Salesforce is adding Bring Your Own Key functionality to the platform encryption service within Salesforce Shield, a set of integrated security services built natively into the Salesforce platform. 

Salesforce Shield rolled out last year. Its Platform Encryption is built into its metadata platform, which means customers can encrypt data while still preserving workflows, search and validation rules. Until now, Salesforce encrypted the key to the platform as part of the service.

Now comes Shield Platform Encryption BYOK (Bring Your Own Key) and it does just what the name suggests: it allows users to create their own key to the encryption service outside of Salesforce, making the platform that much more secure and private.

Stranded by Compliance

With hackers infiltrating just about every seemingly secure network out there, any addition to security is welcome. But the real point of Platform Encryption BYOK is that it will allow companies in highly-regulated industries to join the cloud.

Certain sectors such as financial services, healthcare and defense must follow rigid security and privacy regulations especially when using cloud technology, Seema Kumar, vice president of product marketing at the San Francisco-based software giant, told CMSWire.

One of these is that the user needs to be able to encrypt its own key, she said, adding, "We wanted to help customers that have been stranded in the cloud by compliance requirements."

The Path to Key Encryption

Essentially what Salesforce did with Shield Platform Encryption BYOK was extend its existing key management architecture via an API service, Brian Goldfarb, senior vice president of App Cloud Marketing at Salesforce, wrote in a blog post announcing the new feature.

Companies have a number of choices for managing their key encryption, he wrote.

Learning Opportunities

They can turn to open source crypto libraries such as OpenSSL or use their existing HSM [Hardware Security Module] infrastructure or tap a third­ party service, such as AWS Key Management Service or AWS CloudHSM.

Salesforce has also partnered with two key brokering companies, Vormetric  and ​Skyhigh Networks, for companies that want to outsource the administration and governance efforts.

How It Works

This is how it works for the customer, Goldfarb wrote.

  1. Customers generate a secure certificate from Salesforce’s setup menu. They can choose to generate either a self-­signed or Certificate Authority signed certificate, depending on their own security and compliance requirements.
  2. The certificate’s private key is protected with an org­ specific derived key in the HSM box, ensuring it can be only unwrapped by the HSM embedded within special purpose security hardware called a Key Derivation Server.
  3. Customers then use that certificate’s public key to wrap their on­-prem generated tenant secret before uploading it to Salesforce. This allows for a secure transport of keys back to the Salesforce environment.
  4. T​he tenant secret is then paired with a master secret in Salesforce to derive the org­ specific data encryption key used to encrypt sensitive data stored in standard and custom fields, files, and attachments. The derived keys are never persisted to disc, ensuring maximum security for encryption keys.
  5. Once a customer has supplied their tenant secret, they can use Platform Encryption as they normally would to strongly encrypt data at rest in Salesforce. Each time they supply a new tenant secret using BYOK, the data encryption key is rotated and that new key is derived and used to encrypt and decrypt data.

"This straightforward process allows customers to have both control and a greater role in managing keys, while reducing the burden of involved key management," Goldfarb concluded.

Title image by Daryn Bartlett