Start tracking your progress
Trailhead Home
Trailhead Home

Protect Apps with Shield

Learning Objectives

After completing this unit, you’ll be able to:

  • Explain how Shield protects business-critical apps.
  • Describe Event Monitoring best practices.

Salesforce Shield

Salesforce Shield is a set of security tools that admins and developers can use to protect business-critical apps with capabilities like enhanced encryption and event monitoring. Shield allows you to build a new level of trust, transparency, compliance, and governance with a set of simple point-and-click tools. Those tools include Platform Encryption, Event Monitoring, and Field Audit Trail. 

As more customers use Salesforce to store personally identifiable information, including sensitive, confidential, or proprietary data, it’s critical to ensure the privacy and confidentiality of that data. The tools included in Shield allow you to meet both external and internal data compliance policies. 

A man with a shield bearing the Salesforce cloud, surrounded by icons representing Platform Encryption, Event Monitoring, and Field Audit Trail.

Platform Encryption

Platform Encryption is designed to let you retain critical app functionality—like search, workflow, and validation rules—so you maintain full control over encryption keys and can set encrypted data permissions to protect sensitive data from unauthorized users. Platform encryption allows you to natively encrypt your most sensitive data at rest across all of your Salesforce apps.

Shield Platform Encryption builds on the data encryption options that Salesforce offers out of the box. Data stored in many standard and custom fields and in files and attachments is encrypted using an advanced key derivation system based on a hardware security module. So your data is protected even when other lines of defense have been compromised.

Your data encryption key material is never saved or shared across orgs. You can choose to have Salesforce generate key material for you or upload your own key material. By default, the Shield Key Management Service derives data encryption keys on demand from a master secret and your org-specific key material, and stores that derived data encryption key in an encrypted key cache. You can also opt out of key derivation on a key-by-key basis, or store your final data encryption key outside of Salesforce and have the Cache-Only Key Service fetch it on demand from a key service that you control. No matter how you choose to manage your keys, Shield Platform Encryption secures your key material at every stage of the encryption process.

Event Monitoring

Event Monitoring gives you access to detailed performance, security, and usage data on all of your Salesforce apps. 

Event Monitoring is like a window that shows all the granular details of user activity in your organization. We refer to these user activities as events, which are captured in something called an event log. You can view information about individual events or track trends in events to swiftly identify abnormal behavior and safeguard your company’s data.

So, what are some of the events you can track? Event Monitoring provides tracking for many types of events, including:

  • Who viewed what data and when.
  • Where data was accessed.
  • When a user makes a change to a record by using the UI.
  • Who is logging in and from where.
  • Who in your org is performing actions related to Platform Encryption administration.
  • Which admins logged in as another user and the actions the admin took as that user.
  • How long it takes a Lightning page to load.

All of these events are tracked and accessible via the API, so you can view them in the data visualization app of your choice. See who is accessing critical business data, both when and from where. Event Monitoring data can be easily imported into any data visualization or application monitoring tool, like Tableau, Einstein Analytics, Splunk, or New Relic. 

Setting up monitoring and your API connection can be complicated. Luckily, the Event Monitoring module walks you through that process. 

Field Audit Trail

Field Audit Trail lets you know the state and value of your data for any date, at any time. You can use it for regulatory compliance, internal governance, audits, or customer service. 

Field Audit Trail lets you define a policy to retain archived field history data for up to 10 years from the time the data was archived. This feature helps you comply with industry regulations related to audit capability and data retention.

You can use the Salesforce Metadata API to define a retention policy for your field history. You can enable tracking for specific fields and then use REST API, SOAP API, and Tooling API to work with your archived data. 

When enabled, field history data is copied from the History-related list into the FieldHistoryArchive big object. To specify the Field Audit Trail retention policies for the objects you want to archive, you need to define a HistoryRetentionPolicy for your related history lists, such as Account History. Then, you use the Metadata API to deploy the big object. 

You can update the retention policy on an object as often as you like. Field Audit Trail allows you to track up to 60 fields per object in contrast to the 20 fields per object tracking that comes standard with Salesforce. 

Field Audit Trail also allows you to retain archived field history data for up to 10 years from the time the data was archived. Without it, you retain archived data for only 18 months.

Implementing Health Check and Shield into your Salesforce app development workflow will help you develop securely. Secure app development processes are the best way to protect your company and customer data.  

Resources