The three Shield pillars
- Platform Encryption — data at rest encrypted with tenant-specific keys
- Event Monitoring — every login, API call, report export streamed to your SIEM
- Field Audit Trail — 10-year retention on selected field history
Each is licensed separately; most orgs need all three for regulated workloads.
Platform Encryption: what it does and doesn't do
Does:
- Encrypts at rest with a tenant secret you rotate (or BYOK)
- Preserves standard app functionality when configured correctly
- Encrypts custom + standard fields, files, search index
Doesn't:
- Protect against a user with permission to view the record
- Encrypt formula results that reference encrypted fields (they compute in the clear)
- Play well with certain filter operators (
LIKE, ordering) on Probabilistic encryption
Rule: use Deterministic encryption for fields you filter/join on, Probabilistic for maximum entropy on free-text.
BYOK setup
1. Generate 256-bit AES key with your HSM/KMS
2. Wrap with the Salesforce-supplied public key (RSA-OAEP-SHA256)
3. Upload as a Tenant Secret (Type: BYOK)
4. Rotate quarterly; keep the last N active for historical decrypt
Rotation triggers re-encryption asynchronously. Monitor the Encryption Statistics page — a stuck job blocks new rotations.
Event Monitoring in practice
Real Event Monitoring (Streaming) delivers events to a Platform Event channel. Subscribe from your SIEM:
# CometD / EMP-Connector to /event/LoginEventStream
# Or Async Query API for historical
GET /services/data/v62.0/sobjects/EventLogFile?filter=EventType='ReportExport'
Key events to alert on:
ReportExportwith row count > 10,000ApiTotalUsagespike per userLoginAs(admin impersonation)LightningPageViewon encrypted-record pages by users outside expected roles
Field Audit Trail
Selective — you choose 60 fields per object to retain up to 10 years. Configure via Metadata API (HistoryRetentionPolicy):
<HistoryRetentionPolicy>
<archiveAfterMonths>18</archiveAfterMonths>
<archiveRetentionYears>10</archiveRetentionYears>
<gracePeriodInDays>0</gracePeriodInDays>
<description>SOX-scoped opportunity fields</description>
</HistoryRetentionPolicy>
Query via FieldHistoryArchive — Big Object semantics, indexed by ParentId + FieldHistoryType.
Transaction Security Policies
Fires synchronously during an event; can block or MFA-challenge:
Policy: BlockMassReportExport
Trigger: ReportEvent
Condition: RowsProcessed > 50000 AND User.Profile.Name != 'Analytics Admin'
Action: Block + Notify #sec-incidents
Compliance mapping cheatsheet
- HIPAA — Shield + BAA + encrypted files + full audit on PHI fields
- GDPR — Right to erasure via Data Detect +
ContactRequestobject - SOX — Field Audit Trail on financial fields + Change Sets logged in Setup Audit Trail
- PCI — do not store PANs in Salesforce; tokenize via Payment Service Provider
Cost reality
Shield is not cheap; it's usually 25–30% of net Sales/Service Cloud spend. Justify it with a specific regulatory scope, not "we might get audited."
