Plan for Shield Platform Encryption

Learning Objectives

After completing this unit, you’ll be able to:

  • Identify the main features of Shield Platform Encryption.
  • Identify the requirements and prerequisites for Shield Platform Encryption.
  • Identify the permissions needed to set up Shield Platform Encryption in an org.
  • Describe how Shield Platform Encryption affects the way users access information in your org.
  • Match the encryption features available with Classic Encryption and Shield Platform Encryption.

Review the Security Needs

Calvin reads Ernesto’s security review and scans the list of the recommended requirements.

  • Limit who holds the permissions and keys needed to set up and manage encryption.
  • Apply AES-256 encryption at rest to all sensitive data fields, files, logs, and search indexes.
  • Make little or no change to the customer experience.

With these requirements in mind, he rolls up his sleeves and cracks the books on Shield Platform Encryption.


Learn About Shield Platform Encryption

A couple of days later, Calvin meets with Carolyn and reports on what he’s learned about Shield Platform Encryption.

With Shield Platform Encryption, you can encrypt all kinds of confidential and sensitive data at rest on the Salesforce Platform. “At rest” means data that is stored rather than in transit: values in standard and custom fields, files, spreadsheets, event data, and the databases and data warehouses that hold them. You can even choose to encrypt every data element stored in the transactional database with a single setting.

Shield Platform Encryption gives you an advantage beyond the encryption itself. It lets you show compliance with regulatory and industry requirements and demonstrate that you meet contractual obligations for securing private data in the cloud. Your company defines its encryption policies, and Shield Platform Encryption gives you the controls to implement them.

Calvin is excited about the added encryption features that Shield Platform Encryption provides, and is thrilled to let Carolyn know about it.

Compare Salesforce Classic Encryption with Shield Platform Encryption

Calvin discovers that with Shield Platform Encryption, he can use Database Encryption to encrypt the entire transactional database: every change to every standard or custom field is encrypted. With field-level encryption, he can encrypt a variety of widely used standard fields, along with some custom fields, and many kinds of files. Shield Platform Encryption also supports encryption of person accounts, cases, search, approval processes, large files, attachments, and other key Salesforce features, so it covers more data across more storage areas within Salesforce. In contrast, Classic Encryption lets you protect only a special type of custom text field that you create just for that purpose. Check out Differences Between Classic Encryption and Shield Platform Encryption in Salesforce Help for a full comparison.

Review the Features of Shield Platform Encryption

The differences between Classic Encryption and Shield Platform Encryption are significant. Calvin can’t wait to set up a Developer Edition org to try out everything. To prepare, he assembles a set of feature definitions to review with the team later.

Get Ready for Shield Platform Encryption

There are no hardware requirements for Shield Platform Encryption. The crypto functions run natively on the Salesforce Platform, and no custom code is required.

It’s important for you to review your company requirements, industry laws, and customer obligations so that you can determine what to encrypt. How long this takes depends on the size of your org and the complexity of your app. You should also plan early how to manage your encryption keys: how often to rotate them, where to keep backup copies, and how to label them so you can tell them apart. If a tenant secret is destroyed and no exported copy exists, data still encrypted under it can’t be recovered, so having the right key available when there’s an issue is vital.
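The key-management plan above is easier to enforce as a recurring check than as a document. The following is an added example, not Salesforce or Trailhead code: it evaluates a rotation-and-backup policy over TenantSecret records. It assumes the records come from a SOQL query like the one in TENANT_SECRET_SOQL (the field list is an assumption about the TenantSecret object), run by a user with Manage Encryption Keys, and that an inventory of exported tenant-secret backups is kept outside the org. The sample records and backup inventory are constructed for this example.

```python
"""Tenant-secret rotation and backup check for a Shield Platform Encryption key plan.

Added example, not Salesforce or Trailhead code. Field names in the query and the
sample records are assumptions; SAMPLE_* data is constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

TENANT_SECRET_SOQL = (
    "SELECT Id, Type, Status, Version, CreatedDate, Description FROM TenantSecret"
)
ROTATION_DAYS = 365  # policy assumption: every active key type is rotated at least yearly
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed "now" for the sample run

# Constructed sample of the "records" array a REST query would return.
# Ids are placeholders, not real Salesforce record Ids.
SAMPLE_TENANT_SECRETS = [
    {"Id": "TS-DATA-3", "Type": "Data", "Status": "Active", "Version": 3,
     "CreatedDate": "2024-01-15T10:00:00.000+0000", "Description": "data key v3"},
    {"Id": "TS-DATA-2", "Type": "Data", "Status": "Archived", "Version": 2,
     "CreatedDate": "2023-01-10T10:00:00.000+0000", "Description": "data key v2"},
    {"Id": "TS-DATA-1", "Type": "Data", "Status": "Destroyed", "Version": 1,
     "CreatedDate": "2022-01-05T10:00:00.000+0000", "Description": "data key v1"},
    {"Id": "TS-SEARCH-1", "Type": "SearchIndex", "Status": "Active", "Version": 1,
     "CreatedDate": "2025-03-01T10:00:00.000+0000", "Description": ""},
    {"Id": "TS-EVENTBUS-1", "Type": "EventBus", "Status": "Archived", "Version": 1,
     "CreatedDate": "2024-06-01T10:00:00.000+0000", "Description": "event bus key v1"},
]
# Constructed inventory: Ids of secrets that were exported into the offline key backup.
SAMPLE_BACKUP_INVENTORY = {"TS-DATA-3", "TS-DATA-2", "TS-EVENTBUS-1"}


def parse_sf_datetime(value):
    """Parse the Salesforce API timestamp format, e.g. 2024-01-15T10:00:00.000+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def check_tenant_secrets(records, backup_ids, now, rotation_days=ROTATION_DAYS):
    """Return sorted (subject, issue) pairs describing gaps in the key plan."""
    issues = []
    types_with_active_key = set()
    for rec in records:
        key_id, status = rec["Id"], rec["Status"]
        if status == "Active":
            types_with_active_key.add(rec["Type"])
            if now - parse_sf_datetime(rec["CreatedDate"]) > timedelta(days=rotation_days):
                issues.append((key_id, "ROTATE"))
        if key_id not in backup_ids:
            # A destroyed secret with no exported copy means data still encrypted
            # under it cannot be recovered; for any other status it is a backup gap.
            issues.append((key_id, "DESTROYED_NO_BACKUP" if status == "Destroyed" else "NO_BACKUP"))
        if not (rec.get("Description") or "").strip():
            # Without a label you cannot tell keys apart when you need to restore one.
            issues.append((key_id, "UNLABELED"))
    # Every key type that has ever had a secret should still have an active one.
    for key_type in sorted({rec["Type"] for rec in records}):
        if key_type not in types_with_active_key:
            issues.append((key_type, "NO_ACTIVE_KEY"))
    return sorted(issues)


if __name__ == "__main__":
    for subject, issue in check_tenant_secrets(
        SAMPLE_TENANT_SECRETS, SAMPLE_BACKUP_INVENTORY, SAMPLE_NOW
    ):
        print(f"{issue:22} {subject}")
```

Run against the sample, the check flags the active Data key as overdue for rotation, the destroyed Data key as unrecoverable because it was never exported, the SearchIndex key as both unbacked and unlabeled, and the EventBus type as having no active key. Archived keys are still checked for backups because you need them to read data that hasn’t been re-encrypted yet.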

To use Shield Platform Encryption in production, you must have a valid Shield license. (But Calvin suspected that he could try it out for free in a Developer Edition org, and he was right!) Note that to have Shield Platform Encryption in a sandbox, the production org it was created from must already be licensed for Shield. In the next unit, you learn how to create your own Developer Edition org that has Shield Platform Encryption. For now, let’s look at the requirements.

Enable Shield Platform Encryption: The Short Story

Turning on Shield Platform Encryption is as easy as 1-2-3.

  1. Provision your license. Contact Salesforce to get one. (Shield Platform Encryption is automatically available in Developer Edition orgs.)
  2. Assign permissions. Grant the Customize Application and Manage Encryption Keys permissions to the appropriate admins. (More on permissions in the next section.)
  3. Enable Shield Platform Encryption for your org. When your license and permissions are in place, you can enable the individual Shield Platform Encryption features in each org. You then create org-specific tenant secrets and customize the encryption settings for that org.

You’ll get hands-on practice enabling Shield Platform Encryption in the next unit.

Learn the Permissions Required to Set Up Shield Platform Encryption

To enable Shield Platform Encryption, you need the Customize Application and Manage Encryption Keys permissions. After you enable encryption, you can give others permission to complete administration tasks on the Encryption Policy page. However, you likely don’t want everyone managing encryption keys. Assign permissions with the scenarios in this table in mind. For example, an admin who only needs to review the setup pages needs View Setup and Configuration along with Customize Application, while enabling encryption for fields, files, and attachments on the Encryption Policy page requires Manage Encryption Keys and Customize Application. Grant Manage Encryption Keys only to the people who are responsible for tenant secrets.

Permissions required for each action:

  • View Platform Encryption Setup pages: Customize Application, View Setup and Configuration
  • Edit Encryption Policy page settings: Manage Encryption Keys, Customize Application
  • Generate, destroy, export, import, and upload tenant secrets and customer-supplied key material: Manage Encryption Keys
  • Query the TenantSecret object via the API: Manage Encryption Keys
  • Edit, upload, and download HSM-protected certificates with the Shield Platform Encryption Bring Your Own Key service: Manage Encryption Keys, Customize Application, Manage Certificates
  • Enable features on the Advanced Settings page: Manage Encryption Keys, Customize Application
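Because Manage Encryption Keys is the permission that lets someone destroy a tenant secret, it is worth auditing who actually holds it, including through a profile rather than an explicit permission set. The following is an added example, not Salesforce or Trailhead code: it computes each user’s effective permissions from PermissionSetAssignment records, maps them to the actions in the table above, and flags key administrators who are not on an approved list. The SOQL field names (PermissionsManageEncryptionKeys and the others) are assumptions about the PermissionSet object, and the sample assignments are constructed for this example.

```python
"""Least-privilege audit of Shield Platform Encryption permissions.

Added example, not Salesforce or Trailhead code. Query field names are assumptions
about the PermissionSet object; SAMPLE_ASSIGNMENTS is constructed for illustration.
"""

PERMISSION_SOQL = (
    "SELECT Assignee.Username, PermissionSet.Name, PermissionSet.IsOwnedByProfile, "
    "PermissionSet.PermissionsManageEncryptionKeys, PermissionSet.PermissionsCustomizeApplication, "
    "PermissionSet.PermissionsViewSetup, PermissionSet.PermissionsManageCertificates "
    "FROM PermissionSetAssignment WHERE Assignee.IsActive = true"
)

# Boolean fields on PermissionSet (assumed names) -> short permission names used below.
PERMISSION_FIELDS = {
    "PermissionsManageEncryptionKeys": "ManageEncryptionKeys",
    "PermissionsCustomizeApplication": "CustomizeApplication",
    "PermissionsViewSetup": "ViewSetup",
    "PermissionsManageCertificates": "ManageCertificates",
}

# Actions from the permissions table, each with the full set of permissions it requires.
ACTION_REQUIREMENTS = {
    "view_setup_pages": {"CustomizeApplication", "ViewSetup"},
    "edit_encryption_policy": {"ManageEncryptionKeys", "CustomizeApplication"},
    "manage_tenant_secrets": {"ManageEncryptionKeys"},
    "byok_certificates": {"ManageEncryptionKeys", "CustomizeApplication", "ManageCertificates"},
    "enable_advanced_settings": {"ManageEncryptionKeys", "CustomizeApplication"},
}


def _ps(name, owned_by_profile=False, **granted):
    """Build one constructed PermissionSet record; unset permission fields default to False."""
    rec = {"Name": name, "IsOwnedByProfile": owned_by_profile}
    for field in PERMISSION_FIELDS:
        rec[field] = bool(granted.get(field, False))
    return rec


# Constructed sample: one row per (user, profile-or-permission-set) assignment.
SAMPLE_ASSIGNMENTS = [
    {"Assignee": {"Username": "alice@example.com"},
     "PermissionSet": _ps("System_Administrator_Profile", True,
                          PermissionsCustomizeApplication=True, PermissionsViewSetup=True)},
    {"Assignee": {"Username": "alice@example.com"},
     "PermissionSet": _ps("Encryption_Key_Admin", PermissionsManageEncryptionKeys=True)},
    {"Assignee": {"Username": "bob@example.com"},
     "PermissionSet": _ps("Shield_Setup_Viewer",
                          PermissionsCustomizeApplication=True, PermissionsViewSetup=True)},
    {"Assignee": {"Username": "carol@example.com"},
     "PermissionSet": _ps("Custom_Admin_Profile", True, PermissionsManageEncryptionKeys=True,
                          PermissionsCustomizeApplication=True, PermissionsViewSetup=True,
                          PermissionsManageCertificates=True)},
    {"Assignee": {"Username": "dave@example.com"},
     "PermissionSet": _ps("Legacy_Key_Ops", PermissionsManageEncryptionKeys=True)},
]
APPROVED_KEY_ADMINS = {"alice@example.com"}  # maintained outside the org (assumption)


def effective_permissions(assignments):
    """Union each user's permissions across profile and permission sets.

    Returns {username: {"perms": set, "from_profile": set}} where from_profile
    records which permissions arrived via the profile rather than a permission set.
    """
    users = {}
    for row in assignments:
        user = row["Assignee"]["Username"]
        ps = row["PermissionSet"]
        entry = users.setdefault(user, {"perms": set(), "from_profile": set()})
        for field, perm in PERMISSION_FIELDS.items():
            if ps.get(field):
                entry["perms"].add(perm)
                if ps["IsOwnedByProfile"]:
                    entry["from_profile"].add(perm)
    return users


def capabilities(perms):
    """Actions from the table that a given permission set is sufficient for."""
    return {action for action, needed in ACTION_REQUIREMENTS.items() if needed <= perms}


def audit(assignments, approved_key_admins):
    """Return sorted (user, finding) pairs for key-management permissions worth reviewing."""
    findings = []
    for user, entry in effective_permissions(assignments).items():
        if "manage_tenant_secrets" in capabilities(entry["perms"]) and user not in approved_key_admins:
            findings.append((user, "UNAPPROVED_KEY_ADMIN"))
        if "ManageEncryptionKeys" in entry["from_profile"]:
            # A profile-granted key permission travels with every user on that profile;
            # a dedicated permission set is easier to scope and review.
            findings.append((user, "KEY_PERM_VIA_PROFILE"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_ASSIGNMENTS, APPROVED_KEY_ADMINS):
        print(f"{finding:22} {user}")
```

On the sample data, Alice is the only approved key administrator and Bob can only view the setup pages. Carol is flagged twice, as an unapproved key administrator and because her key permission comes from a profile, and Dave is flagged as an unapproved key administrator even though he can’t open the setup pages at all.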

Explore the Effects of Shield Platform Encryption on the User Experience

Calvin knows from experience that his users are sensitive to new features being added to their app. He looks into this and discovers these four points.

  • Data Visibility: Encryption at rest is not an access control. Users who already have object and field-level access see decrypted values exactly as before, while the data is stored as ciphertext in the database and file storage. Control who can read a field with field-level security and sharing settings, not with encryption.
  • Searching and Reporting: Encrypted fields can still be searched and included in reports, and Database Encryption doesn’t change these actions at all. For field-level encryption, the encryption scheme matters: fields encrypted with the probabilistic scheme can’t be used to filter or sort reports, list views, or SOQL queries, whereas the deterministic scheme supports exact-match filtering. Plan which scheme each field needs before you encrypt it.
  • Compliance and Security: Users benefit from enhanced security and compliance, knowing that sensitive data at rest is protected with AES-256 encryption.
  • User Interface: The overall user interface remains largely unchanged, but users might notice very slight delays when accessing or processing encrypted data because of the additional encryption and decryption steps.

Calvin intends to run alpha and beta test groups to see how users react to any changes.
