salesforce data migration services



Encryption – Choosing between Salesforce Platform Shield and other Products

Salesforce Shield Platform encryption,Appexchange products,Classic Encryption - posted by Dazeworks

Salesforce has expanded the territories of its customer, way beyond the CRM. Adoption and success of Salesforce has increased by leaps and bounds in less than a couple of years. The customer base of Salesforce is enterprise, IT, IoT and other healthcare domains which is much greater than that of sales CRM. The new sector has brought changes to the need and type of functionality and capability. One of the most on-demand solutions for healthcare customers is Encryption. Here, we will look into the pros and cons of some of the existing solutions for Encryption.

Classic Encryption
We have a Salesforce classic encryption solution where we can define a custom field as encrypted and control its visibility using permission sets and profile. These fields are encrypted with 128 bit master keys and use the Advanced Encryption Standard(AES) algorithm. However, it has a huge drawback. The field size can only be up to 175 characters and only custom fields can be encrypted. And hence, we can arrive at the conclusion that classic encryption is not the solution for every customer. So what could be the next option?

Appexchange products
Recently, Salesforce celebrated the  10th birthday of Appexchange. Appexchange is a unique way to distribute products demanded by customers. There are thousands of ISV partners who create one-of-a-kind products and sell them via Appexchange. Appexchange provides you with countless number of products to choose from.

For encryption, we have a lot of high-rated products like Skyhigh, Ciphercloud etc.

The product architecture is almost equivalent. A server is brought in between the end user and Salesforce and later on the server URL is used in place of the Salesforce URL. Every request is routed through this server and the data is stored in an encrypted format.

appexchange encryption

Architect of AppExchange products for encryption

As shown in the above image, if someone tries to access Salesforce directly, encrypted information will be displayed. Only way to see valid Salesforce information is to route through these servers.


  • Inexpensive encryption solution
  • Encryption server could be hosted behind a firewall if compliance is a concern?
  • Many products support KMIP protocol for encryption key management
  • As every request is routed through intermediate server, a lot of reporting can be built around adoptability


  • All integrating applications, API like dataloaders need to use the new URL instead of the standard Salesforce URL
  • Workflow, validation rules, report filters, SOQL filters need to be handled explicitly as data inside Salesforce is encrypted
  • Exit strategy from Salesforce encryption will not be easier. As everything is encrypted, we will need to export everything in the decrypted format and then reload it.
  • Even though products claim that there are minor performance issues, we are talking about the introduction of one more system and the possibilities of performance degradation are very high.

Even though Appexchange products have drawbacks, the advantages supersede them mainly on the price. However, if price is not a key criteria  to the customer then, the next option is recommended.

Salesforce Shield Platform encryption
It’s been more than a year since the initial launch of the Platform Shield product by Salesforce.What makes this product stand out from Appexchange products is the factor ” Encryption at Rest”. Every field that is marked for encryption is encrypted using two keys where one is generated by Salesforce and the other is known as the tenant key. Tenant keys can be generated every four hours and these are not familiar to Salesforce and are exported by clients and then deleted from Salesforce. If it’s deleted from Salesforce, then any data encrypted using that key cannot be decrypted unless the same key is imported. It is always best for the client to generate the key every 24 hours to avoid this problem. Recently, Salesforce brought in the BYOK( Bring Your Own Key) factor, where clients can generate keys and supply it to Salesforce for encryption purpose.


  • Since the encryption is done within Salesforce, performance degradation is low.
  • Event monitoring is a full suite of product, which can be used to perform various analysis around Apex, visualforce performance and user adaptability reporting
  • Monitor user activity providing visibility
  • Track application usage
  • Custom policies can be defined to enforce customer’s compliance need
  • Retain field history for 10 years, 60 fields per object
  • No impact on integrations or workflow, validation as data is encrypted at Rest
  • Like all other Salesforce products, it gets updated and becomes better with each release


  • Expensive
  • There are many data types which are not yet supported
  • Not all standard fields and objects are supported

If you have any questions on how this can be used for your need, please don’t hesitate to contact us to get a free consultation.



Get latest Blog updates into your email inbox

Popular Tag's

Connect with Dazeworks