Marketo and Marketing Automation Security
In this How To, I’ll review the principles and settings you should use to secure your Marketo or Marketing Automation Platform’s instance.
Why Secure Your Instance?
While every Marketing Automation Platform (MAP) vendor will build their system to minimize the potential for system break-ins, the reality is no service is 100% secure, 100% of the time. It is incumbent upon the MAP Admin working with IT policies to help secure an instance.
Surprisingly, I haven’t heard of any breaches or data losses from an ESP or MAP. That doesn’t mean it hasn’t occurred! Many teams are slow to disable old users. Networks could have been breached for years. Sometimes you may never know!
The good news is you can apply system administrator principles to your marketing technology to minimize the risk to your organization. You can minimize people’s mistakes as well as system flaws that a criminal could leverage. As a MOPS leader, here is how to think about security.
Principles of System Administration
Back in the day, I was in tech support and dabbled in system administration, setting up Unix, Linux, and Exchange boxes. I learned from some of the crusty admins you imagine run these data centers (they are real) and they are very smart.
While a marketer doesn’t have to be a sysadmin first, anyone who is an Admin of a Marketo instance in Marketing Operations has to think a little bit about system administration. This is YOUR baby now and you have to be responsible. If IT isn’t going to own or run your martech stack, then it’s up to you to learn some of how the IT pros handle their systems.
System administrators first emerged in the 1960s as mainframes took over back office functions at large firms and governments. The culture of the sysadmin (and the grumpy tech support guy) coalesced around a group of Unix administrators and programmers in the 1970s. Their culture and programming security concepts became dominant.
This short history is important because administration of any software tool is a key task that can make or break an implementation in milliseconds. Your approach as the administrator also sets the tone for how people respect and use the tool as non-Admins. I believe this is crucial for marketers who own the MAP to understand, and it is why I believe the sales, marketing, and technology background makes the most successful SMB admin.
As the Administrator, you have the power to do anything, including grant new users access. Use this power wisely, especially if you are new to being an Admin.
How to be a Marketing SysAdmin
More likely, you will be called a Marketing Operations Manager or Director, laying out the rules of the system and coordinating business needs against the realities of the tool.
- Know your system.
- Understand the interconnection points between the MAP, CRM, Website, and other databases. [Martech Stack Map]
- Keep a record of vendors, active, inactive, connection points, permissions.
- Grant access on a need-to-know, need-to-access basis, with the least permissions possible. Even executives who need reports should only receive access to reports, or be sent them securely, without system access.
- Regularly question the need for changes to ensure the right changes are made.
- Modularize marketing programs and centralize data processing to reduce the need for future work when changes are needed.
- Fiercely protect the system, but avoid being obstructionist to business needs. Offer solutions.
A business is not a democracy, neither is the running of a top-down marketing automation system.
This is a hierarchy and you set the rules from the top down; you are granted the highest level of access you need to do your job. None may receive any access unless you trust that person at each level of access and skill.
If you are coming from marketing, this may be a bit of a shock to you: you are used to sharing and being open. The reality is a MAP is a real server that is now mission critical to your ability to generate leads, nurture leads, and keep the sales funnel full. If that system breaks, it breaks the front end of your business very quickly.
Thus, you must be protective of access to the MAP and of access to key workflows like Lifecycle and Routing. You must also consider that an untrained marketer who can send 1,000,000 emails without supervision can cause huge damage to your brand’s reputation in seconds.
You must treat a MAP as you would your bank account – because it is your organization’s database with the personal information of thousands or millions of trusting clients. Your MAP contains precious data on the health of your business, which if released inappropriately could move a stock price or damage your brand.
Now that I’ve made you paranoid, the principle is you should treat your system like a sysadmin; and your audience like a marketer.
Each marketing automation platform has a unique view of the world and a unique setup, so please be sure to read all of the documentation before attempting a change.
How to Secure a Marketo Instance
Whether you have a brand-new instance today or an older instance, you can still lock it down to comply with your organization’s IT policies or go further. As GDPR goes live on May 25, you need to further consider security because the policies you follow will be examined in case of an incident. Failure to have a policy or enforce it never looks good during a government audit. At the very least, consider the damage to you and your brand if a hacker stole your customer information because your MAP was the weak point in your firm’s infrastructure.
Users and Role Security
Understanding how Roles and Users work together is important to maintaining the security and integrity of your database.
If you have a Creative vendor, perhaps you want to let them upload HTML code. But do you really want them to have access to your valuable contact database? Do you really want the new guy or your intern to have the power to delete campaigns or data?
No, you don’t.
So assign them to a limited role until you are comfortable with their skills.
Your system may treat users and roles differently than how I show them here. Since access to the system is restricted, you should make careful choices about the level of access provided to each user and which users can receive a username.
Enterprise Admins should establish a process before granting access to other staff members. I receive requests all the time to add Users and a simple question ends most requests: “What do you need the access for?”
|Role Name||Access Level||Assign to This Kind of Person|
|Admin||Admin, default||CRM Administrator, Power Marketer or lead marketing automation person.|
|Marketing User – Limited||Do not use the default Marketing User. Restrict certain things like list uploads, Forms, Templates.||Web designer, graphic designer, external vendor. Consider restricting approvals.|
|Marketing Super User||Run campaigns, approve assets||Marketing Managers, Marketing Operations. Limit list uploads, Forms, Templates.|
|List Uploader||Limited to importing lists and running campaign flow actions.||If you have a database manager who does this for everyone, use this.|
Initially, you can rely on user permissions and Role based permissions to secure your instance. However, this means having an understanding of the access permissions and the types of people you want to have in the instance. This responsibility also means saying No to people who “just need a little more access…” While I want to trust my colleagues, the reality is untrained Marketo users can easily destroy data or send out the wrong email.
Things to know:
- A login email address must be unique forever and across all Marketo instances, including Sandboxes. This means you can only have firstname.lastname@example.org in a single instance as the login.
- Gmail and some other providers allow email@example.com to create an alias that is tied to your box.
Smaller firms tend to have looser policies when adding users. However, I strongly recommend considering basic policies to reduce errors:
- Minimize Admins. Not everyone needs Admin access.
- New Users get the lowest permissions possible. Usually this is “New User” until they are trained in your firm’s ways.
- Marketo Users or Marketo Certified Users can have higher access, however, I usually conduct training first before allowing someone the ability to activate batch or triggers.
- Train each user in your organization’s specific nuances.
- Conduct Quarterly or Monthly reviews of the User list.
- Real People Users who haven’t logged in within 2-3 months should be asked if they still need access. Otherwise expire them.
- API Users – make sure those systems are still paid up and needed. Disable old tools quickly.
Larger firms should review IT policies and attempt to comply with User Management and security levels below.
Keep track of active users in a table and check it monthly and whenever staff leave. Since your vendor may charge for the number of marketing users, keep an eye on this count.
Use this handy table to keep track of your active and inactive accounts.
|No.||Name||Username||Role||Workspace||Assigned On||Deactivated On|
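One way to run the monthly review described above against the tracking table, as an added example that is not part of the original article or any Marketo tooling. It assumes the table is kept as a CSV with a hypothetical extra "Last Login" column, a role named "API User" for integrations, and an Admin limit you set yourself; all sample rows are constructed.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample: the tracking table's columns plus a hypothetical
# "Last Login" column that you would fill in from your own records.
SAMPLE_CSV = """No.,Name,Username,Role,Workspace,Assigned On,Deactivated On,Last Login
1,Ana Ruiz,ana@corp.example,Admin,Default,2017-01-10,,2018-04-28
2,Ben Ode,ben@corp.example,Admin,Default,2017-03-02,,2018-01-05
3,Cy Tan,cy@agency.example,Marketing User - Limited,Default,2017-11-20,,2017-12-01
4,CRM Sync,api-crm@corp.example,API User,Default,2016-06-01,,
5,Di Wu,di@corp.example,List Uploader,Default,2017-02-14,2018-02-01,2018-01-30
"""

STALE_AFTER_DAYS = 90   # upper end of the "2-3 months" rule above
MAX_ADMINS = 1          # assumption: set to your own "minimize Admins" limit


def _parse(d):
    return datetime.strptime(d, "%Y-%m-%d").date() if d else None


def review_users(csv_text, today):
    """Return {username: [findings]} for active accounts needing follow-up."""
    findings = {}
    admins = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if _parse(row["Deactivated On"]):
            continue  # already expired; nothing to review
        user, role = row["Username"], row["Role"]
        notes = []
        last = _parse(row["Last Login"])
        if role == "API User":
            # Integrations do not log in like people: check the tool itself.
            notes.append("API user: confirm integration is still paid up and needed")
        elif last is None or (today - last).days > STALE_AFTER_DAYS:
            notes.append("no login in over %d days: ask or expire" % STALE_AFTER_DAYS)
        if role == "Admin":
            admins.append(user)
        if notes:
            findings[user] = notes
    if len(admins) > MAX_ADMINS:
        for user in admins:
            findings.setdefault(user, []).append(
                "one of %d Admins: confirm Admin is required" % len(admins))
    return findings


if __name__ == "__main__":
    for user, notes in review_users(SAMPLE_CSV, date(2018, 5, 1)).items():
        print(user, "->", "; ".join(notes))
```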
Encryption and SSL
Many marketers will ignore things like SSL and encryption until their SEO tells them about how HTTPS is standard now and traffic is down. That’s funny because you’d never go to an ecommerce site without a lock on the browser, right?
Marketo Landing Pages
Marketo Forms are secure back to the instance, but Pages are not by default.
To resolve this situation and ensure your landing pages are seen by Google kindly, you must migrate to HTTPS. It is better to do this with a fresh instance, however, it is very possible with a host of landing pages as well. I’ve done it before. There are several steps, so I recommend working with your web team, SEO, and Marketo Support.
Encryption of Database
Marketo offers disk level and instance encryption; however, there is a fee, which is a percentage of the total contract. Over a weekend, Engineering will move your instance to an Encrypted Pod. There is a set of steps to follow to ensure a successful migration. I recommend this to anyone who can pay because the risk to your business is tremendous if a criminal breaks in through other means and can download your database. The advent of GDPR will be a catalyst for increased encryption beyond just transfer points.
Should you do this? If you can pay for it, yes. At some point your business (hopefully) will be high profile enough to be a target. You owe it to your audience because wouldn’t you want to know that a data breach was limited because the database was encrypted?
However, most MAPs and Marketo are not PCI Compliant, so even encryption won’t be enough for sensitive personal information such as Social Security Numbers, Passport Numbers, TINs, EINs, and Credit Cards. Please, do not ever attempt to sync this kind of data to Marketo or a MAP. Don’t ask for it on a Marketo Form or Page either.
Marketo Security Settings
Login Security Level 1: Increase Complexity
When you first log in, conduct a Marketo Audit, or want to lock down the system, visit the Login Settings panel in Admin first. If you aren’t using High Security or at least the following settings, plan to do so.
- 8 characters
- Lower and uppercase
- Special Character
- Expires every 90 days
If you have lots of users, changing the Settings will mean that at the next login, each user must change their settings to comply. You should communicate this change clearly and to everyone at the same time.
Marketo uses two-factor authentication by default.
Also, some API login users may be affected, so you should prepare a list of API logins to update and monitor to avoid downtime or lost data.
Login Security Level 2: SSO
With the advent of Identity Management and Identity-as-a-Service, your organization may use an SSO provider. The primary reason to consider adding SSO to Marketo is to allow IT to manage leavers. When someone departs the firm, you may not always know about it for several weeks, especially in a large firm. An open login from someone who was fired is a high-risk situation where they could access the database and download it, delete it, or send embarrassing emails. Sure, it’s illegal, but that won’t matter to the disgruntled employee or your customers. A secondary reason is it helps your team focus on one login-password which means they won’t keep their password pasted to their monitor (we hope).
SSO is surprisingly easy to set up. However, there are some caveats even if you follow the steps.
- Test this using your Sandbox first with your SSO Admin. Understand the steps.
- Existing Users should be told that the new SSO Tile is available. They will no longer be able to log in via normal login.marketo.com.
- New Users: you must set up a new user and apply a Role before adding them to SSO. In the SSO Tool, provide that same email address access to Marketo. No invitation email will be sent.
- Admins are exempt from SSO.
- Bypass SSO by Role: you can check a box on a Role to allow Role Members to bypass SSO and use login.marketo.com. Strongly suggest you only do this for API Users and special situations where SSO is not feasible.
- API Users
- External Consultants
Login Security Level 3: IP and VPN
To users, this is the most annoying thing you can do because remote users will need to connect to your organization’s VPN first and then log in via the VPN. The VPN will likely have SSO and two-factor authentication and only then will the user be permitted to access IP only applications.
Essentially, you can ask IT for the IP Numbers that are considered “on-site” and safe. That is, those IPs are accessible only from an onsite or VPN user who has additional physical or other security measures to act like you are “on-site.” Your Marketo instance would then only accept connections originating from that IP number list.
I consider this the final layer of security for direct access to the system.
While this won’t prevent a hacking attempt, it reduces dramatically the ability of nefarious users to gain access to Marketo because they would then need to access not only a Marketo User, but also an SSO user, a VPN user, and the two-factor to gain access to your instance. Or gain access to the physical organization network or building.
Of course, it’s entirely possible for a criminal to use malware to enter your organization through other means or through Marketo’s network. A user could be a phishing victim as well and with several layers of authentication, a phishing attack could be thwarted.
But as the MOPS Admin, you can rest knowing you locked down the system within the means you control.
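Before switching on the IP restriction described in this section, it helps to see which people and API logins would be locked out. The dry run below is an added example, not from the original article or Marketo; the allowlist entries, usernames and login records are constructed, and the (username, source IP) shape of the login data is an assumption about whatever export you have.

```python
import ipaddress

# Constructed values: "on-site"/VPN egress ranges as IT might supply them
# (documentation address space) and recent logins as (username, source IP).
ALLOWED = ["203.0.113.0/28", "198.51.100.7"]
RECENT_LOGINS = [
    ("ana@corp.example", "203.0.113.5"),         # office network
    ("ben@corp.example", "192.0.2.44"),          # remote, not on the VPN
    ("api-crm@corp.example", "198.51.100.7"),    # integration on a listed host
    ("api-webinar@corp.example", "192.0.2.90"),  # vendor-hosted integration
    ("cy@agency.example", "not-an-ip"),          # malformed export row
]


def build_allowlist(entries):
    """Parse single addresses and CIDR ranges into network objects."""
    # strict=False tolerates a host address written with a prefix length.
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def would_be_blocked(logins, allowed_entries):
    """Return {username: sorted source IPs that fall outside the allowlist}."""
    nets = build_allowlist(allowed_entries)
    blocked = {}
    for user, raw in logins:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            # Keep bad rows visible instead of silently treating them as safe.
            blocked.setdefault(user, set()).add("unparseable: " + raw)
            continue
        if not any(ip in net for net in nets):
            blocked.setdefault(user, set()).add(str(ip))
    return {user: sorted(ips) for user, ips in blocked.items()}


if __name__ == "__main__":
    for user, ips in would_be_blocked(RECENT_LOGINS, ALLOWED).items():
        print(user, "would be blocked from", ", ".join(ips))
```

API logins that appear in the result need their source addresses added to the list, or a different arrangement, before the restriction goes live.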
Users and Special Situations
Marketo Consultants struggle because we have to login to multiple instances and quickly accumulate dozens of logins since Marketo restricts access to one email address across all Marketo instances. Normally, there are two tricks to use:
- Alias Username: firstname.lastname@example.org [used with Gmail mostly]
- Group Alias: email@example.com [insecure – too many can use]
Whenever you permit a consultant in your instance, you should insist on Universal ID or the Alias Username because it is vital to know who is doing what in the instance. This also reduces the chances of an unauthorized consultant entering your instance.
But to be secure and follow audit rules, you really want the Alias Username or a Universal ID.
Universal ID is usually used by consultants or agencies; however, you can use it to access Production and Sandboxes if desired. Some caveats:
- Most strict password rules apply across instances
- Must select one ID to be your Community Profile
Using Audit Trail
Ever have a weird thing occur – why did that email go out wrong? Who changed the name of that page? Why did that smart list get deleted? With the Audit Trail, you can usually find out who did what, when!
I find this a little cumbersome to use and it works most effectively within a 24 hour or 7 day window for a specific Asset or range of asset types.
It’s really great for an Admin to go check on weird issues or perhaps a nefarious user. Not every item is logged perfectly, but I have been able to track down who mistakenly edited an email From Name after we all thought it was ok to go. Mistakes happen and so do deliberate actions.
Ideally, you can use the Audit Trail as a teaching moment with users. It also beats having to post a Support Ticket for simple investigations such as “Why did this asset change?” or “Who changed this email?”
Reducing Access Through Workspaces
Recently, quite a few people posted questions on the Nation about using Workspaces to restrict access by Business Unit or even to specific fields. Workspace and Lead Partitions can help you lock down parts of your instance, however, they work best in certain situations. I wrote extensively about how to approach Workspace Setup. Best situations for Workspaces are:
- Multi-Country or Region
- Business Unit
- Customer vs. Prospect Data vs. Partners
- Multi-Product that are mutually exclusive
For example, if Channel Marketing has separate needs than Demand Generation, it could make sense to wall them off using Workspaces, reducing the risk one team will affect the other’s efforts. Walling off teams can also reduce security risk since a breach in one Workspace may not spill over to others.
Other Privacy and Authentication Settings
You can help your audience and users with additional settings such as
- Browser Do Not Track
- Privacy Do Not Track & Munchkin Opt Out
- Require User Login to download data from Subscribed Reports
- DKIM and SPF and Branded Tracking so the internet knows it’s you.
No system will ever be 100% secure. As the MAP Owner, the MOPS leader, you need to set the tone for security among your team and the wider Marketing Organization. Marketers are not experts on internet security (nor would I expect them to be), and they often need to get things done fast. They prefer more access and more communication than most system admins would like. It’s a balance of getting it done, empowerment, and minimizing risk.
Building in security through the steps above will help you sleep well at night and stay focused on supporting the customer experience, not fighting fires.