Before You Encrypt
Before you encrypt data in Salesforce, or in any cloud service, first make sure that you’re matching the right security solution to the type of threats that you face.
For example, if you’re concerned about end-user or administrative account takeover attacks, data encryption might not be an appropriate control against that threat. Takeover attacks usually occur through social engineering and malware infection. Instead, consider malware detection and activity monitoring as ways to identify when a user account could have been compromised and a malicious outsider is attempting to gain access to data.
Salesforce Shield Platform Encryption protects data at rest. Don’t confuse it with a control that encrypts data in transit, such as Transport Layer Security (TLS), which Salesforce provides for your org by default.
Shield Platform Encryption is best suited for:
- Protecting against data compromise due to unauthorized database access
- Bolstering compliance with regulatory requirements or internal security policies
- Satisfying contractual obligations to handle sensitive and private data on behalf of customers
The best approach is to adopt a defense-in-depth strategy that takes advantage of all the security features Salesforce offers. To learn about the available customer-controlled security capabilities, take the Security Basics Trail.
After completing a threat modeling exercise, use the outcome to inform a granular data classification. Identify data elements that are sensitive, private, or confidential. Your best strategy is to encrypt only the most sensitive of those data elements. Doing so can help balance stronger data protection controls against the need to build and preserve critical business functionality on the Salesforce Platform.

