Salesforce is the most widely embraced CRM platform worldwide, entrusted with handling highly sensitive data from leading global companies. Recognizing this profound responsibility, Salesforce introduced Salesforce Shield in 2015. Salesforce Shield comprises a suite of compliance and regulation-focused add-ons integrated into the Salesforce platform, offering customers in heavily regulated industries enhanced data security and compliance measures.

Shield Platform Encryption relies on a unique tenant secret that you control and a master secret that’s maintained by Salesforce. By default, Salesforce combines these secrets to create your unique data encryption key. You can also supply your own final data encryption key. Salesforce uses your data encryption key to encrypt data that your users put into Salesforce, and to decrypt data when your authorized users need it.

Salesforce Shield

Shield Platform Encryption gives your data a whole new layer of security while preserving critical platform functionality. You can encrypt sensitive data at rest, and not just when transmitted over a network, so your company can confidently comply with privacy policies, regulatory requirements, and contractual obligations for handling private data.

Salesforce Shield consists of three distinct products that work together to safeguard your organization’s data.

Platform Encryption:

Shield Platform Encryption facilitates the encryption of sensitive data at rest, ensuring compliance with privacy policies, regulatory mandates, and contractual obligations. This encryption extends beyond data transmission over networks, covering a wide range of fields such as standard, custom, activity, and file-related data. Salesforce also provides standard encryption tailored to industry-specific products like Health Cloud and Financial Services Cloud.

Event Monitoring:

Shield Event Monitoring captures and logs data access activities by all users, including accessed data, device information, and IP addresses. This data is made accessible in spreadsheet format for further analysis using data visualization tools. Integration with visualization or BI tools like Einstein Analytics enables organizations to derive insights from these logs effectively.

Field Audit Trail:

Similar to a digital Time Machine, Shield Field Audit Trail enables users to review historical field data for all records. This feature is particularly useful for tracking changes to contact, company, or case records over time. Users can customize data retention settings based on organizational or regulatory requirements.

To effectively implement Salesforce Shield, organizations should:

  1. Identify encryption requirements: Conduct a thorough audit of data captured in Salesforce to determine which fields require encryption, minimizing the risk of performance degradation.
  2. Confirm security settings: Review and adjust security settings, permissions, and access controls within Salesforce to align with organizational policies before implementing Shield.
  3. Define key access: Establish clear guidelines for managing access to encryption keys, ensuring data security and integrity.
  4. Choose visualization tools: Select appropriate data visualization or BI tools to analyze Event Monitoring data effectively and derive actionable insights.
  5. Implement notifications: Set up alerts and notifications for critical system events and establish time-based thresholds to proactively monitor data access and usage.
  6. Understand retention requirements: Determine the organization’s data retention policies and configure Field Audit Trail settings accordingly.
  7. Monitor audit history: Utilize reports and dashboards to track adherence to data retention policies and identify trends in data usage over time.
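
A sketch of the time-based threshold from step 5 applied to an Event Monitoring export, added here as an example and not taken from Salesforce or Tectonic. The CSV column names, the sample rows, and the 5,000-row / 10-minute threshold are constructed assumptions.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export. Column names and values are assumptions for this
# example, not taken from the page.
SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_IP,ROWS_PROCESSED
ReportExport,2024-05-01T09:07:00Z,005A,198.51.100.7,1500
ReportExport,2024-05-01T09:00:00Z,005A,203.0.113.10,2000
ReportExport,2024-05-01T09:03:00Z,005A,203.0.113.10,1800
ReportExport,2024-05-01T09:00:00Z,005B,192.0.2.44,4000
ReportExport,2024-05-01T10:00:00Z,005B,192.0.2.44,4000
ReportExport,2024-05-01T09:01:00Z,005C,192.0.2.45,n/a
"""

def parse_events(log_text):
    """Parse CSV rows into (time, user, ip, rows); skip malformed rows."""
    events = []
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            ts = datetime.strptime(row["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, row["USER_ID"], row["CLIENT_IP"], int(row["ROWS_PROCESSED"])))
        except (KeyError, TypeError, ValueError):
            continue
    return sorted(events, key=lambda e: e[0])  # rows may arrive out of time order

def find_bulk_access(log_text, max_rows=5000, window=timedelta(minutes=10)):
    """Alert when one user's rows accessed inside a sliding window exceed max_rows."""
    recent = defaultdict(deque)  # user -> events still inside the window
    alerts = []
    for ts, user, ip, rows in parse_events(log_text):
        q = recent[user]
        q.append((ts, ip, rows))
        while ts - q[0][0] > window:
            q.popleft()  # drop events older than the window
        total = sum(r for _, _, r in q)
        if total > max_rows:
            alerts.append({"user": user, "at": ts.isoformat(), "rows": total,
                           "ips": sorted({i for _, i, _ in q})})
            q.clear()  # one alert per burst
    return alerts

if __name__ == "__main__":
    for alert in find_bulk_access(SAMPLE_LOG):
        print(alert)
```

Listing the source IPs in each alert makes it easy to see when one user's burst of access came from more than one address.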

As Salesforce Shield is available to all Salesforce customers, organizations are encouraged to rethink their data governance and security strategies. Tectonic offers consultations to discuss and tailor data strategies to meet specific organizational needs. For further information or assistance, please reach out to us to schedule a security model discussion.

Shield Platform Encryption builds on the data encryption options that Salesforce offers out of the box. Data stored in many standard and custom fields and in files and attachments is encrypted using an advanced HSM-based key derivation system. So it’s protected even when other lines of defense are compromised.


Your data encryption key material is never saved or shared across orgs. You can choose to have Salesforce generate key material for you or upload your own key material. By default, the Shield Key Management Service derives data encryption keys on demand from a master secret and your org-specific key material, and stores that derived data encryption key in an encrypted key cache.

You can also opt out of key derivation on a key-by-key basis. Or you can store your final data encryption key outside of Salesforce and have the Cache-Only Key Service fetch it on demand from a key service that you control. No matter how you choose to manage your keys, Shield Platform Encryption secures your key material at every stage of the encryption process. You can try out Shield Platform Encryption at no charge in Developer Edition orgs. It’s available in sandboxes after it is provisioned for your production org.
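
A toy model of the default flow described above (derive on demand, cache the result, opt out per key), added here as an example; it is not Salesforce's code. HKDF-SHA256 stands in for the HSM-based derivation, which the page does not specify, and `ToyKeyService`, its method names and the plaintext cache are hypothetical.

```python
import hashlib
import hmac


def hkdf_sha256(secret, salt, info=b"", length=32):
    """HKDF (RFC 5869) with HMAC-SHA256: extract, then expand."""
    prk = hmac.new(salt, secret, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class ToyKeyService:
    """Hypothetical stand-in for a key service; assumptions are noted inline."""

    def __init__(self, master_secret):
        self._master = master_secret  # held by the platform, never by the org
        self._cache = {}              # (org_id, key_id) -> key; plaintext here,
        self.derivations = 0          # whereas the page describes an encrypted cache

    def data_key(self, org_id, key_id, key_material, derive=True):
        """Return the data encryption key for one org and key, deriving it once."""
        slot = (org_id, key_id)       # cache entries are never shared across orgs
        if slot not in self._cache:
            if derive:
                # Default: combine the master secret with org-specific material.
                self.derivations += 1
                self._cache[slot] = hkdf_sha256(self._master, key_material)
            else:
                # Opt-out for this key: the supplied material is the final key.
                self._cache[slot] = key_material
        return self._cache[slot]


if __name__ == "__main__":
    svc = ToyKeyService(b"\x01" * 32)  # constructed secrets, for illustration only
    derived = svc.data_key("orgA", "key1", b"A" * 32)
    supplied = svc.data_key("orgA", "key2", b"C" * 32, derive=False)
    print(derived.hex(), supplied.hex(), svc.derivations)
```

With derivation on, the key actually used on data depends on both secrets; with the per-key opt-out, it is exactly the material the customer supplied.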
