Doctor: The price of the BKV license is high for Salesforce Shield, although it provides limited protection within Salesforce and no protection for other applications.
As mentioned in our last article, cloud providers usually only offer basic protection in a general liability model. Salesforce Shield is no different. This means that your organization needs to assess potential security holes, and if something goes wrong, you’re still in trouble. There is an expression in German that, roughly translated, means “Buy cheap and you buy twice.” With Shield you buy expensive the first time, still end up with holes, and then have to buy a second time to find extra solutions to fill them.
To give you a better idea, here are 16 reasons why you should use third-party cloud security and not accept Salesforce Shield:
1. With Shield you are solely responsible for securing the data and secrets of the tenant.
This means that you need to understand how you want to secure your keys and bear the costs.
2. Existing data is not automatically encrypted when Shield is activated.
In addition, all imported or created data is sent to Salesforce in plain text and only encrypted later. This is a serious but totally unnecessary breach of the security of sensitive data.
3. Salesforce Customer Service may view your protected data in the public domain if you have access to it.
Confidential data should only be posted when absolutely necessary, which is unlikely in support operations.
4. Some user fields cannot be encrypted by Shield.
This includes fields that have the Unique or External Identifier, fields on external data objects, fields used in connection with contacts with the account, etc. There’s no reason for that. As a platform owner, Salesforce must be able to support customized field protection, whether or not it is associated with an account.
5. Shield cannot encrypt the standard fields when portals are activated.
In fact, you need to disable all customer and partner portals if you want to encrypt the standard fields with Shield. Another unnecessary inconvenience. If there is access to the data stream, which happens most often, there is no reason to disable all portals.
6. Shield cannot identify duplicate accounts and contacts if they are encrypted.
If you use deterministic encryption, you should have no problem finding duplicates, even if the data is secure. This is another scenario where you don’t have to compromise on security for a basic function such as merging duplicates.
7. Bounce processing does not work if you encrypt the standard email field.
E-mail addresses are contact details and in many cases even contain the name of the person managing the account. It is not data that you want to leave unprotected, but bounce handling is an important part of managing the contact database. You really don’t have to choose one or the other.
8. Searching for campaign members is not supported when searching through encrypted fields.
It’s the same here: if Salesforce claims to be able to perform the search with deterministic encryption, it should work anywhere.
9. Report tables and dashboard components that display encrypted field values can be temporarily stored unencrypted.
As an outsider, it’s hard to say, but could it mean Salesforce is storing data in the clear when creating charts and dashboards? I hope not.
10. Shield’s self-service background encryption does not support description fields, long and rich text fields, or other data elements such as files and attachments.
These are standard types of data fields that every decent security solution in the cloud must cover.
11. The self-service background encryption allows data to be encrypted every seven days.
This probably means that the data can remain unprotected for up to six days. With a third-party solution, you can ensure that confidential data is only sent to Salesforce in a secure state, eliminating this and the next vulnerability:
12. Encryption does not start when statistics are collected.
Does this mean that Salesforce must be clear about sensitive data before statistics are created and Shield protects the data only after statistics are created? Do you want to take that risk? Otherwise, it’s best to only provide Salesforce with a secure form of confidential data.
13. Encrypted fields cannot be used in criteria-based sharing rules, external search relations or criteria for filtering management tools.
So, if you want to have a rule like the one for customers who spend more than 10,000 a year and live in the XYZ zip code while the zip code remains safe for individuals, does that mean you’re out of luck?
14. Web-to-case is supported, but the fields Web Company, Web Email, Web Name and Web Phone are not further encrypted.
They’re treated as PII, so there’s still a gap that needs to be filled.
15. Deterministic encryption is not available for user data, date/time, long text area, rich text area or description fields.
Any valuable cloud-based security solution provides deterministic and/or storable encryption for this type of data.
16. With SecurDPS you don’t have to worry about the above.
SecurDPS makes Salesforce’s data only available in a secure state, without you being forced to compromise between security and functionality. For more information, download the SecurDPS Connect newsletter below or send us a message.
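Reasons 6, 8 and 15 rest on the property that deterministic protection keeps equality matching possible on protected values. The following added example (not Salesforce or SecurDPS code) shows that property with a keyed HMAC token standing in for deterministic encryption; the function names, key and contact records are hypothetical and constructed for the demonstration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed demo key; a real deployment keeps this in the customer's own
# key store, outside the SaaS tenant.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def normalize(value: str) -> bytes:
    """Canonicalise before protecting, so 'A@x.com ' and 'a@x.com' match."""
    return value.strip().lower().encode("utf-8")


def deterministic_token(value: str, key: bytes = KEY) -> str:
    """Same key + same value -> same token, so equality matching still works.
    Trade-off: anyone holding the tokens learns which records share a value."""
    return hmac.new(key, normalize(value), hashlib.sha256).hexdigest()


def randomized_token(value: str, key: bytes = KEY) -> str:
    """A fresh salt per call: equal values no longer produce equal output."""
    salt = os.urandom(16)
    mac = hmac.new(key, salt + normalize(value), hashlib.sha256).hexdigest()
    return salt.hex() + mac


def find_duplicates(records, protect):
    """Group record ids by protected email, as a server without the key would."""
    groups = defaultdict(list)
    for rec_id, email in records:
        groups[protect(email)].append(rec_id)
    return sorted(ids for ids in groups.values() if len(ids) > 1)


# Constructed sample contacts (id, email).
CONTACTS = [
    ("003A", "jane.doe@example.com"),
    ("003B", "Jane.Doe@Example.com "),
    ("003C", "sam.lee@example.com"),
]

if __name__ == "__main__":
    print(find_duplicates(CONTACTS, deterministic_token))
    print(find_duplicates(CONTACTS, randomized_token))
```

The HMAC token is one-way, so it illustrates matching only; a reversible deterministic scheme would be needed where the plaintext must be recovered.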