Understanding Practifi Protect

Overview

As gatekeepers to valuable client data, wealth management firms are attractive targets for cyberattacks. Our Practifi Protect platform add-on provides comprehensive protection so your firm can protect client data, improve oversight and proactively prepare for audits as you continue to scale.

Please note: Practifi Protect is an add-on service. If you'd like to learn more, please contact your Client Success Manager.

Understanding Practifi Protect

Practifi Protect gives your firm access to enhanced features to safeguard your data and meet stricter cybersecurity regulations. With the comprehensive protection Practifi Protect provides, your firm can enforce governance, strengthen compliance and increase transparency across departments, branches and networks.

Practifi Protect provides three main tools for Practifi Administrators:

  • Shield Platform Encryption - This allows firms to define encryption policies for fields on standard and custom objects. These fields are encrypted at rest and not just when transmitted over a network. This means that even if Salesforce’s data centers were compromised, fields that have been encrypted would be very difficult for bad actors to access. For more information, please see this documentation on Salesforce Shield Platform Encryption.
  • Event Monitoring Analytics - This gives firms access to Event Logs and several pre-built dataflows and dashboards (see below) to make the Event Logs accessible for business users to view and analyze. To learn more, please see this Salesforce documentation.
  • Enhanced Field Audit Trail - This tool enhances the default field audit trail feature within Salesforce and extends the number of trackable fields per object from 20 to 60. Additionally, it gives firms the option to retain changes to audited fields for 10 years. Without this, firms can only view field history for 18 months. You can learn more here.

To effectively implement Practifi Protect, you want to understand exactly what it is that you're protecting your organization from and how you can combine Protect's tools with the existing capabilities of Practifi to achieve it. We've provided some examples below to get you started.

Threat: A rogue agent breaches the Salesforce platform and obtains copies of the personally-identifying information of your clients.
Control/s:
  • Protect those fields using encryption at rest with Platform Encryption, making the data that the agent obtains indecipherable to them while remaining the same to your internal users.

Threat: An employee has resigned and may export lists of records, such as clients, to take with them to a competitor.
Control/s:
  • Remove access to the Export function found in reports and record lists using permission sets.
  • Review activity retroactively using the Event Monitoring analytics app and take action accordingly.

Threat: An inexperienced employee has altered important client data, increasing compliance risk.
Control/s:
  • Review a comprehensive history of field-by-field changes made to each of the client's records in the last decade with Field Audit Trail.


Platform Encryption

Platform Encryption allows your firm to define a set of fields to be encrypted at rest, i.e., while sitting in Salesforce's data centers. This is in addition to the encryption in transit Salesforce provides by default when transferring data from those data centers to devices. Together, they provide your firm with a comprehensive encryption solution that makes the defined fields unreadable by anyone who obtains the information through a data breach without any impact on your users.

Available Encryption

Standard fields on standard objects used by Practifi, such as Entity, Contact, Task & Event, are listed by name in Salesforce Help and can be encrypted. Custom fields - whether on standard or custom objects - can be encrypted if they are any of the following field types:

  • Email
  • Phone
  • Text
  • Text Area
  • Text Area (Long)
  • Text Area (Rich)
  • URL
  • Date
  • Date/Time

Formula fields cannot be included in Platform Encryption because they are only calculated upon request. This means they aren't stored in the data center and thus aren't included in the feature's scope. Outside of fields in the Practifi data model, Files, Notes and Feed posts can also be encrypted. For additional information, please consult this Salesforce Help article.

Encryption Types

Two types of encryption are available, with different benefits and trade-offs to consider. Encryption methods can be chosen field-by-field, providing flexibility when determining your approach. 

  • Deterministic encryption is the more permissive option. It supports fields such as External IDs and allows fields to be used as filter criteria in the queries performed by Practifi components like tiles, record lists and Salesforce reports. The downside is that the encryption method is more likely to be compromised: for filtering to work, the same field value must produce the same encrypted value on every record. This means that if one record's encryption is compromised for a specific value, so is every other record holding that value.
  • Probabilistic encryption avoids the risk described above by uniquely encrypting every field value. However, this comes at a cost, as the fields are unusable as filter criteria.
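
The trade-off between the two types can be seen in a small model. The following is an added example, not Practifi or Salesforce code: it uses a toy HMAC-based stream cipher as a stand-in for the real encryption, with a constructed key and constructed field values, to show why equality filtering works on deterministic ciphertext and what that same property reveals to someone holding only the ciphertext.

```python
import hashlib
import hmac
import secrets
from collections import Counter

KEY = secrets.token_bytes(32)  # constructed demo key, regenerated on every run


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stand-in for a real cipher."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt(value: str, key: bytes = KEY, deterministic: bool = False) -> bytes:
    data = value.encode()
    if deterministic:
        # IV is derived from the value: same value -> same IV -> same ciphertext.
        iv = hmac.new(_subkey(key, b"iv"), data, hashlib.sha256).digest()[:16]
    else:
        # Fresh random IV: the same value encrypts differently on every record.
        iv = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), iv, len(data))
    return iv + bytes(a ^ b for a, b in zip(data, stream))


def decrypt(blob: bytes, key: bytes = KEY) -> str:
    iv, body = blob[:16], blob[16:]
    stream = _keystream(_subkey(key, b"enc"), iv, len(body))
    return bytes(a ^ b for a, b in zip(body, stream)).decode()


def filter_equal(stored: list, value: str, key: bytes = KEY) -> list:
    """Filter on ciphertext: encrypt the search term, compare byte for byte."""
    needle = encrypt(value, key, deterministic=True)
    return [i for i, blob in enumerate(stored) if blob == needle]


def largest_group(stored: list) -> int:
    """What a holder of ciphertext alone can count: records sharing one value."""
    return max(Counter(stored).values())


if __name__ == "__main__":
    states = ["NY", "CA", "NY", "TX", "NY"]  # constructed field values
    det = [encrypt(s, deterministic=True) for s in states]
    prob = [encrypt(s) for s in states]
    print("deterministic filter NY:", filter_equal(det, "NY"))
    print("probabilistic filter NY:", filter_equal(prob, "NY"))
    print("largest identical-ciphertext group:", largest_group(det), largest_group(prob))
```

Low-cardinality fields are where the grouping effect matters most, since a few distinct values spread across many records produce large identical-ciphertext groups.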

The limitations imposed by the Salesforce platform are documented in detail in Salesforce Help. Major considerations are exclusions from criteria-based record-sharing rules and limited support for formula field operators. The Practifi product also imposes a limitation, specifically that encrypted fields cannot be used for sorting in record lists. In cases when they're used by default, such as the Name field in the Directory, the Last Modified Date field value is used for default sorting instead.

Recommended Encryption

We recommend encrypting all personally identifiable information (PII) your firm stores due to its sensitive nature and associated regulatory burdens. The US government defines PII as the following:

"Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.".

The following table lists the elements of the Practifi data model that are generally considered to be PII. 

Please note: The fields listed in italics below support only deterministic encryption. All other fields support both deterministic and probabilistic encryption.

Object Fields

Asset/Liability
  • Account Number
  • Asset/Liability Name

Contact
  • Alternate Email
  • Birth Name
  • Birth Place
  • Country of Citizenship
  • Country of Origin
  • Country of Residence
  • Date of Marriage
  • Email
  • Email (Preferred)
  • Employer
  • Home Phone
  • Location Address
  • Mailing Label
  • Middle Name
  • Mobile
  • Name
  • Other Phone
  • Phone (Stores the person's preferred phone number)
  • Postal Address
  • Preferred Name
  • SSN
  • Tax ID Number

Contact Point Address
  • Address

Contact Point Email
  • Email Address

Contact Point Phone
  • Phone Number

Email Message
  • BCC Address
  • CC Address
  • From Address
  • From Name
  • Headers
  • HTML Body
  • Subject
  • Text Body
  • To Address

Email Message Relation
  • Relation Address

Entity
  • Date of Incorporation
  • Description
  • Email
  • Entity Name
  • Entity Number 1
  • Entity Number 2
  • Formal Name
  • Mailing Label
  • Member Names
  • Phone
  • Replace Mailing Name With
  • Servicing Team
  • Tax ID Number
  • Tax Number
  • Website

Event
  • Description
  • Subject

Feed Posts
  • Enabled (Check the "Encrypt Chatter" checkbox on the Encryption Policy page in Setup)

Files
  • Enabled (Check the "Encrypt Files and Attachments" checkbox on the Encryption Policy page in Setup)

List Email
  • From Address
  • From Name
  • Reply to Address

Notes
  • Description

Noticeboard
  • Post

Policy
  • Policy Number

Policy Coverage
  • Policy Number

Reference Document
  • Description
  • Document Number
  • Document URL

Task
  • Description
  • Subject

User
  • Email


Event Monitoring

Your employees use Practifi to succeed in their roles by engaging in hundreds, perhaps thousands, of individual interactions with the platform. These interactions are known as "events," and the Event Monitoring feature allows administrators to access detailed statistics on event history. Over 50 different event types are included within Event Monitoring, all cataloged here by Salesforce. These event types span the breadth of the Practifi platform and include login activity, report generation and export, execution of automation and actions and more.

Event Monitoring includes a dedicated analytics experience as part of the feature, which visualizes all the events the feature addresses in various ways. It includes a setup wizard to help you tailor the experience to show only the events you care about monitoring. You can learn more about the setup process and see these visualizations here.

In the following table, we've included some examples of events that you'll want to keep an eye on while scanning through the analytics app. This is not an exhaustive list but is intended to provide a starting point. 

Scenario: Are employees logging in outside of office hours or via networks not controlled by the company?
Solution: Use the Logins dashboard to see login times & IP addresses for each login event filtered by dimensions such as date ranges and employee names.

Scenario: Which users are downloading copies of reports to their devices?
Solution: Use the Report Downloads dashboard to see which users are performing downloads and from which IP addresses.

Scenario: Are unapproved changes being made to the configuration of your Practifi instance?
Solution: Use the Setup Audit Trail dashboard to see which changes are being made and by whom.
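
The first scenario can also be checked offline against exported login events. The following is an added example, not part of Practifi or Salesforce: the column names are modeled on a Login event log export and are assumptions, as are the office hours, the fixed UTC offset, the approved network range and every sample row.

```python
import csv
import io
import ipaddress
from datetime import datetime, time, timedelta, timezone

# Constructed sample rows; column names are assumed, addresses are
# documentation ranges, timestamps are UTC.
SAMPLE_LOGINS = """\
USER_NAME,TIMESTAMP_DERIVED,SOURCE_IP
adviser.a@example.com,2024-03-04T14:12:09.000Z,198.51.100.24
adviser.b@example.com,2024-03-05T03:40:00.000Z,198.51.100.77
adviser.c@example.com,2024-03-06T16:05:30.000Z,203.0.113.9
adviser.d@example.com,2024-03-07T15:30:00.000Z,
adviser.a@example.com,2024-03-09T15:00:00.000Z,203.0.113.50
"""

OFFICE_TZ = timezone(timedelta(hours=-5))                  # assumed firm offset
OFFICE_HOURS = (time(8, 0), time(18, 0))                   # assumed policy
APPROVED_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # assumed office range


def review_logins(csv_text: str) -> list:
    """Return (user, timestamp, ip, reasons) for every login worth a look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        utc = datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
        local = utc.replace(tzinfo=timezone.utc).astimezone(OFFICE_TZ)
        in_hours = OFFICE_HOURS[0] <= local.time() < OFFICE_HOURS[1]
        if local.weekday() >= 5 or not in_hours:
            reasons.append("outside_hours")
        try:
            ip = ipaddress.ip_address(row["SOURCE_IP"])
            approved = any(ip in net for net in APPROVED_NETS)
        except ValueError:
            # A missing or unparseable address cannot be shown to be approved.
            approved = False
        if not approved:
            reasons.append("unapproved_network")
        if reasons:
            findings.append(
                (row["USER_NAME"], row["TIMESTAMP_DERIVED"], row["SOURCE_IP"], reasons)
            )
    return findings


if __name__ == "__main__":
    for user, when, ip, reasons in review_logins(SAMPLE_LOGINS):
        print(f"{when}  {user:<24} {ip or '-':<15} {', '.join(reasons)}")
```

Because the timestamps are in UTC, the conversion to office time has to happen before the hours check, otherwise an evening login can look like a morning one.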

 

Enhanced Transaction Security

Certain events in your Practifi instance might be considered too risky to allow beyond a certain threshold, or perhaps at all. In those cases, you can use enhanced transaction security to define policies for handling those behaviors: either to block them completely, require additional authentication or notify certain Practifi users that it happened. 

To set up a transaction security policy, use the Condition Builder in Salesforce Setup to point and click your way to successful security policies. Detailed instructions for this enablement can be found here. Enhanced transaction security policies support handling reports (such as when they contain a certain field or number of records or are exported), logins (such as when users log in from a non-work IP address or device) and attack vectors such as credential stuffing and session hijacking. Other types are also supported, and the full range of policies can be viewed here.

Threat Detection

Some events supported by enhanced transaction security benefit from proactive monitoring regardless of any policies set, such as those related to attacks by rogue agents. Threat detection uses machine learning algorithms to identify key threats to your Salesforce instance and surface them to administrators. See the feature in action here.

Supported threat types are described below. Detailed information on each threat type can be found here.

Practifi Protect detects the following types of threats:

  • If a user session is hijacked.
  • When a user successfully logs in during an identified credential-stuffing attack. Credential stuffing occurs when large-scale automated login requests use stolen user credentials to gain access to Salesforce.
  • Anomalies in a user's report views or exports. 
  • Anomalies in how users make API calls.

Event Monitoring Dashboards

Practifi Protect ships with the following pre-built dashboards to help you delve into your data:

Analytics Adoption

Corresponds to Event Monitoring Analytics usage and performance.

Apex Executions

This dashboard lets you track trends in code execution and performance of your Practifi org. Corresponds to the Apex Execution event type.

API

This dashboard gives you information about both your users’ API usage and API performance in your Practifi organization. You can see how often each object is being used, how fast each object is being processed and what methods are being invoked on that object. Corresponds to the API Event event type.

Dashboards

This dashboard helps you track dashboard adoption and performance. Corresponds to the Dashboard event type.

Files

When users in your organization perform content transfers (downloads, uploads or previews), they show up on this dashboard. You can also track file adoption. Corresponds to the Content Transfer event type.

Lightning Adoption

Many of Practifi's components are built on the Lightning framework, and as such, you can use this dashboard to see how users interact with Practifi on desktop and mobile devices. Corresponds to the Lightning Interaction and Lightning Page View event types.

Lightning Performance

Use this dashboard to view performance and user interactions with Practifi. Corresponds to the Lightning Error, Lightning Interaction, Lightning Page View and Lightning Performance event types.

Login-As

This dashboard lets you see which admins are using the login-as feature and on which user accounts. Corresponds to the Login As event type.

My Trust

The My Trust dashboard gives you an overall idea of what kind of events are taking place in your Practifi organization over time. It also shows the average speed of these transactions. The dashboard corresponds to the following event types, correlated by User IDs:

  • Apex Execution
  • API
  • Content Transfer
  • Dashboard
  • Lightning Page View
  • Login As
  • Login
  • Report
  • Report Export
  • REST API
  • Visualforce

Page Views (URIs)

This dashboard lets you see which pages users are accessing in Practifi. Corresponds to the URI event type.

Report Downloads

This dashboard lets you see which users are downloading your reports and where they’re downloading them from. Corresponds to the Report Export event type.

Reports

This dashboard shows you trends in reporting as well as which users are running specific reports. Corresponds to the Report event type.

RestAPI

This dashboard shows you trends in REST API usage and which endpoints are seeing the most traffic. You can also view information about the IP ranges issuing the requests and which methods are being called. Corresponds to REST API event type.

Setup Audit Trail

Use this dashboard to see the changes your users are making in the Setup area. Corresponds to the Setup Audit Trail page in Setup.

User Logins

This dashboard shows login trends by user and information about where and how users are accessing your Practifi organization. Corresponds to the Login event type.

Visualforce Requests

Here you can see trends in Visualforce adoption and page performance. Corresponds to the Visualforce Request event type.

 

Field Audit Trail

The Salesforce platform natively provides monitoring of field-level changes made to records—for example, changes made to a Task record's Due Date information—with its field history tracking feature. To preserve performance, it comes with the limitation that only 20 fields are supported per object and the history is only retained for 18 months. 

With Field Audit Trail as part of Practifi Protect, your firm can track up to 60 fields per object and store the changes for 10 years. The majority of objects and fields in the Practifi data model are supported. However, there are some limitations: the Task and Event objects, multi-select picklists, formula fields and the Created By and Last Modified By fields are not supported. These fields do not benefit from being tracked in this way: formula fields are the calculated output of fields tracked elsewhere, Created By field values never change during a record's lifespan, and the Last Modified By field value is updated as a result of a change rather than representing a change to the record itself.

Collecting data with Field Audit Trail requires a retention policy to be defined, which specifies which objects and fields are to be tracked. Currently, this policy can only be created using an API rather than point-and-click tools in Salesforce Setup. Practifi includes a standard policy based on our standard data model. If you wish to make changes to this policy, please contact your firm's Client Success Manager to arrange a professional services engagement.

By default, the history retained by Field Audit Trail is accessible using software like Salesforce Data Loader to export its contents as a CSV. Users can download these fields for investigation using tools like Microsoft Excel. Alternatively, third-party apps are available for surfacing Field Audit Trail natively within Practifi.

Standard Field Retention Policy

As we can track up to 60 fields per object, the majority of compatible fields have been included. Only our Contact and Entity objects contain more than 60 fields eligible for tracking. We've listed the fields we include in our standard policy in the following table:

Object Fields
Contact
  • Alternate Email
  • Anticipated Retirement Date
  • Batch
  • Birth Name
  • Birth Place
  • Birthdate
  • Citizenship Status
  • Contact Owner
  • Contact Record Type
  • Country of Citizenship
  • Country of Origin
  • Country of Residence
  • Date of Death
  • Date of Marriage
  • Department
  • Dependant Until Age
  • Display Country
  • Display Employer & Title
  • Do Not Call
  • Email 
  • Email (Preferred)
  • Email Opt Out
  • Employer
  • Employment Status
  • Entity Name
  • Exclude Location Address from Sync
  • Exclude Postal Address from Sync
  • External Id
  • External Id 1
  • External Id 2
  • External Id 3
  • External Id 4
  • Gender
  • General Health
  • Home Phone
  • Location Address
  • Location Phone
  • Mailing Label
  • Marital Status
  • Middle Name
  • Mobile 
  • Name
  • Occupation
  • Phone
  • Postal Address
  • Preferred Name
  • Preferred Phone
  • Primary Entity
  • Related Division
  • Smoking Status
  • SSN
  • State of Residence
  • Suffix
  • Tax ID Number
  • Tax Resident Status
  • Title
  • Will Date
  • Will Location
Entity
  • Account Type
  • Annual Revenue
  • AUM
  • Client Segment
  • Client Stage
  • Contributing Employer
  • Date of First Contact
  • Date of Incorporation
  • Date of Last Disclosures
  • Display Country
  • Email
  • Employer Segment
  • Employer Stage
  • Entity Name
  • Entity Number 1
  • Entity Number 2
  • Entity Owner
  • Entity Record Type
  • Entity Source
  • First Contact Date
  • First Event Date
  • Formal Name
  • Housing Status
  • Influencer Segment
  • Last Call Date
  • Last Event Date
  • Location Address
  • Loss Reason Notification
  • Member Stage
  • Organization Type
  • Parent Entity
  • Participating Fund
  • Phone
  • Postal Address
  • Potential Annual Revenue
  • Potential AUM
  • Potential Revenue
  • Preferred Email
  • Preferred Phone
  • Primary Contact
  • Primary Entity
  • Primary Member
  • Reason for Loss
  • Referred AUM
  • Referrer
  • Related Division
  • Replace Mailing Name With
  • Servicing Team
  • Source
  • Spouse
  • State of Residence
  • Sync Location Address with Members
  • Sync Postal Address with Members
  • Tax ID Number
  • Tax Number
  • Topics
  • Trust Type
  • Type
  • Valuation Website