As mentioned in our intro blog, Salesforce Shield: Bringing Compliance to the Cloud, customer information security is critical to Salesforce’s success. In this blog, we’re going to take a look at another part of Salesforce Shield Platform Encryption.
When regulations require more protection
Your data is already very secure. But to meet the increasingly demanding requests of information regulations, your organization needs to demonstrate further efforts to lock down certain specific data values. Salesforce now provides Platform Encryption to customers that require that additional layer of protection. For example, healthcare organizations with service groups may need to encrypt case fields such as subject, comments, details, any contact info. What is important to note about Platform Encryption is that it is not intended to solve for who can see what within an org. Platform Encryption is intended to encrypt data written to disk.
What Shield Platform Encryption is and what it is not
What Shield Platform Encryption solves
- Regulatory Compliance
- GDPR does not mandate you encrypt data
- It suggests it today, but does not mandate it
- Customers with GDPR needs should understand that encryption alone does not make them GDPR compliant
- Internal Policies
- Contractual Obligations
- Unauthorized Access to the DB
- This is the very unlikely scenario that Salesforce would be hacked. This ensures that the customer’s data does not leak out.
- GDPR does not mandate you encrypt data
What Shield Platform Encryption does not solve
- Sharing model
- Object or Field Level security
- Data residency Solutions
- Encryption for non-Salesforce Data
- Protection against Social Engineering
- Masking
Before investing in Platform Encryption, you’ll want to make sure you’ve solved all of these use cases with existing functionality. More often than not, the needs evolve around access control. This is not encryption!
Benefits of Platform Encryption
Platform Encryption encrypts sensitive data at rest while allowing customers to control the lifecycle of their encryption keys.
Key strengths of Platform Encryption include:
- Strong full probabilistic encryption schemes
- No hardware, no software, no integrations – it is 100% native
- Transparent encryption and encryption services
- Mobile-ready, natively
- Seamless release upgrades
- Scalability and resilience
- Negligible performance impact
- Most of the critical business functionality is preserved
- Leverage native search
- Minimal impact on field length
Shield Platform Encryption for Compliance
Whether you’ve been working with Salesforce for years or you’re new to Salesforce, your Audit team is asking for information regarding the security and compliance of the information stored in your Salesforce environment. Right out the gate, Salesforce meets the rigorous demands of various industry certifications including:
- ISO 27001/27017/27018 Certifications
- EU-U.S. and Swiss-U.S. Privacy Shield Certification
- TRUSTe
- Payment Card Industry (PCI)
- And much more.
You can read more about Salesforce’s continuous efforts around Trust and Compliance here.
How to set up Platform Encryption
Setting up Platform Encryption does not require that you are a security expert or a developer even. You don’t need to write any code or have a background in information security — everything is metadata-driven.
There are, however, some important limitations to be aware of before enabling Platform Encryption.
Platform Encryption limitations
Performance
When enabling Platform Encryption customers may see some performance degradation, particularly during night time batch jobs where the data needs to be decrypted and encrypted.
Encrypting Historical Data
Data going forward would be encrypted, but prior to enabling Platform Encryption, historical data would need to be handled a little differently.
Salesforce can help here. Open a ticket with Support and they can quickly process large amounts of data as needed.
Filtering Fields (Reports and List Views)
Filtering encrypted fields with probabilistic encryption is not supported. Use Deterministic instead (Exact Match and Case Sensitive only).
SOQL
Referencing encrypted fields in SOQL/WHERE clause is not supported. Encrypted fields cannot be sorted.
Portal
Encrypted standard fields cannot be set up on the legacy portal orgs.
Cloud Limits
Shield Platform Encryption is not extended to other clouds such as marketing cloud, Pardot, SalesforceIQ, Heroku, and Thunder at this time.
Trial Orgs
Not available in customers’ trial org type.
Shield Platform Encryption Best Practices 
Before taking on Platform Encryption there are recommended best practices to follow to ensure a successful implementation.
Define a Threat Model
Be sure to understand what it is you are solving for. Quite often, existing functionality will be sufficient.
Encrypt only where necessary
You’ll want to run through a proper data classification exercise to understand what the specific needs are.
Read the Platform Encryption Considerations
Read through this document for more detail about the limitations and considerations to better understand the impact to your org.
Create a strategy for backing up and archiving key data
Salesforce provides weekly backup functionality that allows its customers to fully backup their Salesforce data. There are also other options to help customers ensure their information is backed up. Make sure you explore these options and have a clear strategy before proceeding.
Communicate to your users
Make sure your users are aware of these changes and the impact to your org so you’re not flooded with support requests.
Analyze and test AppExchange apps before deploying
Work with the vendors you use (or plan to use) to make sure they are going to support what you are encrypting.
Getting started with Platform Encryption for your business
As you can see, Platform Encryption is not a quick fix to data security. It is designed to solve for very specific needs around encryption and brings along quite a few considerations that may have significant impacts on your org.
Before taking on Platform Encryption, it is highly encouraged that you reach out to Perficient to further discuss your needs and how we can help provide expert guidance during your implementation.
