Demo Request
Take a personalized product tour with a member of our team to see how we can help make your existing security teams and tools more effective within minutes.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Home
Learn

What is Salesforce Shield? Features and Pros & Cons

Reco Security Experts
Updated
August 12, 2024
November 29, 2024
7 min read

What is Salesforce Shield?

Salesforce Shield is an advanced security suite designed to provide enhanced protection, monitoring, and data retention for organizations using Salesforce. It is specifically tailored to meet the complex security and compliance requirements of businesses handling sensitive data in the cloud. It includes features such as encryption, detailed event monitoring, field audit trails, and data detection capabilities, making it a comprehensive solution for securing critical information and maintaining regulatory compliance.

Designed to work seamlessly across various Salesforce cloud products, Salesforce Shield enables organizations to implement robust security measures without compromising the functionality or user experience of their Salesforce applications. It supports the shared responsibility model of cloud security, where Salesforce ensures the security of the infrastructure, and the customer is responsible for securing their data and configurations.

Shield Platform Encryption

Salesforce Shield Platform Encryption provides advanced encryption capabilities to protect sensitive data stored in Salesforce. Unlike classic encryption methods, Shield Platform Encryption allows for robust, field-level encryption while maintaining critical app functionality such as search, workflow, and validation rules.

Classic Encryption vs Shield Platform Encryption

Understanding the differences between classic encryption and Shield Platform Encryption is important for companies aiming to enhance their data security. Below is a comparison of the two:

Feature Classic Encryption Shield Platform Encryption
Encryption Level Basic field-level encryption AES 256-bit field-level encryption
Data at Rest Limited encryption capabilities Comprehensive encryption of data at rest
Search and Functionality Impact May disrupt app functionality Preserves search and app functionality
Key Management Limited Customer-managed encryption keys
Regulatory Compliance Basic compliance Advanced compliance support
Data Types Supported Limited Extensive, including files and attachments

How It Works

  • AES 256-bit Encryption: Shield Platform Encryption uses AES 256-bit encryption to protect data at rest within Salesforce's data centers. The encryption process converts plain text into cipher text, ensuring that even if data is accessed without authorization, it remains unreadable.
  • Bring Your Own Key (BYOK): The encryption keys can be managed by the customer, offering options such as Salesforce-generated keys or "Bring Your Own Key" (BYOK). This flexibility ensures that organizations can maintain control over their encryption processes, catering to specific security requirements.
  • Supports Probabilistic and Deterministic Encryption Schemes: Shield Platform Encryption supports both probabilistic and deterministic encryption schemes. Probabilistic encryption offers higher security by randomizing the initialization vector, while deterministic encryption allows for filtering capabilities without compromising security. This dual approach ensures robust encryption while maintaining the functionality necessary for business operations.

Salesforce Shield Event Monitoring

Salesforce Shield Event Monitoring provides detailed insights into user activity and application performance within Salesforce, enhancing your overall SaaS security. This tool is essential for identifying and mitigating potential security threats, ensuring compliance, and optimizing the performance of your Salesforce environment. By tracking user actions and monitoring various events, organizations can proactively address issues before they escalate.

To further enhance the security and monitoring capabilities of Salesforce Shield, integrating with Reco's SaaS Detection & Response solutions can provide comprehensive visibility and automated threat detection. Reco's platform offers advanced monitoring and response capabilities, ensuring that any suspicious activities are quickly identified and mitigated.

How It Works

Salesforce Shield Event Monitoring works by capturing and logging detailed event data from various user interactions and system processes. These logs include information on logins, data exports, report executions, API calls, and more. The event data is stored in Event Log Files, which can be accessed via the Event Monitoring API for analysis and reporting.

Key Features of Event Monitoring:

  • Real-Time Monitoring: Event Monitoring provides real-time visibility into user activities and system performance. Administrators can set up transaction security policies to detect and respond to anomalous behavior immediately.
  • Detailed Logs: Logs capture granular details about user actions, enabling thorough analysis and forensic investigations. This helps in understanding the context of activities and identifying potential security breaches.
  • Customizable Alerts: Administrators can define specific events and conditions that trigger alerts. These alerts can be configured to notify relevant personnel or trigger automated responses to mitigate risks.
  • Integration with Threat Detection & Response: Event data can be integrated with threat detection and response platforms like Reco's SaaS Detection & Response, allowing for advanced analysis and visualization. This integration enhances the ability to detect patterns and anomalies, providing a robust layer of security.
  • Performance Monitoring: In addition to security, Event Monitoring helps in tracking application performance metrics. This includes monitoring page load times, API performance, and other key indicators to optimize the user experience.

Salesforce Shield Field Audit Trail

Salesforce Shield Field Audit Trail is designed to enhance the visibility and accountability of changes made to data within Salesforce. This feature extends the standard field history tracking capabilities, enabling organizations to retain a comprehensive audit trail of field changes over an extended period. This is crucial for compliance, forensic analysis, and maintaining the integrity of critical business data.

How It Works

Salesforce Shield Field Audit Trail works by recording detailed information about changes to specified fields within Salesforce objects. This information includes what changes were made, who made them, and when they were made. The Field Audit Trail ensures that this data is retained for up to 10 years, compared to the standard retention period of 18-24 months.

Key Features of Field Audit Trail:

  • Extended Data Retention: Field Audit Trail extends the retention period for field history data up to 10 years, ensuring long-term visibility and compliance with regulatory requirements.
  • Comprehensive Tracking: The tool allows tracking changes for up to 60 fields per object, compared to the standard 20 fields. This enables organizations to maintain a detailed record of changes for critical data points.
  • Customizable Policies: Administrators can define retention policies tailored to their specific compliance and business needs. This includes setting up retention periods and determining which fields to track.
  • Field History Archive: After the initial retention period, the field history data is archived. This archived data remains accessible for audits and investigations, providing a robust audit trail for compliance purposes.
  • Integration with Metadata API: Field tracking policies and retention settings can be configured using Salesforce's Metadata API, allowing for automated and scalable management of audit trail settings.
  • Enhanced Visibility: The Field Audit Trail provides administrators with a clear view of historical changes, supporting your Salesforce security best practices.

Data Detection by Einstein

Einstein Data Detect identifies and manages sensitive information within your Salesforce environment, aligning with SaaS security best practices. Using artificial intelligence and machine learning, it scans your data for patterns indicating the presence of sensitive information, such as personally identifiable information (PII) and financial data. This proactive detection helps organizations ensure that sensitive data is properly protected, thus enhancing data security and regulatory compliance.

Key benefits include enhanced data security, support for regulatory compliance, improved data governance, and effective risk mitigation. By continuously monitoring and identifying sensitive data, organizations can avoid costly data breaches and maintain robust data protection practices.

Salesforce Shield: Pros and Cons

As mentioned already, Salesforce Shield offers a powerful suite of security features tailored for organizations with stringent security and compliance requirements. However, like any technology solution, it has its strengths and limitations. Below is a detailed examination of the pros and cons of Salesforce Shield:

Pros Cons
Enhanced Security: Salesforce Shield provides advanced security features like AES 256-bit encryption and comprehensive event monitoring, ensuring sensitive data is protected from unauthorized access and potential breaches. Cost: Salesforce Shield is an add-on product and can be expensive, especially for small to medium-sized businesses, as its pricing is calculated as a percentage of your total Salesforce spend.
Regulatory Compliance: Helps organizations comply with various regulatory requirements such as GDPR, HIPAA, and PCI DSS by providing tools for encryption, audit trails, and data monitoring. Complex Implementation: Implementing Salesforce Shield can be complex and time-consuming, requiring significant planning and resources to ensure it is set up correctly and integrates smoothly with existing systems.
Granular Control: Offers detailed control over data access and modifications, allowing administrators to set specific policies for field history tracking, data retention, and user activities, which enhances overall data governance. Limited Native Backup and Recovery: While Salesforce Shield provides extensive security and monitoring features, it lacks robust native backup and recovery options, necessitating additional solutions or third-party tools for comprehensive data protection.

How to Implement Salesforce Shield

Implementing Salesforce Shield involves several steps, from initial assessment to configuration and ongoing management. By following the steps outlined below, companies can effectively enhance their data security and compliance posture while leveraging the full capabilities of the Salesforce platform.

  1. Initial Assessment and Planning
    • Conduct a security assessment
    • Identify sensitive data
    • Understand compliance requirements
    • Allocate resources
    • Set objectives
  2. Setting Up Shield Platform Encryption
    • Enable encryption in Salesforce Setup
    • Generate/manage encryption keys
    • Define encryption policies
    • Choose encryption schemes
  3. Configuring Event Monitoring
    • Enable Event Monitoring
    • Define security policies
    • Integrate analytics tools (e.g., Reco)
    • Set up alerts and notifications
  4. Implementing Field Audit Trail
    • Enable Field Audit Trail
    • Define tracking policies
    • Configure archival processes
    • Use Metadata API
  5. Using Einstein Data Detect
    • Run initial scans
    • Define detection policies
    • Review scan results
    • Integrate with encryption
  6. Ongoing Management and Maintenance
    • Conduct regular audits
    • Rotate encryption keys
    • Monitor user activities
    • Train employees

Salesforce Shield Pricing

Salesforce Shield pricing is structured as a percentage of your total Salesforce spend, offering a flexible pricing model that scales with your Salesforce investment. The pricing includes several components, each designed to enhance your Salesforce environment's security and compliance capabilities.

  • Platform Encryption, a key feature of Salesforce Shield, is priced at 20% of your total Salesforce spend. This component includes AES 256-bit encryption for data at rest, allowing organizations to encrypt data at the field level while maintaining essential functionality such as search and workflow.
  • Event Monitoring, another integral feature, costs 10% of your total Salesforce spend. This service provides detailed logs of user activity and system performance, enabling organizations to monitor security, track application performance, and gain valuable insights into user behavior.
  • Field Audit Trail extends the retention of field history tracking up to 10 years, compared to the standard 18-24 months. Priced at 10% of your total Salesforce spend, this feature allows for detailed auditing and compliance tracking, ensuring organizations can meet regulatory requirements and maintain data integrity.

For those seeking a comprehensive security solution, the complete Salesforce Shield bundle is available for 30% of your total Salesforce spend. This package includes all the features of Platform Encryption, Event Monitoring, and Field Audit Trail, providing a robust security framework for your Salesforce environment.

For the most accurate and up-to-date pricing, it's recommended to contact a Salesforce sales representative, as pricing may vary based on specific business requirements and negotiated terms​.

Getting Started with Salesforce Shield and Reco

Integrating Salesforce Shield with Reco’s SaaS Detection & Response solutions creates a powerful combination for enhancing your company’s security and compliance posture. Salesforce Shield offers strong protection through features like Platform Encryption, Event Monitoring, and Field Audit Trail, which are necessary for securing sensitive data, monitoring user activity, and ensuring regulatory compliance. Reco enhances these capabilities by providing real-time threat detection, automated responses, and comprehensive monitoring.

When you combine Salesforce Shield with Reco, you use advanced machine learning and behavioral analytics to identify and mitigate potential security threats proactively. Reco’s continuous monitoring and automated response mechanisms ensure that any suspicious activities are quickly detected and addressed, minimizing the risk of data breaches. This integration allows businesses to maintain a high level of data protection, meet compliance requirements, and create a scalable, flexible security framework that grows with their needs. Implementing both solutions signals a strong commitment to data security, fostering a security-first culture that enhances trust and confidence among employees, customers, and stakeholders.

Conclusion

As cyber threats evolve, integrating advanced security measures like Salesforce Shield and maintaining a proactive security strategy are essential steps for any company. By doing so, businesses not only protect their critical data but also build a foundation of trust and compliance that supports long-term success. Adopting powerful tools and continuously improving security practices ensures resilience against potential breaches, positioning companies to explore the complexities of data protection with confidence and integrity.

Table of Contents
Get the Latest SaaS Security Insights
Subscribe to receive weekly updates, the latest attacks, and new trends in SaaS Security
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Request a demo