Overview of Salesforce Platform Encryption solution with specific discussion of developer use of the feature. Overview of the Salesforce Shield compliance toolset features with special focus on encrypting data at rest, natively on Salesforce App Cloud, and strategies developers can use to make the most of this feature.
2. Safe Harbor
Safe harbor statement under the Private Securities Litigation Reform Act of 1995:
This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize
or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by
the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any
projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding
strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or
technology developments and customer contracts or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality
for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and
rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with
completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our
ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment,
our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on
potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent
fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important
disclosures are available on the SEC Filings section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and
may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are
currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
4. Agenda
▪ Overview of Platform Encryption
▪ Features and Architecture
▪ Managing Platform Encryption
▪ Developing in a Platform Encryption Environment
5. NEW
Quick Setup with Clicks, Not Code
Designed for anyone to build and deploy
Native in Salesforce
Integrated directly, everything works
Build Compliance into your Apps
Encrypt, monitor and audit everything
Encryption - Event Monitoring - Field Audit Trail
Salesforce Shield
A new level of trust and compliance for
Salesforce
Introducing
6. Salesforce Shield
New services to help you build trusted apps fast
EncryptAuditMonitor
Platform EncryptionField Audit TrailEvent Monitoring
7. Monitor User Activity
Know who is accessing data from where
Optimize Performance
Troubleshoot application performance to
improve end user experience
Track Application Usage
Understand application usage to increase
adoption
Gain Visibility Into User Actions with Event Monitoring
8. Retain Field History for Up to 10 Years with Field Audit Trail
Establish Data Retention Policies
Know the state and value of data at any time
Access Retained Data at Scale
Normalize on big data back-end for performance
Comply with Industry Regulations
Secure data archive with the highest trust standards
9. Encrypt Sensitive Data While Preserving Business Functionality
Seamlessly protect data at rest
Encrypt standard & custom fields, files & attachments
Natively integrated with key Salesforce features
E.g. Search, Chatter, Lookups work with encrypted data
Customer managed keys
Customer-driven encryption key lifecycle management
10. Platform Encryption Use Cases
▪ Regulatory Compliance
▪ Unauthorized Access to Database
▪ Contractual Obligations
11. Platform Encryption is Not
▪ Sharing Model
▪ Object/Field Level Security
▪ Data Residency Solution
▪ Encryption for Other Non-Salesforce Data
▪ Protection against Social Engineering
trust.salesforce.com
12. Encryption
Authentication & SSO
Two factor Auth
Profiles/Permissions
Sharing & FLS
Setup Audit Trail
Field History Tracking
Event Monitoring
Identity
Encryption
13. Platform Encryption Is Unique
▪ Quickly Seamlessly interact and protect sensitive data
▪ Setup takes minutes - No Software! No Hardware!
▪ Makes the App Cloud ‘encryption aware’ (metadata driven)
▪ Salesforce1 Mobile-ready, natively
14. Agenda
▪ Overview of Platform Encryption
▪ Features and Architecture
▪ Managing Platform Encryption
▪ Developing in a Platform Encryption Environment
16. Encrypt at Rest: Fields
Name:
Darla Hood
Name:
aI90xi60csICOdk
Encryption
Service
Darla Hood
***********
17. Encrypt at Rest: Files
Lorem
ipsum
dolor
Encryption
Service
Xvier0c
9ghcru
cjf4x21f
fdqbBLorem
ipsum
dolor
18. Granular Control: Fields
▪ Individual Custom Fields
– Text
– Text Area
– Text Area (Long)
– Email
– Phone
– URL
– Selected Standard Fields
▪ Enabled with flag
19. Granular Control: Files
▪ Files enabled separately
– Attachments
– Chatter
– Files
– Libraries
▪ All or none
20. Encryption Key
▪ Master Secret (Salesforce)
– Rotated each release
– Stored in the Key Derivation Servers
▪ Tenant Secret (Customer)
– Can be Rotated once per day in Prod
– Stored encrypted in DB
▪ Data Encryption Key
– Derived from Secrets
– Stored in cache, never persisted
21. Features and Support
▪ Feature License Required
▪ Available to evaluate in Developer Edition orgs
▪ Support for
– Search
– Workflow Rules
– Validation Rules
– Apex and VF Pages
– And A LOT MORE...
22. Architecture & Encryption Process Flow
Customer driven key lifecycle
management
FIPS140-2 Hardware Security
Module based key management
infrastructure
AES encryption using 256bit keys
in CBC mode and random IV
Uses PBKDF2 HMAC with
SHA256 deriving secure 256-bit
keys that are never persisted in
Salesforce
Data encryption and decryption
actions are transparent
23. Agenda
▪ Overview of Platform Encryption
▪ Features and Architecture
▪ Managing Platform Encryption
▪ Developing in a Platform Encryption Environment
25. The Tenant Secret sObject
//Rotate your secret by creating a new TenantSecret record
String descText = UserInfo.getName() + ' new secret via Lightning';
TenantSecret newSecret = new TenantSecret(Description=descText);
insert newSecret;
1
2
3
4
5
6
26. Agenda
▪ Overview of Platform Encryption
▪ Features and Architecture
▪ Managing Platform Encryption
▪ Developing in a Platform Encryption Environment
27. Building Apps with Platform Encryption
SOQL Where Clauses/Filters
SOQL Order By/Sorting
Formula Fields
SOSL Search
Sort in Apex
Workflow/Apex Trigger
Instead of… Use this feature…
33. Building Apps with Platform Encryption
SOSL Search
Sort in Apex
Workflow/Apex Trigger
SOSL is not SOQL
Search First
Text Data Type Field
Feature Considerations