marketing Cloud based on common needs/scenarios (similar concept to the default user roles in Pardot). These are divided into Marketing Cloud and Email Studio Roles. I would highly recommend using these roles and limiting the creation of custom roles.
| Marketing Cloud Role | Description |
| Marketing Cloud Administrator | This role assigns Marketing Cloud roles to users and manages channels, apps, and tools. |
| Marketing Cloud Viewer | This role views cross-channel marketing activity results in Marketing Cloud. |
| Marketing Cloud Channel Manager | This role creates and executes cross-channel interactive marketing campaigns and administers specific channels like Email Studio. |
| Marketing Cloud Security Administrator | This role maintains security settings and manages user activity and alerts. |
| Marketing Cloud Content Editor/Publisher | This role creates and delivers messages through applicable channel apps. |
| Email Studio Role | Description |
| Administrator | Access to all Email Studio functions including Setup, email creating, and creating data extensions. |
| Content Creator | Access to all content, shared folders, and tracking in Email Studio, but no access to data or administrative features. |
| Data Manager | Access to everything in Email Studio except email content |
| Analyst | Access to tracking features in Email Studio. |
Marketing Cloud Roles and Permissions
When assigning roles to users, you should always start with the lowest level that permits the individual to do their job. I’m always amazed when I log into an account for the first time and see all users have the Marketing Cloud Administrator and Administrator roles assigned. There’s simply no reason for this. I generally like to have two admins in an organization. It’s always good to have a backup in the event of an emergency!
It’s also worth noting that SFMC defaults to the most restrictive value when multiple roles are assigned to a user. For example, if a user was assigned the Content Creator, Marketing Cloud Channel Manager, and the Marketing Cloud Viewer roles, they would not be able to send an email. This is due to the fact that the Marketing Cloud Viewer is the most restrictive of the three roles and does not permit email sending.
It’s very possible that the same user will have access to multiple business units, but perform different functions in each. That’s perfectly fine and SFMC has you covered. Roles can be assigned at the business unit level so the same user could have admin access in one and view only in another. This is very handy and should be utilized if users don’t need full access to all the BUs that they are part of.
Security Tip #4: Follow Login and Password Best Practices
Marketing Cloud allows admins to set security policies very easily within the Security Setting under setup. However, I’m really surprised by how often I see accounts where the standard Salesforce recommendations are not followed. Take a minute to audit your account to ensure that they comply with the recommended account settings from Salesforce included below.
| Field | Recommended Setting |
| Session Timeout | 20 minutes |
| Login Expires After Inactivity | 90 days or less |
| Invalid Logins Before Lockout | 3 |
| Count Invalid Logins Across Sessions | Yes |
| Minimum Username Length | 8 characters |
| Minimum Password Length | 8 characters or more |
| Enforce Password History | 8 passwords remembered |
| User Passwords Expire In | 90 days |
| Send Password Change Confirmation Email | Enable |
| Enable Audit Logging Data Collection | Enable |
Security Tip #5: Limit Logins by IP Address
The Restrict Logins by IP Address (IP Allowlisting) setting allows you to define a list of IP addresses that can access your account.
This feature is optional and is set to Off by default, but can quickly be activated under Setup > Security Setting > Username and Logins. When activating, you’ll have the option to log non-allowed IP addresses and permit access or log non-allowed IP addresses and block access. Don’t forget to add IP addresses to your allowlist under Setup > Security > Login IP Allowlist if you choose to use this feature.
Security Tip #6: Limit Exports
Ask yourself this simple question…
Does this user need to extract data from SFMC to do their job?
If the answer is “no,” then don’t allow them to export. It’s that easy!
Data extracts are a security risk that I see in most accounts. While data in the hands of a user can be risky, the real concern is data sitting on a computer that is not properly secured. Once the data leaves SFMC, all bets are off. This is a huge risk with remote workers. Let’s mitigate this risk by limiting exports.
Data can be exported from SFMC using Data Extract activities in Automation Studio, from tracking in Email Studio, and from reports in Analytics Studio. While some reports can be viewed onscreen or downloaded as PDFs, email and file transfer locations are the primary ways that data is exported.
Email Export
Your data is sent from SFMC via email. This is pretty scary, but can be controlled with Export Email Allowlists. The email allowlist includes individual email addresses or domains that are authorized to receive email exports from your account.
Export Email Allowlists must be activated in your SFMC account by first selecting the Enforce Export Allowlist in Security Setting. You will then need to specify the individual email addresses and domains that are authorized to receive email exports within your Export Email Allowlist (Setup > Security > Export Email Allowlist).
File Transfer Locations
Marketing Cloud also makes use of file transfer locations to import and export data. The most common location is the Enhanced FTP Account, but you can also add additional locations under Setup > Administration > Data Management > File Locations.
To access data from the Enhanced FTP Site, users must login. Access to the data can be controlled by limiting users and not sharing login credentials. Marketing Cloud allows up to 10 FTP users per MID, allocate them wisely! Users can be granted Read Only or Full access.
Security Tip #7: Automate and Review Audit Trails
Audit Trails in Marketing Cloud can be used to track account access and activity. Reports can be automated through Automation Studio or through REST API extracts.
Before audit trails can be exported, the following actions must be taken to enable them in your account.
- Enable Audit Trail Data Collection under Setup > Security > Security Settings
- Assign the Marketing Cloud Security Administrator role to the user who will be extracting the data
Once these requirements are met, automations can be created in Automation Studio to extract the access and activity logs. Salesforce recommends that audit trail data be retrieved periodically based on a rolling window.
There are a couple of things to keep in mind when creating your automations.
- You must create a Data Extract activity and select the desired extract type (Audit Trail Access Log or Audit Trail Activity Log).
- Data is extracted to the Marketing Cloud Safehouse, so a File Transfer activity is needed to securely transfer files to the FTP location of your choice.
The automation is pretty simple and will look like this when complete.
The Basic Audit Trails are a great place to start. They are included in your account and have a 30-day retention period. Advanced Audit Trails, which can be purchased for an additional fee, extend the retention period to 60-days and include additional data related to Email Studio, CloudPages, MobileConnect, and more. Learn more about Basic and Advanced Audit Trails.
Take Action to Secure your Marketing Cloud account
This post includes some recommendations to help secure your Marketing Cloud account with the rise in remote workers. However, it is not inclusive of all the security capabilities of SFMC.
For more information, check out the following Trailhead modules or post your questions in the comments section. We’re here to help you succeed with Marketing Cloud! You can contact us with any questions.
