Shield Platform Encryption can help you keep the information in your Salesforce org safe and secure. We can encrypt all kinds of data. Phone numbers, dates, names, text files, images, you name it. If it’s recorded digitally, we can encrypt it. Shield Platform Encryption encrypts data at rest, meaning that we encrypt it when it’s being stored within Salesforce.
Generally in Salesforce, we use field-level security (FLS) and authorization techniques to secure data, but to go the extra mile, Shield Platform Encryption can be used as well.
Salesforce offers you two ways to encrypt data. Classic encryption is included in the base price of your Salesforce license. With classic encryption, you can protect a special type of custom text field that you create for data you want to encrypt. The custom field is protected with industry-standard 128-bit Advanced Encryption Standard (AES) keys.
The second option, Shield Platform Encryption, requires a license; contact Salesforce to get one. Shield Platform Encryption is automatically available in Developer Edition orgs created on or after Summer 2015.
To enable Shield Platform Encryption, you need the Customize Application and Manage Encryption Keys permissions. After you enable encryption, you can give others permission to complete administration tasks on the Encryption Policy page. However, you likely don’t want everyone managing encryption keys. Assign permissions with the following scenarios in mind.
For example, as an admin, assign yourself the View Setup and Configuration permission. This lets you enable encryption features for fields, files, attachments, and apps.
When you have your license and permissions set up, you can enable Shield Platform Encryption on your orgs. You then create org-specific tenant secrets and customize your encryption settings for each org.
Before you can start encrypting patient data, you’ll need to create a tenant secret.
Generating a new tenant secret and archiving the old one is called key rotation, because your new tenant secret generates new encryption keys. Your organization’s regulatory bodies and security policies often recommend that you rotate your tenant secrets (and keys) at specific intervals.
You can update your tenant secret in just a few steps.
The Status column in the Key Management view identifies tenant secrets as either Active, Archived, or Destroyed.
Archived tenant secrets can’t encrypt new data, but the app still uses these archived keys to decrypt the data that was previously encrypted with them.
Now that you have an active tenant secret, you can start encrypting data, which might include standard fields, like Description and Email, or custom Text fields.
The automatic validation process checks all your org settings and sends you an email. If any settings block or prevent encryption, you receive instructions for fixing them.
Note: encryption doesn’t take the place of field-level access controls.
You’ve done your homework and know how to help Doc with file and attachment encryption.
For encryption policy tasks, admins also need the Manage Encryption Keys permission.
Use deterministic encryption when you want to filter encrypted data. Apply this scheme to specific fields from the Encryption Policy page.
Optionally, you can disable Salesforce’s key derivation process and use your uploaded key material directly as the final data encryption key.
You can also encrypt custom fields in installed managed packages.
Encryption can also include field history and feed tracking changes in the data encrypted during the synchronization process.
To identify the most likely threats to affect your organization, walk through a formal threat modeling exercise. Use your findings to create a data classification scheme, which can help you decide what data to encrypt.
If your tenant secrets are destroyed, reimport them to access your data. You are solely responsible for making sure that your data and tenant secrets are backed up and stored in a safe place. Salesforce cannot help you with deleted, destroyed, or misplaced tenant secrets.
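As an added illustration (my own code, not Salesforce’s and not the real Shield implementation, which uses AES), here is a small Python model of the lifecycle described above: a tenant secret from which a data encryption key is derived, key rotation that archives the previous secret, archived secrets that still decrypt while destroyed ones do not, and the deterministic scheme whose equal ciphertexts are what make filtering possible. The class and method names are assumptions, and the keystream is a toy HMAC construction for demonstration only.

```python
# Constructed model (not Salesforce's code) of tenant secrets, key derivation, rotation, and schemes.
import hashlib
import hmac
import os

ACTIVE, ARCHIVED, DESTROYED = "Active", "Archived", "Destroyed"  # statuses from the Key Management view

def _keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Toy counter-mode keystream built from HMAC-SHA256; illustration only, not AES."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, iv + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

class TenantSecretRing:
    def __init__(self):
        self.secrets = {}   # version -> (status, tenant secret bytes or None once destroyed)
        self.active = None

    def rotate(self) -> int:
        """Key rotation: generate a new Active tenant secret and archive the previous one."""
        if self.active is not None:
            self.secrets[self.active] = (ARCHIVED, self.secrets[self.active][1])
        self.active = len(self.secrets) + 1
        self.secrets[self.active] = (ACTIVE, os.urandom(32))
        return self.active

    def destroy(self, version: int) -> None:
        self.secrets[version] = (DESTROYED, None)

    def data_key(self, version: int) -> bytes:
        """Derive the data encryption key from a tenant secret; a Destroyed secret cannot."""
        status, secret = self.secrets[version]
        if status == DESTROYED:
            raise PermissionError(f"tenant secret v{version} destroyed; reimport it to decrypt")
        return hmac.new(secret, b"data-encryption-key", hashlib.sha256).digest()

    def encrypt(self, plaintext: bytes, deterministic: bool = False) -> bytes:
        """Only the Active secret encrypts. Deterministic: IV derived from the plaintext, so equal
        values give equal ciphertexts (filterable, but equality leaks). Probabilistic: random IV."""
        key = self.data_key(self.active)
        iv = (hmac.new(key, plaintext, hashlib.sha256).digest()[:16]
              if deterministic else os.urandom(16))
        return bytes([self.active]) + iv + _keystream_xor(key, iv, plaintext)

    def decrypt(self, blob: bytes) -> bytes:
        """Archived secrets still decrypt what they encrypted; Destroyed ones raise."""
        version, iv, body = blob[0], blob[1:17], blob[17:]
        return _keystream_xor(self.data_key(version), iv, body)
```

The version byte stored with each ciphertext is what lets the model pick the archived key after a rotation; destroying that version is irreversible here, just as the text says it is for real tenant secrets.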
Shield Platform Encryption is not a user authentication or authorization tool. To control which users can see which data, use out-of-the-box tools such as field-level security settings, page layout settings, and sharing rules, rather than Shield Platform Encryption.
Existing field and file data are not automatically encrypted when you turn on Shield Platform Encryption. To encrypt existing field data, update the records associated with the field data. This action triggers encryption for these records so that your existing data is encrypted at rest. To encrypt existing files or get help updating other encrypted data, contact Salesforce. We can encrypt existing file data in the background to ensure data alignment with the latest encryption policy and key material.
When you contact Salesforce support to request the background encryption service, allow at least a week before you need the background encryption completed. The time to complete the process varies based on the volume of data involved. It could take several days.
Under certain conditions, encrypting a field can impose limits on the values that you store in that field.
Salesforce features work as expected when you work with data that’s encrypted with Shield Platform Encryption.
Thanks for reading.