Salesforce Enhances Shield Security With BYOK for Regulated Industries

salesforce

The update to Salesforce Shield provides a set of integrated security services that lets companies use their own encryption keys with Shield.

While cloud computing services for consumer and business has grown immensely, there are still concerns about security, particularly in highly regulated industries such as health care and finance.

These industries are also bound by strict compliance regulations that can limit how practical it is to adopt so-called off-premise, cloud computing alternatives.

Salesforce.com aims to address these concerns with an update to Salesforce Shield that lets companies use their own encryption key system to secure their data. Typically encryption providers maintain their own encryption keys or offer a more cumbersome file vault system.

The new capabilities, described as Bring Your Own Key (BYOK) are being tested as part of a pilot or beta program with that involves customers and third party key providers. A finished version is expected to be released later this year.

Salesforce encryption

Marc Benioff Salesforce.com Dreamforce 2012“Ultimately what it is doing is giving the customer more control and offering compliance in a simple point-and-click manner to manage encryption,” Brian Goldfarb, senior vice president of app cloud marketing at Salesforce, told eWEEK. “Customers asked us for more control and now they’re in the driver’s seat.”

Forrester security analyst John Kindervag predicts the new offering will be a welcome addition to current Salesforce customers and a selling point to potential customers concerned about the security of their data. “In 2013 we coined the term ‘bring your own encryption’ to deal with sensitive data in the cloud. It shouldn’t be the service provider, you should have control of your own key,” Kindervag told eWEEK.

While highly regulated industries will be among the early adopters, Kindervag predicts the service will eventually roll out more broadly. “All companies are concerned about toxic data, in other words data that becomes outside your control when there’s a data breach,” he said. “With services like this you can control who has access and you can mitigate when there’s a breach because it allows you to revoke the encryption keys so they’re not usable by anyone, ever.

“I’d like to see a time where all data is encrypted and we can tell our grandkids tales of how we used to send unencrypted data over the Internet and how foolish that was,” he added.

BYOK

salesforce1Kindervag also contends BYOK will be welcome by companies concerned about government agencies being able to issue warrants to cloud providers when they’re seeking data in a criminal investigation. In the BYOK scenario, anyone seeking that data has to deal directly with the companies who own the data since they control the encryption key.

One of the partners working with Salesforce on the new offering is enterprise data protection company Vormetric. The company is testing what it calls Key Management-as-a-Service (KMaaS) for Salesforce Shield Platform Encryption that it says will let companies natively encrypt data at rest across their Salesforce apps. The Vormetric offering also eliminates the need to deploy, maintain and assign resources to encryption key management.

“Salesforce Shield Platform Encryption provides the robust encryption service, while Vormetric provides complementary capabilities to further address needs to meet compliance and best practices for managing of encryption key lifecycles outside of Salesforce,” Vormetric Vice President of Cloud, CJ Radford, said in a release. Furthermore enterprise can do with ” without the need for enterprises to become cryptographic experts,” Radford noted.

Goldfarb says hundreds of Salesforce customers are already testing the update and others are welcome to apply ahead of its commercial availability later this year.

Salesforce Shield customers will have a variety of options for managing tenant secrets, including open source crypto libraries such as OpenSSL to their existing HSM [Hardware Security Module] infrastructure and third­party services such as Amazon Web Services Key Management Service and AWS CloudHSM. In addition to Vormetric, Salesforce has also partnered with another encryption key broker, SkyHigh Networks.

Analyst Kindervag says he prefers Salesforce’s approach of using APIs to connect to third party brokers than a broader industry approach based on encryption standards. “With APIs things can communicate without inhibiting innovation,” he said. “In the past it was standards that helped things talk to each other. But that approach also inhibits innovation when developers are forced to comply with those standards rather than create the best solution they can.”

Quiz: What do you know about the cloud in 2016?

Originally published on eWeek