Salesforce is way more than just a customer relationship management tool: it’s a robust platform that has seen substantial growth in the past 20+ years. More growth means more users, and having more users means more sensitive information — all of which results in an increased risk surface.
Salesforce Shield is one of the most important tools for mitigating risk in Salesforce. But many companies who purchase Salesforce Shield don’t implement it properly due to its complexities. Using each of Shield’s features is your first step toward a comprehensive security strategy.
We will show you step-by-step how to configure Shield correctly and efficiently. Read on for the four key elements of Salesforce Shield and how to implement them. And to learn more, be sure to check out this webinar OwnBackup recently hosted.
The first element of Salesforce Shield is platform encryption. One of OwnBackup Secure’s core features is simplifying and accelerating the Shield Platform Encryption process by 80% through field classification, business impact analysis, and easy encryption.
The first step to encrypting your data is identifying what data you have. Work with InfoSec and compliance to understand your security posture and internal or regulatory requirements. This will help inform how fields should be categorized.
OwnBackup Secure allows users to quickly scan the organization’s data fields, surface possible high-risk candidates, and assign classification levels to those fields. For example, you could classify by:
Once you’ve created a wishlist, you’re ready to run your business impact analysis. OwnBackup’s Platform Encryption Analyzer allows you to instantly see which fields will cause downstream business impacts if you encrypt the field, before you encrypt them. This tool runs an analysis report of each field you select and determines one of four categories:
One additional step: While running the business impact analysis report, ensure your platform encryption is set up correctly. Using system permissions, give the appropriate user the ability to create a tenant secret (the Salesforce term for an encryption key) via the “Manage Encryption Keys” permission.
You can either encrypt the key within Salesforce or bring your own key. Salesforce allows you to use either a traditional probabilistic encryption method or a deterministic method, which offers slightly more flexibility in which fields can be encrypted without losing protection.
“What I find talking to customers is that … they don’t really know where to start. Where do you start with your encryption? Which field should be encrypted? … Helping customers get through those first few stages and understand what they’re going to encrypt and the impact of encrypting it: That’s where we can help.”
– John Whitehead, Lead Solution Engineer, OwnBackup
The next element of Salesforce Shield is Field Audit Trail. An extension of standard field history tracking, Field Audit Trail lets you track fields of up to 60 objects and keep that data for up to 10 years.
Using the OwnBackup Retention Policy Manager, you can implement field tracking object by object, particularly for high-risk fields. By tracking changes to each field in the back end, you can see who made changes to the fields and use that information to understand any risks and vulnerabilities.
Compliance standards for your company may dictate a different timeframe for data retention than the 10 years offered out of the box and the 18-month timeline for archiving front-end data.
You should work with your risk and compliance team to assess policies for data retention and archiving.
Once you’ve purchased Salesforce Shield, event monitoring is already taking place in the background of your organization. But analyzing those results gives you the greatest chance of organizational impact.
The prefabricated Event Monitoring Analytics app in Einstein Analytics pulls data from your organization’s Salesforce event logs and provides dashboards for both admins and users. Using these automatically created dashboards, you can quickly drill into your data and identify suspicious behavior, poor page performance, and poor user adoption.
At a glance, the reports dashboard lets you see who is doing what, and where the reports are being downloaded the most. This is critical data to support forensics efforts when investigating suspicious behavior and determining who is accessing and exporting information from Salesforce.
For example, the “Report Trends By User” chart helps you see how many reports different users downloaded over the past 30 days. It lets you quickly detect patterns, such as a user repeatedly downloading high-net-worth contact data.
In addition to forensics data, the Event Monitoring Analytics app also provides a Report Performance dashboard. As your organization and its data grow, the queries powering reports continue to take longer to process. For managers who regularly review reports, slow performance can be detrimental to productivity.
One quick way to combat these slowdowns is to enable notifications. Set your report loading time alert, and you’ll be notified when the load time exceeds the threshold set. When you receive the alert, you can log in and begin the analysis.
*Important Note: Event Monitoring can be overwhelming with the nearly-endless amount of activity it can provide. This is why the data classification step is so important. Classifying your data will help you focus on monitoring the more important fields.
The final pillar of Salesforce Shield is also its newest functionality. Einstein Data Detect combs through your data to find instances of five predefined patterns: credit card, email, URL, IP address, and Social Security number.
Through this functionality, you can create policies to scan certain objects for those high-risk patterns. Your data classifications for platform encryption can also help you choose which fields to scan based on sensitivity levels and classification levels.
After running the scan, you can quickly assess patterns of high-risk data within your organization. By partnering Einstein Data Detect with OwnBackup’s Platform Encryption Analyzer, you can carefully target your field encryption approach within Salesforce.
What sets apart successful Salesforce Shield users from less-successful users? Senior Solution Engineer Varun Prabhakar says that it’s involvement across teams from the start. “When you embark on any Salesforce initiative, traditionally it’s just the Salesforce team that’s spearheading the initiative,” he says. “But with Shield, you need to also involve your InfoSec team [and business users].”
New Salesforce Shield users may not be sure where to start, whether they’re on a trial basis or have licensed the tool. Possible questions that come up might include: What fields should I encrypt? What is the impact of encrypting those fields? More urgently, Am I going to break something?
But that’s where tools like Secure can help. Through assistance with field classifications and sensitivity levels, Salesforce administrators can take the first steps toward holistic risk mitigation with Salesforce Shield.
This article is based on a webinar hosted by OwnBackup. Watch the full recording here, and click here to see how OwnBackup can help you implement Salesforce Shield 80% faster with OwnBackup Secure for Shield.