Happy Cybersecurity Awareness Month (CSAM)! Did you know that the loss of critical, and often sensitive, information can severely impact the profitability and innovation of your organization? And with consumer awareness of data protection on the rise, it’s no surprise that data security has become a mandatory responsibility for organizations running Salesforce.
What is data classification?
To protect your most sensitive data, you need to know where to find it. And that's where data classification comes in. In Salesforce, data classification provides a solid foundation for security, giving you a high-level overview of what's in your Org, and where IT resources should be deployed.
So, what is data classification? It's simply the process of organizing your data into defined categories according to its sensitivity level. Each category corresponds to an impact level and a recommended security/access protocol; public data, for example, can be viewed by anyone, but requires controls to prevent unauthorized editing. Sensitive or confidential data, on the other hand, needs to be more tightly protected, especially if regulations like HIPAA or GDPR are in scope.
By understanding where different types of data are stored, enterprises are able to build effective and precise controls to protect it. To learn how to create an effective data classification strategy, check out this template.
What does data classification look like in Salesforce?
Your Salesforce Org is home to hundreds of different types of information, from customer names and email addresses to business-critical financial records. To help keep track of this information, Salesforce introduced data classification metadata fields as part of its ‘19 summer release. This feature allows you to add data classification tags to any field in a standard or custom Object.
Salesforce data classification gives you four fields to categorize and classify data in your Org: Compliance Categorization, Data Owner, Field Usage and Data Sensitivity Level. Here's a look at what each of these mean.
The first question you'll want to ask about a field is 'how sensitive is it?' Who should be able to see it? Who should be able to edit it? Salesforce gives you several default values for this classification:
- Public: available to the public to view but not alter
- Internal: available to company employees and contractors; must not be shared publicly, but can be shared with customers, partners and others under a non-disclosure agreement (NDA)
- Confidential: available to an approved group of employees and contractors; not restricted by law, regulation or a master service agreement (MSA), and can be shared with customers, partners and others under an NDA
- Restricted: available only to an approved group of employees and contractors; likely restricted by law, regulation, an NDA or MSA
- MissionCritical: available only to a small group of approved employees and contractors; third parties who are given access could be subject to heightened contractual requirements, and almost always restricted by law, regulation or an NDA/MSA
Highly sensitive data may be subject to regulatory scrutiny; the Compliance Categorization field gives you a way to identify data with special privacy requirements that will require additional security controls. Out of the box, Salesforce comes with data classification tabs for the following regulatory standards:
- CCPA (California Consumer Privacy Act)
- COPPA: (Children's Online Privacy Protection Act)
- GDPR: (General Data Protection Regulation)
- HIPAA: (Health Insurance Portability and Accountability Act)
- PCI: (Payment Card Industry)
- PII: (Personally Identifiable Information)
Organizations in highly regulated industries — healthcare, life sciences and finance are three common examples — can benefit from using these fields to identify and track data that will be of concern to auditors.
This classification specifies the group or person associated with the field — ie. the person who can answer the questions, 'Is this important?' and 'Can I change this?' As a result, the data owner should be someone who understands the importance of the field’s data to your company; they will likely also be responsible for determining the minimum data sensitivity level and any relevant controls around it.
Finally the Field Usage classification tracks whether the field is in use, which can be useful when conducting a clean up project. The available categories include:
- Active: In use and visible
- DeprecateCandidate: Planned for deprecation and no longer in use
- Hidden: Not visible and possibly planned for deprecation — use with caution
Regularly cleaning up unused customizations is key to both user adoption and overall Org performance. By using this field, you can flag potential candidates for deprecation (and if you check the data owner classification, you'll know who to talk to next) and streamline your Org.
Strongpoint offers a set of tools and a proposed cadence for safe, effective Org cleanup. With or without data classification enabled, we can help you identify unused customizations and other candidates for deprecation, run impact analysis and route approvals to the appropriate authority. Learn more about our clean up tools here.
Why Use Salesforce's Data Classification Feature?
While many organizations create their own data classification model (learn more about data classification for compliance), starting with Salesforce’s native data classification capabilities can be the perfect baseline for your business.
This strategy goes beyond improving data organization — from data protection and risk management to improving user productivity, there are multiple benefits to properly categorizing your data. It is an invaluable component of your security strategy that also helps to ease some of the uncertainty around understanding the information in your system.
To learn more about data classification and how you can start implementing a better security strategy for your organization, check out Netwrix, a leading expert in data security and compliance.
Want to learn more about the specifics of data security in Salesforce? Download our Salesforce Data Security Checklist for an in-depth understanding of how you can protect your Org — and team — against threats.