Deploy Shield Platform Encryption the Smart Way
Learning Objectives
After completing this unit, you’ll be able to:
- Identify best practices when setting up Shield Platform Encryption.
- Describe how Shield Platform Encryption affects apps and sandboxes.
- Understand how Shield Platform Encryption affects the way users access information in your org.
Deploy Shield Platform Encryption with Processes in Mind
So far you’ve learned what encryption is, how Shield Platform Encryption secures data, how to set it up in an org, and how to control the lifecycle of your encryption keys. But what does this process look like for a company that already has a lot of existing data? Doc’s practice was small and just getting off the ground. What about something more established?
Shield Platform Encryption works for all kinds of customers. Understandably, deploying Shield Platform Encryption in larger or more complex orgs requires some research and planning.
During your work with Doc and other Salesforce customers, you’ve seen several ways that companies use Shield Platform Encryption to provide extra protection for their data. Let’s see how you can help Mayberry Security Bank. They’re the bank that Doc uses. They’re expanding across the county and need some help deploying Shield Platform Encryption with minimal disruption to their business operations.
Mayberry Security Bank wants you to help them avoid the hiccups that other companies encountered when they deployed Shield Platform Encryption.
Encrypt Only Where Necessary
Your first bit of advice for Mayberry Security Bank is to figure out what they do and don’t need to encrypt.
Encryption is a process, and additional processes can slow down services, especially when those services grow in size and complexity. You advise Mayberry Security Bank to take a few steps to target what they absolutely need to encrypt.
- Define a threat model for the organization. Walk through a formal threat-modeling exercise to identify which threats are most likely to affect the organization. Use these findings to create a data classification scheme and to decide which data to encrypt. For example, certain kinds of threats might be specific to the financial sector or to the particular services that Mayberry Security Bank offers.
- Not all data is sensitive. Focus on information that requires encryption to meet regulatory, security, compliance, and privacy requirements. Unnecessarily encrypting data can slow down performance and affect employees’ day-to-day activities. Mayberry Security Bank reads through the list of regulatory requirements they need to meet. These requirements define the kinds of customer data that require extra security. The bank decides to apply Shield Platform Encryption only to those areas.
- Create a data classification scheme early. Work with stakeholders in security, compliance, and business IT departments to define requirements. Balance business-critical functionality against security and risk measures, and challenge your assumptions periodically. Mayberry Security Bank looks at the results of its threat model exercise and regulation review. The bank realizes that it needs to update its security and compliance policy to match. That way, everyone understands why the deployment team decides to encrypt some data types and not others.
Assign Permissions and Key Access Judiciously
Now that Mayberry Security Bank knows which data to encrypt, the bank needs to know how to do it securely and sustainably.
- Create a strategy early for backing up and archiving keys and data. Unlike passwords, you can’t reset a tenant secret. Salesforce can’t help with deleted, destroyed, or misplaced tenant secrets. Always back up tenant secrets. We’ve seen cases where businesses encrypt data with a tenant secret and accidentally destroy that tenant secret without archiving it in Salesforce. Thankfully, those customers made a backup. If an administrator for Mayberry Security Bank winds up in that situation, the admin can re-import the backed-up tenant secret and access the data.
- Grant the “Manage Encryption Keys” permission to authorized users only. Users with this permission can generate, export, import, and destroy org-specific keys. That’s quite a bit of authority and responsibility. You recommend that Mayberry Security Bank choose carefully who they grant this permission to. You also recommend that they monitor the key management activities of these users regularly with the setup audit trail.
- Understand that encryption applies to all users, regardless of permissions. The data stored in encrypted fields is encrypted at rest, regardless of user permissions. You reassure Mayberry Security Bank that even when their employees need to access encrypted data in the course of their work, their data is still encrypted at rest. They should use field-level access controls to limit who can access sensitive data.
Your advice helps Mayberry Security Bank think in broad terms about who’s going to access the encrypted information and how encryption will become a part of Mayberry Security Bank’s employees’ day-to-day activities.
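One way to act on the monitoring advice above, as an added example that is not Salesforce's own code: a Python script that reviews a Setup Audit Trail export for key management activity by users outside an approved list, and for export or destroy actions by anyone. The column names, section label, action wording, and user names are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample in the shape of a Setup Audit Trail CSV export.
# Column names, the section label and the action wording are assumptions;
# match them to what your org's export actually contains.
SAMPLE_EXPORT = """Date,User,Action,Section
2024-03-01 09:12,kim.admin@mayberry.example,Generated a new tenant secret,Platform Encryption
2024-03-02 14:40,lee.dev@mayberry.example,Exported a tenant secret,Platform Encryption
2024-03-03 08:05,kim.admin@mayberry.example,Changed field-level security for Account,Manage Users
2024-03-04 23:51,kim.admin@mayberry.example,Destroyed a tenant secret,Platform Encryption
"""

APPROVED_KEY_MANAGERS = {"kim.admin@mayberry.example"}  # hypothetical allowlist
KEY_SECTION = "Platform Encryption"                     # assumed section label
HIGH_RISK_WORDS = ("destroy", "export")                 # assumed action wording


def review_key_activity(export_text, approved=APPROVED_KEY_MANAGERS):
    """Return findings for key management rows that need a human look."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["Section"].strip() != KEY_SECTION:
            continue  # not a key management event
        user = row["User"].strip().lower()
        action = row["Action"].strip()
        reasons = []
        if user not in approved:
            reasons.append("user not on approved key manager list")
        if any(word in action.lower() for word in HIGH_RISK_WORDS):
            reasons.append("export or destroy action: confirm a backup exists")
        if reasons:
            findings.append({"date": row["Date"], "user": user,
                             "action": action, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_key_activity(SAMPLE_EXPORT):
        print(f["date"], f["user"], f["action"], "->", "; ".join(f["reasons"]))
```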
Using Shield Platform Encryption with Other Security Features
Mayberry Security Bank is feeling good about the implementation process, and they’re ready to deploy. Before they dig in, you remind them to review the other security features that Salesforce offers.
Salesforce offers a range of tools to help protect data. Even though Mayberry Security Bank is now using Shield Platform Encryption as an additional layer of protection for data stored at rest, the bank still needs to take other steps to secure who has access to data from within their org.
- Assign non-encryption-related permissions to control who sees what information.
- Use roles and profiles to control access to sensitive data, just like you would without encryption enabled.
- Use field-level security settings and page layout settings, not Shield Platform Encryption, to control which users can see which data.
Apps and Shield Platform Encryption
Mayberry Security Bank loves the AppExchange and has even created a few apps of its own. They want to confirm that they can still use these apps after they enable Shield Platform Encryption.
You have good news with a word of caution: Many apps either support Shield Platform Encryption or aren’t affected by it. So Mayberry Security Bank can enable encryption without affecting many apps and can even encrypt data in some of their favorites.
However, some apps aren’t compatible with encryption and a few can prevent you from enabling Shield Platform Encryption. Mayberry Security Bank’s IT department checks the Shield Platform Encryption Implementation Guide for the list of supported and unsupported apps.
Sandboxes: Your Best Friend
Because every company is different, you recommend that Mayberry Security Bank use a sandbox org to test encryption before enabling it in production orgs. That way, Mayberry Security Bank can see how Shield Platform Encryption works with their unique configuration and setup.
Think of it this way. We don’t buy cars without first taking them for a test drive. And few of us are probably daring enough to strut out onto the beach in a new swimsuit without first trying it on. As it is with cars and bathing suits, it’s best to try out Shield Platform Encryption before taking it on the road.
You help Mayberry Security Bank set up a sandbox that mirrors the structure of their production org. From there, they can enable Shield Platform Encryption and experiment with how it does and doesn’t change the way their employees access information in their org.
When they turn on encryption in their sandbox org, Salesforce checks for potential side effects. Mayberry Security Bank’s deployment team gets an email if existing settings could pose a risk to data access or the normal operation of their Salesforce org. For example, if Mayberry Security Bank wants to encrypt data stored in an app that isn’t compatible with Shield Platform Encryption, they’ll get an email notifying them of the problem and how to solve it.
After the company’s deployment team gets a feel for how Shield Platform Encryption interacts with preferred apps and org settings, they can deploy it on production orgs.
You remind them that if they want to test how new apps, fields, or settings interact with Shield Platform Encryption after they’ve enabled it in a production org, they can refresh a sandbox from a production org to create an exact copy of that production org. They can then try out updates without affecting active users.
Mayberry Security Bank couldn’t be happier with the help you’ve given them. Now they’re confident that they can make their data even more secure and meet their regulatory requirements in an effective and sustainable way.