Security Settings and Tools for Marketing Cloud Engagement
Security Settings include parameters for session timeout, username and password conventions, and lockout logic. These features help improve the security of your account.
Session Settings
Session Timeout controls how long the application remains open in a browser before the system automatically logs out. Setting a short session timeout makes it harder for unauthorized users to access your account. For example, if you log in and then walk away from the computer, the session times out. We recommend a timeout value of 20 minutes.
Username and Logins
The Login Expires After Inactivity setting prevents users from logging in after the number of days of inactivity that you select. For example, if you select 90 days and a user tries to log in after 90 days of inactivity, the user can’t log in or reset their password. To reinstate access, reset their login information. This setting helps prevent unauthorized users from exploiting old accounts. We recommend a time period of 90 days or fewer. However, this setting isn’t recommended for accounts with API users. If you enable this account-wide setting, API users must log in to the UI to prevent their logins from expiring.
The Invalid Logins Before Lockout setting determines how many chances a user gets to enter the correct password for a username. Too many incorrect attempts require the user to reset the password. This setting helps prevent unauthorized users from repeatedly guessing a password. When an account is locked, the user can’t access their account or request an activation code until the administrator unlocks their account. We recommend allowing three login attempts.
The Minimum Username Length setting determines how many characters a username must include. A longer username makes guessing the value more difficult. We recommend eight characters or more.
Multi-Factor Authentication
We recommend multi-factor authentication (MFA) to simplify the login process and add another layer of protection against common security threats. These threats include phishing attacks, credential stuffing, and account takeovers. Each account user must register at least one verification method after you enable MFA.
Password Policies
The Minimum Password Length setting determines the number of characters a password must contain. The Password Complexity setting determines the types of characters that must appear in the password.
A longer password makes guessing the value more difficult because the number of possibilities grows with each added character. For example, if a password is one letter long, there are only 52 possibilities to guess, one for each lower-case and upper-case letter. A two-letter password, however, has 52 × 52 = 2,704 possible combinations. The longer the password, the more difficult it becomes to guess. Add in the possibilities from numbers and special characters, and the difficulty of guessing the password goes up further. We recommend a minimum password length of 8 characters or more.
The Enforce Password History setting determines how frequently a user can reuse a password. The User Passwords Expire In setting determines how often users must set a new password.
Some users include a number in their password and increment the value at each change, but this technique doesn’t create a secure password. Setting a password expiration period that is too short can encourage this behavior and other problematic behavior. A shorter expiration provides more security only if it doesn’t cause users to compromise their passwords. We recommend setting the Enforce Password History value to 8 or more, and setting the User Passwords Expire In value to 90 days.
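Taken together, the Password Policies settings above (minimum length, complexity, password history, and expiry) can be modelled as one set of checks. The following Python is an added illustration written for this page, not Marketing Cloud Engagement’s own code: the numeric values are the recommendations from the text, while the required character classes (lower, upper, digit) and the plain SHA-256 stand-in for stored password hashes are assumptions.

```python
import hashlib
import string
from datetime import date, timedelta

MIN_LENGTH = 8        # Minimum Password Length (recommended value from the text)
HISTORY_SIZE = 8      # Enforce Password History
EXPIRES_IN_DAYS = 90  # User Passwords Expire In

CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
}

def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of this length: 52 letters give 52 at length 1, 2704 at length 2."""
    return alphabet_size ** length

def _digest(password: str) -> str:
    # Stand-in for the stored hash; a real system keeps a salted, slow hash, not bare SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()

class PasswordPolicy:
    # Assumed complexity setting: at least one character from each required class.
    def __init__(self, required_classes=("lower", "upper", "digit")):
        self.required_classes = required_classes
        self.history = []        # digests of previous passwords, newest first
        self.last_changed = None

    def violations(self, candidate: str) -> list:
        problems = []
        if len(candidate) < MIN_LENGTH:
            problems.append("too short")
        present = set(candidate)
        problems += [f"missing {c}" for c in self.required_classes
                     if not present & CHARACTER_CLASSES[c]]
        if _digest(candidate) in self.history[:HISTORY_SIZE]:
            problems.append("reused within history")
        return problems

    def set_password(self, candidate: str, changed_on: str) -> bool:
        # Accept only if every check passes; changed_on is an ISO date string.
        if self.violations(candidate):
            return False
        self.history.insert(0, _digest(candidate))
        self.last_changed = date.fromisoformat(changed_on)
        return True

    def expired(self, today: str) -> bool:
        # True when no password is set or the last change is EXPIRES_IN_DAYS or more ago.
        age = date.fromisoformat(today) - self.last_changed if self.last_changed else None
        return age is None or age >= timedelta(days=EXPIRES_IN_DAYS)
```

Because only the most recent HISTORY_SIZE digests are compared, a password becomes reusable again after eight distinct changes, which is exactly the behaviour the history setting controls.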
The Exclude FTP Users from Password Expiration option lets you exempt FTP users from regular password changes. If you enable this feature, we recommend FTP users frequently change their password.
To send a user a notification email when a password change occurs, select Send Password Change Confirmation Email. The email helps alert a user if there’s any suspicious activity on their account. We recommend that you enable this feature.
Data Export Settings
The Enforce Export Email Allowlist setting forces the application to export data only to email addresses on the export email allowlist. This allowlist lets you specify exactly which email addresses are eligible to receive export data and notifications from your account. We recommend that you enable this feature.
Connection Security
Connection Security provides visibility into the security protocols used to access Marketing Cloud Engagement. This section displays the connection types that are allowed to connect to the system using TLS 1.2.
Enterprise and Agency Security Settings Inheritance
Any new business unit created in an Enterprise or Enterprise 2.0 account inherits the security settings from the parent account. This inheritance also applies to child accounts created in an Agency account. All security settings continue to inherit from the parent account to the child account until you change any security setting on the child account. At that point, the inheritance ends and the child account no longer updates security settings based on changes at the parent level. You can’t reinstate the inheritance after a security change breaks it.
Audit Trail
To enable data collection for audit logging in your account, select Enable Audit Trail Data Collection. This feature collects audit logging in two separate reports available after you enable this feature. Use this information to evaluate security-related and auditable events that occur in your account. View Audit Trail records either through Automation Studio data extracts or through REST API extracts.
- Marketing Cloud Engagement Data Protection and Privacy Tools: Learn more about the Marketing Cloud Engagement tools that can help you comply with data protection and privacy requirements.
- Password Management: Learn how to reset lost or forgotten passwords in Marketing Cloud Engagement by using the password management feature.
- Single Sign-On Authentication Using SAML 2.0 for Marketing Cloud Engagement: You can configure a third-party identity provider (IdP) to authenticate your users to Marketing Cloud Engagement. Each account supports up to one SAML key.
- Modify Security Settings: An admin can modify security settings in Setup for Marketing Cloud Engagement.
- Multi-Factor Authentication for Marketing Cloud Engagement: Multi-factor authentication (MFA) enhances your Marketing Cloud Engagement login process by adding another layer of protection against common security threats, including phishing attacks, credential stuffing, and account takeovers. With MFA, a user must provide two factors to prove their identity (their username and password combination plus a supported verification method) before they can log in. Even if a user’s credentials are compromised, the additional factor helps prevent unauthorized access.
- Login IP Allowlist: Prevent users at unauthorized IP addresses from accessing your Marketing Cloud Engagement accounts.
- IP Addresses for Inclusion on Allowlists in Marketing Cloud Engagement: Add the Salesforce IP addresses to your allowlists so that your users can process login authentication requests. Allowing the entire set of IP addresses avoids unintended service disruptions caused by movement between primary and secondary instances.
- Export Email Allowlist: The export email allowlist contains email addresses and domains that are allowed to receive data exports from your Marketing Cloud Engagement account.
- Audit Trail: Audit Trail allows security admin users to view access and activity records from Marketing Cloud Engagement. Receive Audit Trail records either through Automation Studio data extracts or through REST API extracts. Retrieve Audit Trail information periodically for use in your own internal system tools.
- Marketing Cloud Engagement Shield: Use Shield to protect your data and gain insights into who accesses that data. Shield combines security products to provide trusted encryption solutions with advanced Audit Trail functionality.
- Data at Rest Encryption in Marketing Cloud Engagement: Use Data at Rest Encryption to help meet compliance and regulatory requirements without modifying application code. Contact your account executive for more information about enabling Data at Rest Encryption.
- Field-Level Encryption in Marketing Cloud Engagement: To facilitate compliance with corporate privacy policies, regulatory requirements, and contractual obligations for handling private data, enable encryption at rest for the field-level data in your data extensions. When you enable this feature, you can still use encrypted data in your messages. Marketing Cloud Engagement decrypts encrypted fields at send time.
- Tokenized Sending: Use Tokenized Sending to send contact data that is too sensitive to store in your Marketing Cloud Engagement database. You can take information from your own data systems and transmit it via API for use at send time.