Get Started with Shield Platform Encryption
- Define encryption and describe how it protects data.
- Describe the difference between Classic Encryption and Shield Platform Encryption.
- Explain the relationship between tenant secrets, keys, and master secrets.
- Identify the permissions needed to set up Shield Platform Encryption in an org.
Crash Course: Encryption 101
When you hear the word encryption, do you think of war-time spies writing down strings of numbers to smuggle troop maneuvers across the border? Or perhaps you think about tech-savvy criminals hacking into a corporation’s secure accounting system to skim millions of dollars into a getaway fund. Or maybe you think of your own online accounts and how your password turns into little dots that hide what you type. Does that count as encryption?
Yep, all these scenarios involve encryption. So let’s look at how encryption works, and see how Shield Platform Encryption can help you keep the information in your Salesforce org safe and secure.
What Is Encryption?
At its most basic level, encryption scrambles information so that only those people with the right decoder key can unscramble it. These scrambling mechanisms vary in complexity. Some use simple substitution, like exchanging a number for a letter. For example, if we used this method with the encryption key in the graphic below, “Trailhead” would look like “Xvemplieh”.
Other systems use complex algorithms that use multiple keys to scramble and unscramble data. In this way, encryption helps prevent unauthorized people from accessing your data.
What Kind of Data Can I Encrypt?
You can encrypt all kinds of data. Phone numbers, dates, names, text files, images, you name it. If it’s recorded digitally, you can encrypt it. Shield Platform Encryption encrypts data at rest, meaning that we encrypt it when it’s being stored within Salesforce.
Should I Encrypt My Data?
There are many factors to consider before deciding if you should encrypt your data at rest. Shield Platform Encryption should only be implemented after careful consideration, including an analysis of the kinds of threats your organization should protect against, and which Salesforce security controls can best help you protect against those threats.
Most Salesforce customers secure their data very effectively using the host of other available security features that Salesforce offers. For example, field-level security allows you control over who can access and edit certain fields on specific records. Authentication and authorization techniques also allow you to control not only who sees what data, but at what time, and from which locations and devices. You can even monitor these activities using tools like the Security Health Check and Event Monitoring.
But do you need to go the extra mile and encrypt your data? That depends on your industry, its regulatory requirements, and the kind of data you work with. Most companies and organizations are subject to some kind of regulation when keeping customer data secure. Also, contractual obligations and internal compliance policies often emphasize protecting client and customer data. While most data protection regulations don't require that businesses encrypt data at rest, most mention encryption as another access control tool for securing data at rest.
For some customers, Shield Platform Encryption can be an effective additional layer of compliance.
For an answer that's specific to your circumstances, check with a security, legal, and regulatory specialist. They can take your organization through a formal security evaluation and help you find the best solution.
The Salesforce Solution: Shield Platform Encryption
Let’s dig into how Shield Platform Encryption secures data at rest using an advanced key derivation system.
Whoa, whoa, whoa, you might be saying. This sounds pretty complex. Can we start with the basics?
What Are Keys and Secrets?
The basis of encryption is scrambling and unscrambling. Keys do the scrambling and unscrambling, and secrets keep your keys safe and working properly.
A key is a string of bits that scramble and unscramble data. Just like a physical key can lock and unlock a door, encryption keys lock and unlock data to make it unreadable or readable. Some information can be accessed with only one key. Other keys work in pairs, with one key dedicated to the scrambling task and the other to the unscrambling task.
Secrets are pieces of keys. That is, they work together in a variety of ways to secure your data. Secrets combine to create encryption keys, allow servers to double-check and verify that a key is up to date, and verify that requests for access to your data are from authorized key holders.
A Strong Chain: Keys, Tenant Secrets, and Master Secrets
Keys and secrets work together to provide layers of security. Think of what makes safety deposit boxes so secure. You have one of the keys that opens your deposit box, but first you have to get inside the bank vault. To do that, you have to go through some additional layers of security. For example, you have to show your ID to a bank teller, who needs to confirm your signature, and then wait for guards to unlock the vault.
Tenant secrets and master secrets are keys for keys, or that extra layer of protection like the bank teller and vault guard. If hackers get your key, they also must navigate the secret decryption process controlled by the master and tenant secrets before they can use your key.
And we make it exceptionally difficult for anyone to access these secrets.
Salesforce generates a new master secret three times a year, with each release. Here’s how secret this secret is: It’s created by a dedicated processor called a hardware security module (HSM) specially designed for creating strong and secure cryptographic keys. The HSM, which is on a USB stick, is then stored securely in a bank safety deposit box. During each release, only designated Salesforce security officers can access the HSM stored in this safety deposit box. They then use the HSM to generate a new master secret, which is stored in a secure area of our servers.
When you create your own tenant secret on demand in Salesforce, we store it securely in the database. Your tenant secret partners with the master secret in what’s called a key derivation process to create keys that encrypt and decrypt your data.
We update the master secret once per release, but you can update your tenant secrets as often as you want.
Enable Shield Platform Encryption
Salesforce offers you two ways to encrypt data. Classic encryption is included in the base price of your Salesforce license. With classic encryption, you can protect a special type of custom text field that you create for data you want to encrypt. The custom field is protected with industry-standard 128-bit Advanced Encryption Standard (AES) keys.
Shield Platform Encryption is available for free in Developer Edition orgs. All other editions require you to purchase a license. With Shield Platform Encryption, you can encrypt all kinds of confidential and sensitive data at rest on the Salesforce Platform. “At rest” means any data that’s inactive or stored in files, spreadsheets, standard and custom fields, and even databases and data warehouses. The data is encrypted with a stronger 256-bit AES key, and subscribers can manage access to their data with a wider range of keys and permissions. Shield Platform Encryption even allows you to search for encrypted data in databases.
Shield Platform Encryption gives customers an encryption advantage because it allows you to prove compliance with regulatory and industry requirements and show that you meet contractual obligations for securing private data in the cloud.
- Provision your license. Contact Salesforce to get one. Shield Platform Encryption is automatically available in Developer Edition orgs created on or after the Summer of 2015.
- Assign permissions. To enable Shield Platform Encryption, you need the Customize Application and Manage Encryption Keys permissions. After you enable encryption, you can give others permission to complete administration tasks on the Encryption Policy page. However, you likely don’t want everyone managing encryption keys. Assign permissions with scenarios from the table below in mind. For example, as an admin, assign yourself the View Setup and Configuration permission. This lets you enable encryption features for fields, files, attachments, and apps.
- Enable Shield Platform Encryption for your org. When you have your license and permissions set up, you can enable Shield Platform Encryption on your orgs. You then create org-specific tenant secrets and customize your encryption settings for each org.
Manage Encryption Keys
View Setup and Configuration
|View Platform Encryption Setup pages
|Edit Encryption Policy page settings
|Generate, destroy, export, import, and upload tenant secrets and customer-supplied key material
|Query the TenantSecret object via the API
|Edit, upload, and download HSM-protected certificates with the Shield Platform Encryption Bring Your Own Key service
|Enable features on the Advanced Settings page
(for BYOK features)
In the next unit, we get into the details of which data you can encrypt. But first, ready for a review?