Data Encryption :
The process of applying a cryptographic function to data that results
in ciphertext, also known as encrypted data.
Salesforce Shield :
Salesforce Shield is a suite of products that gives you more control over your security and monitoring of sensitive data.
Platform Encryption :
Platform Encryption is Salesforce's product that gives you a point-and-click way to encrypt data at rest.
Platform Encryption also lets you select the objects and fields that will be encrypted, and which key and encryption scheme will be used.
Event monitoring :
Event Monitoring is the counterpart to that data security.
It enables you to monitor how that data is accessed in the platform and how it is taken out of the platform.
Within Event Monitoring, you can set up policies that watch for specific criteria and proactively block the action or notify you when that data is being accessed.
Common Terms :
1.Data Encryption Keys :
Keys used to encrypt and decrypt data in the database.
2.Encryption at Rest :
Data that is stored on disk in an encrypted state.
3.Bring Your Own Key :
When you supply your own key material for encryption.
4.Tenant Secret :
A piece of the encryption credential that is specific to your organization.
Note :
A tenant secret is an organization-specific secret used in conjunction with the master secret held by Salesforce to generate the key material needed to actually encrypt your data.
Shield Features :
1.Specify which fields and objects should be encrypted at rest.
2.Control over key permissions.
3.Bring your own key.
4.Maintain most existing functionality with encryption*
5.Monitor key activities performed by your users.
Encryption Schemes :
How does this encryption actually work?
Salesforce uses two different encryption schemes:
1.Probabilistic scheme
2.Deterministic scheme
Probabilistic scheme :
This is Salesforce's default encryption scheme: data is fully randomized, and it is the most secure option.
Each piece of data is turned into a fully random ciphertext string every time it's encrypted.
Encryption generally doesn't impact users who are authorized to view the data.
The exception is when logic is executed in the database, or when encrypted values are compared to strings or to each other.
In those cases, because the data has been turned into a completely random, patternless string, filtering isn't possible.
It's recommended to use probabilistic encryption on fields that won't be used for filtering or comparisons, such as Social Security numbers,
phone numbers, etc.
Deterministic scheme :
To be able to filter on encrypted data, we have to allow some pattern into the ciphertext.
Deterministic encryption uses a static initialization vector so that an encrypted value can be matched to a particular field value.
The system can't read the encrypted data, but it does know how to retrieve the ciphertext that stands for a given value.
The IV is unique to a given field in a given org, and the data can only be decrypted with the org-specific encryption key.
Classic Encryption vs Shield Encryption :
Feature                 | Classic Encryption    | Shield Encryption
Encryption at Rest      | Y                     | Y
Native Solution         | Y                     | Y
Masking                 | Y                     | -
Encrypt Standard Fields | -                     | Y
Encrypt Custom Fields   | Only in special field | Y
Encrypt Files           | -                     | Y
Encrypt Search & Events | -                     | Y
Generate Tenant Secret :
With a generated tenant secret, Salesforce generates everything on your behalf and manages it inside its protected, encrypted scheme.
Bring Your Own Key :
Bring your own key, by contrast, is where you come to the table with your own key material, manage it yourself, and give Salesforce just enough information to encrypt the data with your own key.
Tenant Secret Types :
1.Data in Salesforce
2.Search Index
3.Event Bus
Note :
1.Probabilistic algorithm
The probabilistic algorithm is Salesforce's default encryption.
Data is fully randomized, and this is the most secure option.
Each piece of data is turned into a fully randomized ciphertext string every time it's encrypted.
Encryption within Salesforce generally doesn't impact users who are authorized to view the data.
The exceptions are when logic is executed in the database, or when encrypted values are compared to a string or to each other.
In those cases, because the data has been turned into a random, patternless string, filtering is not possible.
2.Deterministic algorithm
To be able to filter on encrypted data, we have to allow some pattern into the ciphertext.
Deterministic encryption uses a static initialization vector (IV) so that an encrypted value can be matched to a particular field value.
The system can't read a piece of data that's been encrypted, but it does know how to retrieve the ciphertext that stands for that piece of data.
The IV is unique for each given field in a given org, and the data can only be decrypted with your org-specific encryption key.
Within deterministic encryption, there are two subtypes:
1.case-sensitive deterministic
2.case-insensitive deterministic
Note : When you use deterministic encryption, it is very important to choose this subtype correctly. Otherwise, your filters will not return the results you expect.
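The two schemes described above and in the note, as an added example that is not Salesforce's code: AES-CBC with a fresh random IV per value (probabilistic) versus a static IV derived from the field name under the org key (deterministic), plus the case-sensitive/case-insensitive choice and the equality filter that only the deterministic form makes possible. The org key and the IV derivation are constructed stand-ins; Salesforce's real key management and IV derivation are not modelled.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"strings"
)

// Constructed stand-in for the org key derived from the tenant secret and master secret.
var orgKey = sha256.Sum256([]byte("constructed: tenant secret || master secret"))

// cbcEncrypt: AES-256-CBC with PKCS#7 padding; the IV is prefixed to the output.
func cbcEncrypt(iv, plaintext []byte) []byte {
	block, _ := aes.NewCipher(orgKey[:]) // 32-byte key, so no error is possible
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	pt := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return append(append([]byte{}, iv...), ct...)
}

// Probabilistic scheme: a fresh random IV per call, so equal values never share
// a ciphertext and the database cannot evaluate an equality filter on them.
func EncryptProbabilistic(value string) []byte {
	iv := make([]byte, aes.BlockSize)
	_, _ = rand.Read(iv) // crypto/rand; never returns short on supported platforms
	return cbcEncrypt(iv, []byte(value))
}

// Deterministic scheme: a static IV derived from the field name under the org key,
// so equal values in one field share a ciphertext. Case-insensitive lower-cases first.
func EncryptDeterministic(field, value string, caseInsensitive bool) []byte {
	if caseInsensitive {
		value = strings.ToLower(value)
	}
	mac := hmac.New(sha256.New, orgKey[:])
	mac.Write([]byte(field))
	return cbcEncrypt(mac.Sum(nil)[:aes.BlockSize], []byte(value))
}

// Matches is the equality filter the database can run without decrypting:
// encrypt the query value the same way and compare ciphertext bytes.
func Matches(stored []byte, field, query string, caseInsensitive bool) bool {
	return bytes.Equal(stored, EncryptDeterministic(field, query, caseInsensitive))
}
```

Because the deterministic IV is bound to the field name, the same value stored in two different fields still yields two different ciphertexts, which is why a filter must be evaluated per field.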
Event Monitoring :
Event Monitoring within the Salesforce Platform is a granular, detailed view of how users and the system are performing at the event level.
Every time an action is taken or a record changes, what Salesforce calls an event is created within the platform.
Within Salesforce Shield, you have a granular view that lets you monitor what's happening in the platform, in order to:
1.Monitor activity
2.Increase adoption
3.Optimize performance
Within Event Monitoring, there is something called transaction security policies.
These are policies that allow you to monitor, or take action on, certain types of data interaction with the system.
1.Condition Builder
Condition Builder allows you to apply these rules with no code, through the user interface.
2.Apex
Second, you can apply Apex to your transaction security policies for fine-grained control over which fields and objects trigger notifications for these Event Monitoring events.
Within a transaction security policy, there are four types of notifications.
1.Block
Block allows you to block a user's interaction completely when they've done a specific thing, such as trying to load a report that returns more records than you've allowed.
2.Multi-factor authentication
The second requires multi-factor authentication so that the user can prove they are actually who they say they are.
3.Email Notification
A simple notification to your system admins or a group of individuals so you can understand what's happening in real time.
4.In-app notification
An in-app notification to that system admin or a group of admins so that you understand what's happening.
Tableau CRM for Event Monitoring :
This platform gives Sales, Service, and the other core CRM applications advanced analytics, with the ability to slice and dice data and create tables and visualizations beyond the standard reporting and dashboard tools in core.
Benefits of the Event Monitoring App :
1.Easy Access
2.Visual
3.Filter & Facet
4.Shareability