
What are Security Essentials for Salesforce Admins

Salesforce Admins Podcast

Release Date: 06/18/2026


Today on the Salesforce Admins Podcast, we talk to Laura Pelkey, Director of Customer Security Communications and Engagement, and Sabrina Simeroth, Product Manager for Security Center at Salesforce.

Join us as we chat about security essentials for the summer and how Salesforce is helping admins protect their data.

You should subscribe for the full episode, but here are a few takeaways from our conversation with Laura Pelkey and Sabrina Simeroth.

Why admins are a target

Security doesn’t take a summer vacation. And while AI is helping all of us do more things faster than ever before, it’s also helping hackers deliver new types of targeted attacks at scale. And as privileged users, admins are finding themselves in the crosshairs.

Luckily, Salesforce is rolling out key security enhancements over the summer to help you protect your org. I sat down with Laura Pelkey and Sabrina Simeroth to talk about what threats are out there and how you can be prepared.

MFA requirements to protect your credentials

Because AI makes it easier than ever to imitate someone’s writing style or even their voice, the biggest threats that Laura and her team are seeing are different variations of phishing attacks. In the end, it’s all about getting someone’s credentials and then using that access to do damage.

That’s why Salesforce is requiring all customers to use multi-factor authentication (MFA), as opposed to the gentle nudging we’ve done in the past. However, MFA can still be vulnerable to man-in-the-middle attacks, so admins and other privileged users will need to use a stronger, phishing-resistant MFA. Finally, Salesforce will require step-up authentication for users attempting a sensitive or unusual action, like exporting a large file.

I don’t have to tell you that these kinds of changes can often be met with resistance. Laura recommends framing things in terms of what they protect your users from. Does a salesperson really want a hacker to email everyone on their contact list from their account? It’s not about making you jump through hoops—it’s about protecting you from real risks.

Security Center Essentials and Health Check give admins a central view

We also checked in with Sabrina about how her team is trying to make it easier to get a handle on essential security configurations across the platform and what settings are most critical. Coming in July, the new Security Center Essentials will let you see everything in one place instead of having to wade through a bunch of permissions and toggles.

Health Check will help you prioritize which changes will get you the biggest bang for your buck, and help you track your security posture over time. “It’s all about allowing admins to navigate the security space in a way that helps to reduce the complexity and provide some guidance,” Sabrina says.

There’s a lot more from Laura and Sabrina about security on Salesforce and what’s coming next, so make sure to listen to the full episode. And don’t forget to subscribe to the Salesforce Admins Podcast to catch us every Thursday.


Full show transcript

Mike Gerholdt:
This week on the Salesforce Admins Podcast, we're talking security with Laura Pelkey and Sabrina Simeroth. The threat landscape is moving fast and with AI in the mix, attackers are getting better at targeting privileged users like Salesforce Admins. But in this episode, it isn't about fear, it's about readiness, trust, and the systems admins can put in place to protect our orgs. We'll cover MFA enforcement, phishing-resistant MFA, step-up authentication, and how Security Center Essentials gives admins a clearer view of the settings that matter most because today's admin isn't just managing features. They're designing secure, trusted systems that help businesses move forward. So, let's move forward with this podcast and get Laura and Sabrina on.
So, Laura and Sabrina, welcome to the podcast.

Laura Pelkey:
Hello?

Sabrina Simeroth:
Thank you. Thanks for having us.

Mike Gerholdt:
Absolutely. Well, it's always good to talk security. I feel like I was watching the news the other day and they talk about kids when they go to school and then they have the summer off and there's that summer slump of information. I feel like maybe over the summer we kind of have a security slump because we're taking time off and we're going to water slides and watching tornadoes in the Midwest, but maybe I'm just crazy thinking about that. Laura, why don't you catch us up and tell us what's going on with security and some of the newest things in summer 26?

Laura Pelkey:
I would love to. And I was just going to say our catchphrase, which I feel like I repeat every time we do a podcast together and that security never sleeps even in the summer.

Mike Gerholdt:
Oh, yes. Right. That could also be a fun summer action film.

Laura Pelkey:
Yes. I would see it.

Mike Gerholdt:
I would.

Laura Pelkey:
Yeah. So, I mean, we're halfway through the year, which is crazy already. And I'd say in the last year we have seen the security landscape and the threat landscape shift tremendously. And especially, I mean, I think a lot of people at Salesforce and a lot of people who are listening are very aware of and use on a day-to-day basis, AI nowadays, which is great. It's a very powerful tool. But what we're seeing in the security landscape is that AI-driven cyber threats have emerged and hackers have really up-leveled their ability to create and execute targeted cyber attacks faster than ever before. So, it's kind of crazy the speed at which this is happening. And unfortunately, I think we're going to see their capabilities get better and better as these tools evolve.

Mike Gerholdt:
Well, that's not fair. We're supposed to use AI for good.

Laura Pelkey:
Yeah. Well, the good news is, so yes, I agree. The good news is that providers are now using the same AI models or better AI models if you're in the lucky groups to enhance the security of their platforms and products. So, now the playing field has really been evened out.

Mike Gerholdt:
Well, that's good.

Laura Pelkey:
Yeah. But we're in a really interesting time right now with cybersecurity and AI.

Mike Gerholdt:
I mean, I feel like everybody's trying to figure out AI and now that kind of only muddies the water of impersonating other people or the speed at which it can replicate good or bad effective use of, I don't know, text messages or different spoofing. Can you walk us through how does Salesforce leverage AI to proactively block the type of threats that you're seeing today?

Laura Pelkey:
Yeah. So, there are some really common threats that just across the industry we're seeing that AI is being used for. So, account takeovers and this is a really common one. This is where an attacker might use AI to create a phishing campaign, which targets users and tries to get access to their account. And then once they're inside a user account, they can then utilize all of the privileges that that user has to continue carrying out their attack. So, it's really about getting credentials, finding creative ways to get around our existing solutions to get those and then get that user profile and exploit it.

Mike Gerholdt:
Yeah. I think one thing that you've pointed out in the past is identity-based social engineering. So, I'd love for you to kind of expand on what makes admins and some privileged users such high-value targets for that.

Laura Pelkey:
Yeah, that's a great question. So, identity-based social engineering is when attackers create very highly personalized phishing campaigns and this can be phishing. Traditionally, we saw that with email five years ago it was primarily email. Now we're seeing phishing campaigns and especially with the help of AI, attackers are conducting these campaigns over voice calls. So that's called vishing or voice phishing. And admins are such an appealing target for these attackers because they're privileged users, they have such a high level of privilege and they can do almost anything within their Salesforce org. And so, that persona in general is highly targeted by attackers because of their level of access.

Mike Gerholdt:
What would you suggest an admin listening to this do today to start just being ready for if that phone were to ring and it was a malicious actor on the other end?

Laura Pelkey:
Well, I mean, we always say use common sense. So, there are a lot of built-in protections that I can talk about within the Salesforce platform that will help protect admins, which is great and I'll talk about those in a minute. But if that ever happens, if you are an admin and you get a call from a number that you don't know, from a person that you don't know claiming to be your help desk or claiming to be even Salesforce in some cases and they're asking you to log into your Salesforce account for them so that they can help you do something, that's typically how these things are positioned, that kind of scenario is never going to legitimately happen. No one's going to call you or email you and send you a link and ask you to log into your Salesforce account ever. That's just not something that we do.
So, look for red flags like that. And in general, whenever you're suspicious about something from a cybersecurity perspective, the best thing to do is disengage with whoever is trying to speak with you or engage with you and get you to do something and then hang up the phone, don't email back whatever it is and then call your help desk line or call your Salesforce account person at a number that you already have and that you are already confident in and that way you can verify if that interaction was real or not.

Mike Gerholdt:
Yeah. I think the thing that always struck me when you would bring it up or somebody from your team, Laura, would bring it up is it's that human nature side that they try to take advantage of like, "Oh, you want to be helpful and you don't want to cause a problem." And so, you just kind of go along with it and it's like, yeah, you're not causing a problem if you just say, "Let me call back the number that I trust and talk to somebody there."

Laura Pelkey:
Yeah. Yeah. And you can do that in any scenario. If it's like your bank, someone calls and says they're from your bank and they're reaching out to you, that probably isn't going to happen. So, what you said, Mike, is exactly right. The reason that people are exploited is because we have these human behaviors, which human behaviors are great. They make us who we are, but false urgency is one of these tactics that attackers will use and they'll try to get you to do things quickly without really thinking about it. So, if we feel like goosebumps or we kind of have a weird feeling about why is someone calling me and asking me to log into my account, we can just stop and think and that's the best thing you can do to break this cycle.

Mike Gerholdt:
Yeah, absolutely. Well, let's talk about some of the security enhancements that have come out over the last few years. I mean, we have MFA and we have a whole bunch of other things.

Laura Pelkey:
Yeah. Yeah. So, we're very aware that this threat landscape has shifted and that it's our duty to protect our customers' data as it always has been at Salesforce. We take that super seriously, trust. Trust is our number one value. And so, to better help our customers protect themselves against these quickly evolving threats, we have some new enhancements and some new requirements in our platform that will help harden our customers' security posture against these kinds of attacks. So, one thing, I'll only talk about a few, but one thing, and everyone really should be using this because it's been around for a while, is MFA, like you said, Mike. And I think we had started requiring customers to use MFA back in early 2022, I think. So, it's been quite a while, but we're actually going to be enforcing that. So, rather than being contractually required, it's going to be enforced in the product, meaning you may not be able to log in if you are not using MFA.
So, this is going to happen starting in June. There's a phased rollout based on sandboxes and production environments. So definitely check out the documentation for the exact dates, but it is starting now. So, soon all Salesforce customers will need to use MFA to log in.

Mike Gerholdt:
And I know we've done security workshops. I've seen you present a lot. One of the questions (and inevitably the person that is listening to this is like, "Yes, Mike's going to ask this question") that comes up in all of the security workshops is, "Well, we use SSO to sign in. Do I still need to use MFA?" And we just threw out a whole lot of acronyms there, so I'll have you explain them too.

Laura Pelkey:
Yes. So, SSO-

Mike Gerholdt:
Alphabet soup.

Laura Pelkey:
SSO is single sign-on. That's a great question, Mike. So, if you do use SSO to access your Salesforce instance, then that does satisfy the requirement, but we ask that you also use MFA on top of your SSO. SSO is great. It's a great tool to make it possible so that you don't have to remember a million passwords for all of your work apps. It's awesome. Just have to remember one, but as long as you are using MFA to access your SSO, you are satisfying this requirement as well.

Mike Gerholdt:
Awesome. You explained it and you used all the alphabets too.

Laura Pelkey:
All the letters in the alphabet. Yeah.

Mike Gerholdt:
It's like MFA is like bacon and SSO is like a cheeseburger. It makes it better.

Laura Pelkey:
Yeah, exactly. Yes, I love that.

Mike Gerholdt:
Because MFA is also just good on its own. I mean, I'll just eat some bacon.

Laura Pelkey:
Yeah. So you can either use MFA for direct logins directly into the UI or with your SSO login.

Mike Gerholdt:
So, this makes me think of, you talked about phishing. Oh, boy, this is where audio doesn't serve me well. Phishing and vishing, which there's the PH and the V, but because I'm from the Midwest, you can't hear the difference. Could you explain the difference between standard MFA and phishing-resistant MFA?

Laura Pelkey:
Yes. So, yeah, this is actually kind of a newer... Think of it as a supercharged form of MFA. So, with traditional MFA, you have two layers of verification before you can log into an account. With phishing-resistant MFA, you are actually bound to a specific site when you're logging in, which makes it harder for attackers who are trying to get you to log into those fake websites that might look real. It actually helps prevent that. So, that's why we call it phishing-resistant MFA, because that is a really common thing for phishing attacks to leverage is these man-in-the-middle fake websites where you think you're logging into your actual tool or product, but you're logging into a fake version of it. And another thing that's great about phishing-resistant MFA is most users of this use biometrics as their second form, so like a fingerprint or a retina scan depending on the device that you're using to log in.
So, that just makes it, again, harder to fake and harder to intercept. So, most companies are moving towards phishing-resistant MFA as it's so effective, which is why, starting in June, so this month, we are requiring system administrators and privileged users to log in with phishing-resistant MFA.

Mike Gerholdt:
And why is that?

Laura Pelkey:
Because those are privileged users like we talked about, they're highly targeted. They're more targeted than their regular user and they have such a high level of access that if their account, especially were to get compromised like an admin, it could cause a lot more damage. And so, we want those folks to be extra, extra protected. So, phishing-resistant MFA we feel is the best thing to ensure that those accounts and those users stay safe.

Mike Gerholdt:
I like that. Now I know I've had to roll out different features to users and sometimes you can't do it fast enough because they love it and other times it's getting them to eat their vegetables. For admins that are worried about user friction with MFA, what would your advice be?

Laura Pelkey:
Well, hopefully your users are already using MFA. If they're not, we often find that if an admin holds a training, some informational sessions with their users, some kind of enablement before this change happens and also talk to them about the value that this provides to them. The last thing a salesperson, for example, would want is if their account got hacked and then their clients are getting emails that are sent from them, which are actually malicious. They don't want that to happen. No one wants that to happen. So, just there's some enablement materials that exist on the help portal that could be helpful, but really it's admins explaining and enabling their users why this is so important and helpful.

Mike Gerholdt:
One last thing, admins love reports and I feel like isn't Salesforce doing something to help admins set up different kinds of reports or report actions to understand maybe when a user would log in that's outside of the normal behavior?

Laura Pelkey:
Yes. Yeah, I love that. Yeah. So, this is another enhancement that's coming this summer and it's called Step-Up Authentication and we're doing it for report actions and for anomalous report behavior. So, let's say one of your users all of a sudden wants to export a very large file or something. There's something kind of unusual about this. Anomalous is the word we use in the security community. Our platform is now able to flag that and will cause a step-up authentication toggle to happen. And if you're not familiar with what step-up authentication is, it's basically like having to re-log in after you've logged in, which I know might sound annoying, but there is a really good reason for this. So, I always think of it as like the airport analogy. So, when you go to an airport, you have to show your boarding pass and your ID to get through the security line, right?

Mike Gerholdt:
Mm-hmm.

Laura Pelkey:
And then once you're through security in the airport, you have the freedom to kind of walk around, go get a coffee, go get some food, maybe go to the bathroom and you have freedom of movement because these are not sensitive actions, what we would call in security. But when you get in line at your gate and you're trying to board the plane, you have to again, show your boarding pass in order to get on the plane. And that's actually a step-up authentication. You can think of it like that. This is because getting on the plane is considered a highly sensitive action and requires additional identity verification. And so, that's what we're trying to do within the product. So, say an adversary or an attacker did get access to your Salesforce instance through a user and now they're inside and they're trying to do sensitive things or they're trying to do things that are very bad, we are now able to force them to verify their identity again, which would likely stop that action.

Mike Gerholdt:
Nice. Well, here's your Starbucks, but you can't board the plane.

Laura Pelkey:
Yeah, exactly.

Mike Gerholdt:
I like it.

Laura Pelkey:
I mean, if you lose your boarding pass in the airport, you can't get on the plane, right?

Mike Gerholdt:
I mean, you should-

Laura Pelkey:
Oh, wow.

Mike Gerholdt:
It also probably means I've lost my phone and the whole day is just going downhill from there.

Laura Pelkey:
That's a big problem. Yeah.

Mike Gerholdt:
I know.

Laura Pelkey:
But that's the thought behind that.

Mike Gerholdt:
Sabrina, we didn't forget about you. It's usually Laura has a long laundry list of things to talk about, but I'd love to bring you into the conversation. First of all, I think this is your first time on the podcast, so tell us a little bit about what you do at Salesforce.

Sabrina Simeroth:
Yeah, thanks so much for having me again. I am a product manager in our trusted services space for a product many of our admins may have heard of, Security Center.

Mike Gerholdt:
Oh, yes, we've heard that. We like that. Yep. You should put it on T-shirts. We'd wear it.

Sabrina Simeroth:
Yes. And then also a lot of folks don't know that this team also actually owns the Health Check, which is available for all admins as well.

Mike Gerholdt:
We like Health Check too. That's a fun one to demo. You've created good demoing products. You know that?

Sabrina Simeroth:
Thanks. Well, we've got more actually.

Mike Gerholdt:
Well, let's talk about those because I think there's a Security Center Essentials launching in early July. Am I correct?

Sabrina Simeroth:
Yes. Yes. So, we are launching a version of Security Center that will be made available in all orgs this summer and you are absolutely correct, that is going to be starting in July. So, a very fast follow to some of these changes that Laura has been talking about and really, hopefully this product will actually help alleviate some of those concerns and worries of admins who are looking to comply with some of these changes that are coming out in the security space.

Mike Gerholdt:
Can you just bring us up to speed on what some of those core problems or pain points were that this is going to help?

Sabrina Simeroth:
Yeah, absolutely. So, for admins, security configurations can kind of be really hard to navigate. They're found all across the platform and it's really kind of hard to know what is most critical. So, Laura was talking about things like MFA enabled. These are configurations that you can actually enable through certain permissions as well as toggles and setup. So, these types of security configurations are exactly what we are trying to provide visibility to admins so that they have a single place to see critical security configurations like their session settings, their MFA enablement, how are they set up to allow their users to actually enter the system, whether they're restricting it through login IP addresses and how do they have installed packages, external connected apps set up in their org. All of these things can impact their security and what information bad actors could get to depending on how they have their users configured.

Mike Gerholdt:
Yeah. I know you listed... This is going to be so cool, by the way. I loved when we had Health Check and we still do, and I love that this is getting available to everybody. You mentioned some of those metrics. I know there's about seven of them, I believe. If you're a Salesforce admin who's listening to this podcast and you're like, "I don't know where to start." Of the metrics that will be provided in Security Center Essentials, what do you think the biggest bang for the buck is in terms of improving their security posture?

Sabrina Simeroth:
Yeah, a great question. So, we're initially launching with a curated set of seven metrics. That's kind of our MVP for our rollout. We're going to have a very fast follow-on where we're expanding the number of metrics that will be very curated, very targeted to the things that they need to look at and that are probably most critical. The first one of the seven that I would say is really essential is that Health Check. So, one important thing is when we say Health Check is going to now be made visible in Security Center Essentials, Health Check contains about 44 configurations that are critical for your security. And with those configurations, Salesforce actually takes a stance on here's what we recommend is the way to configure those settings and have that set up so customers can actually take action and see if they're in compliance with that.
So, the Health Check is going to probably be the biggest bang for the buck. And the great thing about pulling this into Essentials is now you can kind of track as these configurations change over time, you can see when those changes happened, how those changes occurred, and then you can take action to remediate that. So, Health Check contains those configurations around identity that we were just talking about enabling MFA, enabling SSO, how those are set up, what are your password policies and all of that information will be contained into this metric that they can monitor changes to those configurations.

Mike Gerholdt:
We'll play devil's advocate here for a second because I know some admins are listening and they think, "Well, that sounds cool. And the big organizations that have all the fancy bells and whistles will probably really benefit from this." Do you think smaller organizations will find value in some of these features as well?

Sabrina Simeroth:
Absolutely, because the things that we are talking about are the configurations, the critical items that actually impact every organization. It shouldn't really matter the size. These are the most critical things that administrators need to be aware of in order to ensure that they have an appropriate level of security, that there aren't gaps in their security posture. So, these are definitely things that impact all orgs of all sizes. And it really is allowing admins to navigate the security space in a way that helps to reduce the complexity and provide some guidance. And again, this kind of transcends whether you are in a very small environment, very few users because this is more configuration based, or you have a very large environment and many environments to manage.

Mike Gerholdt:
Yeah, no, that's really good. I think sometimes you forget how much there is out there and the best security is the stuff you never see because everything just works properly. So, this is great. I'm excited for it. I think come July, admins will be coming back from some PTO and have fancy new dashboards and things to look at.

Sabrina Simeroth:
Absolutely.

Laura Pelkey:
I can't wait. Also, I don't know if we can talk about this, but there's a couple of things on the roadmap that might be really interesting to admins too.

Sabrina Simeroth:
Yeah, absolutely. Yeah. So, like I mentioned, this isn't the end. So, the initial launch is just getting us started. As kind of a fast follow to the July launch, we will be incorporating even more metrics around providing visibility. Laura, you were talking about those privileged users and specifically there are certain permissions that are associated with administrative level permissioning. Those are kind of the targets for any users that have those permissions. That's where we want to try to find the weak spots and get in there. So, we are actually going to be pulling in our permission metrics, some related to this like export exfiltration, modify all data, those administrative permissions, exactly what's called out in this new phishing-resistant MFA enablement required for those types of users. We will have permission metrics so that admins can now monitor when there are changes to that access, who's granting that access, when is it being granted and they can take action to make sure that those permissions are limited to only the users that need those.
And we'll continue to produce more metrics and visibility into some of these critical configurations and expanding that information in the months to come following the initial launch.

Laura Pelkey:
That's amazing.

Mike Gerholdt:
So there will be even more fun stuff to see at Dreamforce this year.

Sabrina Simeroth:
Yes, absolutely.

Mike Gerholdt:
I think in closing, because I could probably sit around all day and talk security, Laura knows that, but I'll start with you, Laura. And this question's for both of you. If everybody listening took only one action after listening to this podcast to prepare their orgs for the upcoming security changes, what should that single step be?

Laura Pelkey:
So, I would recommend immediately after listening to this going over to the help portal, help.salesforce.com and looking at our documentation where we're outlining all of the enhancements happening this summer. And there's a full list. It's going to give you all of the dates, all of the enforcement details, all of the pre-work, if there is any, to get your org ready for these enforcements that are coming out and we'll get you all set up so that it's a really seamless transition.

Mike Gerholdt:
That's great. Sabrina, do you have anything to add to that?

Sabrina Simeroth:
Yeah. No, I think Laura, her answer is perfect. I think gathering information ahead of time is so critical to ensure that you have a smooth rollout. So, definitely take a look at the help articles and then also leverage resources if there are questions around what these things are. There are so many resources on our help documents to help guide admins around what is this, what are the impacts and how do you implement these critical configurations? And I think that that's the first step.

Mike Gerholdt:
I know I've worked a world tour before and this leads me into my last question because I pointed out our trust and help services and where we used to have release notes. But if admins had a specific question about these enforcement changes and how they'll impact their unique org configuration, where would you suggest they go?

Laura Pelkey:
If they have an account success person, definitely ask them. They can also go to the Trailblazer community and we're engaging with customers there on these things. So, that's my recommendation.

Sabrina Simeroth:
Yeah. And I think Laura, you mentioned there are a couple of articles that have come out to help them prepare for the MFA enforcement and the specific things that we are enhancing. So, those are really great resources and those can also be found on the help.salesforce.com website.

Mike Gerholdt:
Yeah. And I can go ahead and link those in the show notes.

Sabrina Simeroth:
Awesome.

Mike Gerholdt:
So people can click on those.

Sabrina Simeroth:
That'd be great.

Mike Gerholdt:
Laura, Sabrina, thank you so much for coming on. I know there was a lot to cover and we could do this every month, I'm sure, and have a new fresh topic, but admins always need to be security minded.

Laura Pelkey:
Yes, we love that.

Sabrina Simeroth:
Yes, absolutely.

Laura Pelkey:
Always great chatting security with you, Mike.

Mike Gerholdt:
Absolutely. Well, I'm sure we'll do this again for the winter release or sometime before Dreamforce to get admins ready for that as well. So, thanks for coming on the pod.

Laura Pelkey:
Thank you.

Sabrina Simeroth:
Thanks for having us.

Mike Gerholdt:
Huge thanks to Laura and Sabrina for making security feel less scary and maybe even a little fun. We covered AI threats, MFA, suspicious phone calls, airport analogies, and why admins should absolutely know what's happening inside Security Center Essentials. Now be sure to check out the show notes for the resources we mentioned. Subscribe so you don't miss an episode. And then finally, share this with an admin who enjoys trust, dashboards, and keeping bad actors off the plane. Until next time, we'll see you in the cloud.