
How should security teams govern regulated data in Salesforce environments?

Security teams should treat Salesforce as a multi-cloud data estate rather than a single application: Sales Cloud, Service Cloud, and Health Cloud share one underlying data platform, so regulated records, files, and case content move between them. That means discovering regulated data in standard and custom objects, extending controls to attachments and case content, and applying one policy model across all three clouds. Without that scope, compliance stays partial and blind spots persist.

Why This Matters for Security Teams

Salesforce governance fails when teams treat records as the whole risk surface. Regulated data also lives in attachments, case notes, exported reports, synced data, and integrations that move content across clouds and business units. That creates a compliance problem as much as a security problem, because policy gaps often show up first in audit evidence, eDiscovery, or incident response rather than in day-to-day admin review. NIST’s Cybersecurity Framework 2.0 is useful here because its Govern, Identify, and Detect functions treat governance, asset inventory, and monitoring as continuous activities rather than one-time setup tasks. For identity-driven exposures, NHI Management Group’s Regulatory and Audit Perspectives page shows how unmanaged secrets and broad access become audit findings quickly. In practice, many security teams discover Salesforce exposure only after a regulator, customer, or legal team asks where the data actually went.

How It Works in Practice

Effective governance starts by mapping Salesforce data flows, not just object permissions. Security teams should classify which fields, files, attachments, and case payloads can contain regulated data, then extend controls to the integrations that read, write, export, or archive that content: connected apps, middleware, automation tools, and the human and non-human accounts that can move data outside Salesforce. Where service accounts or OAuth apps are involved, governance must include secret rotation, consent review, and least-privilege access, because the platform is often only as strong as the identities connected to it.

The Lifecycle Processes for Managing NHIs guidance is relevant here because it ties discovery, rotation, and offboarding to continuous control rather than static provisioning. NHI Management Group research in The State of Non-Human Identity Security reports that only 1.5 in 10 organisations are highly confident in securing NHIs, a strong signal that identity sprawl is usually the weak point in otherwise mature SaaS programmes. A practical operating model includes:

  • Data classification for standard objects, custom objects, files, and case content.
  • Policy mapping for each regulated dataset, including retention and legal hold requirements.
  • Connected-app review for OAuth scopes, token lifetimes, and third-party visibility.
  • Logging and alerting for bulk export, abnormal API usage, and privilege changes.
  • Periodic access recertification across admins, integrations, and delegated workflows.

These controls tend to break down when Salesforce is heavily customised across multiple business units because ownership becomes fragmented and no single team has end-to-end visibility.
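The logging-and-alerting item in the list above is the one most teams can prototype quickly. What follows is an added example, not code from this page or from NHI Management Group: it runs three detections (bulk export by row count, per-user API call bursts within a clock hour, and profile or permission-set changes) over constructed log rows. The column names are a simplified assumption in the shape of Salesforce EventLogFile CSVs and SetupAuditTrail records, not the real schema; the thresholds and the privilege-action prefixes are likewise assumptions to tune against a real org.

```python
"""Detection pass over constructed Salesforce-style log rows.

Added example, not the page's code. Column names, thresholds and the
privilege-action prefixes are assumptions, not Salesforce's real schema.
"""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample rows shaped like an EventLogFile CSV (assumed columns).
EVENT_LOG = "\n".join(
    [
        "EVENT_TYPE,TIMESTAMP,USER_ID,API_TYPE,ROW_COUNT,URI",
        "ReportExport,2024-05-01T09:12:00Z,005A1,,120,/00OA1",
        "API,2024-05-01T09:13:00Z,005A1,REST,,/services/data/v59.0/query",
        "ReportExport,2024-05-01T09:40:00Z,005B2,,250000,/00OB2",
        "BulkApi,2024-05-01T09:45:00Z,005B2,,40000,/services/async/59.0/job",
    ]
    # A 25-call burst from one integration user inside the 10:00 hour
    + [
        f"API,2024-05-01T10:{i:02d}:00Z,005C3,REST,,/services/data/v59.0/sobjects/Contact"
        for i in range(25)
    ]
)

# Constructed rows shaped like SetupAuditTrail records (Action names assumed).
AUDIT_TRAIL = "\n".join(
    [
        "CreatedDate,CreatedById,Section,Action,Display",
        "2024-05-01T08:02:00Z,005ADM,Manage Users,PermSetAssign,Assigned permission set Modify_All_Data to user 005C3",
        "2024-05-01T08:30:00Z,005ADM,Customize Cases,changedCaseLayout,Changed Case page layout",
        "2024-05-01T11:15:00Z,005ADM,Manage Users,changedProfile,Changed profile of user 005B2 to System Administrator",
    ]
)

BULK_EVENT_TYPES = {"ReportExport", "BulkApi"}
PRIVILEGE_ACTION_PREFIXES = ("PermSet", "changedProfile", "createdProfile")  # assumed


def parse_rows(text):
    """CSV text (header row first) to a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def bulk_exports(rows, row_threshold=10_000):
    """Export or bulk-API events whose row count reaches the threshold."""
    hits = []
    for r in rows:
        if r["EVENT_TYPE"] in BULK_EVENT_TYPES and r["ROW_COUNT"]:
            n = int(r["ROW_COUNT"])
            if n >= row_threshold:
                hits.append((r["USER_ID"], r["EVENT_TYPE"], n))
    return hits


def abnormal_api_usage(rows, per_hour_threshold=20):
    """(user, hour, count) for users whose API calls in one clock hour exceed the threshold."""
    per_hour = Counter()
    for r in rows:
        if r["EVENT_TYPE"] == "API":
            ts = datetime.strptime(r["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ")
            per_hour[(r["USER_ID"], ts.strftime("%Y-%m-%dT%H"))] += 1
    return [(user, hour, n) for (user, hour), n in sorted(per_hour.items())
            if n > per_hour_threshold]


def privilege_changes(audit_rows):
    """Audit rows in the user-management section that touch profiles or permission sets."""
    return [
        (r["CreatedById"], r["Action"], r["Display"])
        for r in audit_rows
        if r["Section"] == "Manage Users" and r["Action"].startswith(PRIVILEGE_ACTION_PREFIXES)
    ]


def triage(event_text=EVENT_LOG, audit_text=AUDIT_TRAIL):
    """One alert string per finding, ready for a ticket or SIEM forwarder."""
    rows, audit = parse_rows(event_text), parse_rows(audit_text)
    alerts = [f"BULK_EXPORT user={u} type={t} rows={n}" for u, t, n in bulk_exports(rows)]
    alerts += [f"API_BURST user={u} hour={h} calls={n}" for u, h, n in abnormal_api_usage(rows)]
    alerts += [f"PRIV_CHANGE by={u} action={a}: {d}" for u, a, d in privilege_changes(audit)]
    return alerts


if __name__ == "__main__":
    for alert in triage():
        print(alert)
```

The three checks deliberately return structured tuples rather than only printing, so the same functions can feed a recertification ticket, an alert, or a regression test. In a real org the hourly baseline should come from each integration user's own history rather than one global threshold.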

Common Variations and Edge Cases

Tighter governance usually increases operational overhead, so organisations have to balance compliance certainty against admin speed and user friction. In regulated environments the hardest edge case is rarely standard CRM data; it is unstructured content such as attachments, email threads, scanned forms, and free-text case notes, any of which may contain PHI, PII, or payment data.

Another common variation is the cross-cloud workflow, where Salesforce stores the record but downstream systems perform enrichment, scoring, or archival. That creates a second policy surface that must be governed separately. Practice is still settling on whether to centralise controls in Salesforce or enforce them at the integration layer; there is no universal standard yet, so teams should choose the enforcement point that best matches their data flow and audit requirements.

The Top 10 NHI Issues research is especially relevant when third-party apps and API keys are part of the architecture, because the most common failures cluster around visibility, over-privilege, and rotation discipline. For programmes that need a formal control baseline, Regulatory and Audit Perspectives provides a useful lens for translating technical controls into evidence auditors can validate.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

  • NIST CSF 2.0, GV.OV (Oversight): Salesforce data governance needs continuous oversight and evidence for regulated content.
  • OWASP Non-Human Identity Top 10, NHI-03: OAuth apps and service accounts in Salesforce depend on secure rotation and lifecycle control.
  • CSA MAESTRO, control reference TBD: agentic and automated Salesforce integrations need policy and identity governance at runtime.

Inventory Salesforce-connected NHIs, rotate secrets, and revoke unused credentials on a fixed cadence.
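The connected-app review and periodic recertification items in the operating model, and the cadence point above, come down to one repeatable pass over an inventory. The following is an added example, not code from this page or from NHI Management Group: it reviews a constructed inventory of connected apps and flags scopes outside an allowlist, tokens that are idle past a cutoff or never used, client secrets past the rotation cadence, and apps with no accountable owner. The inventory fields, the scope allowlist, and the 90-day thresholds are assumptions; the scope strings follow Salesforce's OAuth scope vocabulary, but which scopes are acceptable is an illustrative choice.

```python
"""Recertification pass over a Salesforce connected-app inventory.

Added example, not the page's code. INVENTORY is constructed; its field
names, the scope allowlist and the 90-day thresholds are assumptions.
"""
from collections import Counter
from datetime import date

# Constructed inventory: one row per connected app / OAuth client.
# Scope strings use Salesforce OAuth scope names; everything else is made up.
INVENTORY = [
    {"app": "Billing Sync", "owner": "finance-platform",
     "scopes": ["api", "refresh_token"],
     "last_used": "2024-04-28", "use_count": 5400, "secret_rotated": "2024-03-15"},
    {"app": "Legacy BI Extract", "owner": "",
     "scopes": ["full", "refresh_token"],
     "last_used": "2023-11-02", "use_count": 12, "secret_rotated": "2022-06-01"},
    {"app": "Support Bot", "owner": "svc-ops",
     "scopes": ["api", "chatbot_api", "refresh_token"],
     "last_used": "2024-04-30", "use_count": 900, "secret_rotated": "2024-04-01"},
    {"app": "Migration Tool", "owner": "it-projects",
     "scopes": ["api"],
     "last_used": None, "use_count": 0, "secret_rotated": "2024-01-10"},
]
NOW = date(2024, 5, 1)  # fixed review date so the run is reproducible

# Assumed least-privilege allowlist: 'full' and 'web' are deliberately absent.
ALLOWED_SCOPES = {"api", "refresh_token", "chatbot_api", "openid", "id"}


def days_since(day_str, now):
    """Whole days between an ISO date string and `now`; None if no date recorded."""
    return (now - date.fromisoformat(day_str)).days if day_str else None


def review_connected_apps(inventory, now, max_idle_days=90, rotation_days=90,
                          allowed_scopes=ALLOWED_SCOPES):
    """Return (app, action, reason) findings for the recertification queue."""
    findings = []
    for app in inventory:
        name = app["app"]
        # Over-privilege: any scope outside the allowlist goes to scope review
        broad = sorted(set(app["scopes"]) - allowed_scopes)
        if broad:
            findings.append((name, "reduce_scope",
                             "scopes outside allowlist: " + ",".join(broad)))
        # Dormancy: never-used tokens are revoked; idle ones past the cutoff too
        idle = days_since(app["last_used"], now)
        if idle is None or app["use_count"] == 0:
            findings.append((name, "revoke", "token never used"))
        elif idle > max_idle_days:
            findings.append((name, "revoke", f"token idle for {idle} days"))
        # Rotation discipline: client secret older than the cadence, or undated
        age = days_since(app["secret_rotated"], now)
        if age is None:
            findings.append((name, "rotate", "rotation date unknown"))
        elif age > rotation_days:
            findings.append((name, "rotate", f"client secret age {age} days"))
        # Ownership: with nobody to attest, nobody can recertify it
        if not app["owner"]:
            findings.append((name, "assign_owner", "no accountable owner recorded"))
    return findings


def actions_summary(findings):
    """Findings per action, useful as the header of the recertification report."""
    return Counter(action for _, action, _ in findings)


if __name__ == "__main__":
    results = review_connected_apps(INVENTORY, NOW)
    for app, action, reason in results:
        print(f"{action:13} {app:18} {reason}")
    print(dict(actions_summary(results)))
```

Running this against the constructed inventory leaves the two actively used, narrowly scoped apps alone and queues the legacy extract for scope reduction, revocation, rotation, and an owner, while the never-used migration client is revoked and its stale secret flagged. The same shape works against a real export as long as the inventory carries last-use, use-count, scope, owner, and rotation dates for every client.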