encrypt sensitive data while preserving platform functionality
TRANSCRIPT
#forcewebinar
Encrypt Sensitive Datawhile Preserving Platform FunctionalityJuly 7, 2015
#forcewebinar
Safe HarborSafe harbor statement under the Private Securities Litigation Reform Act of 1995:
This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
#forcewebinar#forcewebinar
Speakers
Peter ChittumDeveloper Evangelist
@pchittum
github.com/pchittum
Assaf Ben-GurSenior Product Manager
@assafbengur
#forcewebinar
Go Social!
Salesforce Developers
+Salesforce Developers
Salesforce Developers
Salesforce Developers The video will be posted to YouTube & the webinar recappage (same URL as registration).
This webinar is being recorded!
@salesforcedevs / #forcewebinar
#forcewebinar
▪ Don’t wait until the end to ask your question! – Technical support will answer questions starting now.
▪ Respect Q&A etiquette– Please don’t repeat questions. The support team is working
their way down the queue.
▪ Stick around for live Q&A at the end– Speakers will tackle more questions at the end, time-
allowing.
▪ Head to Developer Forums– More questions? Visit developer.salesforce.com/forums
Have Questions?
#forcewebinar
Agenda
▪ Overview of Platform Encryption
▪ Platform Encryption Architecture
▪ Setting Up Platform Encryption
▪ Platform Encryption and Development
#forcewebinar
Introducing: Salesforce Shield
Infrastructure Services
Network Services
Application Services
Secure Data Centers
Backup and Disaster Recovery
HTTPS Encryption
Penetration Testing
AdvancedThreat Detection
Identity & Single Sign On
Two Factor Authentication
User Roles & Permissions
Field & Row Level Security
Secure Firewalls
Real-time replication
Password Policies
Third Party Certifications
IP Login Restrictions
CustomerAudits
Salesforce ShieldPlatform Encryption
Event Monitoring
Field Audit Trail
New services to help you build trusted apps fast
#forcewebinar
Encrypt Sensitive Data, Preserving Business Functionality
Seamlessly protect data at restEncrypt standard & custom fields, files & attachments
Natively integrated with key Salesforce featuresE.g., Search, Chatter, Lookups work with encrypted data
Customer managed keysCustomer-driven encryption key lifecycle
management
#forcewebinar
Encryption
Authentication & SSO
Two factor Auth
Profiles/Permissions
Sharing & FLS
Setup Audit Trail
Field History Tracking
Event Monitoring
Identity
Encryption
#forcewebinar
Platform Encryption Use Cases
▪ Regulatory Compliance
▪ Unauthorized Access to Database
▪ Contractual Obligations
#forcewebinar
Platform Encryption is Not
▪ Sharing Model
▪ Object/Field Level Security
▪ Data Residency Solution
▪ Encryption for Other Non-Salesforce Data
▪ Protection against User Credential Compromise
trust.salesforce.com
#forcewebinar
Platform Encryption Features
▪ Privileged Users
▪ Encrypt data “at rest”
▪ Encrypt Fields and Files
▪ Granular Control of Encrypted Data
▪ Customer Key Lifecycle Ownership
▪ Config and Maintenance is Point and Click
▪ Support for API and coding on the platform
#forcewebinar
Users
#forcewebinar
Encrypt at Rest: Fields
Name:Darla Hood
Name:aI90xi60csICOdk
Enc
rypt
ion
Ser
viceDarla Hood
***********
#forcewebinar
Encrypt at Rest: Files
Lorem ipsum dolor E
ncry
ptio
nS
ervi
ce
Xvier0c9ghcrucjf4x21ffdqbBLorem
ipsum dolor
#forcewebinar
Granular Control: Fields
▪ Individual Fields
– Text
– Text Area Long
– Phone
– URL
– Some Standard Fields
▪ Enabled with flag
#forcewebinar
▪ Files enabled separately
– Attachments
– Chatter
– Files
– Libraries
▪ All or none
Granular Control: Files
#forcewebinar
Encryption Key
▪ Master Secret (Salesforce)
– Rotated each release
– Stored in the Key Derivation Servers
▪ Tenant Secret (Customer)
– Can be Rotated once per day in Prod
– Stored encrypted in DB
▪ Data Encryption Key
– Derived from Secrets
– Stored in cache
#forcewebinar
Features and Support
▪ GA Summer 15
▪ Feature License Required
▪ Support for
– Global Search
– Lookups
– Workflow
– Approval Processes
– Validation Rules
#forcewebinar
Agenda
▪ Overview of Platform Encryption
▪ Platform Encryption Architecture
▪ Setting Up Platform Encryption
▪ Platform Encryption and Development
#forcewebinar
Architecture Overview
Encryption Service
Hardware Security Modules
Key Derivation
• Standards based encryption built natively into the Salesforce Platform• AES encryption using 256bit keys in CBC mode and random IV• Data encryption and decryption actions are transparent• Layers seamlessly with other Salesforce security features
• Hardware Security Module based key management infrastructure• FIPS 140-2 compliant HW• Master HSM• Key Derivation Servers with embedded HSM card
• Multi-tenant, org-specific key management• Customer driven key lifecycle management• Uses PBDKF2 HMAC with SHA256• Derive secure 256-bit keys that are never persisted in Salesforce
#forcewebinar
Encryption Architecture & Process Overview
1. Data is sent to the application server.
2. The application server checks if the Data
Encryption Key exists in memory.
3. a) If the data encryption key is found in the cache, the application server retrieves it.
b) If the data encryption key is not found,
the application server reads the
organization's encrypted active tenant
secret from the database and requests a
key from the Key Derivation Server.
4. The encryption service encrypts the data on
the application server.
5. The encrypted data is stored.
#forcewebinar
Global Availability
San Jose
Chicago
London TokyoWashington
ASG
Coming Late 2015
#forcewebinar
Agenda
▪ Overview of Platform Encryption
▪ Platform Encryption Architecture
▪ Setting Up Platform Encryption
▪ Platform Encryption and Development
#forcewebinar
Demo
▪ Setup Encryption
– Enable Users
– Generate Key
– Select Fields/Files
– Manage Keys
#forcewebinar
Agenda
▪ Overview of Platform Encryption
▪ Platform Encryption Architecture
▪ Setting Up Platform Encryption
▪ Platform Encryption and Development
#forcewebinar
Demo
▪ TenantSecret sObject▪ API and Integration
–REST and SOAP Support
▪ Coding and Encryption
– SOSL
– Solving Sorting in Apex
– Apex and Key Rotation
#forcewebinar
Some Considerations
▪ Limitations
– Sharing Rules
– Person Accounts (Roadmap)
– SOQL and List Filters
– Formula Fields
– Communities and Portals
– Other Features
▪ Integration could be affected
#forcewebinar
Roadmap (Safe Harbor)
▪ Support additional standard/custom fields and other content
encryption (Person Account std fields, Case Subject, Description
and Case Comments, Text Area custom field type etc.)
▪ Make additional features encryption-aware and preserve more
functionality (Search via S1 mobile devices, Communities etc.)
▪ Build additional key management tooling (Customer supplied keys,
Key Brokering etc.)
#forcewebinar
Resources
▪ Intro to Platform Encryption
▪ Release Notes
▪ Whitepaper
▪ Best Practices
▪ Classic Encrypted Custom Fields vs Platform Encryption
▪ TenantSecret (SOAP API)
▪ Field MDAPI (Encrypted bit)
▪ Considerations
▪ Summer '15 Webinar + Demo (15min)
#forcewebinar
Read the Docs
#forcewebinar
Plan
#forcewebinar
Back Up Your Secret
#forcewebinar
Signing up for DeveloperOrg in EMEA
developer.salesforce.com/signup
Choose United States as country
#forcewebinar#forcewebinar
Q & A
Peter ChittumDeveloper Evangelist
@pchittum
github.com/pchittum
Assaf Ben-GurSenior Product Manager
@assafbengur
github.com/pchittum/platform-encryption-webinar
#forcewebinar#forcewebinar
Survey
Your feedback is crucial to the successof our webinar programs. Thank you!
http://bit.ly/1JJVGxX
#forcewebinar
Thank you