Salesforce Enhances Shield Security With BYOK for Regulated Industries

The update to Salesforce Shield provides a set of integrated security services that allows companies to use their own encryption keys with Shield.

Salesforce Encryption 2

Cloud computing services for consumer and business have grown immensely, but there are still concerns about security, particularly in highly regulated industries such as health care and finance.

These industries also are bound by strict compliance regulations that can limit how practical it is to adopt so-called off-premise, cloud computing alternatives. aims to address these concerns with an update to Salesforce Shield that allows companies to use their own encryption key system to secure their data. Typically, encryption providers maintain their own encryption keys or offer a more cumbersome file vault system.

The new capabilities, described as Bring Your Own Key (BYOK), are being tested as part of a pilot that involves customers and third-party key providers. A finished version is expected to be released later this year.

"Ultimately what it is doing is giving the customer more control and offering compliance in a simple point-and-click manner to manage encryption," Brian Goldfarb, senior vice president of app cloud marketing at Salesforce, told eWEEK. "Customers asked us for more control and now they're in the driver's seat."

Forrester security analyst John Kindervag predicts the new offering will be a welcome addition to current Salesforce customers and a selling point to potential customers concerned about the security of their data. "In 2013 we coined the term ‘bring your own encryption' to deal with sensitive data in the cloud. It shouldn't be the service provider; you should have control of your own key," Kindervag told eWEEK.

While highly regulated industries will be among the early adopters, Kindervag predicts the service eventually will roll out more broadly. "All companies are concerned about toxic data—in other words, data that becomes outside your control when there's a data breach," he said. "With services like this you can control who has access and you can mitigate when there's a breach because it allows you to revoke the encryption keys so they're not usable by anyone, ever.

"I'd like to see a time where all data is encrypted and we can tell our grandkids tales of how we used to send unencrypted data over the internet and how foolish that was," he added.

Kindervag also contends BYOK will be welcomed by companies concerned about government agencies issuing warrants to cloud providers when they're seeking data in a criminal investigation. In the BYOK scenario, anyone seeking that data has to deal directly with the companies that own the data, since they control the encryption key.

One of the partners working with Salesforce on the new offering is enterprise data protection company Vormetric. The company is testing what it calls Key Management-as-a-Service (KMaaS) for Salesforce Shield Platform Encryption that it says will enable companies to natively encrypt data at rest across their Salesforce apps. The Vormetric offering also eliminates the need to deploy, maintain and assign resources to encryption key management.

"Salesforce Shield Platform Encryption provides the robust encryption service, while Vormetric provides complementary capabilities to further address needs to meet compliance and best practices for managing of encryption key life cycles outside of Salesforce," Vormetric vice president of cloud, C.J. Radford, said in a release, adding that enterprises can do this "without the need for enterprises to become cryptographic experts."

Goldfarb said hundreds of Salesforce customers are already testing the update and others are welcome to apply ahead of its commercial availability later this year.

Salesforce Shield customers will have a variety of options for managing tenant secrets, including open-source crypto libraries such as OpenSSL to their existing HSM infrastructure and third-party services such as Amazon Web Services Key Management Service and AWS CloudHSM. In addition to Vormetric, Salesforce has partnered with another encryption key broker, SkyHigh Networks.

Analyst Kindervag said he prefers Salesforce's approach of using APIs to connect to third-party brokers than a broader industry approach based on encryption standards. "With APIs things can communicate without inhibiting innovation," he said. "In the past it was standards that helped things talk to each other. But that approach also inhibits innovation when developers are forced to comply with those standards rather than create the best solution they can."

David Needle

David Needle

Based in Silicon Valley, veteran technology reporter David Needle covers mobile, bi g data, and social media among other topics. He was formerly News Editor at Infoworld, Editor of Computer Currents...