Skip to main content

Salesforce Shield Platform Encryption

This article provides a quick starter guide to implement Salesforce Shield Platform Encryption. Using this guide one will be able to roll-out Encryption Solution within a day or two, assuming one is able to understand the basic concepts of encryption.

Use Case

  • Encrypt Standard and Custom fields
  • Search on Encrypted Field
  • Encrypted field to be visible/Read/Write by selected Users
E.g. Let's say the requirement is to
  1. Encrypt Contact.ssn__c field and make it searchable.
  2. Encrypt Contact.Phone field

Solution Approach

  • Enable and Configure Shield Platform Encryption in Salesforce Environment
    • Generate Tenant Keys
    • Enable Deterministic Encryption Scheme
    • Other relevant configuration 
  • Enable Standard Field Encryption for Contact.Phone
    • Enable Probabilistic Encryption Scheme because this field is not searchable
  • Enable Custom Field Encryption for Contact.ssn__c
    • Enable Deterministic Encryption Scheme because this field is searchable
  • Enable FLS (Field Level Security) for encrypted fields

Recommendations

  • Do not go crazy on encryption large number of fields. Encryption inhibits few features and functionalities of the field.
  • Not all Standard fields can be Encrypted.
  • Identify features and functionality that would be lost due to encryption, thus making sure that doesn't breaks the Business Rule
  • Probabilistic Encryption Scheme: Provides full randomized encryption. In other words, these fields are not indexable or searchable.
  • Deterministic Encryption Scheme: Choose this option if field is searchable.
  • In order for an encrypted field to be searchable it should be encrypted through 'Data in Salesforce (Deterministic)' key.
  • Deterministic encryption only supports exact, case-sensitive matches. - Entire content of the Field is searched, but not the partial content. E.g. If Field = 'Mukesh Kumar', then, Search Field = '%kesh%ma%' is not searchable.
  • Based on above concept, only "equal" and "not equal to" keywords work with search fields.
  • Values are case-sensitive
  • Concatenated values, such as compound names, aren’t the same as the separate values.

 Follow below instructions in sequence to encrypt Contact.ssn__c and Contact.Phone.

Users -> Permission Sets

  • Create a Permission Set named  'Shield Encryption Key Management' and enable permission 'Manage Encryption Key'
  • Assign this permission set to the user/admin who would perform the Shield setup

Security -> Platform Encryption -> Key Management

Generate following Tenant Keys. This step is not mandatory but a good practice to enable another layer of Security to tenant key. 'Bring Your Own Key' option lets user bring their own key.
  • Generate Tenant Secret for 'Data in Salesforce'
  • Generate Tenant Secret for 'Search Index'
  • Generate Tenant Secret for 'Data in Salesforce (Deterministic)'
  • Export Key and store in a secured place.
Key looks something like this
CgMyMTgSELil9Tlb+7iUxwZ9dhjesfcaME5qYBSCLAPT8Eqcm7JSawg+h1C6cMleiEaKU0M6W0HBD99OyW08mkslfDtM1YcEnQ==

Security -> Platform Encryption -> Advance Settings

  • Enable Deterministic Encryption.
Note: To enable Deterministic Encryption Key must be provided or generated.

Security -> Platform Encryption -> Encryption Policy

  • Enable (Optional) Encrypt Files and Attachments
  • Enable (Optional) Encrypt Chatter
  • Enable (Optional) Encrypt Search Indexes

Enable Encryption of Standard Field

Security -> Platform Encryption -> Encryption Policy-> Encrypt Fields

Chose this option to Encrypt Standard Fields. Note that not all Standard fields can be encrypted.

Enable Encryption of Custom Field

For custom fields, encryption option is available on field edit screen.

Field Level Security / view encrypted field permission

  • Implement standard FLS as you would for any Field in the system as the first level of defence to protect the data.
  • Open the Field access to selected Users through FLS on Permission Set
Note: Permission "View Encrypted Fields" is not applicable anymore for Salesforce Summer 17 Release and beyond. In other words, FLS would control the visibility of the encrypted field. This change decouples Masking and Encryption.

Question: If 'View Encrypted Fields' permission is not used to grant permission to view Encrypted data, then how would System Admin check, if the field is Encrypted or Not.
Answer: Security -> Platform Encryption -> Encryption Statistics

Testing

How do you test if encryption is working?

Method - 1: Encrypted fields access behavior rolls into Salesforce Field Level Security (FLS). In other words,  Profile-Agent NOT having READ permission on Contact.ssn__c field will NOT be able to view the field. Profile-Supervisor having READ permission on Contact.ssn__c field will be able to view the field normally as they would.

Method - 2: Security -> Platform Encryption -> Encryption Statistics


Terminology

Probabilistic Encryption Scheme
Deterministic Encryption Scheme
FLS (Field Level Security)
HSM (Key Material Source)
Tenant Key
Server Key



Real Life Implementation Scenarios

Question: How can I show masked SSN in the format of ***-**-**** on the Contact Page? 
Answer: No you can't. SSN field is Shield Platform Encrypted and does not support masking.  Masking of field is supported in Classic Encryption but not in Shield Platform Encryption.

Question: How can I show last 4 digits SSN on the screen?
Answer:
  1. Create a Custom Field named SSNLast4__c [Text(4)]. 
  2. Create a trigger on Contact (before Insert, before Update) to update last 4 digits of SSN into SSNLast4 field. 
Caution:
  1. SSNLast4__c can not be a Formula field to copy last 4 digits of SSN, because none of the Text based functions in Formula field works for Shield Platform Encryption field.

Appendix - Important Relevant Links

Salesforce Security & Compliance Document Portal
What’s the Difference Between Classic Encryption and Shield Platform Encryption?
Which Standard Fields and Data Elements Can I Encrypt?




Labels:

Comments

Post a Comment

Popular posts from this blog

Product Evaluation - MuleSoft Anypoint Platform one day workshop

People, Business Executives, Enterprise Architects, Solution/System/Application Architects, Tech Leads, Developers,  who are looking for and want to know more about MuleSoft Integration offering which is compared to other key providers like Software AG WebMethods, Oracle SOA Suite, WSO2, Informatica, etc. Recently I attended a one day Workshop on MuleSoft Anypoint platform . The overall goal of this workshop was to evaluate MuleSoft integration technology offering for a mid-size integration environment which is currently supported through Software AG WebMethods and Oracle SOA Suite. So, if you are in process of evaluating MuleSoft Anypoint Platform for your integration needs, this write up will give you a good high level executive summary overview. MuleSoft Product Offering falls under following category of market offering: iPaaS (Integration Platform as a Service) Hybrid Integration On-Premise Integration Platform Internet of Things (#IOT) Integration Mule
20 comments
Read more

Salesforce - Scheduling a Schedule Job

Following are the different ways to schedule a Schedule Job through a script. Run the given code in Execute Anonymous window and then you could see in Setting -> 'Scheduled Job' that your Job is waiting to be executed. Run a Schedule Job NOW Method - 1 ScheduleSalesTargets c = new ScheduleSalesTargets(); c.execute(null); Method - 2  (This one I prefer, whenever I need to run a job) Check the current Time. If it is, let's say 10:39 AM, in your clock, then set the minute to 41. This will schedule the job for 10:41 AM just two minutes from now. But, if you set minute value to 38, then it will schedule to next hour 11:38 AM ScheduleSales c = new ScheduleSales(); String sch = '0 0 * * * ?'; System.schedule('Sales Job Name - 1',  '0 41 * * * ?', c); You could repeat following, so that job keeps running every 5 minutes while you debug and change the Apex code behind the scene. ScheduleSales c = new ScheduleSales(); String sch = &#
11 comments
Read more

Salesforce - Microsoft Power BI

This document outlines basic steps to install and configure Power BI with Salesforce. Usage / Highlights Retrieve User Data from Salesforce Retrieve Reports from Salesforce Read Only Access to Salesforce Connection to Salesforce is made on behalf of User. In other words, Login Session belongs to the User. Power BI utilises Salesforce OAuth security framework to connect to Salesforce Previous version of Power BI used to be Power Query, but not supported for TLS 1.1 or higher, thus could not connect to Salesforce after TLS 1.1 Security upgrade. Find details on Power Query Installation  here . Installation - Power BI Publisher for Excel Download Link  Download Power BI publisher for Excel Download for Office 64 Bit ( or 32 Bit) as needed. Close Microsoft Office Application Double click the installer file named "PowerBIpublisher_[64bit][en-us].msi" Installation - Power BI Desktop  Follow the guide as provide on this site -  https://powerbi.microsoft.com/e
14 comments
Read more