Since the Summer '18 release, Salesforce has provided the option to encrypt certain fields with deterministic encryption scheme. But before we dive into the difference between probabilistic and deterministic encryption, let's make sure we're all on the same page.
What’s data encryption?
Data encryption is the process of taking information in readable form and translating it to a non-readable form. It converts data into a secret code and is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it.
Unencrypted data is called plain text; encrypted data is referred to as cipher text. When data is encrypted, each bit of data is turned into a fully random cipher text string. Encryption will not generally impact users who are authorized to view the data.
So how does this relate to Salesforce?
Salesforce Shield Platform Encryption
Platform Encryption is part of Salesforce Shield–Salesforce’s premium security offering. Platform Encryption builds on the data encryption options that Salesforce offers out of the box and encrypts the data at rest. Shield Platform Encryption is available as an add-on subscription in Enterprise, Performance, and Unlimited Editions and requires purchasing Salesforce Shield.
Data stored in many standard and custom fields and in files and attachments can be encrypted using an advanced Hardware Security Module-based (HSM) key derivation system, so it is protected even when other lines of defense have been compromised.
Why use Salesforce Shield Platform Encryption?
Salesforce Shield Platform Encryption centers around the idea of strengthening your data’s security. Shield Platform Encryption gives your data a whole new layer of security while preserving critical platform functionality. It enables you to encrypt sensitive data at rest, and not just when transmitted over a network, so your company can confidently comply with privacy policies, regulatory requirements, and contractual obligations for handling private data, including PII, ePHI, PCI, and more.
By default, Salesforce encrypts data using a probabilistic encryption scheme. Probabilistic encryption is the use of randomness in an encryption algorithm so that when encrypting the same text several times, it will, in general, yield different cipher texts.
Probabilistic encryption is so secure that it can often cause issues when logic is executed in the database or when encrypted values are compared to a string or to each other. When these types of configuration changes are made within a Salesforce org, filtering isn’t possible because the data has been turned into random, patternless strings.
For example, you might run a SOQL query in custom Apex code against the Contact object, where LastName = ‘Jones’. If the LastName field is encrypted with probabilistic encryption, you can’t run the query because each instance of the value ‘Jones’ represents a different text string.
It is recommended to use probabilistic encryption whenever data in a field will not need to be filtered on.
Deterministic (filter-preserving) encryption
Deterministic encryption addresses the issue with probabilistic encryption by securing the Salesforce org while retaining the benefits of filtering data.
To be able to use filters when data is encrypted, we have to allow some patterns in our data. Deterministic encryption uses a static initialization vector (IV) so that encrypted data can be matched to a particular field value. The system can’t read a piece of data that’s encrypted, but it does know how to retrieve the cipher text that stands for that piece of data because of the static IV. The IV is unique for a given field in a given org and can only be decrypted with your org-specific encryption key.
The Salesforce Shield Platform Encryption at rest approach is to expose just enough determinism to enable users to filter on encrypted data while limiting it enough to ensure that a given plain text value does not universally result in the same cipher text value across all fields, objects, or orgs. In this way, deterministic encryption only decreases encryption strength as minimally necessary to allow for filtering.
Deterministic encryption allows for the user to specify if case sensitivity on record values needs to be accounted for two types of deterministic encryption:
- Case-sensitive: Allows for the ability to filter data on a case-sensitive basis. "ACME" and "Acme" will be considered two unique values and the encryption scheme would use different cipher text strings to identify these two records.
- Case-insensitive: Allows for the ability to filter data but does not factor the case of the value. ‘ACME’ and ‘Acme’ would be considered the same value and the encryption scheme would use the same cipher text value for both (assuming the record is in the same field/object/org).
So there you have it a quick overview of the different types of encryption Salesforce Shield Platform Encryption has to offer.
Interested in learning more? Request a free Guided Risk Assessment for Salesforce today, or schedule a demo below.