- Salesforce Shield is an important part of risk mitigation, but it’s not a silver bullet. Understanding its functionalities is the first step toward protecting your organization’s most sensitive data.
- Salesforce Shield offers four key elements to prevent data breaches and loss: Platform Encryption, Field Audit Trail, Event Monitoring, and Einstein Data Detect.
- A key success measure is to ensure all relevant parties are involved, not just the Salesforce team members.
Salesforce is way more than just a customer relationship management tool: it’s a robust platform that has seen substantial growth in the past 20+ years. More growth means more users, and having more users means more sensitive information — all of which results in an increased risk surface.
Salesforce Shield is one of the most important tools for mitigating risk in Salesforce. But many companies who purchase Salesforce Shield don’t implement it properly due to its complexities. Using each of Shield’s features is your first step toward a comprehensive security strategy.
We will show you step-by-step how to configure Shield correctly and efficiently. Read on for the four key elements of Salesforce Shield and how to implement them. And to learn more, be sure to check out this webinar Own recently hosted.
1. Platform Encryption: encrypt sensitive data at rest
The first element of Salesforce Shield is platform encryption. One of Own Secure’s core features is simplifying and accelerating the Shield Platform Encryption process by 80% through field classification, business impact analysis, and easy encryption.
The first step to encrypting your data is identifying what data you have. Work with InfoSec and compliance to understand your security posture and internal or regulatory requirements. This will help inform how fields should be categorized.
Own Secure allows users to quickly scan the organization’s data fields, surface possible high-risk candidates, and assign classification levels to those fields. For example, you could classify by:
- Restricted data (i.e., social security numbers)
- Private data (i.e., sales procedures, performance reviews)
- Public data (i.e., event information)
Once you’ve created a wishlist, you’re ready to run your business impact analysis. Own’s Platform Encryption Analyzer allows you to instantly see which fields will cause downstream business impacts if you encrypt the field, before you encrypt them. This tool runs an analysis report of each field you select and determines one of four categories:
- Ready to be encrypted. No further action is needed, and you can start the job to encrypt the field.
- Blocked by configuration. For these fields, encryption will cause you to lose some functionality. (For example, a field used in sort criteria will lose that ability if you encrypt it.) Be sure to tell any affected users that they will lose this function.
- Needs remediation work. Encryption for these fields may be blocked in a SOQL query or apex clause. After completing the needed remediation work, you will run the business impact analysis again to confirm that the field is ready to be encrypted.
- Blocked by Platform. Not supported by Platform Encryption.
One additional step: While running the business impact analysis report, ensure your platform encryption is set up correctly. Using system permissions, give the appropriate user the ability to create a tenant secret (the Salesforce term for an encryption key) via the “Manage Encryption Keys” permission.
You can either encrypt the key within Salesforce or bring your own key. Salesforce allows you to use either a traditional probabilistic encryption method or a deterministic method, which offers slightly more flexibility in which fields can be encrypted without losing protection.
“What I find talking to customers is that … they don’t really know where to start. Where do you start with your encryption? Which field should be encrypted? … Helping customers get through those first few stages and understand what they’re going to encrypt and the impact of encrypting it: That’s where we can help.”
– John Whitehead, Lead Solution Engineer, Own
2. Field history tracking with Field Audit Trail
The next element of Salesforce Shield is Field Audit Trail. An extension of standard field history tracking, Field Audit Trail lets you track fields of up to 60 objects and keep that data for up to 10 years.
Using the Own Retention Policy Manager, you can implement field tracking object by object, particularly for high-risk fields. By tracking changes to each field in the back end, you can see who made changes to the fields and use that information to understand any risks and vulnerabilities.
Compliance standards for your company may dictate a different timeframe for data retention than the 10 years offered out of the box and the 18-month timeline for archiving front-end data.
You should work with your risk and compliance team to assess policies for data retention and archiving.
3. Robust Event Monitoring
Once you’ve purchased Salesforce Shield, event monitoring is already taking place in the background of your organization. But analyzing those results gives you the greatest chance of organizational impact.
The prefabricated Event Monitoring Analytics app in Einstein Analytics pulls data from your organization’s Salesforce event logs and provides dashboards for both admins and users. Using these automatically created dashboards, you can quickly drill into your data and identify suspicious behavior, poor page performance, and poor user adoption.
At a glance, the reports dashboard lets you see who is doing what, and where the reports are being downloaded the most. This is critical data to support forensics efforts when investigating suspicious behavior and determining who is accessing and exporting information from Salesforce.
For example, the “Report Trends By User” chart helps you see how many reports different users downloaded over the past 30 days. It lets you quickly detect patterns, such as a user repeatedly downloading high-net-worth contact data.
In addition to forensics data, the Event Monitoring Analytics app also provides a Report Performance dashboard. As your organization and its data grow, the queries powering reports continue to take longer to process. For managers who regularly review reports, slow performance can be detrimental to productivity.
One quick way to combat these slowdowns is to enable notifications. Set your report loading time alert, and you’ll be notified when the load time exceeds the threshold set. When you receive the alert, you can log in and begin the analysis.
*Important Note: Event Monitoring can be overwhelming with the nearly-endless amount of activity it can provide. This is why the data classification step is so important. Classifying your data will help you focus on monitoring the more important fields.
4. High-risk pattern scans with Einstein Data Detect
The final pillar of Salesforce Shield is also its newest functionality. Einstein Data Detect combs through your data to find instances of five predefined patterns: credit card, email, URL, IP address, and Social Security number.
Through this functionality, you can create policies to scan certain objects for those high-risk patterns. Your data classifications for platform encryption can also help you choose which fields to scan based on sensitivity levels and classification levels.
After running the scan, you can quickly assess patterns of high-risk data within your organization. By partnering Einstein Data Detect with Own’s Platform Encryption Analyzer, you can carefully target your field encryption approach within Salesforce.
Getting started with Salesforce Shield
What sets apart successful Salesforce Shield users from less-successful users? Senior Solution Engineer Varun Prabhakar says that it’s involvement across teams from the start. “When you embark on any Salesforce initiative, traditionally it’s just the Salesforce team that’s spearheading the initiative,” he says. “But with Shield, you need to also involve your InfoSec team [and business users].”
New Salesforce Shield users may not be sure where to start, whether they’re on a trial basis or have licensed the tool. Possible questions that come up might include: What fields should I encrypt? What is the impact of encrypting those fields? More urgently, Am I going to break something?
But that’s where tools like Secure can help. Through assistance with field classifications and sensitivity levels, Salesforce administrators can take the first steps toward holistic risk mitigation with Salesforce Shield.