Salesforce Security Made Simple with Invisibles, Configurables and Enhanceables

Today on the Salesforce Admins Podcast, we talk to Laura Pelkey, Director of Customer Security Communications & Engagement, and Kylie McKlveen, Director of Product Marketing at Salesforce.

Join us as we chat about a simple framework for thinking about security in Salesforce and what you can do to protect your org.

You should subscribe for the full episode, but here are a few takeaways from our conversation with Laura Pelkey and Kylie McKlveen.

The evolving security landscape in the age of AI

With Agentforce and the rise of AI, protecting your data is more important than ever before. Remember, the bad guys have access to these tools too, and that means phishing and deep fake attacks are becoming more sophisticated by the day.

That’s why I wanted to bring Laura and Kylie on the pod to talk about security. They’re here to help explain how Salesforce is already hard at work to help you protect your data, and what simple steps you can take to beef up security for your org.

A simple Salesforce security framework

Laura and Kylie have a simple framework for the security available to you on Salesforce. There are three layers to think about:

1. Invisibles: The things that Salesforce already does to watch your back. This includes a global, 24/7 threat hunting team that is constantly scanning the network for anomalous events.
2. Configurables: These are actions you as a Salesforce Admin can take to make your org more secure. Taking the time to configure your security settings and think through your permission sets can go a long way towards protecting your org.
3. Enhanceables: If you work in a heavily regulated industry or have sensitive data, you may need to take extra steps to enhance your security. Tools like Salesforce Shield and Security Center can give you an extra layer of protection.

Most admins will want to focus on the configurables, and the security team has put together a handy video series to walk you through your next steps.

The importance of data continuity

One important piece of the security puzzle is continuity. Protecting against attacks is important, but you also need to account for human error—sometimes users make mistakes. If someone’s delete key gets stuck, tools like Backup & Restore and Field Audit Trail can help you save the day.

If you want to learn more, be sure to check out the Dreamforce Security Keynote on Salesforce+. And don’t forget to subscribe to the Salesforce Admins Podcast so you never miss an episode.

Podcast swag

• Salesforce Admins on the Trailhead Store

Learn more

• Security Keynote: Protecting the Agentic Enterprise
• The 360 Blog: Laura on security
• YouTube series: Trusted Enterprise Security: Built on Salesforce
• Meet the Long-Lost Fourth Member of Snap, Crackle and Pop

Admin Trailblazers Group

• Admin Trailblazers Community Group

Social

• Laura on LinkedIn
• Kylie on LinkedIn
• Salesforce Admins on LinkedIn
• Salesforce Admins on X
• Mike on Bluesky social
• Mike on Threads
• Mike on X

Full show transcript

Mike:
This week on the Salesforce Admins Podcast, we’re diving into some security framework that you’ve either seen online or at Dreamforce, specifically wrapping your head around invisibles, configurables, and enhanceables. So this week I am joined by longtime podcaster and security champion Laura Pelkey and new voice and new to the Salesforce Trusted Services Team, Kylie McKlveen. They are both here to help us unpack how we can think about the security layers baked into the platform, the settings they control, and the tools available for us to go even further. Plus we also jump into a little bit about what AI means for keeping your org secure. This is a fun podcast, and we also bring in a little bit of pop culture. I won’t ruin it, but Sylvester Stallone does make an appearance in this episode. So with that, let’s get Laura and Kylie on the podcast. So Kylie and Laura, welcome to the podcast.

Laura Pelkey:
Hey, Mike.

Kylie McKlveen:
Hey, thanks for having us.

Mike:
I know. This is going to be fun, even though… Well Laura’s a long time podcaster, so she makes security fun, but Kylie’s a new voice. So Laura, let’s start with you. Refresh everybody, what you’ve been up to at Salesforce since we’ve last chatted.

Laura Pelkey:
Yeah, I know it’s been a little while. I’m very happy to be back on the pod. Thank you for having me. So I’m actually coming up on my nine-year anniversary at Salesforce, which is crazy. Can’t believe it’s been that long. And lately I’ve been at Dreamforce speaking, writing a lot of blogs about security, and still just trying to get the word out there to our customers about how to be secure with their Salesforce data.

Mike:
Yep, absolutely. And Kylie, you’re a new voice to the podcast, so welcome. Tell us a little bit about how you got started at Salesforce and what you do.

Kylie McKlveen:
Thanks, yeah, what do they say, long time listener, first time caller? So yeah, I work on our product marketing team for our trusted services products. I’ve actually just joined this team within the last year when Salesforce acquired Own or formerly Own Backups. So loving my new role and really excited to work with Laura and yourself working with customers on helping them with their security.

Mike:
Now, trusted services sounds big and massive and like a lot of stuff. What are some of the products that maybe Salesforce admins are familiar with that fall under that umbrella?

Kylie McKlveen:
Yeah, that’s a great question. So Shield, Salesforce Shield, which consists of event monitoring, data detect, platform encryption, and field audit trail. It’s also security center. And then with the acquisition of Own, we also added backup and recover, archive, data mask and seed, so that was enhanced with seeding capabilities. We also have privacy center. So those are some of the products admins would be familiar with.

Mike:
Yeah, no, I think we saw a few of those in the admin keynote. So Laura, you’re still on the mission and I’m with you on security-minded admins.

Laura Pelkey:
Yes.

Mike:
Let’s talk about what being a security-minded admin is to get us in that security mode.

Laura Pelkey:
Yeah. You know Mike, I was actually just thinking about this. I think we did a podcast with that name, and I think two months after I started at Salesforce, we did a podcast together, which is-

Mike:
I mean, we don’t mess around. Lynn was like, “We’re doing a podcast right away.”

Laura Pelkey:
Yeah, yeah, the security-minded admins, love that topic. So a security-minded admin is just someone who understands that securing their data in Salesforce and their organization’s data in Salesforce is an admin’s responsibility. Admins have many responsibilities. There’s really not enough time in the day to do all of the stuff that an admin needs to do. But security is one of the most important ones. And it’s often one of the most overlooked ones. So yeah, really, really passionate about that topic, and I feel my role is to help admins focus on the top things that they can do. Because there’s a lot of stuff that can be kind of confusing, but really if you’re doing a handful of things, best practices, using the right controls, you’re doing most of what you can to protect your organization.

Mike:
Yeah. Now I know Laura, at Dreamforce, you gave a presentation that took that security-minded admin up a notch because, I mean, pre-AI, we were just talking about making sure people didn’t put sticky notes on monitors and strong passwords. Oh, we got MFA. Remember, MFA was like… That was going to save the world. And now we have AI, which I saw your presentation in Dreamforce. What is security like now in the world of AI?

Laura Pelkey:
And first of all, MFA is still very important, so definitely still do that.

Mike:
Right, absolutely. It still saves the world, it just there’s more to it.

Laura Pelkey:
Still saves the world. There’s just more more things now. Yeah, we’re seeing a huge rise in adoption of AI. I mean, look at how many people listening to this call use LLMs like ChatGPT on a regular basis. I mean, I know I do. Of course, Agentforce, we all love Agentforce. There’s a lot of amazing AI technology out there now. But unfortunately what we’re seeing is the attackers or hackers, bad guys, whatever you want to call them, are also leveraging this technology, and they’re doing so in ways that make it harder to spot when malware is happening. They might be creating a deepfake, that’s kind of advanced, but it’s actually… It’s pretty easy to do nowadays, in order to get your user credentials and to take over your user account.

It could even just be maybe a really well phrased phishing text message. I think we all probably get those too nowadays, it’s super common. And before it would be kind of easy to spot them. There might be some spelling errors or just language related errors that would be easy to guess that maybe this isn’t really from somebody that I know, but nowadays with AI, it’s actually… The AI can craft these messages that sound much more realistic and believable. So that’s had an effect on how successful bad actors are when they’re trying to take over a user account or get user credentials or get sensitive information and data.

Mike:
I mean, the good news is a lot of people have access to AI, and unfortunately sometimes the people you want access to shouldn’t. It also burst my bubble, so it means you’re telling me that Bob Ross video of him wrestling Mr. Rogers wasn’t real that I just watched the other day?

Laura Pelkey:
Yeah, yeah, probably not.

Mike:
Because it was awesome.

Laura Pelkey:
Probably not. Just logistically, I think that would be pretty difficult. But we are seeing… If anyone watched the security keynote, we shared a really interesting video, it’s on Salesforce+ now, of one of our executives, we said, “Hey, can we have a professional ethical hacker demonstrate how easy it is to hack somebody at your level? Can we do this live?” And he was like, “Yeah.” So there’s actually a really cool video of that in the security keynote.

Mike:
Ooh, I’ll put a link to that in the show notes so you can watch that.

Laura Pelkey:
Oh, thank you, we would love that. Kylie and I would really appreciate that.

Mike:
Yeah, no, absolutely. Well, and speaking of videos, Kylie, I think you worked with Laura. You put out a whole series of videos around security, talking about invisibles, configurables, and what was the third one? It’s always the third. It’s like Snap, Crackle… Who’s that third one? Pop.

Laura Pelkey:
The third child, I forget as well.

Mike:
I heard there was actually four at one time. You should Google that. The Snap, Crackle, Pop, there was four. Totally not on topic of talking security, but you know… So Kylie, let’s talk about that. I mean, it’s an interesting concept to think about. There’s invisible things that Salesforce does, there’s configurable things, and then there’s things that I guess we can put frosting on, right?

Kylie McKlveen:
Yeah, the pop. I think this framework is just a really easy way to understand the security that’s available to you. The invisibles are the things that we do, that Salesforce does kind of invisible to you, hence the name. The configurables things customers can do to make their org more secure, but it’s up to them to configure them. And then the enhanceables, so things they can go above and beyond what’s provided to them to really enhance their security. So the names are a bit obvious by design.

Mike:
So tell me a little bit about some of the invisible stuff that goes on behind the scenes that helps admins sleep at night.

Kylie McKlveen:
Yeah, I hope admins are familiar with things like network level security, our secure infrastructure, application level security, things like that. Those are really table stakes for SaaS platforms. But there’s a lot of really cool things that our cybersecurity operations center does proactively protecting our customers. And I’m actually going to throw it over to Laura to give some of those examples. I know we’ve had multiple conversations about some of the examples of the things they do and it’s really cool.

Laura Pelkey:
Yeah, so our team, our cybersecurity operations center team, they are incredible. Actually, when I started working in cybersecurity, which I’ve always worked in cybersecurity, my very first job, which I won’t say how many years ago that was anymore-

Mike:
Well two, because you’re 27, right?

Laura Pelkey:
Exactly, exactly, correct. But when I first started working in security, I was learning about all of the really cool things that my company at the time, we had a social engineering team, and the things that other companies would hire us to do, and they would literally go into companies and attempt to hack them by physically gaining access to a structure, their networks in their building. And this was part of something that our clients would pay for. It was so cool to me. And basically it would just reveal where the holes were in their security so that the client could then fix those. So things like that, that’s called social engineering. So at Salesforce we do things like that, we’re constantly hunting for vulnerabilities in the platform, in our networks, we call that threat hunting.

We have a global team that is working 24 7, literally just scanning all the networks for anomalies we call them, anomalous events. Does something look weird in one of our networks? Does something look weird in one of our customer’s networks? And then we have a massive team of people who, as soon as they spot something, they jump on it. And if it’s a customer issue, they’ll contact the customer right away and actually work with them to resolve it. I don’t know, it reminded me when I was first learning about this many years ago, it just was very cool work and it’s always behind the scenes and you don’t know that it’s going on, but it actually does so much to shore up the security of your organization. So we do stuff like that.

Mike:
No, that sounds really cool. When you were mentioning that, I was thinking of… I think it’s like an early 2000s B-level Sylvester Stallone movie where he’s like a guy that gets paid to break out a prisons to find their vulnerability.

Laura Pelkey:
Yes, it’s exactly like that, yes.

Mike:
That’s what I was thinking of. So that’s how I envision your whole team is.

Laura Pelkey:
I would actually love to do that kind of work. No one has asked me to, but if anyone at Salesforce is listening, I’m open to doing that, that sounds fun.

Mike:
Okay, all right, look at that. Laura, while we have you, can we… I mean the invisible stuff’s really cool, but it’s behind the scenes. Admins love to get their hands on stuff. Let’s talk about what we can configure.

Laura Pelkey:
So as Kylie was saying, the second piece or second pillar of this are the configurables. And the configurables are… The easiest way to think of it is the things that are within the customer’s control. So this is security settings, controls, and features that actually need to be set up properly by the customer. And Salesforce is a very robust platform, and we do provide a level of flexibility to make sure that our customer’s needs are being met, but it’s also part of our shared responsibility model where when a customer has control over these things, that they really spend the time to properly configure them to best protect their data. A couple of examples. The principle of least privilege. It’s not a setting, but it’s a principle that in cyber security is the defining principle for when you’re talking about user permissions.

So admins set up users all the time. Every day, maybe. So when an admin is setting up a user, it’s really important that they’re paying attention to the permission sets and the level of permissions that they’re granting to this user. So we still say layering permission sets and permission set groups on top of profiles is the best practice, and when you are setting up a user, make sure that the permissions you’re granting them are only what’s necessary for them to do their job. So that’s that that least privilege part. And by limiting them to only what’s necessary, it actually helps limit the exposure if in… Hopefully this doesn’t happen, but in the chance that a user account is compromised. And especially when we’re looking at people who have admin level permissions, and what are those, Mike? Modify all data, view all data.

Mike:
Everything’s scary.

Laura Pelkey:
Yes. So those are incredibly powerful permissions, and admins know they can do everything in their Salesforce org. But would you give, for example, okay, say like a Salesforce admin is the owner of a house. Let’s just create that metaphor. Would you give all of your keys to your mail carrier? Why would they need access to the inside of your house? Maybe they need access to the gate for the pathway that walks to your front door, so you leave that unlocked for them, but they don’t need to get inside your house. It’s kind of like the same thing when you’re setting up users. You don’t want all of your users to be able to do every single thing in your Salesforce org.

And again, it’s because users make mistakes so they could accidentally and unintentionally do something that could cause a security issue. That happens all the time, or in the off chance that a user is compromised, you don’t want the bad actor that has compromised and taken over that user account to be able to do all the things that an admin does. So yes, very long spiel about principle of least privilege and why it’s important, but basically the configurable part of this is setting up users and making sure that they only have the level of permissions that they need.

Mike:
And to run with your metaphor, Laura, I think even the delivery companies now, I have a code from my garage door and you can drop a package off in my garage door. So in theory, you’re only getting into my garage unless I forget to lock the door to my house from my garage. Now you have access to the whole house. And that plays into the same… They should only have access to the things they should have access to.

Laura Pelkey:
Yeah, exactly.

Mike:
Laura, I think this falls into maybe a product that you oversee, which is Security Center.

Laura Pelkey:
I don’t oversee it, I wish I did.

Mike:
Or Kylie, sorry.

Laura Pelkey:
It’s an amazing… Yes, Kylie’s team does that. And you can actually, with Security Center, see the number of people exactly who in your organization has admin-level permissions? Kylie, correct me if I’m wrong, but I think in Security Center you can actually change those permissions within Security Center itself or apply policies across all of your orgs within Security Center to limit that, is that correct?

Kylie McKlveen:
That’s correct. Absolutely, you can apply policies. And I think especially for admins who have multiple orgs that they’re managing, being able to view their security posture across and then have a sense of consistency and control, Security Center is a great product for that.

Laura Pelkey:
Yeah, we love that product.

Mike:
Yeah, and we saw a lot of this in the admin keynote where Kate and Lisa did a demo of Lisa just needing additional permissions to edit a field, not the entire object. And I think what was nice is we saw Agentforce double-checking with the admin to say, “I’ve set this up, but is this correct?” Which is a huge step, the human in the loop for a lot of security and AI things that we work on.

Laura Pelkey:
Yes, it’s so important that you’re working with… And now that Security Center is enhanced with Agentforce, it’s like admins have kind of a partner, but still the admin’s responsibility to validate everything and to oversee everything. But it’s now easier to do that, which is great.

Mike:
Great. Especially when it goes GA. I think admins will be excited for the new setup. Kylie, Laura set you up perfectly. She mentioned enhanceables. Let’s talk about some of those security enhanceables that admins can get their hands on or help set up that take security even farther.

Kylie McKlveen:
As we talked about earlier, we have Shield and Security Center. These are the products that fall within the trusted services portfolio. Is that what you were asking, Mike?

Mike:
Yeah, just I would love to learn more about what we consider enhanceables.

Kylie McKlveen:
Yeah, so these are the products that go above and beyond to help you enhance your security. And when we talk about enhancing our security, there’s really many reasons why customers are choosing to enhance their security. A couple of years ago, when we were talking to customers, it was really those in regulated industries that had specific requirements that they needed to meet in platform encryption or things like that. But now there’s a variety of reasons, so some of these customers who are in high threat industries and need an additional layer of protection.

Or scale, we talk about scale a lot. So whether you’re resource constraint because you’re an admin of one, but you need the security power, or if your company is growing and you need something to help you scale with that. These products can really help with that. And then another thing I’ll mention is if you have a lot of sensitive data in your org, I think there’s a lot of important data in Salesforce that customers need to protect in different ways, but sensitive data, if you really need to add additional layers or prevent people from seeing certain data, we have products within this portfolio to help with those specific scenarios.

Mike:
I think one thing that’s interesting to me in the discussions I’ve had with Laura and Lynn over the few years that we’ve worked together is security isn’t only just keeping the bad actors out, it’s also making sure the right people have the right access at the right time. I would love to know, because in my mind, backing up data, and you came from own backup, how is backing up data really part of a security posture?

Kylie McKlveen:
This is really about continuity. So being able to ensure that if you were talking about bad actors or malicious intent, but there’s human error. If one of your users accidentally made a mistake and corrupted the data or deleted the data, being able to have a backup that you can quickly and easily restore that data in your environment is really important. That data is there and needs to be restored. So you need a tool to help you quickly respond to that. And that’s how backup is part of that.

Mike:
Yeah, no, I never really thought of that. It’s one thing to have the data, make sure the right people have the right access to it, but it’s also having the history of the data and making sure… I guess it would be a paper trail of what’s happened to it and when it’s happened.

Kylie McKlveen:
We do have products. Field Audit Trail is great for understanding how your data has changed over time. But there are some cool things about backup where you can look back into the past and see how the data has changed. You can actually look up in backup to look at the signals to see if the data might’ve been corrupted. So it’s a really cool product.

Mike:
Now, the idea of invisibles, configurables and enhanceables isn’t something we just thought up one day. It’s actually a series of videos that I believe are out on YouTube, if I’m not correct… And this is for you, Kylie or Laura, whoever was the most involved, what are some of the things that we’re going to see in those videos, because I’ll definitely link to those videos in the show notes.

Laura Pelkey:
I could take that one. So this is something actually our Chief Trust Officer came up with. He’s so smart, his brain is just constantly working. He just explained it one day, “Invisibles, configurables, and enhanceables,” and we were like, “That is brilliant.” And really what these videos are talking about, and they’re also available on security.salesforce.com as well as YouTube, but basically he and our SMEs who are on the video series as well go into these layers. So invisibles is the bottom layer, and you can think of it’s the strong foundation. Salesforce handles this for you. We’re always working to keep our networks and our products secure and our infrastructure secure, and customers don’t need to do anything to take advantage of this. I mean Hyperforce is an example of how we are creating secure infrastructure for our customers. So we talk about the invisibles.

And then we talk about the configurables. Rachel Beard, who is featured in this video series, she’s amazing, she’s one of our security architects at Salesforce, she talks about specific things that customers can do, and these are like… If you watch these videos and just do everything she says, that’s going to be hugely impactful to the security of your Salesforce org. One of the things she goes over is login IP ranges, which is when a Salesforce admin restricts the login IP ranges so that only people within the company’s network can actually access your Salesforce org. And that’s really one of the best things. So things like that. She talks about principle of least privilege as well.
And then there’s the enhanceables where, as Kylie said, we have a suite of amazing security and privacy products that are really designed to help our customers grow and scale. Like Kylie mentioned, a lot of admins might be struggling to keep up with their growth at their company, and these products can help you do that. And then there’s actually a really cool… The last video in this series is our Chief Trust Officer speaking with a CEO and a CISO from one of our friend companies. And you just get the… From folks at that level, from these executives who think about cybersecurity all the time. You get to hear their perspective on what’s next in the cybersecurity industry. So it’s a really awesome video series. I would definitely encourage people to watch it.

Mike:
Yeah, no, absolutely. Well, as we wrap up, Kylie, we’re fresh off of Dreamforce. What was some of the exciting things that you’re getting ready to work on heading into the coming year?

Kylie McKlveen:
Yeah, we had two really big announcements, multiple big announcements in the security keynote, but two that I just want to call out I’m so excited about. We talked at the beginning of this podcast about how AI is changing everything, but now we’re seeing AI in our security and compliance products, which is really cool. So AI is actually helping you be more secure. So we have Agentforce in Security Center, which can detect threats, and you can conversationally investigate the threats and remediate them. It will give you suggestions on how to quickly resolve those issues. And then we have Agentforce in Privacy Center too. So automating some of that hard work around complying with these constantly evolving regulations. You can tell it what’s applicable to your business and it will give you suggestions around some risks you may have, some gaps, and it can suggest policies that you may want to deploy in your org. So really just making security and compliance a lot more accessible and a lot more easier, faster. It’s just really cool how AI is actually helping us with security in this scenario.

Mike:
And with a lot of those centers, I mean, there’s a lot of data and to have AI comprehensively look at all of that, it might find things that you just didn’t know to look for.

Kylie McKlveen:
Oh, definitely. I think that’s the struggle. Sometimes you’re looking at this data and you don’t even know what you’re looking for, and AI can really just take the pain out of that. It can look across multiple data points and tell you what’s out of the ordinary. So saving a ton of time.

Mike:
Laura, similar question. We’re fresh off Dreamforce. As you help admins in the coming year become more secure, more AI proficient, what would your advice be for admins for the upcoming year?

Laura Pelkey:
Well, definitely the couple things that I mentioned when we’re looking at configuring, I think just broadly, look at your security configuration in your Salesforce org. That’s the broad thing I want all admins doing right now. And then within that the things that I think are the most important for admins to be focusing on are that setting up login IP ranges, that’s super important. Following the principle of least privilege when setting up users. And that also means doing an audit of the permissions that your users already have, that’s super important, and taking away unnecessary permissions. Admins should also be talking to their Salesforce users about things like phishing, like the security threats that are out there. They should be educating their users about that and setting them up for success so that if they ever get into a situation where they might be targeted, then they know at least to stop, think, and then disengage.

So those three things are super important. And then MFA, as we said, saving the world. That’s already required for all user logins in Salesforce, but I would also encourage everyone to set up MFA for their personal accounts. If you watch the hacking video in the security keynote, you can actually see that if you reuse your passwords across multiple user accounts, which everyone does, that’s just natural, we all have a lot of credentials to keep track of, they can possibly be leveraged… Something from your personal account can possibly be leveraged to gain access to another personal account or even a business account. So you want to make sure you’re using MFA on every account.

And then if you can do this, if it’s available to you, add a security contact in your Salesforce org so that in the event that Salesforce needs to contact you about something, like I was talking about our amazing CISOC team at the beginning of this podcast, how they’re working 24/7, they never sleep, they’re just staring at a computer looking for security things. If they need to get in touch with you, they will reach out to your security contact that’s listed in Salesforce. So it’s important that that’s up to date. So that’s my advice to admins.

Mike:
That’s good advice. I would also add, watch the 2013 movie Escape Plan. That’s what that movie’s called. Where Sylvester Stallone, AKA Laura, breaks out of prison. Well, Kylie, Laura, thanks for coming on and talking security. I mean, you know as well as I have since the moment I started at Salesforce, I think it’s the most important thing because we’re protecting our company’s data. So what else you got better to do besides make the data better and more secure, in my opinion. So thanks for coming on. I look forward to seeing some of the new stuff that we have coming out from your area, Kylie, and the advice that you continue to give, Laura.

Laura Pelkey:
Yeah, we’ve got a lot in store, so this will not be the last you hear from Kylie and I, I promise.

Kylie McKlveen:
I love it.

Mike:
Well, we’re going to hold you to that, though.

Laura Pelkey:
No pressure, Kylie.

Mike:
We’ll be back.

Laura Pelkey:
We’ll be back.

Mike:
Big thanks to Laura and Kylie for walking us through the security stack that every Salesforce admin should know. Now whether it’s understanding what Salesforce has your back on, tightening up your permission sets, or leveling up with tools like Shield and Security Center, there is something here for all of us. Make sure to check out the full video series on security.Salesforce.com. Don’t worry, I’ll link to that in the show notes. And until next time, we’ll see you in the cloud.

The post Salesforce Security Made Simple with Invisibles, Configurables and Enhanceables appeared first on Salesforce Admins.