Hi Salesforce Expert,
You’re an amazing technologist and you’ve finally convinced the Business and CISO to buy the right solution for encryption within Salesforce – Shield Platform Encryption. Now what?
Well now it’s time to partner up with your coworker(s) in Information Security (InfoSec) and/or the business. You’ll need to help them understand what’s possible and what’s right from a technical perspective. But before you begin, it’s important to keep in mind a few things that your coworker really cares about:
- Security of the information stored in the system
- Reassurance that policies are being enforced consistently
- Limiting risk of inadvertently exposing information to the wrong parties
Why not just encrypt everything?
The easy answer to InfoSec’s concerns is to encrypt everything. Nice idea… but it’s not optimal. Encrypting data causes the following possible issues:
- Decrease in System Performance: When you encrypt a field, the system must work harder to display the data every time you look at it. This decreases user satisfaction and adoption. The more fields you encrypt, the harder the system will be working to show the right people the right information at the right time.
- System Limitations: Certain types of fields cannot be encrypted at all (i.e. checkboxes, formulas, etc.) and encrypted fields cannot be used with certain aspects of Salesforce.com (i.e. report filters, list view sort orders/filters, certain types of clauses in SOQL Queries, etc.)
So how do you determine what to encrypt and what not to encrypt?
A Data Classification exercise will help you determine what data types are available, where it’s located and what needs to be encrypted. Start by working with InfoSec to review your environment and identify which fields you should encrypt based on the data stored, your industry, and other internal or regulatory requirements. Bucket your data into different categories from highly sensitive customer data to data that may be freely disclosed with the public. For example, you could classify by:
- Restricted data (i.e. social security numbers)
- Private data (i.e. sales procedures, performance reviews)
- Public data (i.e. event information)
Once you’ve categorized the data, select the fields you wish to encrypt to help guide the rest of the Platform Encryption implementation. Okay, so now what?
Business Impact Assessment:
Now you’ll need to conduct a Business Impact Assessment to identify and evaluate the potential effects encrypting certain data will have on the business.
First, you need to evaluate all your fields and understand how they’re used in business processes / org configuration to determine what happens if you were to encrypt at rest with Salesforce Shield Platform Encryption. Don’t forget to check all your formula fields, reports, list views and Apex code to find any possible breakage. These rules change from time to time as Salesforce is working hard to reduce the limitations of Platform Encryption, so be sure to consult the latest Platform Encryption Implementation Guide for the latest and greatest rule set.
Next, discuss mitigation steps and determine whether security concerns outweigh business impact or vice versa. For example, you may decide certain reports are needed, code needs to be rewritten and a formula field is essential to keep.
Use this Platform Encryption Implementation checklist to help with this process by better understanding which fields you should encrypt and how to avoid unexpected business impact.
As you’ll see from the checklist, Salesforce has a large rule set that makes this process very time consuming. After conducting many implementations and ongoing PE maintenance for clients, we decided to build a solution – Shield Security Cockpit. Our app simplifies the data classification and business impact analysis process, making encrypting salesforce data a piece of cake (see demo video below)!
Technical Implementation within Salesforce Shield Platform Encryption:
- Based on your business impact assessment, execute the mitigation steps you’ve decided on
- Encrypt the fields you want to encrypt in Platform Encryption
- Ensure that all existing data is encrypted by contacting Salesforce directly (open a case)
*Stay tuned – we will be adding tutorial videos for these steps soon (subscribe to our blog).
And now you’re done! …No, not really. It’s essential to continuously monitor and update your Shield Platform Encryption configuration to ensure regulatory compliance. Check out my other blog, “Salesforce Shield – 3 ways to ensure ongoing compliance” to learn more.
Demo: How Shield Security Cockpit simplifies the encryption process:
Demo Part II: Results & Business Impact Assessment