Getting Datorama Security Right!

User Management in Marketing Cloud Intelligence

We’ve often spoken about automating reports, building APIs (Application Programming Interface) and customizing ‘Dashboards’ in Datorama, now known as Marketing Cloud Intelligence. This time, we’ll talk about improving Datorama Security and managing user permissions at scale. Whether you are an end user or an IT Lead, security is everyone’s responsibility. Data breaches can prove very costly, in more than a few ways. Fortunately, Datorama offers security features that create stronger controls for platform Admins and IT professionals.

Adding Users to the Platform

Adding users to your organization’s specific Datorama setup is easy and requires few steps to accomplish. As an admin, login to the platform, navigate to the manage users tab, select ‘add new’ and invite users through the Access Invitation tab.

Manually changing user roles, adding and removing users within the platform can be time consuming, but smaller numbers are easily managed. However, as you expand as a company, mistakes are made, and security breaches can occur due to remote access vulnerabilities, shared accounts, externally shared links and default (weak) passwords.

To further protect the security of your Datorama platform, administrators should consider measures such as Single Sign-on. This is encouraged as a standard procedure for mid to large enterprise companies, but security of your Datorama data should be taken seriously, regardless of the size of your organization. It only takes one incident.

“Datorama offers significant support in managing security through password reset, user management and multi-factor authentication. However, less than 1% of our clients enable Datorama SSO. We think everyone should have a plan to do so”.

Improving Data Security with Datorama Single-Sign-On

Single-Sign-On (SSO) providers are used by companies to increase security, maintain compliance and reduce the frustration of employees from having to manage multiple usernames and passwords.

Single sign-on or SSO is defined as a session and authentication service that commits a user to one set of login credentials. A single username and password are all that will be required to access multiple applications governed by your organization. This places security in the hands of the professionals and these efforts are typically led by Information and Security Services, using authentication providers like Okta, Azure Activity Director, RSA and Last Pass. Note: DF is not a Security company. We are neither offering legal advice, nor providing recommendations related to your security strategy. Talk to your Salesforce Account Executive and your Head of Information Security for details.

Take Datorama Security Seriously

When you set up SSO, your identity and authentication provider (e.g. Okta) authenticates every user in the system across your organization. When a user wants to access Marketing Cloud Intelligence, Slack, or Outlook, all processes, policies, and security features that were set up with your identity provider are applied and any previous access rules established by single platforms like MCI are overridden, including MFA (Multi-Factor Authentication), and password resets.

If you’re considering the use of SSO for your Datorama access, speak with your Datorama Admin and your Security Lead before taking action, but for “Intelligence” providers managing automated reports and Datorama dashboards, read on.

Adding 2,000+ Users to Datorama, No Problem

Decision Foundry provides client specific strategies for further safeguarding your Datorama data, reducing disruptions and speeding up your SSO user migration process.

Adding and Transitioning 2,000 Datorama Users at Scale

As a Salesforce MSP (Managed Service Provider), Decision Foundry is often brought in for training, maintenance, troubleshooting and growing client’s use of Marketing Cloud Intelligence. For example, two well-known companies recently merged, forcing the change of email ID domains for all employees. In order to streamline this, Datorama Single Sign-On was enacted to increase security for the new company after the merger.

Company X previously used an email ID of user1@companyx.com. Datorama stored this ID and password and governed the profile access accordingly.

However, when the merger occurred, the companies became one and a revised email ID for all employees was necessary. User1@companyx.com became User1@combinedcompany.com while the previous email ID continued to be stored by Datorama. Just so you are aware, Datorama contracts allow for a certain number of profiles that can maintain direct access to view, filter, and edit data. Anything above that license threshold will create pricing discussions, unless the previous email IDs are purged. See your Account Executives for details.

In this instance, many organizations force the platform user to create a new Datorama profile ID. Then, the original IDs are removed and what follows is a series of unfortunate misadventures with unintended consequences.

Employees leave organizations leaving Datorama Admins with no official separation records.
Profiles are inadvertently removed, and legacy roles and permission are difficult to understand or maintain particularly for larger organizations where hundreds or even thousands of users are involved.
Employees go on vacation and return with no access and/or existing Datorama users log in and quickly find themselves locked out.
Previously set passwords are weak creating remote access vulnerabilities.

Many of these issues can be mitigated by implementing SSO, making system administrators responsible for authentication and access without Datorama. Salesforce provides high level instructions for helping you with this process. Regardless of whether you use SSO, a careful set of documented processes and procedures should be followed to avoid user frustration, unnecessarily burdening IT and Admin technical support, addressing persistent Datorama licensing questions and reducing or removing, potential business disruption.

Improving Datorama Security with SSO

Here’s how Decision Foundry managed the migration of 2,000+ users of Datorama requiring SSO, within a single day, with no updates and/or changes from any users and zero disruptions.

Due to the scale and limited time available in making the updates on Datorama, manually updating the settings of each user account was not an option and we decided that automating all the processes involved would be the most efficient approach.

This was achieved by making efficient use of the ‘Platform API’ feature on Datorama that allows special coding to perform large scale changes across multiple accounts on the platform. The Platform API was created to allow partners to build tools on top of the Intelligence application that automate processes or add customization, in an expandable format. We used Platform API to create permissions for, remove and update new users, using a custom ‘Python’ script, which a form of computer coding.

Once our script was developed and tested, it facilitated updating the email ID domains of all 2,000+ users, spread across multiple accounts and business groups within 2 hours. Then, the new email IDs were fed into a process created within the platform which maintains a record of all user accounts. This was accessed by the company’s Security teams to have a common repository of all accounts onboarded on Datorama.

In the next step of the process, each of these users were required to log into Datorama via an SSO application. Although the email IDs were updated by the organization’s IT team on this portal, the email ID associated to the Datorama application had not been changed. The custom Python script, the internal process mentioned above, was combined with inputs from the client’s IT team to enable changing the email IDs on the SSO portal with no manual intervention.

The entire process was carefully designed and tested in advance, so rapid deployment was possible. Datorama users faced no disruptions with accessing their workspace and the migration was successfully completed.

Below is the process flow of the steps involved:

Summary

Whether you’re storing 10,000 campaign records within Datorama or servicing multiple agencies and brands across the globe, the security of your data is critical. It only takes one breach to undo everything your organization has accomplished. Fortunately, Marketing Cloud Intelligence provides strong capabilities using a variety of security technologies to help protect your information from unauthorized access, use, or disclosure. However, applying technology is only part of the solution.

Take data security personally. We recommend 6 steps to better safeguarding your data.

Educate your employees on security, constantly.
If you are managing large systems of records like Datorama, meet with your CISO (Chief Information Security Officer) and familiarize yourself with critical processes, procedures, and updates.
Consider organizational certifications such as ISO (International Organization of Standardization), and SOC (Security Operation Center), to name a few.
Review your policies around data partners closely.
Strongly discourage or prohibit account and external links sharing. If you have to share links, consider tools such as MD5 to hash your URLs. It only takes one incident!
Hire MSPs that respect and understand security. It only takes one breach of security to undo everything.

About Decision Foundry

Decision Foundry is a Salesforce, independent software vendor, managed services provider, and a certified award-winning Salesforce Marketing Cloud integration partner. Decision Foundry closes the gap between data accessibility, platform adoption and business impact. Our consulting services include the integration of Data Cloud, Account, Engagement, Personalization, Tableau, and Intelligence.