Mike Schuricht wrote an interesting post about Where does Salesforce platform encryption fall short? that I would like to share.
“Salesforce Shield (Salesforce’s platform encryption product) has now been on the market for about a year and a half. The goal is to encrypt data at rest in Salesforce with a bring your own key (BYOK) approach which was introduced in July. The solution sounds great, but doesn’t deliver on the main reasons you would want to encrypt cloud data in the first place.
One reason to encrypt is to maintain ownership of keys and not allow the SaaS app to see your sensitive data at all. BYOK allows you to control the keys with your own key management system (KMS), but Salesforce can decrypt data on the fly at any time, exposing data in clear text in the app. What have you really gained?
A blind subpoena by the government could result in data turnover without your knowledge. You would not have the opportunity to deny or disconnect access from your KMS unless Salesforce explicitly asked you if it was ok. Most cloud app vendors have been fighting the government for some time on these requests, but it is definitely a possibility.
Another issue is the App Marketplace where other apps can be installed on top of Salesforce or connect your Salesforce instance to their own cloud infrastructures. Cloud apps which connect using Salesforce APIs get access to the decrypted version of the data. This is a major flaw with cloud encryption provided by an app vendor: data is encrypted and protected in that app, but what about all of the other apps connected to Salesforce? If sensitive data is encrypted in Salesforce, then synced and store in another cloud app unencrypted, you are not meeting your goal.
Yet another challenge is protecting data wherever it resides. Protection of data downloaded or synced to endpoints connecting to the apps is important too. If data is encrypted in Salesforce and a user runs a report to export all Contact records, download those unencrypted records as a spreadsheet, and then leaves the company, what have you achieved? The protection of data in the cloud “worked” but data was exfiltrated and not protected in any way after export.
SaaS security has always been an interesting area to follow since app vendors continue to add various features to increase support for cloud access controls, cloud data loss prevention (DLP), and cloud encryption, to name a few key features. This is great for customers since increased security options allow for better data protection and an opportunity to avoid having to cobble together a makeshift solution from existing technologies. The main problem with the approach is each app supports different things, in differing degrees of maturity, and this leads to fragmented security.
For consistent security, across control, and encryption, you really need a third-party cloud security platform. This agnostic approach allows admins to configure policies across multiple apps to provide holistic total data protection.