Overview of Salesforce Platform Encryption solution with specific discussion of developer use of the feature. Overview of the Salesforce Shield compliance toolset features with special focus on encrypting data at rest, natively on Salesforce App Cloud, and strategies developers can use to make the most of this feature.

1. Platform Encryption
Enhanced Native Encryption in the App Cloud
​ Peter Chittum
​ Developer Evangelist
​ @pchittum
​ github.com/pchittum
​

2. Safe Harbor
Safe harbor statement under the Private Securities Litigation Reform Act of 1995:
This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize
or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by
the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any
projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding
strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or
technology developments and customer contracts or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality
for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and
rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with
completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our
ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment,
our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on
potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent
fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important
disclosures are available on the SEC Filings section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and
may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are
currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.

3. Peter Chittum
Developer Evangelist
@pchittum
github.com/pchittum
Speakers

4. Agenda
▪ Overview of Platform Encryption
▪ Features and Architecture
▪ Managing Platform Encryption
▪ Developing in a Platform Encryption Environment

5. NEW
Quick Setup with Clicks, Not Code
Designed for anyone to build and deploy
Native in Salesforce
Integrated directly, everything works
Build Compliance into your Apps
Encrypt, monitor and audit everything
Encryption - Event Monitoring - Field Audit Trail
Salesforce Shield
​ A new level of trust and compliance for
Salesforce
Introducing

6. Salesforce Shield
​ New services to help you build trusted apps fast
EncryptAuditMonitor
Platform EncryptionField Audit TrailEvent Monitoring

7. ​ Monitor User Activity
​ Know who is accessing data from where
Optimize Performance
​ Troubleshoot application performance to
improve end user experience
​ Track Application Usage
​ Understand application usage to increase
adoption
Gain Visibility Into User Actions with Event Monitoring

8. Retain Field History for Up to 10 Years with Field Audit Trail
​
​ Establish Data Retention Policies
​ Know the state and value of data at any time
Access Retained Data at Scale
​ Normalize on big data back-end for performance
​ Comply with Industry Regulations
​ Secure data archive with the highest trust standards

9. Encrypt Sensitive Data While Preserving Business Functionality
​
​ Seamlessly protect data at rest
​ Encrypt standard & custom fields, files & attachments
​
Natively integrated with key Salesforce features
​ E.g. Search, Chatter, Lookups work with encrypted data
​ Customer managed keys
​ Customer-driven encryption key lifecycle management

10. Platform Encryption Use Cases
▪ Regulatory Compliance
▪ Unauthorized Access to Database
▪ Contractual Obligations

11. Platform Encryption is Not
▪ Sharing Model
▪ Object/Field Level Security
▪ Data Residency Solution
▪ Encryption for Other Non-Salesforce Data
▪ Protection against Social Engineering
trust.salesforce.com

12. Encryption
Authentication & SSO
Two factor Auth
Profiles/Permissions
Sharing & FLS
Setup Audit Trail
Field History Tracking
Event Monitoring
Identity
Encryption

13. Platform Encryption Is Unique
▪ Quickly Seamlessly interact and protect sensitive data
▪ Setup takes minutes - No Software! No Hardware!
▪ Makes the App Cloud ‘encryption aware’ (metadata driven)
▪ Salesforce1 Mobile-ready, natively

14. Agenda
▪ Overview of Platform Encryption
▪ Features and Architecture
▪ Managing Platform Encryption
▪ Developing in a Platform Encryption Environment

15. Users

16. Encrypt at Rest: Fields
Name:
Darla Hood
Name:
aI90xi60csICOdk
Encryption
Service
Darla Hood
***********

17. Encrypt at Rest: Files
Lorem
ipsum
dolor
Encryption
Service
Xvier0c
9ghcru
cjf4x21f
fdqbBLorem
ipsum
dolor

18. Granular Control: Fields
▪ Individual Custom Fields
– Text
– Text Area
– Text Area (Long)
– Email
– Phone
– URL
– Selected Standard Fields
▪ Enabled with flag

19. Granular Control: Files
▪ Files enabled separately
– Attachments
– Chatter
– Files
– Libraries
▪ All or none

20. Encryption Key
▪ Master Secret (Salesforce)
– Rotated each release
– Stored in the Key Derivation Servers
▪ Tenant Secret (Customer)
– Can be Rotated once per day in Prod
– Stored encrypted in DB
▪ Data Encryption Key
– Derived from Secrets
– Stored in cache, never persisted

21. Features and Support
▪ Feature License Required
▪ Available to evaluate in Developer Edition orgs
▪ Support for
– Search
– Workflow Rules
– Validation Rules
– Apex and VF Pages
– And A LOT MORE...

22. Architecture & Encryption Process Flow
Customer driven key lifecycle
management
FIPS140-2 Hardware Security
Module based key management
infrastructure
AES encryption using 256bit keys
in CBC mode and random IV
Uses PBKDF2 HMAC with
SHA256 deriving secure 256-bit
keys that are never persisted in
Salesforce
Data encryption and decryption
actions are transparent

23. Agenda
▪ Overview of Platform Encryption
▪ Features and Architecture
▪ Managing Platform Encryption
▪ Developing in a Platform Encryption Environment

24. Demo
▪ Managing Encryption
– Select Fields/Files
– Audit Encrypted Fields
– Setup Audit Trail platform encryption events
– Rotate Your Key
– The TenantSecret sObject

25. The Tenant Secret sObject
​ //Rotate your secret by creating a new TenantSecret record
​ String descText = UserInfo.getName() + ' new secret via Lightning';
​ TenantSecret newSecret = new TenantSecret(Description=descText);
​ insert newSecret;
​ 1
​ 2
​ 3
​ 4
​ 5
​ 6

26. Agenda
▪ Overview of Platform Encryption
▪ Features and Architecture
▪ Managing Platform Encryption
▪ Developing in a Platform Encryption Environment

27. Building Apps with Platform Encryption
​ SOQL Where Clauses/Filters
​ SOQL Order By/Sorting
​ Formula Fields
​ SOSL Search
​ Sort in Apex
​ Workflow/Apex Trigger
​ Instead of… ​ Use this feature…

28. Demo
▪ Customizing with Encryption
– Searching with SOSL
– Sorting in Apex

29. Searching with SOSL
​ 'FIND '' + searchStr1 + ''
​ IN ALL FIELDS
​ RETURNING
​ Account (Id, Name, type),
​ Contact (name,email, DLN__c, SSN__c)'
​ 1
​ 2
​ 3
​ 4
​ 5

30. Sorting with Apex: Wrapper with Comparable Interface
​ public class AccountSortable implements Comparable {
​ public Account acct;
​ AccountSortable(Account acctParam){
​ acct = acctParam;
​ }
​ public Integer compareTo(Object compareTo){
​ AccountSortable compareToAcct = (AccountSortable) compareTo;
​ return acct.Name.compareTo(compareToAcct.acct.Name);
​ }
​ }
​ //invoked like:
​ List<AccountSortable> listWithCustomSort = new List<AccountSortable>();
​ //...fill list with Accounts
​ listWithCustomSort.sort();
​ 1
​ 2
​ 3
​ 4
​ 5
​ 6
​ 7
​ 8
​ 9
​ 10
​ 11
​ 12
​ 13
​ 14
​ 15

31. Searching with SOSL: Handling Descending in Controller
​ //invoke your sort
​ listWithCustomSort.sort();
​ //
​ List<AccountSortable> listToReturn = new List<AccountSortable>();
​ if (order.toLowerCase() == 'desc’) {
​ for(integer i = resultList.size()-1; i >= 0; i--){
​ items.add(resultList[i].obj);
​ }
​ } else {
​ listToReturn.addAll(listWithCustomSort);
​ }
​ return listToReturn;
​ 1
​ 2
​ 3
​ 4
​ 5
​ 6
​ 7
​ 8
​ 9
​ 10
​ 11
​ 12
​ 13
​ 14

32. Workflow Field Update
Day__c Month__c Year__c
Birthday__c

33. Building Apps with Platform Encryption
​ SOSL Search
​ Sort in Apex
​ Workflow/Apex Trigger
​ SOSL is not SOQL
​ Search First
​ Text Data Type Field
​ Feature ​ Considerations

34. Read the Docs

35. Plan

36. Back Up Your Secret

37. Q & A
​ Resources:
​ Webinar:
​ https://developer.salesforce.com/events/webinars/
platform_encryption
​ DF15 Talk:
​ https://youtu.be/u0VxwyzU52w
​ Key Lifecycle Video:
​ https://youtu.be/LdPC7xT98Hg
Peter Chittum
Developer Evangelist
@pchittum
github.com/pchittum

38. Thank you