Your organization has just acquired a great solution to encrypt the data stored within Salesforce - Shield Platform Encryption. Okay, so now what?
Now is the time to partner with your Salesforce Admin/Developer and help them understand what’s necessary to be secured from a regulatory/compliance perspective. But before you start, it's important to know where they're coming from. Their top priorities are:
- The Salesforce user experience: All areas of your business might touch the Salesforce platform; there’s a lot of pressure to keep things moving smoothly for everyone!
- Ease of encryption maintenance: Salesforce is an ever-changing platform; how can they be sure to keep up with the changes?
- Understanding your compliance reporting needs: What do you need to see to know that your requirements have been properly enforced?
Admins/Developers may have concerns that encryption is overly complicated or could slow down the business. Therefore, it’s helpful to illustrate the importance of encryption from a business impact perspective by explaining:
- The risks, fines and penalties that could be associated with improperly secured data
- Recent examples of how insecure data has destroyed companies’ financials and brand reputation
- Regulatory requirements that drive these conversations from InfoSec
Once you're both on the same page, how do you make sure you’re secure AND keeping the system moving at the pace of business?
Data classification
Determine what type of data is being stored, where it’s located and what needs to be encrypted with a Data Classification exercise. Work with the Salesforce Admin/Developer to review your environment and identify which fields should be encrypted based on the data stored, your industry, and other internal or regulatory requirements. Bucket your data into different categories, from highly sensitive customer data to data that may be freely disclosed to the public. For example, you could classify by:
- Restricted data (e.g. social security numbers)
- Private data (e.g. sales procedures, performance reviews)
- Public data (e.g. event information)
Once you’ve categorized the data, select the fields you wish to encrypt to help guide the rest of the Platform Encryption implementation.
Tips for the InfoSec team:
- Tip #1: Be patient. Some things may take longer than expected. For example, without the right tools, obtaining the list of fields in a given org can be a complicated process and take the Salesforce admin/developer a significant amount of time.
- Tip #2: Don’t take field names for granted. Names and data types don't always tell you everything. You may overlook a field that holds sensitive information in its text even though its data type doesn't suggest it. Conversely, a field may be called "SSN" but when you actually look at what's in there, it could be blank or hold something completely different. If your admin doesn’t know how, check out Field Trip – this app allows an admin to run a job that analyzes fields and finds how often each one is populated, so you don’t spend too much time analyzing something that’s not even being used.
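The check behind Tip #2 can be sketched over an exported sample of records. This is an added example, not part of Field Trip or any Salesforce tool; the field names, records and the SSN-shaped pattern are constructed assumptions.

```python
import re

# Constructed sample export; field names and values are hypothetical.
RECORDS = [
    {"SSN__c": "", "Notes__c": "Customer SSN 123-45-6789 on file", "Event__c": "Webinar"},
    {"SSN__c": "", "Notes__c": "Call back Tuesday", "Event__c": "Trade show"},
    {"SSN__c": "n/a", "Notes__c": "", "Event__c": "Webinar"},
    {"SSN__c": "", "Notes__c": "ssn: 987-65-4320", "Event__c": ""},
]

# Assumed content pattern for "restricted" data: a US SSN-shaped value.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def profile_fields(records, pattern=SSN_PATTERN):
    """Per field: how often it is populated and how often its content
    matches the sensitive pattern, regardless of the field's name."""
    report = {}
    for name in sorted({n for rec in records for n in rec}):
        values = [(rec.get(name) or "").strip() for rec in records]
        populated = [v for v in values if v]
        report[name] = {
            "populated_pct": round(100 * len(populated) / len(records)) if records else 0,
            "pattern_hits": sum(1 for v in populated if pattern.search(v)),
        }
    return report


def review_candidates(report):
    """Fields whose content looks restricted, whatever they are called."""
    return [n for n, s in report.items() if s["pattern_hits"] > 0]


def misleading_names(report, keyword="ssn"):
    """Fields whose name suggests restricted data but whose content does not."""
    return [n for n, s in report.items()
            if keyword in n.lower() and s["pattern_hits"] == 0]


if __name__ == "__main__":
    rep = profile_fields(RECORDS)
    for name, stats in rep.items():
        print(name, stats)
    print("review for encryption:", review_candidates(rep))
    print("name does not match content:", misleading_names(rep))
```

On this sample the free-text notes field is the one that carries SSN-shaped values, while the field named for them is almost empty.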
Business impact assessment
Next, your Salesforce Admin/Development team will need to identify and evaluate the potential effects encrypting certain data will have on the business by performing a Business Impact Assessment.
First, they’ll evaluate all the fields you’d like to encrypt at rest and understand how they’re used in business processes and org configuration, to determine what might happen if you were to encrypt the data with Salesforce Shield Platform Encryption. They’ll need to check all of the formula fields, reports, list views and Apex code to find any possible breakage. These rules change from time to time as Salesforce is working hard to reduce the limitations of Platform Encryption, so be sure to consult the latest Platform Encryption Implementation Guide for the current rule set. If this sounds complex and time-consuming – it definitely can be!
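A first pass at that inventory is a reference scan over retrieved metadata. The following is an added example, not Salesforce's or the vendor's tooling; the file paths and contents are constructed, and it only lists where a candidate field is referenced, leaving the decision about breakage to the current Implementation Guide.

```python
import re

# Constructed metadata snippets; paths and contents are hypothetical.
METADATA = {
    "objects/Contact/fields/SSN_Last4__c.field-meta.xml":
        "<CustomField>\n  <formula>RIGHT(SSN__c, 4)</formula>\n</CustomField>",
    "objects/Contact/fields/Region__c.field-meta.xml":
        "<CustomField>\n  <formula>Old_SSN__c_Region</formula>\n</CustomField>",
    "classes/ContactLookup.cls":
        "public class ContactLookup {\n"
        "  List<Contact> c = [SELECT Id FROM Contact\n"
        "                     WHERE SSN__c = :ssn];\n"
        "}",
    "reports/Sales/Pipeline.report-meta.xml":
        "<Report>\n  <columns><field>Contact.Name</field></columns>\n</Report>",
}

# Metadata kind by file suffix (assumed source-format naming).
KINDS = {".field-meta.xml": "formula/field", ".cls": "apex",
         ".report-meta.xml": "report"}


def find_references(metadata, candidates):
    """Return (field, kind, path, line_number) for every line that
    references a field selected for encryption."""
    hits = []
    for path, text in sorted(metadata.items()):
        kind = next((k for suf, k in KINDS.items() if path.endswith(suf)), "other")
        for field in candidates:
            # Identifier boundaries: SSN__c must not match Old_SSN__c_Region.
            pat = re.compile(
                r"(?<![A-Za-z0-9_])" + re.escape(field) + r"(?![A-Za-z0-9_])",
                re.IGNORECASE,  # API names are not case-sensitive
            )
            for lineno, line in enumerate(text.splitlines(), 1):
                if pat.search(line):
                    hits.append((field, kind, path, lineno))
    return hits


if __name__ == "__main__":
    for hit in find_references(METADATA, ["SSN__c"]):
        print(hit)
```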
Next, discuss mitigation steps and determine whether security concerns outweigh business impact or vice versa. For example, you may decide certain reports are needed, code needs to be rewritten and a formula field is essential to keep. Your admin might use our Platform Encryption Implementation checklist to better understand which fields you can encrypt and how to avoid unexpected business impact.
As you’ll see from the checklist, Salesforce has a large (ever-evolving) set of rules that makes this process very time consuming. After conducting many implementations and ongoing PE maintenance for clients, we decided to build a solution – Own Secure. Our app simplifies the data classification and business impact analysis process, making understanding the impacts of encrypting Salesforce data a piece of cake (see demo videos below)!
Tip #3: Don't rush. Deciding whether or not to encrypt a certain field can be a big decision. Give your Salesforce experts enough time so they don’t overlook a negative downstream impact to the business.
Technical implementation within Salesforce Shield Platform Encryption
- Based on your business impact assessment, execute the mitigation steps you’ve decided on
- Encrypt the fields you want to encrypt in Platform Encryption
- Ensure that all existing data is encrypted by contacting Salesforce directly (open a case)
- TEST, TEST, TEST before deploying to production (as you would with any major changes, right?)
And you’re done… for now. As your specific implementation of Salesforce evolves (and so does the Salesforce platform itself), make sure you continuously monitor and update your Shield Platform Encryption configuration to ensure regulatory compliance.