As the volume, variety and velocity of Salesforce data continue to increase at unprecedented rates, the importance of securing this data has grown as well. One particularly important aspect of data security is data classification, a complex challenge that many organizations struggle to fully complete. How do we know? Of all of our customers who completed a Risk Assessment for Salesforce last year, none had successfully completed data classification on all fields.
So, to help you conquer the challenge of data classification in Salesforce, let's take a closer look at what data classification is, its role in your overall security and governance strategy, and how to get started classifying your data.
At its core, data classification allows you to better understand the data that your business stores. This information includes not only sensitivity levels and compliance categories, but also descriptive details: the type of data, the business owner, what it will be used for, and how it’s shared between systems.
Having a crystal-clear understanding of the kind of data that exists in each of your systems—such as your Salesforce org—is critical to protecting that data and using it in an effective way.
For example, if there’s a breach of sensitive, high-value data, are there associated notification requirements? Do you need to encrypt at rest? Do you know all the downstream systems that touch that piece of data? Conversely, if it’s a breach of low-value, public information, InfoSec teams can immediately reassure stakeholders that the fallout will be minimal.
In addition to the obvious security benefits, data classification can help you better leverage your company’s valuable data. Good data management and retrieval processes will always make it easier to identify helpful insights.
So what are some other benefits of classifying your data?
By providing a quick view of what data you have and where you have it, data classification can benefit you in several ways:
Now that you’ve bought into the benefits of data classification, how do you actually do it?
In Salesforce, you can manually record data sensitivity and compliance categorization at the field level. Salesforce also provides the ability to enable default data sensitivity levels for fields. Once enabled, the default sensitivity level is applied to most of the fields on standard and custom objects. You can then create a report on data classification and analyze the data.
Here’s a breakdown of the four metadata fields in Salesforce related to data classification and the default values for each, as outlined on Salesforce’s Help page. Note that picklist values for Compliance Categorization and Data Sensitivity Level can be customized at the org level.
Compliance Categorization: The compliance acts, definitions, or regulations that are related to the field’s data. Default values:
NOTE: The field corresponds to the ComplianceGroup field on the FieldDefinition Tooling API.
Data Owner: The person or group associated with this field. The data owner understands the importance of the field’s data to your company and might be responsible for determining the minimum data sensitivity level.
NOTE: The field corresponds to the BusinessOwnerId field on the FieldDefinition Tooling API.
Data Sensitivity Level: The sensitivity of the data contained in this field. Default values:
Field Usage: Tracks whether the field is in use. Default values:
NOTE: The field corresponds to the BusinessStatus field on the FieldDefinition Tooling API.
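The four attributes above can be audited in bulk once they are pulled from FieldDefinition. The following is an added example, not code from this page, Salesforce, or OwnBackup: it reports fields with missing classification attributes and fields that carry a compliance category but a low sensitivity level. The sample records, the custom field names, and the picklist values are constructed for illustration; SecurityClassification is the FieldDefinition API name for Data Sensitivity Level.

```python
# Tooling API query to run per object (FieldDefinition needs an entity filter).
# SecurityClassification is the API name behind Data Sensitivity Level.
TOOLING_SOQL = (
    "SELECT QualifiedApiName, SecurityClassification, ComplianceGroup, "
    "BusinessOwnerId, BusinessStatus FROM FieldDefinition "
    "WHERE EntityDefinition.QualifiedApiName = 'Contact'"
)

# Constructed sample of the "records" array such a query returns.
# Picklist values are illustrative; orgs can customize them.
SAMPLE_RECORDS = [
    {"QualifiedApiName": "Email", "SecurityClassification": "Confidential",
     "ComplianceGroup": "PII;GDPR", "BusinessOwnerId": "005000000000001AAA",
     "BusinessStatus": "Active"},
    {"QualifiedApiName": "Birthdate", "SecurityClassification": None,
     "ComplianceGroup": "PII", "BusinessOwnerId": None,
     "BusinessStatus": "Active"},
    {"QualifiedApiName": "SSN__c", "SecurityClassification": "Public",
     "ComplianceGroup": "PII", "BusinessOwnerId": "005000000000001AAA",
     "BusinessStatus": "Active"},
    {"QualifiedApiName": "Legacy_Code__c", "SecurityClassification": None,
     "ComplianceGroup": None, "BusinessOwnerId": None,
     "BusinessStatus": "DeprecateCandidate"},
]

CLASSIFICATION_ATTRS = ("SecurityClassification", "ComplianceGroup",
                        "BusinessOwnerId", "BusinessStatus")


def audit_fields(records, low_levels=frozenset({"Public", "Internal"})):
    """Report missing classification attributes and regulated fields rated low."""
    missing, underrated = {}, []
    for rec in records:
        name = rec["QualifiedApiName"]
        gaps = [attr for attr in CLASSIFICATION_ATTRS if not rec.get(attr)]
        if gaps:
            missing[name] = gaps
        # ComplianceGroup is multi-select; values are assumed ';'-separated.
        groups = [g for g in (rec.get("ComplianceGroup") or "").split(";") if g]
        if groups and rec.get("SecurityClassification") in low_levels:
            underrated.append(name)
    classified = sum(1 for r in records if r.get("SecurityClassification"))
    coverage = round(100 * classified / len(records), 1) if records else 0.0
    return {"missing": missing, "underrated": underrated,
            "coverage_pct": coverage}


if __name__ == "__main__":
    print(audit_fields(SAMPLE_RECORDS))
```

Pass the sensitivity levels your org treats as low through `low_levels` if the picklist has been customized.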
While it certainly is helpful and better than not classifying at all, manual data classification in Salesforce will undoubtedly pose several challenges, as it can be:
The other option you have to classify your data is to use an automated data classification tool. Using software to automate data discovery and classification in Salesforce simplifies and accelerates these manual processes. By using an automated tool, you can quickly and easily search through and filter your data, identify fields that aren’t classified, and assign classification levels directly – all in real time.
Also, since platforms like Salesforce are easy to modify to support business objectives, development teams are always deploying new data models to their production system. Automating the data classification process can help ensure that your classification efforts keep pace with your ever-changing database.
With OwnBackup Secure, you can find exactly where sensitive information exists in Salesforce and apply the correct compliance and sensitivity categories down to the field level. All this is done within a single view, providing search, filtering, and bulk selection functionality for an efficient user experience.
Knowing if and how certain fields are being used is another important component of data classification. Secure’s Fill Rates Calculator provides a percentage of records that have entries in each field, so you can prioritize which data is more critical to classify and protect. Once data classification is complete, Secure leverages this information to inform other Salesforce security controls – like profiles and permission settings, encryption, and alerting.