Balance Data Security with Business Needs
Choosing to store PII, sensitive, confidential, or proprietary data with any third party usually prompts customers to look more closely at both external regulations and their own internal data compliance policies. Internal policies are often themselves interpretations of those external regulations.
As customers look at regulations through the lens of cloud-based service adoption, they typically take a pragmatic but conservative approach to data protection in the cloud. Examples of such regulations are the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA)/Health Information Technology for Economic and Clinical Health Act (HITECH), General Data Protection Regulation (GDPR), and Federal Risk and Authorization Management Program (FedRAMP).
This pragmatic approach comes down to three requirements shared by a wide range of customers in regulated industries such as financial services, healthcare, and life sciences, as well as in manufacturing, technology, and government.
- Encrypt sensitive data when it’s stored at rest in the Salesforce cloud.
- Support customer-controlled encryption key life cycles.
- Preserve application and Salesforce Platform functionality.
However, there's a tradeoff between strong security and functionality. Encrypting data at rest can make preserving Salesforce functionality difficult, if not impossible. How much functionality is lost depends on where encryption and decryption occur and where the encryption keys are stored: platform features that operate on field values, such as search, sorting, and filtering, need access to the plaintext, so the further encryption and key custody move away from the platform, the fewer of those features keep working. What the business wants often differs from what security and compliance require.