Cybersecurity Protection with Salesforce Shield
Cybersecurity Protection with Salesforce Shield
May 2020


Salesforce recently introduced a cybersecurity focused offering that builds on the already formidable security capabilities of the world’s leading customer relationship management platform. With Salesforce Shield, organizations can institute better internal cybersecurity practices by developing clearer oversight of employee’s daily activities and stronger protection of their valuable data. Salesforce Shield expands on the class leading security infrastructure of Salesforce across the three key service areas of:

  • Platform Encryption
  • Event Monitoring
  • Field Auditing

Salesforce Shields’s focus on these three services allows for a more nuanced utilization of privacy functionalities and clearer oversight into the firm’s cyber activities. Of course, administrators of standard Salesforce environments could always customize their firm wide security settings through a variety of restrictions, permissions, and requirements across the platform. However, with Salesforce Shield, administrators have exponentially deeper control and granularity when establishing and maintaining their firm’s online security. This article will provide an overview of each Salesforce Shield’s services, as well as the key factors management should consider when implementing the technology.



Platform Encryption

A standard Salesforce subscription only allows for the encryption of custom fields that are less than 175 characters, which is likely insufficient for many firms that maintain large amounts of customer data. For the first time, Salesforce Shield brings encryption to a wider range of custom and standard fields, including sensitive information such as Account Names, Addresses, Phone Numbers, and Emails. Platform Encryption with Shield allows users to natively encrypt their most sensitive data such as personally identifiable information (PII), confidential, or proprietary data, while meeting internal and external compliance regulations. Salesforce Shield also allows users to adopt the latest encryption innovations, such as Bring Your Own Keys (BYOK), which allow users to provide their own tenant secret, generate their own Hardware Security Module (HSM), and ultimately increase their control over the encryption processes.



Implementation Considerations:

1) Identify Encryption Needs

    • Firms need to first identify their unique encryption needs. Encrypting every piece of data that a firm has online would slowdown workflows, leading to inefficiencies that provide little returned value. Firms should identify and evaluate the potential channels and methods of attack they face, while also classify the data types that they would like to protect. At the same time, firms can specify which fields are the truly “must encrypt” elements and evaluate the business functionality changes that may come with encrypting this information.

2) Apply Field Level Encryption

    • Because encryption can be assigned at the field level across different users, firms need to decide which fields would be accessible by different users. Shield allows firms to grant permissions to certain fields only for authorized users, while also applying encryption to these fields for an added level of security. Once these capabilities have been properly vetted, users can begin testing how their business processes would work with this newly encrypted data.

3) Define Key Management Strategy

    • Shield enables firms to take on greater ownership over their encryption key management strategy. For an effective implementation of Salesforce Shield, firms should identify who can manage the encryption keys and define the protocols for backing up, rotating, and archiving keys.

4) Maintain Organization’s Encryption Policy

    • Platform encryption requires strong policy and procedure documentation to guarantee its effectiveness. Establishing the lifecycle of keys and periodic data backups ensures that the data your firm has today is securely maintained in the future as well. Meanwhile, periodic reviews of encryption protocols ensure that these established policies remain effective as data grows and new fields are added. Regular reviews of data encryption protocols are a critical aspect of continued data security and data effectiveness with Salesforce Shield. 



Event Monitoring

Salesforce Shield allows firms to have even clearer oversight of critical business performance and user behavior data. Firms using Salesforce Shield have a deeper understanding of the underlying performance, security, and individual usage of data stored in their Salesforce ecosystem. With Event Monitoring, managers can drill deeper into their event log files in order to visualize time relevant performance and security metrics. This allows managers to understand employee behavior within Salesforce, ensuring that they are securely utilizing the platform to its fullest potential, and overseeing the storage of their sensitive data. Managers would find these capabilities especially valuable during audits, when regulators can easily drill down to see what changes were made within Salesforce, by which users, at what time. Shield allows for this Event Monitoring capability on over 40 different event types across different user activities, all of which can be displayed across 16 pre-built dashboards.



Implementation Considerations:

1) Capture Read-Only Event Log Files

    • With more than 40 event types able to be captured using Salesforce Shield, firms should first review the current list to see which would bring value to their organization. Event logs can store the granular details of how specific users are utilizing the firm’s data, as well as the corresponding timing and location of these action. Therefore, understanding what data to be capturing as well as the means of capturing this data is critical part of a successful Salesforce Shield implementation.

2) Visualize the Data to Identify Critical Insights

    • The ability to directly transfer Salesforce insights into any business intelligence or data visualization tool, such as PowerBI (click here for an earlier FinServ post on Power BI), allows managers to quickly visualize trends and develop actionable strategies. Users can also build Data Loss Prevention or Adoption & Performance dashboards with Einstein Analytics or bring this data into any of the 16 prebuilt dashboards with the Einstein Event Monitoring Analytics tool included with Shield. Additional visualizations capabilities can also be found in pre-built apps via Salesforce’s AppExchange and data can still be exported to CSV files for additional analysis and visualization methods.

3) Take Action

    • Identifying gaps in security policies and procedures, modifying governance policies, and setting up access controls as well as transaction security measure are all early management considerations for an effective implementation of the Event Monitoring service. This will support firms in driving initiatives to increase user adoption, automating workflows, and improving the overall performance of their Salesforce environment.


Field Audit Trail

As companies continue to generate and track massive quantities of data, having an effective IT governance strategy in place becomes more and more critical. Salesforce Shield Audit Trail allows users to track the history of various data fields in their Salesforce ecosystem in a far more robust manner. While the field history feature included with a standard Salesforce subscription allows users to track 20 fields for 18 months, Salesforce Shield Audit Trail allows users to track 60 fields per object for 10 years. This is a significant asset for firms operating in highly regulated industries such as financial services. Shield allows firms to extend the utilization of their audit trails while remaining compliant with data retention and audit granularity requirements.


Implementation Considerations:

1) Consult Business Units to Understand Retention and Audit Period / Depth

    • Firms should first identify their data retention and audit period on a per object basis to understand exactly where and how Audit Trails may benefit their business processes. While the maximum possibility is for 10 years and 60 objects, firms should find the ideal balance between complete oversight and operational efficiency. Additionally, firms should consider the unique regulatory guidelines they must adhere to while customizing the service to fit their needs.

2) Set Retention Policies

    • Firms should determine which fields and objects should be retained for audit purposes. Additionally, identifying when and how long this information should be archived is a crucial step in a successful implementation of Field Audit Trail.

3) Identify Practices for Retrieving and Auditing Data

    • Finally, firms should develop best practices for obtaining, maintaining, and auditing this data. Steps such as setting up audit dashboards, defining standardized queries, and providing access to auditors in the permissions settings should be taken to ensure consistent and accurate reporting of Field Audit Trails in the future as well.


Security Benefits Over Standard Salesforce

The Platform Encryption, Event Monitoring and Field Audit benefits that Salesforce Shield brings to users, beyond the basic platform capabilities, offer an effective means of protection against a wide range of cybersecurity threats. Firms can now encrypt large amounts of information in standard objects, track and visuzalize a variety of events in pre-built dashboards, and maintain an audit history of dozens of objects for a decade. Salesforce has recognized that as the cybersecurity landscape continues to evolve, robust and innovative solutions are needed to keep their customers ahead of criminal attacks.


FinServ’s Capabilities

When securing your firm’s sensitive data from increasingly sophisticated attacks, it is crucial to partner with industry experts that understand the most effective solutions available. While Salesforce Shield brings a deeper level of sophistication over classic Salesforce security capabilities, sophisticated technology is only part of the complex cybersecurity equation. FinServ can gather the development requirements and implement the detailed policies and procedures to protect your firm for years to come. An effectively led implementation of Salesforce Shield is the best way to ensure that there is lasting security for your organization as cybercrimes grow more sophisticated and prevalent.

About FinServ Consulting

FinServ Consulting is an independent experienced provider of business consulting, systems development, and integration services to alternative asset managers, global banks and their service providers. Founded in 2005, FinServ delivers customized world-class business and IT consulting services for the front, middle and back office, providing managers with optimal and first-class operating environments to support all investment styles and future asset growth. The FinServ team brings a wealth of experience from working with the largest and most complex asset management firms and global banks in the world.