Salesforce has led the industry with trust and security on our cloud platform. A new feature for Summer ’15, Platform Encryption is now generally available* as part of Salesforce Shield. Use Platform Encryption so your company can confidently prove compliance with privacy policies, regulatory requirements, and contractual obligations for handling private data.
Platform Encryption helps address some concerns about protecting confidential information. It prevents sensitive data from residing in clear, decipherable form and allows you to manage your tenant secrets, which are used to derive the keys that protect your data. Salesforce is committed to high security standards and offers multiple data encryption options. Customers who want to adopt or extend their use of Salesforce can consider using Platform Encryption to comply with various standards.
*Note Platform Encryption and Salesforce Shield require additional licenses.
What you will learn:
Understand core concepts around the Salesforce Shield encryption as a service feature.
Hear how you can enable and manage Salesforce Shield for end users.
Learn to rotate and manage your key.
See use of Salesforce Shield with Search, Reports, and SOQL.
Gain API access to Platform Encryption features.
2. #forcewebinar
Safe Harbor
Safe harbor statement under the Private Securities Litigation Reform Act of 1995:
This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
4. #forcewebinar
Go Social!
Salesforce Developers
The video will be posted to YouTube & the webinar recap page (same URL as registration).
This webinar is being recorded!
@salesforcedevs / #forcewebinar
5. #forcewebinar
Have Questions?
▪ Don’t wait until the end to ask your question!
– Technical support will answer questions starting now.
▪ Respect Q&A etiquette
– Please don’t repeat questions. The support team is working their way down the queue.
▪ Stick around for live Q&A at the end
– Speakers will tackle more questions at the end, time allowing.
▪ Head to Developer Forums
– More questions? Visit developer.salesforce.com/forums
6. #forcewebinar
Agenda
▪ Overview of Platform Encryption
▪ Platform Encryption Architecture
▪ Setting Up Platform Encryption
▪ Platform Encryption and Development
7. #forcewebinar
Introducing: Salesforce Shield
▪ Existing platform security services (Infrastructure, Network and Application Services): Secure Data Centers, Backup and Disaster Recovery, HTTPS Encryption, Penetration Testing, Advanced Threat Detection, Identity & Single Sign On, Two Factor Authentication, User Roles & Permissions, Field & Row Level Security, Secure Firewalls, Real-time replication, Password Policies, Third Party Certifications, IP Login Restrictions, Customer Audits
▪ Salesforce Shield (new): Platform Encryption, Event Monitoring, Field Audit Trail
New services to help you build trusted apps fast
8. #forcewebinar
Encrypt Sensitive Data, Preserving Business Functionality
▪ Seamlessly protect data at rest
– Encrypt standard & custom fields, files & attachments
▪ Natively integrated with key Salesforce features
– E.g., Search, Chatter, Lookups work with encrypted data
▪ Customer managed keys
– Customer-driven encryption key lifecycle management
11. #forcewebinar
Platform Encryption is Not
▪ Sharing Model
▪ Object/Field Level Security
▪ Data Residency Solution
▪ Encryption for Other Non-Salesforce Data
▪ Protection against User Credential Compromise
trust.salesforce.com
12. #forcewebinar
Platform Encryption Features
▪ Privileged Users
▪ Encrypt data “at rest”
▪ Encrypt Fields and Files
▪ Granular Control of Encrypted Data
▪ Customer Key Lifecycle Ownership
▪ Configuration and maintenance are point and click
▪ Support for API and coding on the platform
18. #forcewebinar
Encryption Key
▪ Master Secret (Salesforce)
– Rotated each release
– Stored in the Key Derivation Servers
▪ Tenant Secret (Customer)
– Can be rotated once per day in production
– Stored encrypted in the database
▪ Data Encryption Key
– Derived from the master and tenant secrets
– Held in the application server cache only, never persisted
19. #forcewebinar
Features and Support
▪ GA Summer 15
▪ Feature License Required
▪ Support for
– Global Search
– Lookups
– Workflow
– Approval Processes
– Validation Rules
20. #forcewebinar
Agenda
▪ Overview of Platform Encryption
▪ Platform Encryption Architecture
▪ Setting Up Platform Encryption
▪ Platform Encryption and Development
21. #forcewebinar
Architecture Overview
Encryption Service
• Standards based encryption built natively into the Salesforce Platform
• AES-256 in CBC mode with a random IV for each encrypted value
• Data encryption and decryption actions are transparent
• Layers seamlessly with other Salesforce security features
Hardware Security Modules
• Hardware Security Module based key management infrastructure
• FIPS 140-2 compliant hardware
• Master HSM
• Key Derivation Servers with embedded HSM card
Key Derivation
• Multi-tenant, org-specific key management
• Customer driven key lifecycle management
• Uses PBKDF2-HMAC with SHA-256
• Derives 256-bit keys that are never persisted in Salesforce
22. #forcewebinar
Encryption Architecture & Process Overview
1. Data is sent to the application server.
2. The application server checks whether the Data Encryption Key exists in memory.
3. a) If the data encryption key is found in the cache, the application server retrieves it.
b) If it is not found, the application server reads the organization's encrypted active tenant secret from the database, requests a key derived from it (and the master secret) from the Key Derivation Server, and caches the result.
4. The encryption service encrypts the data on the application server.
5. The encrypted data is stored.
28. #forcewebinar
Some Considerations
▪ Limitations
– Sharing Rules
– Person Accounts (Roadmap)
– SOQL and List Filters (encrypted fields cannot be used in WHERE or ORDER BY clauses)
– Formula Fields (formulas cannot reference encrypted fields)
– Communities and Portals
– Other Features
▪ Integrations that filter, sort or compute on encrypted fields could be affected
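The Go program below is an added illustration, not Salesforce code and not the derivation Salesforce actually performs. It models the key hierarchy on the Encryption Key slide, the derive-then-cache flow on the Architecture and Process slides (PBKDF2-HMAC-SHA256 into a 256-bit key, AES-256-CBC with a random IV), and the reason behind the SOQL and list filter limitation above. Assumptions: the HSM and Key Derivation Server are collapsed into one function; the tenant secret is the PBKDF2 password and the master secret the salt, with 10000 iterations; rotated-out tenant-secret versions stay available so values encrypted before a rotation remain readable; the secrets and the field value are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// DeriveDEK stands in for the Key Derivation Server: PBKDF2-HMAC-SHA256 (RFC 8018), computing
// only block T_1 because the key is exactly 32 bytes. ASSUMPTION: using the tenant secret as
// password, the master secret as salt and 10000 iterations are this example's choices.
func DeriveDEK(master, tenant []byte) []byte {
	prf := hmac.New(sha256.New, tenant)
	prf.Write(master)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): block index
	u := prf.Sum(nil)            // U_1
	t := append([]byte(nil), u...)
	for n := 1; n < 10000; n++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil) // U_n = PRF(U_{n-1}); T_1 = U_1 xor ... xor U_c
		for k := range t {
			t[k] ^= u[k]
		}
	}
	return t
}

// Encrypt is AES-256-CBC with a fresh random IV and PKCS#7 padding; output is IV||ciphertext.
// Like the slide it covers confidentiality only: CBC by itself provides no integrity check.
func Encrypt(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte(nil), pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// Decrypt reverses Encrypt and rejects malformed lengths or padding.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("bad ciphertext length %d", len(blob))
	}
	pt := make([]byte, len(blob)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, blob[:aes.BlockSize]).CryptBlocks(pt, blob[aes.BlockSize:])
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, fmt.Errorf("bad padding byte %d", pad)
	}
	return pt[:len(pt)-pad], nil
}

// DEKCache is the application server's in-memory key cache from the process slide: keys are looked
// up by tenant-secret version and derived only on a miss. ASSUMPTION: old versions stay in tenants.
type DEKCache struct {
	master  []byte
	tenants map[int][]byte // tenant secret by version (the org's rotation history)
	keys    map[int][]byte // derived keys, held in memory only and never persisted
}

func (c *DEKCache) Key(version int) ([]byte, error) {
	if k, ok := c.keys[version]; ok {
		return k, nil // cache hit: no round trip to the KDS
	}
	ts, ok := c.tenants[version]
	if !ok {
		return nil, fmt.Errorf("no tenant secret version %d", version)
	}
	c.keys[version] = DeriveDEK(c.master, ts)
	return c.keys[version], nil
}

func main() {
	// Constructed placeholder secrets and field value, not real ones.
	c := &DEKCache{master: []byte("master-secret"), tenants: map[int][]byte{1: []byte("tenant-v1")}, keys: map[int][]byte{}}
	k1, _ := c.Key(1)
	a, _ := Encrypt(k1, []byte("123-45-6789"))
	b, _ := Encrypt(k1, []byte("123-45-6789"))
	// Random IV: equal values never share ciphertext, so WHERE Field = 'x' cannot run on stored bytes.
	fmt.Println("same value, different ciphertext:", !bytes.Equal(a, b))
	c.tenants[2] = []byte("tenant-v2") // rotation adds version 2; version 1 stays readable
	k2, _ := c.Key(2)
	fmt.Printf("v2 key differs from v1: %v\n", !bytes.Equal(k1, k2))
}
```

Two things the slides state but do not spell out follow from running it: because every encryption draws a new IV, two rows holding the same value carry different stored bytes, which is exactly why a database-side equality filter or sort on an encrypted field is impossible; and because rotation only adds a tenant-secret version, a value written under version 1 still decrypts after version 2 becomes active, so rotation by itself does not re-encrypt existing data.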
29. #forcewebinar
Roadmap (Safe Harbor)
▪ Support additional standard/custom fields and other content encryption (Person Account std fields, Case Subject, Description and Case Comments, Text Area custom field type etc.)
▪ Make additional features encryption-aware and preserve more functionality (Search via S1 mobile devices, Communities etc.)
▪ Build additional key management tooling (Customer supplied keys, Key Brokering etc.)