Encrypt Sensitive Data in Salesforce and Comply with Security Regulations

Slava Pautaran on March 18, 2020

A multitude of data regulations

Nowadays, data storage and processing are heavily regulated by numerous protection laws, and businesses dealing with sensitive information are forced to comply with them. Data encryption is the most common requirement. Below are some common data types and applicable regulations, all of which require data encryption.

  • financial data
  • health data
  • personal data online

Any platforms or tools businesses use to process data have to comply with security regulations. Salesforce, which enjoys popularity across industries such as finance, health care, e-commerce, etc., is not an exception. According to Brimit's Salesforce team, nine out of ten customers have a product regulated by a data protection law. Failure to adhere to such regulations may result in legal and financial penalties, compromised data, and reputational damage.

Encryption available in Salesforce

Under existing regulations, organizations are required to securely store and process information such as:

  • account usernames and passwords
  • passphrases
  • security and access tokens
  • credit/debit card numbers and account data
  • personal information: name, phone number, e-mail, address, income, gender, age, ethnicity, and education
  • health data
  • media access control address, serial numbers, and IP addresses

Salesforce provides several tools for encrypting data:

  • encrypted text fields (classic encryption)
  • Salesforce Shield
    • event monitoring
    • Field Audit Trail
    • Shield Platform Encryption
  • protecting data in Apex
    • Apex encryption (Crypto class)

Table 1. Applicability of encryption tools to data protection regulations

Regulation | Requirement                                                                                         | Encrypted Text Fields | Salesforce Shield | Protecting data in Apex
-----------|-----------------------------------------------------------------------------------------------------|-----------------------|-------------------|------------------------
NYCRR 500  | NIST-compliant, 256-bit Advanced Encryption Standard (AES encryption)                               | No (up to 128 bit)    | Yes               | Yes
NYCRR 500  | Store encryption keys apart from the encrypted financial data in a security device designed for this task | Unclear [1]      | Yes               | Yes
NYCRR 500  | The Key Management Interoperability Protocol (KMIP)                                                 | Yes [2]               | Yes [2]           | Yes [2]
NYCRR 500  | Encryption of sensitive data both in transit and at rest                                            | No                    | Yes               | No
PCI DSS    | AES encryption (128 bit and higher)                                                                 | Yes                   | Yes               | Yes
PCI DSS    | PGP implemented                                                                                     | Yes [3]               | Yes [3]           | Yes [3]
PCI DSS    | Keep encryption keys and data separate                                                              | Unclear [1]           | Yes               | Yes
HIPAA      | End-to-end encryption (E2EE)                                                                        | Yes [3]               | Yes [3]           | Yes [3]
HIPAA      | AES encryption (128 bit and higher)                                                                 | Yes                   | Yes               | Yes
HIPAA      | OpenPGP implemented                                                                                 | Yes [3]               | Yes [3]           | Yes [3]
HIPAA      | S/MIME implemented                                                                                  | Yes [4]               | Yes [4]           | Yes [4]
GDPR [5]   | End-to-end encryption (E2EE)                                                                        | Yes [3]               | Yes [3]           | Yes [3]
GDPR [5]   | AES encryption (128 bit and higher)                                                                 | Yes                   | Yes               | Yes
CCPA       | End-to-end encryption (E2EE)                                                                        | Yes [3]               | Yes [3]           | Yes [3]
CCPA       | AES encryption (128 bit and higher)                                                                 | Yes                   | Yes               | Yes

Footnotes:

  1. Salesforce most likely stores them separately and doesn't provide control over the keys.
  2. Requires a third-party solution, which stores software on a KMIP-compliant server.
  3. Features out-of-the-box functionality to ensure regulatory compliance.
  4. Not available out of the box, but there's a workaround.
  5. There are no explicit requirements for encryption. What's required is pseudonymization. If pseudonymization is performed by means of encryption, that’s fine. The developers need to choose the most common encryption method.


Encrypted text fields (classic encryption)

Salesforce provides encrypted text fields out of the box, at no extra cost.

This classic encryption method protects a custom text field that a user creates for a particular purpose; the field type is called Text (Encrypted).


How the encrypted text fields work in Salesforce

Encrypted custom text fields may contain letters, numbers, or symbols, which are stored and transmitted in encrypted form using 128-bit AES keys. Only users with the View Encrypted Data permission can see a field's value. We do not recommend storing authentication data in encrypted custom fields; however, they are suitable for other types of sensitive data (credit card information, social security numbers, etc.).

Encrypted text fields have the option of “masking” parts of sensitive information, for example, showing the last four digits of a credit card number while hiding the rest.


Using encrypted text fields to mask a card number

The following masking options are available in encrypted text fields:

  • all digits
  • all digits except for the last four
  • a credit card number (as shown in the example above)
  • a national insurance number
  • a social security number
  • a social insurance number

Salesforce Shield

Salesforce Shield provides three services: event monitoring, Field Audit Trail, and Shield Platform Encryption.


Salesforce Shield comprises three major services

Event Monitoring

Event monitoring allows you to identify which type of data was viewed by a particular user, which network was used to access the data (including the IP address), and how a user interacted with the data. This enables you to have control over scenarios such as who printed a document, viewed a page, or exported data.

Field Audit Trail

Field Audit Trail does a similar job to Field History Tracking, but extends the tracking period to 10 years and allows up to 60 fields to be tracked per object. This way you can get all the information required to understand when a particular set of data was changed and who made the changes.

Shield Platform Encryption

Shield Platform Encryption enables an administrator to encrypt data at the database level of Salesforce. At the same time, users can still access the encrypted data if they have the relevant permissions. In general, data can be masked but not encrypted, or encrypted but not masked. For example, regulators often require that only the last four digits of a credit card number be visible to users. Applications typically mask the rest of the number, meaning they replace the digits with asterisks on the user's screen. Without encryption, anyone with access to the database where the values are stored can still read the masked digits.

Protecting data in Apex

Apex is a proprietary, object-oriented programming language developed by Salesforce. The language is used to customize Salesforce products and encrypt data.

Apex encryption (Crypto class)

Apex gives you the flexibility to write custom cryptographic functions as well as the ability to leverage a wide range of prebuilt functions. Using this method, you can encrypt any text with the keys that you define. However, you’ll need a Salesforce developer to implement Apex properly.

Encryption and decryption can be done using the AES128, AES192, and AES256 algorithms. For data integrity, the Crypto class supports hash and MAC algorithms including MD5, SHA-1, and SHA-2 (SHA-256 and SHA-512). RSA can be used for digital signatures.

Table 2. Apex encryption methods and supported standards

Method                                                                  | Supported standards
------------------------------------------------------------------------|--------------------------------------------------------------------------------------
encrypt(), encryptWithManagedIV(), decrypt(), decryptWithManagedIV()    | AES128, AES192, AES256 for encryption; PKCS#5 padding and Cipher Block Chaining (CBC)
generateDigest(), generateMac()                                         | MD5, SHA1, SHA256, SHA512
sign()                                                                  | SHA1 with RSA

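The following is an added example (not code from the original article or from Salesforce) showing how the Table 2 methods fit together to protect a card number in Apex: AES-256 in CBC mode with a Salesforce-managed IV, followed by an HMAC-SHA256 tag over the ciphertext so that a tampered value is rejected before decryption. It assumes a hypothetical class `CardNumberVault` and that the two 32-byte keys are provisioned outside the class (a protected custom setting or an external key manager, as the "keep keys and data separate" rows of Table 1 require), never hard-coded.

```apex
// Added example, not part of the original article. Encrypt-then-MAC with the Apex Crypto class.
// Assumption: encKey and macKey are 32-byte keys supplied by the caller from a protected custom
// setting or an external key manager; they are never stored in code or beside the ciphertext.
public with sharing class CardNumberVault {

    public class TamperException extends Exception {}

    // Returns "<base64 HMAC>:<base64 IV||ciphertext>" suitable for storage in a text field.
    public static String protect(String clearText, Blob encKey, Blob macKey) {
        // encryptWithManagedIV draws a random 16-byte IV and prepends it to the ciphertext
        // (AES-256, CBC mode, PKCS#5 padding, as listed in Table 2).
        Blob cipherText = Crypto.encryptWithManagedIV('AES256', encKey, Blob.valueOf(clearText));
        // HMAC-SHA256 over the ciphertext (including the IV) detects any modification.
        Blob tag = Crypto.generateMac('hmacSHA256', cipherText, macKey);
        return EncodingUtil.base64Encode(tag) + ':' + EncodingUtil.base64Encode(cipherText);
    }

    // Verifies the HMAC first; only an authentic value is passed to decryptWithManagedIV.
    public static String reveal(String stored, Blob encKey, Blob macKey) {
        List<String> parts = stored.split(':', 2);
        if (parts.size() != 2) {
            throw new TamperException('Malformed protected value');
        }
        Blob cipherText = EncodingUtil.base64Decode(parts[1]);
        String expectedHex = EncodingUtil.convertToHex(Crypto.generateMac('hmacSHA256', cipherText, macKey));
        String receivedHex = EncodingUtil.convertToHex(EncodingUtil.base64Decode(parts[0]));
        if (!constantTimeEquals(expectedHex, receivedHex)) {
            throw new TamperException('Integrity check failed; value was altered or wrong MAC key');
        }
        return Crypto.decryptWithManagedIV('AES256', encKey, cipherText).toString();
    }

    // Fixed-time comparison over the hex encodings of both MACs, so a forged tag cannot be
    // guessed byte by byte from timing differences (Apex has no byte-level Blob access).
    private static Boolean constantTimeEquals(String a, String b) {
        if (a.length() != b.length()) {
            return false;
        }
        Integer diff = 0;
        for (Integer i = 0; i < a.length(); i++) {
            diff = diff | (a.charAt(i) ^ b.charAt(i));
        }
        return diff == 0;
    }
}
```

After saving the class, an anonymous Apex block can exercise it with keys generated for illustration only (`Crypto.generateAesKey(256)` for both keys), calling `protect('4111111111111111', encKey, macKey)` on a constructed test card number and asserting that `reveal` returns the same string; flipping any character of the stored value makes `reveal` throw `TamperException` instead of decrypting.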
With multiple encryption methods available, Salesforce ensures data security and compliance with existing regulations across the finance, healthcare, and other industries. Salesforce is a trusted platform and is used by industry giants such as AXA, Barclays, American Express, GE Capital, American Red Cross, Lilly, St John of God Health Care, Adidas, Samsonite, T-Mobile, etc.