Frequently Asked Questions
Remedyforce Frequently Asked Questions regarding Remedyforce & Salesforce Platform Encryption
(Confidential – For Internal and Partner Use Only)
09 August 2017
Frequently Asked Questions regarding Salesforce Shield & Platform Encryption
Table of Contents
Salesforce Platform Encryption
Features of Salesforce Platform Encryption
Defense in Depth Strategy
    Platform Encryption Facilitates
    Does NOT replace
Salesforce Driving Principles in Designing Platform Encryption
Salesforce Shield
    Platform Encryption
    Event Monitoring
    Field Audit Trail
Remedyforce and Salesforce Platform Encryption
Frequently Asked Questions
    1. Is Salesforce Platform Encryption an additional cost?
    2. Can I buy Salesforce Platform Encryption from BMC?
    3. Can I buy Salesforce Shield from BMC?
    4. Can I buy each of the point products that make up Shield individually? For example, I only want to purchase Event Monitoring?
    5. Why would a customer need Platform Encryption or encrypt data at rest?
    6. Can I encrypt everything?
    7. Can I encrypt managed package fields?
    8. I have Platform Encryption enabled but I still cannot encrypt a managed package field. What’s going on?
    9. I see that I can have Salesforce generate a Key for me, but can I bring and manage my own Keys?
    10. I encrypted a field, why can my staff still see the data?
    11. Are there limitations?
    12. What is the order of enabling encryption in my Org?
    13. How do I encrypt the fields that hold the data provided in Service Requests?
    14. Can I encrypt Rich Text Fields?
    15. So if I use Rich Text Fields in Service Requests what can I do?
    16. What about Rich Text Email (incoming and outgoing)?
    17. I encrypted a field and now I’m getting an error when I try and use the Remedyforce Console! It says something about “Object type not accessible. Please check permissions and make sure the object is not in development mode: SELECT <field> FROM <object> WHERE <field=data>……”
    18. I elected to encrypt a field. Is my data automatically encrypted?
    19. Are there resources available to learn more around Salesforce Platform Encryption?
    20. Do I need to back up my Platform Encryption Key?
    21. Are there any resources we can refer to?
    22. If WHERE clause is not supported for encrypted fields, then how does this impact search for things like Knowledge Articles?
    23. How does Platform Encryption work with Sandboxes?
Document Information
Version: 6.0
Created by: Virginia Leandro
Last Modified on: 9 August 2017
Modified by: Virginia Leandro
Salesforce Platform Encryption
Salesforce Platform Encryption gives data a new layer of security while preserving critical platform functionality. It enables customers to encrypt sensitive data at rest, and not just when transmitted over a network, so companies can confidently comply with privacy policies, regulatory requirements, and contractual obligations for handling private data.
Features of Salesforce Platform Encryption
• Strong encryption of data at rest.
• Preserve critical business functionality.
• Control the lifecycle of encryption keys.
Defense in Depth Strategy
Platform Encryption Facilitates
• Regulatory Compliance
• Prevention of unauthorized access to database
• Contractual obligations
• PII & Data privacy
Does NOT replace
• Sharing Model
• Object/Field Level Security
• Data Residency Solution
• Encryption for Non-Salesforce Data
• Protection against Social Engineering
Salesforce Driving Principles in Designing Platform Encryption
Salesforce needed to balance security demands with customers’ functional requirements, so a set of principles drove their solution design and architecture:
• Encrypt data at rest.
• Natively integrate encryption at rest with key Salesforce features.
• Use strong encryption.
• Enable customers to drive key lifecycle.
• Protect keys from unauthorized access.
• Encrypt as little as possible.
Salesforce Shield
You will sometimes hear Salesforce Shield in the same conversation as Salesforce Platform Encryption. That is because Salesforce Shield is a bundle of point and click tools that includes Platform Encryption. Shield includes:
• Platform Encryption
• Event Monitoring
• Field Audit Trail
Platform Encryption
Platform Encryption allows you to natively encrypt your most sensitive data at rest across all your Salesforce apps. This helps you protect PII, sensitive, confidential, or proprietary data and meet both external and internal data compliance policies while keeping critical app functionality — like search, workflow, and validation rules. You keep full control over encryption keys and can set encrypted data permissions to protect sensitive data from unauthorized users.
Event Monitoring
Event Monitoring gives you access to detailed performance, security, and usage data on all your Salesforce apps. Every interaction is tracked and accessible via API, so you can view it in the data visualization app of your choice. See who is accessing critical business data when, and from where. Understand user adoption across your apps. Troubleshoot and optimize performance to improve end-user experience. Event Monitoring data can be easily imported into any data visualization or application monitoring tool like Wave Analytics, Splunk, or New Relic.
Field Audit Trail
Field Audit Trail lets you know the state and value of your data for any date, at any time. You can use it for regulatory compliance, internal governance, audit, or customer service. Built on a big data backend for massive scalability, Field Audit Trail helps companies create a forensic data-level audit trail with up to 10 years of history, and set triggers for when data is deleted.
Salesforce Shield (the three components) and the individual components can all be purchased separately. BMC has the ability to resell Platform Encryption. Customers wanting Shield, Event Monitor, or Field Audit will need to purchase from Salesforce.
Remedyforce and Salesforce Platform Encryption
With our Remedyforce Summer 17 release we now actively support Salesforce Platform Encryption. Customers who opt to purchase Salesforce Platform Encryption or Salesforce Shield with Platform Encryption should be able to use Remedyforce and encrypt select fields within Remedyforce. Additional features such as Email Conversation, Service Level Agreements, Service Requests, etc. will work within the new encryption environment.
Frequently Asked Questions
1. Is Salesforce Platform Encryption an additional cost?
Yes.
2. Can I buy Salesforce Platform Encryption from BMC?
Yes. If you or a customer are interested in Salesforce Platform Encryption, you will need to contact your Remedyforce Business Relationship Manager or a Salesforce Account Executive for guidance and pricing.
3. Can I buy Salesforce Shield from BMC?
No. We are only authorized to resell Salesforce Platform Encryption. If you are interested in Salesforce Shield, please reach out to your Remedyforce Business Relationship Manager who can provide guidance and get you in touch with a Salesforce Account Executive to provide you a quote on Salesforce Shield.
4. Can I buy each of the point products that make up Shield individually? For example, I only want to purchase Event Monitoring?
Yes. If you want to purchase Salesforce Shield Event Monitoring or Field Audit Trail, please reach out to your Remedyforce Business Relationship Manager who can provide guidance and get you in touch with a Salesforce Account Executive to provide you a quote on those point products.
5. Why would a customer need Platform Encryption or encrypt data at rest?
Salesforce is the World’s #1 trusted customer success platform. They provide a full set of tools to ensure reliability as well as security.
The Platform Encryption solution is typically adopted by enterprise organizations in highly regulated industries such as financial, insurance, healthcare, and government. Platform Encryption adds an extra layer of security to their private, sensitive and proprietary data.
6. Can I encrypt everything?
The approach Salesforce has taken is that you should encrypt as little data as possible. Salesforce gives customers control over what data they encrypt. Your organization’s security officer or administrator chooses whether to turn on encryption for standard fields, custom fields, files, and attachments. Customers also choose which specific fields to encrypt at rest. The driving principle is to encrypt as little as possible to preserve functionality while keeping private, sensitive, confidential, and regulated data safe.
7. Can I encrypt managed package fields?
Remedyforce managed package fields can be encrypted. The data types supported for encryption are:
• Date
• Date/Time
• Phone
• Text
• Text area
• Text area (long)
• URL
As Salesforce supports more data types, we’ll make sure that Remedyforce is kept up to date and supports any added types.
8. I have Platform Encryption enabled but I still cannot encrypt a managed package field. What’s going on?
Once you purchase Platform Encryption and Salesforce enables it for your Org, you will need to contact Remedyforce Support who can submit a case to Salesforce on your behalf to enable Encryption of Managed Package Fields.
9. I see that I can have Salesforce generate a Key for me, but can I bring and manage my own Keys?
Absolutely. Salesforce supports both Self-Signed Certificates as well as CA Certificates. You control the Key and how often you rotate your keys. Salesforce does advise that, if you manage your own keys, you export and back up your keys to a keystore for safekeeping.
10. I encrypted a field, why can my staff still see the data?
Don’t confuse encryption of “data at rest” with “data masking”. If you need to restrict who can see data, you should utilize Salesforce’s object, record, or field level security. Additionally, Salesforce offers a data type called “Text (Encrypted)” that applies masking. For additional details refer to “What’s the Difference Between Classic Encryption and Shield Platform Encryption?”
11. Are there limitations?
Yes. Due to the strength and nature of the encryption algorithm being used there are a number of limitations. We suggest you refer to Salesforce General Shield Platform Encryption Considerations. Additionally, please refer to the Remedyforce Documentation around support for Platform Encryption. We have distinguished fields that hold data that can be encrypted and fields that hold metadata (data about data) that are integral to the running of Remedyforce and should not be encrypted.
12. What is the order of enabling encryption in my Org?
Before you enable Platform Encryption, there’s definitely some leg work and planning that needs to happen.
13. How do I encrypt the fields that hold the data provided in Service Requests?
While Service Requests share the Incident object, the “user input” is actually held in the Request Detail Inputs object. Request Definitions are considered metadata and should not be encrypted; encrypting them will cause failures. Instead, you’ll want to encrypt the fields of the Request Detail Inputs object. The fields that can be encrypted are:
• Input/Prompt
• NewResponse
• Response
• Stored Value
Additionally, if you map these inputs to fields of other objects such as Incident, Task, or Change, make sure that the receiving field is also encrypted; otherwise you run the risk of that data not being encrypted at rest when used in another object.
14. Can I encrypt Rich Text Fields?
Not today. Rich Text Fields are not supported as one of the data types that Salesforce Platform Encryption supports.
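The rules in questions 7, 13 and 14 can be checked against an encryption plan before anything is switched on. The following is an added example, not part of the BMC FAQ and not the Remedyforce Encryption Impact Report; the field inventory, data types, plan and mappings are constructed, and every field name outside the Request Detail Inputs object is hypothetical.

```python
from collections import deque

# Data types the FAQ lists as supported for encryption (question 7), lower-cased.
SUPPORTED_TYPES = {"date", "date/time", "phone", "text", "text area",
                   "text area (long)", "url"}

# Constructed inventory: "Object.Field label" -> data type (types are assumed).
FIELD_TYPES = {
    "Request Detail Inputs.Response": "Text Area (Long)",
    "Request Detail Inputs.Stored Value": "Text Area (Long)",
    "Incident.Request Summary": "Text Area (Long)",   # hypothetical field
    "Task.Work Notes": "Text Area (Long)",            # hypothetical field
    "Change.Justification": "Text Area (Rich)",       # hypothetical field
}
# Constructed plan: fields the administrator intends to encrypt.
PLAN = {"Request Detail Inputs.Response", "Request Detail Inputs.Stored Value",
        "Incident.Request Summary", "Change.Justification"}
# Constructed mappings: (source field, receiving field).
MAPPINGS = [
    ("Request Detail Inputs.Response", "Incident.Request Summary"),
    ("Incident.Request Summary", "Task.Work Notes"),
    ("Request Detail Inputs.Stored Value", "Change.Justification"),
]


def encryptable(field_type):
    return field_type.lower() in SUPPORTED_TYPES


def check_encryption_plan(field_types, plan, mappings):
    """Return (field, reason) findings for a planned set of encrypted fields."""
    findings = []
    # Rule 1: every planned field must have a supported data type.
    for field in sorted(plan):
        ftype = field_types.get(field, "unknown")
        if not encryptable(ftype):
            findings.append((field, f"type '{ftype}' is not supported for encryption"))
    # Rule 2: data copied out of an encrypted field must land in an encrypted
    # field, followed transitively through every mapping hop.
    targets = {}
    for src, dst in mappings:
        targets.setdefault(src, []).append(dst)
    seen = set(plan)
    queue = deque(sorted(plan))
    while queue:
        src = queue.popleft()
        for dst in targets.get(src, []):
            if dst in seen:
                continue
            seen.add(dst)
            queue.append(dst)
            reason = f"receives data from '{src}' but is not encrypted"
            if not encryptable(field_types.get(dst, "unknown")):
                reason += " and its type must be converted first"
            findings.append((dst, reason))
    return findings


if __name__ == "__main__":
    for field, reason in check_encryption_plan(FIELD_TYPES, PLAN, MAPPINGS):
        print(f"{field}: {reason}")
```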
15. So if I use Rich Text Fields in Service Requests what can I do?
First, make sure you run the Encryption Impact Report from General Application Settings. This will report on where you are using Text Area (Rich) fields in Service Requests.
Once you have that list you will need to convert those input fields within each Request Definition from being a Text Area (Rich) to Text Area.
16. What about Rich Text Email (incoming and outgoing)?
When you select “Support Salesforce Platform Encryption in Remedyforce” from the General Application Settings, a couple of things happen with RTF emails.
• Any incoming emails that are Rich Text will be converted to plain text when added to the module’s History object if the Note field on the history object is encrypted.
• Any outgoing emails that are Rich Text will be sent in Rich Text, but recorded in the module’s History object as plain text when the Note field on the history object is encrypted.
• No data will be stored in the Rich Text Note field and the value will be blank.
Remember that RichTextNote fields on History objects are of data type Rich Text Area and are not supported for encryption.
17. I encrypted a field and now I’m getting an error when I try and use the Remedyforce Console! It says something about “Object type not accessible. Please check permissions and make sure the object is not in development mode: SELECT <field> FROM <object> WHERE <field=data>……”
Typically when this error happens, it means you have encrypted a field that was being used in a Salesforce list view. Unfortunately, Salesforce removes the field from the Filter Criteria of the list view, so there is no way to know which list view had the field as part of the Filter Criteria. The only workaround is to go through and re-save any List Views you think may be causing the problem. We’ve reported this to Salesforce but they have not taken action on it at this time. You can let Salesforce know this issue is impacting you by going here and attaching yourself to the Known Issue.
https://success.salesforce.com/issues_view?id=a1p3A0000008ggtQAA
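Because the filter reference cannot be recovered once the field is encrypted, the check has to run beforehand. The following is an added example, not part of the BMC FAQ: it reads list view definitions in the Metadata API's `<listViews>`/`<filters>` form and reports every list view that filters on a field planned for encryption. The object fragment, list view names and field names are constructed.

```python
import xml.etree.ElementTree as ET

MD = "{http://soap.sforce.com/2006/04/metadata}"

# Constructed sample: fragment of a custom object's metadata with three list views.
SAMPLE_OBJECT_XML = """
<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
  <listViews>
    <fullName>Callbacks_Today</fullName>
    <filterScope>Everything</filterScope>
    <filters>
      <field>Callback_Phone__c</field>
      <operation>notEqual</operation>
      <value></value>
    </filters>
    <label>Callbacks Today</label>
  </listViews>
  <listViews>
    <fullName>High_Priority</fullName>
    <filterScope>Everything</filterScope>
    <filters>
      <field>Priority__c</field>
      <operation>equals</operation>
      <value>1</value>
    </filters>
    <filters>
      <field>Site_Address__c</field>
      <operation>contains</operation>
      <value>Building 4</value>
    </filters>
    <label>High Priority</label>
  </listViews>
  <listViews>
    <fullName>All</fullName>
    <filterScope>Everything</filterScope>
    <label>All</label>
  </listViews>
</CustomObject>
""".strip()


def list_views_filtering_on(metadata_xml, fields_to_encrypt):
    """Return (list view, field, operation) for each filter on a planned field."""
    wanted = {name.lower() for name in fields_to_encrypt}
    root = ET.fromstring(metadata_xml)
    # Accept a CustomObject file (<listViews> children) or a standalone <ListView> file.
    views = [root] if root.tag == MD + "ListView" else root.findall(MD + "listViews")
    hits = []
    for view in views:
        view_name = view.findtext(MD + "fullName", default="?")
        for flt in view.findall(MD + "filters"):
            field = flt.findtext(MD + "field", default="").strip()
            if field.lower() in wanted:
                operation = flt.findtext(MD + "operation", default="")
                hits.append((view_name, field, operation))
    return hits


if __name__ == "__main__":
    planned = {"Callback_Phone__c", "Site_Address__c"}  # hypothetical fields
    for view, field, op in list_views_filtering_on(SAMPLE_OBJECT_XML, planned):
        print(f"{view}: filters on {field} ({op}); rework before encrypting")
```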
18. I elected to encrypt a field. Is my data automatically encrypted?
No. Once you encrypt a field, only new records or updated records after the encryption will be encrypted. If you need your existing data encrypted, submit a case to Remedyforce Support to have them work with Salesforce to perform a Mass Encryption action which will update and encrypt the data for you.
19. Are there resources available to learn more around Salesforce Platform Encryption?
Check out these resources from Salesforce and the Remedyforce online documentation.
• Salesforce Shield Platform Encryption Architecture
• Salesforce Security Guide
• Salesforce Shield Platform Encryption Implementation Guide
• Salesforce Shield Platform Encryption Online Help
20. Do I need to back up my Platform Encryption Key?
Yes. You should have a plan in place to ensure that you not only back up your Platform Encryption Key but that it is kept or stored in a safe key repository. You are solely responsible for the backup and safekeeping of your key. Salesforce will not be able to restore your keys if the security admin destroys the key and there is no backup.
See “Back Up Your Tenant Secret” in the Salesforce Platform Encryption Implementation Guide.
21. Are there any resources we can refer to?
Yes. Salesforce has a number of great resources around Salesforce Platform Encryption.
• Salesforce Shield Platform Encryption Architecture
• Salesforce Shield Platform Encryption Implementation Guide
• Salesforce Shield Platform Encryption Online Help
• Salesforce Security Guide
In addition, as it relates to Remedyforce support of Salesforce Platform Encryption, you can reference our online help.
22. If WHERE clause is not supported for encrypted fields, then how does this impact search for things like Knowledge Articles?
We use SOSL for full text searches, which uses the FIND API. Something like Incident Description would be passed as the “what to find” argument and not in the WHERE clause.
23. How does Platform Encryption work with Sandboxes?
Refreshing a sandbox from a production organization creates an exact copy of the production organization. If Shield Platform Encryption is enabled on the production organization, all encryption settings are copied, including tenant secrets created in production. For more details please refer to:
https://help.salesforce.com/articleView?id=security_pe_sandboxes.htm&language=en_US&type=0