Salesforce Adds 'Bring Your Own Key' to Its Platform Encryption Service

Salesforce is adding Bring Your Own Key functionality to the platform encryption service within Salesforce Shield, a set of integrated security services built natively into the Salesforce platform. 

Salesforce Shield rolled out last year. Its Platform Encryption is built into its metadata platform, which means customers can encrypt data while still preserving workflows, search and validation rules. Until now, Salesforce encrypted the key to the platform as part of the service.

Now comes Shield Platform Encryption BYOK (Bring Your Own Key) and it does just what the name suggests: it allows users to create their own key to the encryption service outside of Salesforce, making the platform that much more secure and private.

Stranded by Compliance

With hackers infiltrating just about every seemingly secure network out there, any addition to security is welcome. But the real point of Platform Encryption BYOK is that it will allow companies in highly-regulated industries to join the cloud.

Certain sectors such as financial services, healthcare and defense must follow rigid security and privacy regulations especially when using cloud technology, Seema Kumar, vice president of product marketing at the San Francisco-based software giant, told CMSWire.

One of these is that the user needs to be able to encrypt its own key, she said, adding, "We wanted to help customers that have been stranded in the cloud by compliance requirements."

The Path to Key Encryption

Essentially what Salesforce did with Shield Platform Encryption BYOK was extend its existing key management architecture via an API service, Brian Goldfarb, senior vice president of App Cloud Marketing at Salesforce, wrote in a blog post announcing the new feature.

Companies have a number of choices for managing their key encryption, he wrote.

Learning Opportunities

Webinar

May

30

ChatGPT and the Future of Conversational AI

This discussion explores various aspects of AI implementation, ethical considerations, and challenges for your organization.

Webinar

May

31

The Evolution of Employee Listening - 2023 Trends & Best Practices

Learn proven effective methods and solutions to supporting an inspirational future of Employee Voice

Webinar

Jun

1

How organizations can design, build and run Generative AI into the Customer Experience

Discover how to drive enhanced CX through Generative AI

Webinar

Jun

6

The Future of Social Media: Emerging Trends and How to Stay Ahead of the Curve

The impact of emerging technologies like AI on social media

Webinar

Jun

7

The Building Blocks of Personalization

This webinar will explore how personalization can create powerful ecommerce shopping experience.

Webinar

Jun

13

The Future of Contact Centers with AI at the Helm

Learn how to balance human intuition and interaction with the potential uses of AI to create delightful and lasting CX

Webinar

May

30

ChatGPT and the Future of Conversational AI

This discussion explores various aspects of AI implementation, ethical considerations, and challenges for your organization.

Webinar

May

31

The Evolution of Employee Listening - 2023 Trends & Best Practices

Learn proven effective methods and solutions to supporting an inspirational future of Employee Voice

Webinar

May

30

ChatGPT and the Future of Conversational AI

This discussion explores various aspects of AI implementation, ethical considerations, and challenges for your organization.

Webinar

May

31

The Evolution of Employee Listening - 2023 Trends & Best Practices

Learn proven effective methods and solutions to supporting an inspirational future of Employee Voice

Webinar

Jun

1

How organizations can design, build and run Generative AI into the Customer Experience

Discover how to drive enhanced CX through Generative AI

Webinar

May

30

ChatGPT and the Future of Conversational AI

This discussion explores various aspects of AI implementation, ethical considerations, and challenges for your organization.

View all

They can turn to open source crypto libraries such as OpenSSL or use their existing HSM [Hardware Security Module] infrastructure or tap a third­ party service, such as AWS Key Management Service or AWS CloudHSM.

Salesforce has also partnered with two key brokering companies, Vormetric  and ​Skyhigh Networks, for companies that want to outsource the administration and governance efforts.

How It Works

This is how it works for the customer, Goldfarb wrote.

1. Customers generate a secure certificate from Salesforce’s setup menu. They can choose to generate either a self-­signed or Certificate Authority signed certificate, depending on their own security and compliance requirements.
2. The certificate’s private key is protected with an org­ specific derived key in the HSM box, ensuring it can be only unwrapped by the HSM embedded within special purpose security hardware called a Key Derivation Server.
3. Customers then use that certificate’s public key to wrap their on­-prem generated tenant secret before uploading it to Salesforce. This allows for a secure transport of keys back to the Salesforce environment.
4. T​he tenant secret is then paired with a master secret in Salesforce to derive the org­ specific data encryption key used to encrypt sensitive data stored in standard and custom fields, files, and attachments. The derived keys are never persisted to disc, ensuring maximum security for encryption keys.
5. Once a customer has supplied their tenant secret, they can use Platform Encryption as they normally would to strongly encrypt data at rest in Salesforce. Each time they supply a new tenant secret using BYOK, the data encryption key is rotated and that new key is derived and used to encrypt and decrypt data.

"This straightforward process allows customers to have both control and a greater role in managing keys, while reducing the burden of involved key management," Goldfarb concluded.

Title image by Daryn Bartlett