Salesforce Shield Implementation | Securing Your Sensitive Data

Secure Your Most Sensitive Data With Salesforce Shield

Salesforce is the most widely adopted CRM platform in the world. With this, comes the responsibility of transmitting and storing very sensitive data from the world’s top companies. Salesforce takes this very seriously and released Salesforce Shield back in 2015. Salesforce Shield introduces a suite of compliance and regulation-focused add-ons to the Salesforce platform to help their customers in heavily regulated industries rest easy knowing that an additional layer of security is protecting their data.

Salesforce Shield consists of three separate products that work together to secure your org’s data.

Platform Encryption

Shield Platform Encryption enables you to encrypt sensitive data at rest, and not just when transmitted over a network, so your company can confidently comply with privacy policies, regulatory requirements, and contractual obligations for handling private data. Salesforce gives you a huge array of fields that you can encrypt including standard fields, custom fields, activity fields, files, chat transcripts, email messages, and more. Salesforce also includes standard encryption for their industry products like Health Cloud and Financial Services Cloud based on industry requirements.

Standard Salesforce Encryption vs Shield Platform Encryption:

Getting Started with Platform Encryption

1. Identify your organization’s encryption requirements. For this, it’s important to note that the more fields you encrypt, the higher the risk is that your Salesforce org can be impacted by performance degradation. This is why we always advise our clients to conduct an audit of all data they capture in Salesforce to understand which data actually must be encrypted. Going through with broad strokes and encrypting everything will not be in any company’s best interest.
2. Confirm your security and permissions settings. A common misconception when clients are evaluating Shield is that it is required to restrict internal access to field-level data. In reality, Salesforce offers robust and best-in-class security customization down to the field level. We recommend controlling all internal access through Salesforce profiles, roles, and permission sets prior to implementing Shield.
3. Define your “Key-Keepers”. Note that platform encryption requires keys to access the data. Be careful about who you assign access to this, as well as how long the keys are active to ensure that your information stays secure.

Event Monitoring

Shield Event Monitoring captures information on what data is being accessed by all users. It captures the accessed data as well as the device and IP address of that device at the time of viewing. Salesforce makes this data accessible as a spreadsheet file that can be downloaded and viewed with any data visualization tool of the client’s choice. To learn more about our opinion on commonly used data visualization tools, read this post.

Getting Started with Event Monitoring

1. Choose your visualization tool. Event Monitoring provides you with a daily log of data that can be loaded into your visualization or BI tool to allow you to uncover insights that you won’t find just by loading up in Excel. Einstein Analytics is a popular and recommended tool for the job.
2. Get notified. Set up gates and alerts for system events like exporting records or running a report with a certain number of records. You can also set up time-based gates like notifying a system administrator if any single user exports over a set amount of records within a certain period of time.
3. Think about Splunk. Splunk is a widely-adopted solution to detect security threats, data loss, and monitor jobs.

Field Audit Trail

Shield Field Audit Trail functions similar to Time Machine for Mac or versions for Office. That is, users can go back in time to see the field history of all of their records. This is beneficial for a lot of reasons, but the most common use cases are to look back in time to see the history of fields within a contact, company, or case record to see the history of these fields. You can also choose how long you keep this information on file. Many of our clients are required by law to keep information on file for 6+ years, but your governance may vary based on your industry.

Getting Started with Field Audit Trail

1. Understand your organization’s retention requirements. Before you get started, you will want to understand how long you are required by a governing body to keep your field audit history on file. For many financial institutions, this can be 4-6 years. We’ve seen other organizations that require audit history up to 10 years which is the limit that Field Audit Trail imposes.
2. Monitor your audit history. Once Field Audit Trail is configured, you can create reports and dashboards to show how your organization is trending towards its data retention policy.

Rethink your data governance and security strategy

With Salesforce Shield being publicly available to all Salesforce customers, we would advise discussing your current data strategy and further informing you how our clients are addressing this. If you’re interested in learning more, please reach out to us to set up a security model discussion!