As gatekeepers to valuable client data, wealth management firms are attractive targets for cyberattacks. Our Practifi Protect platform add-on provides comprehensive protection so your firm can protect client data, improve oversight and proactively prepare for audits as you continue to scale.
Please note: Practifi Protect is an add-on service. If you'd like to learn more, please reach out to your Client Success Manager.
- Understanding Practifi Protect
- Platform Encryption
- Event Monitoring
- Field Audit Trail
Understanding Practifi Protect
Practifi Protect gives your firm access to enhanced features to safeguard your data and meet stricter cybersecurity regulations. With the comprehensive protection Practifi Protect provides, your firm can enforce governance, strengthen compliance and increase transparency across departments, branches and networks.
Practifi Protect provides three main tools for Practifi Administrators:
- Shield Platform Encryption - This allows firms to define encryption policies for fields on standard and custom objects. These fields are encrypted at rest and not just when transmitted over a network. This means that even if Salesforce’s data centers were compromised, fields that have been encrypted would be very difficult for bad actors to access. For more information, please see this documentation on Salesforce Shield Platform Encryption.
- Event Monitoring Analytics - This gives firms access to Event Logs and several pre-built dataflows and dashboards (see below) to make the Event Logs accessible for business users to view and analyze. To learn more, please see this Salesforce documentation.
- Enhanced Field Audit Trail - This tool enhances the default field audit trail feature within Salesforce and extends the number of trackable fields per object from 20 to 60. Additionally, it gives firms the option to retain changes to audited fields for 10 years. Without this, firms can only view field history for 18 months. You can learn more here.
To effectively implement Practifi Protect, you want to understand exactly what it is that you're protecting your organization from and how you can combine Protect's tools with the existing capabilities of Practifi to achieve it. We've provided some examples below to get you started.
|A rogue agent breaches the Salesforce platform and obtains copies of the personally-identifying information of your clients.||
|An employee has resigned and may export lists of records, such as clients, to take with them to a competitor.||
|An inexperienced employee has altered important client data, increasing compliance risk.||
Platform Encryption
Platform Encryption allows your firm to define a set of fields to be encrypted at rest, i.e. while sitting in Salesforce's data centers. This is in addition to the encryption in transit Salesforce provides by default when transferring data from those data centers to devices. Used together, they provide your firm with a comprehensive encryption solution that makes the defined fields unreadable by anyone who obtains the information through a data breach without any impact on your users.
Standard fields on standard objects used by Practifi, such as Entity, Contact, Task & Event, are listed by name in Salesforce Help and can be encrypted. Custom fields - whether on standard or custom objects - can be encrypted if they are any of the following field types:
- Text Area
- Text Area (Long)
- Text Area (Rich)
Formula fields cannot be included in Platform Encryption because they are calculated only upon request; they aren't stored in the data center and so fall outside the feature's scope. Outside of fields in the Practifi data model, Files, Notes and Feed posts can be encrypted as well. For additional information, please consult this Salesforce Help article.
Two types of encryption are available for use, both with different benefits and trade-offs to consider. Encryption methods can be chosen on a field-by-field basis, providing flexibility when determining your approach.
- Deterministic encryption is the more permissive option. It supports fields such as External IDs and allows fields to be used as filter criteria in the queries performed by Practifi components like tiles and record lists, as well as Salesforce reports. The downside is that the encryption method used is more likely to be compromised, as the encrypted version of a field's value needs to be identical between records for filtering to work. This means that if one record's encryption is compromised for a specific value, so too are all the others.
- Probabilistic encryption avoids the risk described above by encrypting every field value in a unique way. However, this comes at a cost, as the fields are unusable as filter criteria.
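The trade-off between the two methods can be seen directly in the stored ciphertext. The following is an added example, not Practifi or Salesforce code: it uses a standard-library stand-in cipher (an HMAC-SHA256 keystream, an assumption made so the script runs anywhere) rather than the platform's actual algorithm, and the Tax ID values are constructed.

```python
import hashlib
import hmac
import os
from collections import Counter

MASTER = os.urandom(32)  # constructed demo key, not a real tenant secret
ENC_KEY = hashlib.sha256(b"enc" + MASTER).digest()
IV_KEY = hashlib.sha256(b"iv" + MASTER).digest()


def _xor_stream(iv: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(ENC_KEY, iv + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


def encrypt(value: str, deterministic: bool) -> bytes:
    data = value.encode()
    if deterministic:
        # IV is a keyed hash of the plaintext: equal values give equal ciphertext.
        iv = hmac.new(IV_KEY, data, hashlib.sha256).digest()[:16]
    else:
        iv = os.urandom(16)  # fresh IV: equal values give unrelated ciphertext
    return iv + _xor_stream(iv, data)


def decrypt(blob: bytes) -> str:
    return _xor_stream(blob[:16], blob[16:]).decode()


def filter_equal(column: list[bytes], term: str) -> list[int]:
    """Equality filter over stored ciphertext: encrypt the term, compare bytes."""
    needle = encrypt(term, deterministic=True)
    return [i for i, c in enumerate(column) if c == needle]


def repeated_groups(column: list[bytes]) -> list[int]:
    """Sizes of groups of identical ciphertexts, visible without any key."""
    return sorted((n for n in Counter(column).values() if n > 1), reverse=True)


TAX_IDS = ["111-22-3333", "444-55-6666", "111-22-3333", "777-88-9999", "111-22-3333"]  # constructed
DET = [encrypt(v, deterministic=True) for v in TAX_IDS]
PROB = [encrypt(v, deterministic=False) for v in TAX_IDS]
```

With the deterministic column, `filter_equal` finds all three matching records and `repeated_groups` shows that three rows share a value; with the probabilistic column both come back empty, which is why those fields cannot serve as filter criteria.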
The limitations imposed by the Salesforce platform are documented in detail in Salesforce Help. Major considerations are exclusions from criteria-based record sharing rules and limited support for formula field operators. There is also a limitation imposed by the Practifi product, specifically that encrypted fields cannot be used for sorting in record lists. In cases when they're used by default, such as the Name field in the Directory, the Last Modified Date field value is used for default sorting instead.
We recommend encrypting all personally identifiable information (PII) your firm stores due to its sensitive nature and the regulatory burdens associated with it. The US government defines PII as the following:
"Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.".
The elements of the Practifi data model that are generally considered to be PII are listed in the following table.
Please note: The fields listed in italics below support only deterministic encryption. All other fields support both deterministic and probabilistic encryption.
|Country of Citizenship|
|Country of Origin|
|Country of Residence|
|Date of Marriage|
|Phone (Stores the person's preferred phone number)|
|Tax ID Number|
|Contact Point Address||Address|
|Contact Point Email||Email Address|
|Contact Point Phone||Phone Number|
|Email Message Relation||Relation Address|
||Date of Incorporation|
|Entity Number 1|
|Entity Number 2|
|Replace Mailing Name With|
|Tax ID Number|
|Feed Posts||Enabled (Check the "Encrypt Chatter" checkbox on the Encryption Policy page in Setup)|
Enabled (Check the "Encrypt Files and Attachments" checkbox on the Encryption Policy page in Setup)
Reply to Address
Event Monitoring
Your employees use Practifi to succeed in their roles by engaging in hundreds, perhaps even thousands, of individual interactions with the platform. These interactions are known as "events", and the Event Monitoring feature allows administrators to access detailed statistics on event history. Over 50 different event types are included within Event Monitoring, all of which are cataloged here by Salesforce. These event types span the breadth of the Practifi platform and include login activity, report generation and export, execution of automation and actions and more.
Event Monitoring includes a dedicated analytics experience as part of the feature, which visualizes all the events addressed by the feature in a variety of ways. It includes a setup wizard to help you tailor the experience to show only the events you care about monitoring. You can learn more about the setup process and see these visualizations in action here.
In the following table, we've included some examples of events that you'll want to keep an eye on while scanning through the analytics app. This is not an exhaustive list but is intended to provide you with a starting point.
|Are employees logging in outside of office hours or via networks not controlled by the company?||Use the Logins dashboard to see login times & IP addresses for each login event filtered by dimensions such as date ranges and employee names.|
|Which users are downloading copies of reports to their devices?||Use the Report Downloads dashboard to see which users are performing downloads and from which IP addresses.|
|Are unapproved changes being made to the configuration of your Practifi instance?||Use the Setup Audit Trail dashboard to see which changes are being made and by whom.|
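The first question in the table can also be answered against an exported login event log. This is an added example, not Practifi or Salesforce code: the column names, status values, corporate IP range, office hours and fixed UTC-5 offset are all assumptions, and the log rows are constructed.

```python
import csv
import io
import ipaddress
from datetime import datetime, time, timedelta, timezone

# Assumptions: the firm's egress range, local office hours, and a fixed UTC-5 office.
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
OFFICE_START, OFFICE_END = time(8, 0), time(18, 0)
LOCAL_TZ = timezone(timedelta(hours=-5))

# Constructed sample export; column names and status values are assumed.
SAMPLE_LOG = """TIMESTAMP_DERIVED,USER_ID,SOURCE_IP,LOGIN_STATUS
2024-03-04T14:12:00.000Z,005EXAMPLE0001,203.0.113.10,LOGIN_NO_ERROR
2024-03-05T04:41:00.000Z,005EXAMPLE0002,203.0.113.25,LOGIN_NO_ERROR
2024-03-05T15:05:00.000Z,005EXAMPLE0003,198.51.100.7,LOGIN_NO_ERROR
2024-03-09T19:30:00.000Z,005EXAMPLE0001,203.0.113.10,LOGIN_NO_ERROR
2024-03-05T07:15:00.000Z,005EXAMPLE0004,198.51.100.9,LOGIN_ERROR_INVALID_PASSWORD
"""


def flag_logins(log_text: str) -> list[tuple[str, str, str, list[str]]]:
    """Return (user, local time, IP, reasons) for each successful login worth review."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["LOGIN_STATUS"] != "LOGIN_NO_ERROR":
            continue  # failed attempts are a separate question from the one asked here
        utc = datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
        local = utc.replace(tzinfo=timezone.utc).astimezone(LOCAL_TZ)
        ip = ipaddress.ip_address(row["SOURCE_IP"])
        reasons = []
        # Weekends count as out of hours; weekdays are checked against the window.
        if local.weekday() >= 5 or not (OFFICE_START <= local.time() < OFFICE_END):
            reasons.append("outside office hours")
        if not any(ip in net for net in CORPORATE_NETS):
            reasons.append("non-corporate network")
        if reasons:
            findings.append((row["USER_ID"], local.isoformat(), str(ip), reasons))
    return findings


if __name__ == "__main__":
    for finding in flag_logins(SAMPLE_LOG):
        print(finding)
```

Timestamps are converted to local time before the office-hours check, so a late-evening login is not missed because the log records it in UTC.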
Enhanced Transaction Security
Certain events that can occur in your Practifi instance might be considered too risky to allow beyond a certain threshold, or perhaps at all. In those cases, you can use enhanced transaction security to define policies for how to handle those behaviors: either to block them completely, require additional authentication or simply notify certain Practifi users that it happened.
To set up a transaction security policy, use the Condition Builder in Salesforce Setup to point and click your way to successful security policies. Detailed instructions for this enablement can be found here. Enhanced transaction security policies support the handling of reports (such as when they contain a certain field, number of records or are exported), logins (such as when users log in from a non-work IP address or device) and attack vectors such as credential stuffing and session hijacking. Other types are also supported, and the full range of policies can be viewed here.
Some of the events supported by enhanced transaction security benefit from proactive monitoring regardless of any policies that are set, such as those related to attacks by rogue agents. Threat detection uses machine learning algorithms to identify key threats to your Salesforce instance and surface them to administrators. See the feature in action here.
Supported threat types are described below. Detailed information on each threat type can be found here.
Practifi Protect detects the following types of threats:
- If a user session is hijacked.
- When a user successfully logs in during an identified credential stuffing attack. Credential stuffing occurs when large-scale automated login requests use stolen user credentials to gain access to Salesforce.
- Anomalies in a user's report views or exports.
- Anomalies in how users make API calls.
Event Monitoring Dashboards
Practifi Protect ships with the following pre-built dashboards to help you delve into your data:
|Analytics Adoption||Corresponds to Event Monitoring Analytics usage and performance.|
|Apex Executions||This dashboard lets you track trends in code execution and performance of your Practifi org. Corresponds to the Apex Execution event type.|
|API||This dashboard gives you information about both your users’ API usage and API performance in your Practifi organization. You can see how often each object is being used, how fast each object is being processed and what methods are being invoked on that object. Corresponds to the API Event event type.|
|Dashboards||This dashboard helps you track dashboard adoption and performance. Corresponds to the Dashboard event type.|
|Files||When users in your organization perform content transfers (downloads, uploads or previews), they show up on this dashboard. You can also track file adoption. Corresponds to the Content Transfer event type.|
|Lightning Adoption||Many of Practifi's components are built on the Lightning framework, and as such, you can use this dashboard to see how users interact with Practifi on desktop and mobile devices. Corresponds to the Lightning Interaction and Lightning Page View event types.|
|Lightning Performance||Use this dashboard to view performance and user interactions with Practifi. Corresponds to the Lightning Error, Lightning Interaction, Lightning Page View and Lightning Performance event types.|
|Login-As||This dashboard lets you see which admins are using the login-as feature and on which user accounts. Corresponds to the Login As event type.|
The My Trust dashboard gives you an overall idea of what kind of events are taking place in your Practifi organization over time. It also shows the average speed of these transactions. The dashboard corresponds to the following event types, correlated by User IDs:
|Page Views (URIs)||This dashboard lets you see which pages users are accessing in Practifi. Corresponds to the URI event type.|
This dashboard lets you see which users are downloading your reports and where they’re downloading them from. Corresponds to the Report Export event type.
This dashboard shows you trends in reporting as well as which users are running specific reports. Corresponds to the Report event type.
This dashboard shows you trends in REST API usage and which endpoints are seeing the most traffic. You can also view information about the IP ranges issuing the requests and which methods are being called. Corresponds to REST API event type.
|Setup Audit Trail||Use this dashboard to see the changes your users are making in the Setup area. Corresponds to the Setup Audit Trail page in Setup.|
This dashboard shows login trends by user and information about where and how users are accessing your Practifi organization. Corresponds to the Login event type.
Here you can see trends in Visualforce adoption and page performance. Corresponds to the Visualforce Request event type.
Field Audit Trail
The Salesforce platform natively provides monitoring of field-level changes made to records—for example, changes made to a Task record's Due Date information—with its field history tracking feature. To preserve performance, it comes with the limitation that only 20 fields are supported per object and the history is only retained for 18 months.
With Field Audit Trail as part of Practifi Protect, your firm can track up to 60 fields per object and store the changes for 10 years. The majority of objects and fields in the Practifi data model are supported. However, there are some limitations. These include the Task and Event objects, multi-select picklists, formula fields and the Created By and Last Modified By fields. These fields do not benefit from being tracked in this way. Formula fields are the calculated output of fields tracked elsewhere. Created By field values will never change during a record's lifespan. The Last Modified By field value is updated based on a change rather than representing a change to the record itself.
Collecting data with Field Audit Trail requires a retention policy to be defined, which specifies which objects and fields are to be tracked. Currently, this policy can only be created using an API rather than point-and-click tools in Salesforce Setup. Practifi includes a standard policy based on our standard data model. If you wish to make changes to this policy, please contact your firm's Client Success Manager to arrange a professional services engagement.
By default, the history retained by Field Audit Trail is accessible using software like Salesforce Data Loader to export its contents as a CSV. Users can download these fields for investigation using tools like Microsoft Excel. Alternatively, third-party apps are available for surfacing Field Audit Trail natively within Practifi.
Standard Field Retention Policy
As we can track up to 60 fields per object, the majority of compatible fields have been included. Only our Contact and Entity objects contain more than 60 fields eligible for tracking. We've listed the fields we include in our standard policy in the following table: