Understanding Practifi Protect

Overview

As gatekeepers to valuable client data, wealth management firms are attractive targets for cyberattacks. Our Practifi Protect add-on helps your firm protect client data, improve oversight, and proactively prepare for audits as your firm continues to grow.

Please note: Practifi Protect is an add-on service. If you'd like to learn more, please get in touch with your Client Success Manager.


Understanding Practifi Protect

Practifi Protect gives your firm access to enhanced features that safeguard your data and help you meet stricter cybersecurity regulations. With Practifi Protect, your firm can enforce governance, strengthen compliance, and increase transparency across departments, branches, and networks.

Practifi Protect provides three main tools for Practifi Administrators:

  • Shield Platform Encryption - This allows firms to define encryption policies for fields on standard and custom objects. These fields are encrypted at rest and not just when transmitted over a network. This means that even if Salesforce’s data centers were compromised, encrypted fields would be very difficult for bad actors to access. For more information, please see this documentation on Salesforce Shield Platform Encryption.
  • Event Monitoring Analytics - This gives firms access to Event Logs and several pre-built dataflows and dashboards (see below) to make the Event Logs accessible for business users to view and analyze. To learn more, please see this Salesforce documentation.
  • Field Audit Trail - This tool enhances the default Field History Tracking feature within Salesforce and extends the number of trackable fields per object from 20 to 60. Additionally, it allows firms to retain changes to audited fields indefinitely until they are manually deleted. Without Field Audit Trail, firms can only view field history for 18 months. You can learn more here.

To effectively implement Practifi Protect, you need to understand what you're protecting your organization from and how to combine Protect's tools with Practifi's existing capabilities. We've provided some examples below to get you started.
 

Threat: A rogue agent breaches the Salesforce platform and obtains copies of your clients' personally identifiable information.
Control/s:
  • Protect those fields using encryption at rest with Platform Encryption, making the data that the agent obtains indecipherable to them while remaining the same to your internal users.

Threat: An employee has resigned and may export lists of records, such as clients, to take with them to a competitor.
Control/s:
  • Remove access to the Export function found in reports and record lists using permission sets.
  • Review activity retroactively using the Event Monitoring analytics app and take action accordingly.

Threat: An inexperienced employee has altered important client data, increasing compliance risk.
Control/s:
  • Review a comprehensive history of field-by-field changes made to each of the client's records with Field Audit Trail.

Platform Encryption

Platform Encryption allows your firm to define a set of fields to be encrypted at rest, i.e., while sitting in Salesforce's data centers. This is in addition to the encryption in transit that Salesforce provides by default when transferring data from those data centers to devices. Together, they provide your firm with a comprehensive encryption solution that renders the defined fields unreadable to anyone who obtains the information in the event of a data breach, without impacting your users.

Available Encryption

Standard fields on standard objects used by Practifi, such as Entity, Contact, Task, & Event, are listed by name in Salesforce Help and can be encrypted. Custom fields, whether on standard or custom objects, can be encrypted if they are any of the following field types:

  • Email
  • Phone
  • Text
  • Text Area
  • Text Area (Long)
  • Text Area (Rich)
  • URL
  • Date
  • Date/Time

Formula fields cannot be included in Platform Encryption because they are only calculated upon request. This means they aren't stored in the data center and therefore aren't within the feature's scope. Outside of fields in the Practifi data model, Files, Notes, and Feed posts can also be encrypted. For additional information, please consult this Salesforce Help article.

Encryption Types

Two types of encryption are available, with different benefits and trade-offs to consider. Encryption methods can be chosen field by field, providing flexibility in determining your approach. 

  • Deterministic encryption is the more permissive option. It supports fields such as External IDs and allows them to be used as filter criteria in queries executed by Practifi components like tiles, record lists, and Salesforce reports. The downside is that the encryption method is more likely to be compromised, because the encrypted value of a field must be identical across records for filtering to work. This means that if one record's encryption for a specific value is compromised, so are all the others.
  • Probabilistic encryption avoids the risk described above by uniquely encrypting every field value. However, this comes at a cost, as the fields are unusable as filter criteria.
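
The trade-off between the two encryption types, as an added Python example that is not part of the original article and is not Salesforce's or Practifi's implementation. It uses a stdlib-only stand-in cipher (an HMAC-SHA256 keystream) in place of AES, and the key, records and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
FIELD = "Tax ID Number"
# Constructed sample records: c1 and c3 hold the same value.
RECORDS = {"c1": "TIN-0001", "c2": "TIN-0002", "c3": "TIN-0001"}


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real cipher such as AES.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, field: str, value: str, deterministic: bool) -> bytes:
    plaintext = value.encode()
    if deterministic:
        # Nonce is a keyed function of field and value: equal inputs, equal ciphertexts.
        msg = field.encode() + b"\x00" + plaintext
        nonce = hmac.new(_subkey(key, b"nonce"), msg, hashlib.sha256).digest()[:NONCE_LEN]
    else:
        # Fresh random nonce per encryption: equal inputs, unrelated ciphertexts.
        nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    # No integrity tag here; the example only illustrates the confidentiality trade-off.
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def decrypt(key: bytes, blob: bytes) -> str:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream)).decode()


def store(key: bytes, deterministic: bool) -> dict:
    return {rid: encrypt(key, FIELD, v, deterministic) for rid, v in RECORDS.items()}


def equality_filter(key: bytes, stored: dict, wanted: str, deterministic: bool) -> list:
    # Filter without decrypting: encrypt the search term and compare ciphertexts.
    probe = encrypt(key, FIELD, wanted, deterministic)
    return [rid for rid, blob in stored.items() if blob == probe]


def shared_value_groups(stored: dict) -> list:
    # What a holder of the ciphertexts alone can see: which records share a value.
    groups = {}
    for rid, blob in stored.items():
        groups.setdefault(blob, []).append(rid)
    return sorted(g for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    for mode in (True, False):
        stored = store(key, mode)
        label = "deterministic" if mode else "probabilistic"
        print(label, "filter:", equality_filter(key, stored, "TIN-0001", mode))
        print(label, "leaked groups:", shared_value_groups(stored))
```

In deterministic mode c1 and c3 encrypt to the same bytes, so the filter works and anyone holding the ciphertexts can see that the two records share a value; in probabilistic mode both the filter and that grouping come back empty.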

The limitations imposed by the Salesforce platform are documented in detail in Salesforce Help. Major considerations are exclusions from criteria-based record-sharing rules and limited support for formula field operators. The Practifi product also imposes a limitation: encrypted fields cannot be used for sorting in record lists. When such fields are used for default sorting, such as the Name field in the Directory, the Last Modified Date field value is used instead.

Recommended Encryption

We recommend encrypting all personally identifiable information (PII) your firm stores, given its sensitive nature and the associated regulatory burdens. The US government defines PII as the following:

"Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.".

The following table lists the elements of the Practifi data model generally considered PII. 

Please note: The fields listed in italics below support only deterministic encryption. All other fields support both deterministic and probabilistic encryption.

Object / Fields

Asset/Liability
  • Account Number
  • Asset/Liability Name

Contact
  • Alternate Email
  • Birth Name
  • Birth Place
  • Country of Citizenship
  • Country of Origin
  • Country of Residence
  • Date of Marriage
  • Email
  • Email (Preferred)
  • Employer
  • Home Phone
  • Location Address
  • Mailing Label
  • Middle Name
  • Mobile
  • Name
  • Other Phone
  • Phone (Stores the person's preferred phone number)
  • Postal Address
  • Preferred Name
  • SSN
  • Tax ID Number

Contact Point Address
  • Address

Contact Point Email
  • Email Address

Contact Point Phone
  • Phone Number

Email Message
  • BCC Address
  • CC Address
  • From Address
  • From Name
  • Headers
  • HTML Body
  • Subject
  • Text Body
  • To Address

Email Message Relation
  • Relation Address

Entity
  • Date of Incorporation
  • Description
  • Email
  • Entity Name
  • Entity Number 1
  • Entity Number 2
  • Formal Name
  • Mailing Label
  • Member Names
  • Phone
  • Replace Mailing Name With
  • Servicing Team
  • Tax ID Number
  • Tax Number
  • Website

Event
  • Description
  • Subject

Feed Posts
  • Enabled (Check the Encrypt Chatter checkbox on the Encryption Policy page in Setup)

Files
  • Enabled (Check the Encrypt Files and Attachments checkbox on the Encryption Policy page in Setup)

List Email
  • From Address
  • From Name
  • Reply to Address

Notes
  • Description

Noticeboard
  • Post

Policy
  • Policy Number

Policy Coverage
  • Policy Number

Reference Document
  • Description
  • Document Number
  • Document URL

Task
  • Description
  • Subject

User
  • Email

Event Monitoring

Your employees use Practifi to succeed in their roles by engaging in hundreds, perhaps thousands, of individual interactions with the platform. These interactions are known as "events," and the Event Monitoring feature allows administrators to access detailed statistics on event history, providing your firm with the oversight needed to identify risks and act quickly. Over 50 different event types are included within Event Monitoring, all cataloged here by Salesforce. These event types span the breadth of the Practifi platform and include login activity, report generation and export, execution of automation and actions, and more.

Event Monitoring includes a dedicated analytics experience that visualizes all the events in various ways. It includes a setup wizard to help you tailor the experience to show only the events you care about monitoring. You can learn more about the setup process and see these visualizations here.

In the following table, we've included examples of events to keep an eye on while scanning the analytics app. This is not an exhaustive list but is intended to provide a starting point. 
 

Scenario: Are employees logging in outside of office hours or via networks not controlled by the company?
Solution: Use the Logins dashboard to see login times and IP addresses for each login event filtered by dimensions such as date ranges and employee names.

Scenario: Which users are downloading copies of reports to their devices?
Solution: Use the Report Downloads dashboard to see which users are performing downloads and from which IP addresses.

Scenario: Are unapproved changes being made to the configuration of your Practifi instance?
Solution: Use the Setup Audit Trail dashboard to see which changes are being made and by whom.
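
The first scenario in the table above, as an added Python example for firms that review exported login events rather than the dashboard; it is not part of the original article or Practifi's code. The column names (USER_ID, TIMESTAMP_DERIVED, SOURCE_IP) are assumed to match a Salesforce Login event log export, and the sample rows, office network range, UTC offset and office hours are constructed.

```python
import csv
import io
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample rows; column names are an assumption about the export format.
SAMPLE_CSV = """USER_ID,TIMESTAMP_DERIVED,SOURCE_IP
005000000000001,2024-03-04T14:05:11.000Z,203.0.113.10
005000000000002,2024-03-05T03:41:52.000Z,203.0.113.25
005000000000001,2024-03-05T15:20:00.000Z,198.51.100.7
005000000000003,2024-03-09T16:00:00.000Z,203.0.113.40
005000000000002,2024-03-06T14:00:00.000Z,not-an-ip
"""

OFFICE_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed company range
OFFICE_TZ = timezone(timedelta(hours=-5))               # constructed fixed UTC offset
OFFICE_HOURS = range(8, 18)                             # 08:00-17:59 local, Mon-Fri


def review_logins(csv_text: str) -> list:
    """Return (user_id, timestamp, reasons) for every login that needs a second look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        # Event timestamps are UTC; convert to office-local time before judging hours.
        ts = datetime.fromisoformat(row["TIMESTAMP_DERIVED"].replace("Z", "+00:00"))
        local = ts.astimezone(OFFICE_TZ)
        if local.weekday() >= 5 or local.hour not in OFFICE_HOURS:
            reasons.append("outside office hours")
        try:
            ip = ipaddress.ip_address(row["SOURCE_IP"])
            if not any(ip in net for net in OFFICE_NETS):
                reasons.append("non-company network")
        except ValueError:
            # Do not silently skip rows whose address cannot be checked.
            reasons.append("unparseable source IP")
        if reasons:
            findings.append((row["USER_ID"], row["TIMESTAMP_DERIVED"], reasons))
    return findings


if __name__ == "__main__":
    for user_id, when, reasons in review_logins(SAMPLE_CSV):
        print(user_id, when, ", ".join(reasons))
```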

 

Enhanced Transaction Security

Certain events in your Practifi instance might be considered too risky to allow beyond a certain threshold, or perhaps at all. In those cases, you can use enhanced transaction security to define policies for handling those behaviors: either to block them completely, require additional authentication, or notify certain Practifi users when the events occur. 

To set up a transaction security policy, use the Condition Builder in Salesforce Setup to configure policies through a point-and-click interface. Detailed setup instructions can be found here. Enhanced transaction security policies support handling reports (such as when they contain a certain field or number of records or are exported), logins (such as when users log in from a non-work IP address or device), and attack vectors such as credential stuffing and session hijacking. Other types are also supported, and the full range of policies can be viewed here.

Threat Detection

Some events supported by enhanced transaction security benefit from proactive monitoring, regardless of any policies in place, such as those related to attacks by rogue agents. Threat detection uses machine learning algorithms to identify key threats to your Salesforce instance and surface them to administrators. See the feature in action here.

Supported threat types are described below. Detailed information on each threat type can be found here.

Practifi Protect detects the following types of threats:

  • If a user session is hijacked.
  • When a user successfully logs in during an identified credential-stuffing attack. Credential stuffing occurs when large-scale automated login requests use stolen user credentials to gain access to Salesforce.
  • Anomalies in a user's report views or exports.
  • Anomalies in how users make API calls.

Event Monitoring Dashboards

Practifi Protect ships with the following pre-built dashboards to help you delve into your data:
 

Title - Description

Analytics Adoption - Corresponds to Event Monitoring Analytics usage and performance.

Apex Executions - This dashboard lets you track trends in code execution and performance of your Practifi org. Corresponds to the Apex Execution event type.

API - This dashboard gives you information about both your users’ API usage and API performance in your Practifi organization. You can see how often each object is being used, how fast each object is being processed, and what methods are being invoked on that object. Corresponds to the API Event event type.

Dashboards - This dashboard helps you track dashboard adoption and performance. Corresponds to the Dashboard event type.

Files - When users in your organization perform content transfers (downloads, uploads, or previews), they show up on this dashboard. You can also track file adoption. Corresponds to the Content Transfer event type.

Lightning Adoption - Many of Practifi's components are built on the Lightning framework, so you can use this dashboard to see how users interact with Practifi on desktop and mobile devices. Corresponds to the Lightning Interaction and Lightning Page View event types.

Lightning Performance - Use this dashboard to view performance and user interactions with Practifi. Corresponds to the Lightning Error, Lightning Interaction, Lightning Page View, and Lightning Performance event types.

Login-As - This dashboard lets you see which admins are using the login-as feature and on which user accounts. Corresponds to the Login As event type.

My Trust - The My Trust dashboard gives you an overall view of the types of events occurring in your Practifi organization over time. It also shows the average speed of these transactions. The dashboard corresponds to the following event types, correlated by User IDs:

  • Apex Execution
  • API
  • Content Transfer
  • Dashboard
  • Lightning Page View
  • Login As
  • Login
  • Report
  • Report Export
  • REST API
  • Visualforce

Page Views (URIs) - This dashboard lets you see which pages users are accessing in Practifi. Corresponds to the URI event type.

Report Downloads - This dashboard lets you see which users are downloading your reports and where they’re downloading them from. Corresponds to the Report Export event type.

Reports - This dashboard shows you reporting trends and which users are running specific reports. Corresponds to the Report event type.

RestAPI - This dashboard shows you trends in REST API usage and which endpoints are seeing the most traffic. You can also view information about the IP ranges issuing the requests and which methods are being called. Corresponds to the REST API event type.

Setup Audit Trail - Use this dashboard to see the changes your users are making in the Setup area. Corresponds to the Setup Audit Trail page in Setup.

User Logins - This dashboard shows login trends by user and information about where and how users are accessing your Practifi organization. Corresponds to the Login event type.

Visualforce Requests - Here you can see trends in Visualforce adoption and page performance. Corresponds to the Visualforce Request event type.

Field Audit Trail

The Salesforce platform natively provides monitoring of field-level changes to records (for example, changes to a Task record's Due Date) through its Field History Tracking feature. To preserve performance, it has the limitation that only 20 fields are supported per object, and history is retained for only 18 months. 

With Field Audit Trail as part of Practifi Protect, your firm can track up to 60 fields per object and store the changes indefinitely until they are manually deleted, supporting long-term audit and compliance reviews. The majority of objects and fields in the Practifi data model are supported. However, there are some limitations. These include the Task and Event objects, multi-select picklists, formula fields, and the Created By and Last Modified By fields. These fields do not benefit from being tracked in this way. Formula fields are the calculated output of fields tracked elsewhere. Created By field values will never change during a record's lifespan. The Last Modified By field value is updated based on a change rather than representing a change to the record itself. 

Collecting data with Field Audit Trail requires defining a retention policy that specifies which objects and fields are tracked. Currently, this policy can only be created using an API rather than point-and-click tools in Salesforce Setup. Practifi includes a standard policy based on our standard data model. If you wish to make changes to this policy, please get in touch with your firm's Client Success Manager to arrange a professional services engagement.

By default, the history retained by Field Audit Trail is accessible via software such as Salesforce Data Loader, which can export its contents as a CSV. Users can download these fields for investigation using tools like Microsoft Excel. Alternatively, third-party apps are available to surface the Field Audit Trail natively within Practifi.

Running a Field History Tracking Query

Once Field Audit Trail is enabled in your Practifi organization, you can use Salesforce Inspector Reloaded to export an up-to-date report on which fields are being tracked. For instructions on installing and using this browser extension, please see our article on Using Salesforce Inspector Reloaded in Practifi.

To export field tracking data using Salesforce Inspector Reloaded:

  1. In Practifi, open Salesforce Inspector Reloaded using the keyboard shortcut (Ctrl + Shift + I) or (Cmd + Shift + I).
  2. Select the Data Export option.
  3. Paste the following SOQL query into the Export Query box:

    SELECT DeveloperName, IsFieldHistoryTracked, DataType, EntityDefinition.QualifiedApiName, DurableId
    FROM FieldDefinition
    WHERE EntityDefinition.QualifiedApiName = 'Account'
       OR EntityDefinition.QualifiedApiName = 'Contact'
       OR EntityDefinition.QualifiedApiName = 'practifi__Service__c'
       OR EntityDefinition.QualifiedApiName = 'practifi__Relationship__c'
       OR EntityDefinition.QualifiedApiName = 'practifi__Deal__c'
       OR EntityDefinition.QualifiedApiName = 'practifi__Asset_Liability__c'
       OR EntityDefinition.QualifiedApiName = 'Task'
       OR EntityDefinition.QualifiedApiName = 'Event'

    Please note: The above query includes the most commonly used objects in Practifi, but it can be expanded to encompass more objects. For additional information about SOQL queries, please consult this Salesforce Help article.

  4. Click Run Export.
  5. The results are displayed in the Export Result box below. You can then either copy and paste the information into Excel or click the download option to save it as a CSV file locally. 

Standard Field Retention Policy

As we can track up to 60 fields per object, the majority of compatible fields have been included. Only our Contact and Entity objects contain more than 60 fields eligible for tracking. We've listed the fields we include in our standard policy in the following table:
 

Object / Fields

Contact
  • Alternate Email
  • Anticipated Retirement Date
  • Batch
  • Birth Name
  • Birth Place
  • Birthdate
  • Citizenship Status
  • Contact Owner
  • Contact Record Type
  • Country of Citizenship
  • Country of Origin
  • Country of Residence
  • Date of Death
  • Date of Marriage
  • Department
  • Dependant Until Age
  • Display Country
  • Display Employer & Title
  • Do Not Call
  • Email
  • Email (Preferred)
  • Email Opt Out
  • Employer
  • Employment Status
  • Entity Name
  • Exclude Location Address from Sync
  • Exclude Postal Address from Sync
  • External Id
  • External Id 1
  • External Id 2
  • External Id 3
  • External Id 4
  • Gender
  • General Health
  • Home Phone
  • Location Address
  • Location Phone
  • Mailing Label
  • Marital Status
  • Middle Name
  • Mobile
  • Name
  • Occupation
  • Phone
  • Postal Address
  • Preferred Name
  • Preferred Phone
  • Primary Entity
  • Related Division
  • Smoking Status
  • SSN
  • State of Residence
  • Suffix
  • Tax ID Number
  • Tax Resident Status
  • Title
  • Will Date
  • Will Location

Entity
  • Account Type
  • Annual Revenue
  • AUM
  • Client Segment
  • Client Stage
  • Contributing Employer
  • Date of First Contact
  • Date of Incorporation
  • Date of Last Disclosures
  • Display Country
  • Email
  • Employer Segment
  • Employer Stage
  • Entity Name
  • Entity Number 1
  • Entity Number 2
  • Entity Owner
  • Entity Record Type
  • Entity Source
  • First Contact Date
  • First Event Date
  • Formal Name
  • Housing Status
  • Influencer Segment
  • Last Call Date
  • Last Event Date
  • Location Address
  • Loss Reason Notification
  • Member Stage
  • Organization Type
  • Parent Entity
  • Participating Fund
  • Phone
  • Postal Address
  • Potential Annual Revenue
  • Potential AUM
  • Potential Revenue
  • Preferred Email
  • Preferred Phone
  • Primary Contact
  • Primary Entity
  • Primary Member
  • Reason for Loss
  • Referred AUM
  • Referrer
  • Related Division
  • Replace Mailing Name With
  • Servicing Team
  • Source
  • Spouse
  • State of Residence
  • Sync Location Address with Members
  • Sync Postal Address with Members
  • Tax ID Number
  • Tax Number
  • Topics
  • Trust Type
  • Type
  • Valuation Website

Disabling Practifi Protect

If your firm no longer wants to use Practifi Protect, reach out to your Client Success Manager or Practifi Support to request deactivation.

Please note: Disabling Practifi Protect without following the proper protocols can result in data obfuscation. Please contact the Practifi team before taking any steps to remove Practifi Protect functionality from your organization. 