Glumes ITSalesforce Ecosystem Experts
Back to Blog
Security

Locking Down Sensitive Data with Salesforce Shield

Glumes TeamDecember 05, 202511 min read

The three Shield pillars

  • Platform Encryption — data at rest encrypted with tenant-specific keys
  • Event Monitoring — every login, API call, report export streamed to your SIEM
  • Field Audit Trail — 10-year retention on selected field history

Each is licensed separately; most orgs need all three for regulated workloads.

Platform Encryption: what it does and doesn't do

Does:

  • Encrypts at rest with a tenant secret you rotate (or BYOK)
  • Preserves standard app functionality when configured correctly
  • Encrypts custom + standard fields, files, search index

Doesn't:

  • Protect against a user with permission to view the record
  • Encrypt formula results that reference encrypted fields (they compute in the clear)
  • Play well with certain filter operators (LIKE, ordering) on Probabilistic encryption

Rule: use Deterministic encryption for fields you filter/join on, Probabilistic for maximum entropy on free-text.

BYOK setup

1. Generate 256-bit AES key with your HSM/KMS
2. Wrap with the Salesforce-supplied public key (RSA-OAEP-SHA256)
3. Upload as a Tenant Secret (Type: BYOK)
4. Rotate quarterly; keep the last N active for historical decrypt

Rotation triggers re-encryption asynchronously. Monitor the Encryption Statistics page — a stuck job blocks new rotations.

Event Monitoring in practice

Real Event Monitoring (Streaming) delivers events to a Platform Event channel. Subscribe from your SIEM:

# CometD / EMP-Connector to /event/LoginEventStream
# Or Async Query API for historical
GET /services/data/v62.0/sobjects/EventLogFile?filter=EventType='ReportExport'

Key events to alert on:

  • ReportExport with row count > 10,000
  • ApiTotalUsage spike per user
  • LoginAs (admin impersonation)
  • LightningPageView on encrypted-record pages by users outside expected roles

Field Audit Trail

Selective — you choose 60 fields per object to retain up to 10 years. Configure via Metadata API (HistoryRetentionPolicy):

<HistoryRetentionPolicy>
  <archiveAfterMonths>18</archiveAfterMonths>
  <archiveRetentionYears>10</archiveRetentionYears>
  <gracePeriodInDays>0</gracePeriodInDays>
  <description>SOX-scoped opportunity fields</description>
</HistoryRetentionPolicy>

Query via FieldHistoryArchive — Big Object semantics, indexed by ParentId + FieldHistoryType.

Transaction Security Policies

Fires synchronously during an event; can block or MFA-challenge:

Policy: BlockMassReportExport
  Trigger: ReportEvent
  Condition: RowsProcessed > 50000 AND User.Profile.Name != 'Analytics Admin'
  Action: Block + Notify #sec-incidents

Compliance mapping cheatsheet

  • HIPAA — Shield + BAA + encrypted files + full audit on PHI fields
  • GDPR — Right to erasure via Data Detect + ContactRequest object
  • SOX — Field Audit Trail on financial fields + Change Sets logged in Setup Audit Trail
  • PCI — do not store PANs in Salesforce; tokenize via Payment Service Provider

Cost reality

Shield is not cheap; it's usually 25–30% of net Sales/Service Cloud spend. Justify it with a specific regulatory scope, not "we might get audited."

ShieldSecurityCompliance