Protect Salesforce and your backups with BYOK encryption | The complete Salesforce DevOps solution

Salesforce goes a long way towards protecting your information, by providing robust data encryption features and promoting security best practices among your team. But organizations need to translate this same scrutiny to their backups, so that Salesforce data is equally secure everywhere it’s being stored.

In this article, we’ll give an overview of Salesforce’s data security and encryption features, and explain how you can apply the same protection to your backup data with Gearset.

How does Salesforce encrypt your data?

Salesforce secures your data with a variety of features, from multi-factor authentication (MFA) to permission sets, which prevent unauthorized access to your orgs via a user account. It also encrypts your data with some out-of-the-box security features, alongside some additional safeguards you might choose to adopt.

Salesforce encryption out of the box

Salesforce encryption keeps your data secure, even in the event of a network or hardware breach. For all orgs, Salesforce encrypts your data in two ways:

  • At rest. When your data is stored in Salesforce’s servers, AES256 encryption mitigates the damage of data being exposed were someone to illicitly gain direct access to the server.
  • In transit. When your data is being accessed, Salesforce uses both Secure Sockets Layer (SSL) and Transport Layer Security (TLS) to encrypt data and prevent it from being exposed to someone that has hacked your network. With digital certificates, you can authenticate the connection between your orgs and third-party applications.

Salesforce’s encryption and security measures protect your orgs from unauthorized access, but it’s also possible to introduce more tailored encryption practices that secure certain types of data.

What additional encryption does Salesforce offer?

Salesforce’s Classic Encryption lets you protect specific text fields in your Salesforce orgs. It’s an out-of-the-box solution that prevents internal Salesforce users from seeing specific data. You can set it up for fields, such as credit card numbers, that you’d only want certain Salesforce users accessing. Setting up Salesforce’s Classic Encryption is simple because it’s a type of profile or permission set. You simply select which users you want to view the custom text and grant them the “View Encrypted Data” permission.

Salesforce Shield Platform Encryption provides a more comprehensive approach, allowing you to encrypt common standard fields, alongside some custom fields and file types. You can use the Shield Platform to protect a wide range of data in your orgs, including Workflow Rules, Attachments, and SOSL Queries.

Shield Platform Encryption comes free in Developer Edition orgs, but for Enterprise, Performance and Unlimited Edition orgs customers need to purchase it as an add-on. Shield Platform Encryption settings are built with custom code, which can make deploying them quite tricky.

When to use Salesforce BYOK

Data encryption keys are needed to decrypt your data. By default, Salesforce’s Shield key management service (Shield KMS) generates your encryption keys for you. However, Shield Platform Encryption allows you to opt out of Salesforce’s key derivation and Bring Your Own Key (BYOK) instead. As you’re responsible for this key, this model is also known as a customer-managed key.

BYOK gives you an extra level of control over your data. It requires extra work, as you’re responsible for setting up, managing and securing your key, but your organization might view it as a necessity for its security.

Glaziers Hall, London

DevOps Dreamin’ London 2024

Find out more

Keep your Salesforce backups just as secure

While Salesforce works to protect your data on its platform, it can’t fully protect you from the risks of data loss. In fact, 67% of Salesforce teams reported that they had experienced data or metadata loss in the last year.

Salesforce’s “shared responsibility model” means that your organization and Salesforce split the responsibility for protecting your data. Though Salesforce is responsible for the security and integrity of its own platform, you’re responsible for all the information and customizations in your own orgs and backing up your data and metadata.

Security and encryption for backups need to be at least as strong as the security and encryption on-platform, and you alone are responsible for making sure your backups are secure. You need to check your backups are in line with your organization’s compliance and encryption standards.

If you’re using a self-built backup process, perhaps downloading CSV files using Salesforce’s Data Export, you need to think about where and how those files are stored, as storing them without secure encryption leaves your Salesforce data vulnerable and goes against best practice.

Your Salesforce data should be made more, not less, secure by your backup solution. Proper backup solutions should encrypt your data, and some will support BYOK.

How Gearset encrypts your backups

Gearset’s backup solution provides additional security to your existing Salesforce workflow, with our robust data protection and encryption practices.

All Gearset backups are stored with Amazon Web Services (AWS) — the same data centers trusted by Salesforce and which are accredited with SOC1, SOC2, SOC3, ISO 27001, HIPAA, and more.

Any data handled by Gearset is encrypted in transit by the latest SSL standards according to the highest SSL labs security report. At rest, your data is protected by AES-256, which is one of the strongest block ciphers.

By default, Gearset provides self-service key management for all backups. Gearset will look after your encryption key for you so that you don’t need to worry about managing or securing your key, but you can still delete it whenever you need.

Depending on your organization’s encryption requirements, you may also want to BYOK to Gearset’s backup solution using an Amazon Web Service Key Management System (AWS KMS). You control how your AWS key is rotated.

Keep control of your data

You should be in control of your data at all times, allowing you to protect your organization’s and customers’ critical information. With Gearset’s backup solution, you can make sure your backups are equally or more securely encrypted than the data you hold in Salesforce. If you want to find out more about Gearset’s Salesforce backup solution or you’re ready to take control of your data security, book a consultation today to discuss your security requirements with our dedicated backup team.