Encrypt Sensitive Data in Salesforce and Comply with Security Regulations
A Multitude of Data Regulations
Nowadays, data storage and processing are heavily regulated by numerous protection laws, and businesses dealing with sensitive information are forced to comply with them. Data encryption is the most common requirement. Below are some common data types and applicable regulations, all of which require data encryption.
Financial Data
- NYCRR 500 Cybersecurity
- PCI DSS
- GLBA
Health Data
- HIPAA
Personal Data Online
- GDPR
- CCPA
- PIPEDA
Any platform or tool a business uses to process data has to comply with security regulations. Salesforce, which is popular across industries such as finance, health care, and e-commerce, is no exception. According to the Brimit Salesforce team, nine out of ten customers have a product regulated by a data protection law. Failure to adhere to such regulations may result in legal and financial penalties, compromised data, and reputational damage.
Encryption Available in Salesforce
Under existing regulations, organizations are required to securely store and process information such as:
- Account usernames and passwords
- Passphrases
- Security and access tokens
- Credit/debit card numbers and account data
- Personal information: name, phone number, e-mail, address, income, gender, age, ethnicity, and education
- Health data
- Media access control address, serial numbers, and IP addresses
Salesforce provides several tools for encrypting data:
- Encrypted text fields (classic encryption)
- Salesforce Shield
  - Event monitoring
  - Field Audit Trail
  - Shield Platform Encryption
- Protecting data in Apex
  - Apex encryption (Crypto class)
Footnotes:
- Salesforce most likely stores them separately and doesn't provide control over the keys.
- Requires a third-party solution, which stores software on a 0.
- Features out-of-the-box functionality to ensure regulatory compliance.
- Not available out of the box, but there's a workaround.
- There are no explicit requirements for encryption. What's required is pseudonymization. If pseudonymization is performed by means of encryption, that’s fine. The developers need to choose the most common encryption method.
Encrypted Text Fields (Classic Encryption)
Salesforce provides encrypted text fields out of the box, at no extra cost.
This classic encryption method protects a custom text field that a user creates for a particular purpose. The encrypted text field type is called Text (Encrypted).
How the encrypted text fields work in Salesforce
Encrypted custom text fields may contain letters, numbers, or symbols, which are stored and transmitted in an encrypted format with AES 128-bit keys. The unmasked value of an encrypted field is shown only to users who have the View Encrypted Data permission. We do not recommend storing authentication data in encrypted custom fields. However, these fields are suitable for storing other types of sensitive data (credit card information, social security numbers, etc.).
Encrypted text fields have the option of “masking” parts of sensitive information, for example, showing the last four digits of a credit card number while hiding the rest.
Using encrypted text fields to mask a card number
The following masking options are available in encrypted text fields:
- All digits
- All digits except for the last four
- A credit card number (as shown in the example above)
- A national insurance number
- A social security number
- A social insurance number
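The masking options and the View Encrypted Data permission both appear in an org's Metadata API XML, so they can be audited from a retrieved project. The following is an added example, not code from Brimit or Salesforce: it reads a field definition and permission sets and reports which Text (Encrypted) fields exist, how they are masked, and which permission sets see them unmasked. The field name, permission set names and sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}
# Metadata API maskType values, mapped to the masking options listed above.
MASK_TYPES = {"all": "all characters", "lastFour": "all except the last four",
              "creditCard": "credit card number", "nino": "national insurance number",
              "ssn": "social security number", "sin": "social insurance number"}

# Constructed sample metadata; the field and permission set names are made up.
FIELD_XML = """<CustomField xmlns="http://soap.sforce.com/2006/04/metadata">
  <fullName>Card_Number__c</fullName>
  <length>19</length>
  <maskChar>asterisk</maskChar>
  <maskType>creditCard</maskType>
  <type>EncryptedText</type>
</CustomField>"""
PERMSETS = {
    "Billing_Agent": """<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
  <userPermissions><enabled>true</enabled><name>ViewEncryptedData</name></userPermissions>
</PermissionSet>""",
    "Support_Agent": """<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
  <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
</PermissionSet>""",
}

def encrypted_field(xml_text):
    """Return (field name, mask description) for a Text (Encrypted) field, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("m:type", namespaces=NS) != "EncryptedText":
        return None
    mask = root.findtext("m:maskType", default="unspecified", namespaces=NS)
    return root.findtext("m:fullName", namespaces=NS), MASK_TYPES.get(mask, mask)

def grants_view_encrypted(xml_text):
    """True if the profile or permission set enables View Encrypted Data."""
    root = ET.fromstring(xml_text)
    return any(p.findtext("m:name", namespaces=NS) == "ViewEncryptedData"
               and p.findtext("m:enabled", namespaces=NS) == "true"
               for p in root.findall("m:userPermissions", NS))

def unmasked_readers(permsets):
    """Names of permission sets whose users see encrypted fields unmasked."""
    return sorted(n for n, x in permsets.items() if grants_view_encrypted(x))

if __name__ == "__main__":
    print(encrypted_field(FIELD_XML))
    print(unmasked_readers(PERMSETS))
```

Profiles use the same `userPermissions` element, so `grants_view_encrypted` can be run over profile files as well.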
Reference: Brimit