remedyforce - bmc software · built on a big data backend for massive scalability, field audit...

Frequently Asked Questions

Remedyforce Frequently Asked Questions regarding Remedyforce & Salesforce Platform Encryption

(Confidential – For Internal and Partner Use Only)

09 August 2017

Frequently Asked Questions regarding Salesforce Shield & Platform Encryption

PAGE 1 OF 12 CONFIDENTIAL

Table of Contents Salesforce Platform Encryption ___________________________________________________________________________ 3 Features of Salesforce Platform Encryption _________________________________________________________________ 3 Defense in Depth Strategy _______________________________________________________________________________ 3

Platform Encryption Facilitates .............................................................................................................................................................. 3 Does NOT replace ................................................................................................................................................................................. 3

Salesforce Driving Principles in Designing Platform Encryption ________________________________________________ 3 Salesforce Shield _______________________________________________________________________________________ 1

Platform Encryption ............................................................................................................................................................................... 1 Event Monitoring .................................................................................................................................................................................... 1 Field Audit Trail ...................................................................................................................................................................................... 1

Remedyforce and Salesforce Platform Encryption ___________________________________________________________ 1 Frequently Asked Questions _____________________________________________________________________________ 2

1. Is Salesforce Platform Encryption an additional cost? .................................................................................................................... 2 2. Can I buy Salesforce Platform Encryption from BMC? ................................................................................................................... 2 3. Can I buy Salesforce Shield from BMC? .......................................................................................................................................... 2 4. Can I buy each of the point products that make up Shield individually? For example, I only want to purchase Event Monitoring? ............................................................................................................................................................................................ 2 5. Why would a customer need Platform Encryption or encrypt data at rest? ................................................................................... 3 6. Can I encrypt everything?................................................................................................................................................................. 3 7. Can I encrypt managed package fields? ......................................................................................................................................... 4 8. I have Platform Encryption enabled but I still cannot encrypt a managed package field. What’s going on? ............................... 4 9. I see that I can have Salesforce generate a Key for me, but can I bring and manage my own Keys? ......................................... 4 10. I encrypted a field, why can my staff still see the data? ................................................................................................................ 4 11. Are there limitations? ...................................................................................................................................................................... 4 12. What is the order of enabling encryption in my Org? .................................................................................................................... 5 13. How do I encrypt the fields that hold the data provided in Service Requests? ............................................................................ 5 14. Can I encrypt Rich Text Fields? ..................................................................................................................................................... 5 15. So if I use Rich Text Fields in Service Requests what can I do? .................................................................................................. 6 16. What about Rich Text Email (incoming and outgoing)? ................................................................................................................ 6 17. I encrypted a field and now I’m getting an error when I try and use the Remedyforce Console! It says something about “Object type not accessible. Please check permissions and make sure the object is not in development mode: SELECT <field> FROM <object> WHERE <field=data>……” ........................................................................................................................................ 6 18. I elected to encrypt a field. Is my data automatically encrypted? ................................................................................................. 6 19. Are there resources available to learn more around Salesforce Platform Encryption? ............................................................... 7 20. Do I need to back up my Platform Encryption Key?...................................................................................................................... 7 21. Are there any resources we can refer to? ...................................................................................................................................... 7 22. If WHERE clause is not supported for encrypted fields, then how does this impact search for things like Knowledge Articles? .................................................................................................................................................................................................. 7 23. How does Platform Encryption work with Sandboxes? ................................................................................................................ 7



Document Information

Version: 6.0

Created by: Virginia Leandro

Last Modified on: 9 August 2017

Modified by: Virginia Leandro



Salesforce Platform Encryption Salesforce Platform Encryption gives data a new layer of security while preserving critical platform functionality. If

enables customers to encrypt sensitive data at rest, and not just when transmitted over a network so companies can

confidently comply with privacy policies, regulatory requirements, and contractual obligations for handling private data.

Features of Salesforce Platform Encryption Strong encryption of data at rest.

Preserve critical business functionality.

Control the lifecycle of encryption keys.

Defense in Depth Strategy

Platform Encryption Facilitates Regulatory Compliance

Prevention of unauthorized access to

database

Contractual obligations

PII & Data privacy

Does NOT replace Sharing Model

Object/Field Level Security

Data Residency Solution

Encryption for Non-Salesforce Data

Protection against Social Engineering

Salesforce Driving Principles in Designing Platform Encryption Salesforce needed to balance security demands with customers’ functional requirements so a set of principles drove

their solution design and architecture:

Encrypt data at rest.

Natively integrate encryption at rest with key Salesforce features.

Use strong encryption.

Enable customers to drive key lifecycle.

Protect keys from unauthorized access

Encrypt as little as possible.



Salesforce Shield You will sometimes here Salesforce Shield in the same conversation as Salesforce Platform Encryption. That is

because Salesforce Shield is a bundle of point and click tools that includes Platform Encryption. Shield includes:

Platform Encryption

Event Monitoring

Field Audit Trail

Platform Encryption Platform Encryption allows you to natively encrypt your most sensitive data at rest across all your Salesforce apps.

This helps you protect PII, sensitive, confidential, or proprietary data and meet both external and internal data

compliance policies while keeping critical app functionality — like search, workflow, and validation rules. You keep full

control over encryption keys and can set encrypted data permissions to protect sensitive data from unauthorized users.

Event Monitoring Event Monitoring gives you access to detailed performance, security, and usage data on all your Salesforce apps.

Every interaction is tracked and accessible via API, so you can view it in the data visualization app of your choice. See

who is accessing critical business data when, and from where. Understand user adoption across your apps.

Troubleshoot and optimize performance to improve end-user experience. Event Monitoring data can be easily imported

into any data visualization or application monitoring tool like Wave Analytics, Splunk, or New Relic.

Field Audit Trail Field Audit Trail lets you know the state and value of your data for any date, at any time. You can use it for regulatory

compliance, internal governance, audit, or customer service. Built on a big data backend for massive scalability, Field

Audit Trail helps companies create a forensic data-level audit trail with up to 10 years of history, and set triggers for

when data is deleted. Salesforce Shield (the three components) and the individual components can all be purchased

separately. BMC has the ability to resell Platform Encryption. Customers wanting Shield, Event Monitor, or Field Audit

will need to purchase from Salesforce.

Remedyforce and Salesforce Platform Encryption With our Remedyforce Summer 17 release we now actively support Salesforce Platform Encryption. Customers who

opt to purchase Salesforce Platform Encryption or Salesforce Shield with Platform Encryption should be able to use

Remedyforce and encrypt select fields within Remedyforce. Additional features such as Email Conversation, Service

Level Agreements, Service Requests, etc. will work within the new encryption environment.



Frequently Asked Questions

1. Is Salesforce Platform Encryption an additional cost? Yes.

2. Can I buy Salesforce Platform Encryption from BMC? Yes. If you or a customer are interested in Salesforce Platform Encryption, you will need to contact your Remedyforce

Business Relationship Manager or a Salesforce Account Executive for guidance and pricing.

3. Can I buy Salesforce Shield from BMC? No. We are only authorized to resell Salesforce Platform Encryption. If you are interested in Salesforce Shield, please

reach out to your Remedyforce Business Relationship Manager who can provide guidance and get you in touch with a

Salesforce Account Executive to provide you a quote on Salesforce Shield.

4. Can I buy each of the point products that make up Shield individually? For example, I only want to purchase Event Monitoring? Yes. If you want to purchase Salesforce Shield Event Monitoring, or Field Audit Trail please reach out to your

Remedyforce Business Relationship Manager who can provide guidance and get you in touch with a Salesforce

Account Executive to provide you a quote on those point products.



5. Why would a customer need Platform Encryption or encrypt data at rest? Salesforce is the World’s #1 trusted customer success platform. They provide a full set of tools to ensure reliability as

well as security.

The Platform Encryption solution is typically adopted by enterprise organizations in highly regulated industries such as

financial, insurance, healthcare, and government. Platform Encryption adds an extra layer of security to their private,

sensitive and proprietary data.

6. Can I encrypt everything? The approach Salesforce has taken is that you should encrypt as little data as possible. Salesforce gives customers

control over what data they encrypt. Your organization’s security officer or administrator chooses whether to turn on

encryption for standard fields, customer fields, files, and attachments. Customers also choose which specific fields to

encrypt at rest. The driving principle is to encrypt as little as possible to preserve functionality while keeping private,

sensitive, confidential, and regulated data safe.



7. Can I encrypt managed package fields? Remedyforce managed packaged fields can be encrypted. The data types supported for encryption are:

Date

Date/Time

Email

Phone

Text

Text area

Text area (long)

URL

As Salesforce supports more data types, we’ll make sure that Remedyforce is kept up to date and support any added

types.

8. I have Platform Encryption enabled but I still cannot encrypt a managed package field. What’s going on? Once you purchase Platform Encryption and Salesforce enables it for your Org, you will need to contact Remedyforce

Support who can submit a case to Salesforce on your behalf to enable Encryption of Managed Package Fields.

9. I see that I can have Salesforce generate a Key for me, but can I bring and manage my own Keys? Absolutely. Salesforce supports both Self-Signed Certificates as well as CA Certificates. You control the Key and how

often your rotate your keys. Salesforce does advise that if you manage your own keys that you export and backup your

keys to a keystore for safe keeping.

10. I encrypted a field, why can my staff still see the data? Don’t confuse encryption of “data at rest” with “data masking”. If you need to restrict who can see data, you should

utilize Salesforce’s object, record, or field level security. Additionally Salesforce offers a data type called “Text

(Encrypted)” that applies masking. For additional details refer to What’s the Difference Between Classic Encryption and

Shield Platform Encryption?

11. Are there limitations? Yes. Due to the strength and nature of the encryption algorithm being used there are a number of limitations. We

suggest you refer to Salesforce General Shield Platform Encryption Considerations. Additionally please refer to the

Remedyforce Documentation around support for Platform Encryption. We have distinguished fields that hold data that

can be encrypted and fields that how metadata (data about data) that are integral to the running of Remedyforce and

should not be encrypted.

https://developer.salesforce.com/docs/atlas.en-us.securityImplGuide.meta/securityImplGuide/security_pe_comparison_table.htm

https://developer.salesforce.com/docs/atlas.en-us.securityImplGuide.meta/securityImplGuide/security_pe_comparison_table.htm

https://developer.salesforce.com/docs/atlas.en-us.securityImplGuide.meta/securityImplGuide/security_pe_considerations_general.htm



12. What is the order of enabling encryption in my Org? Before you enable Platform Encryption, there’s definitely some leg work and planning that needs to happen.

13. How do I encrypt the fields that hold the data provided in Service Requests?

While Service Requests share the Incident object, the “user input” is actually held in the Request Detail Inputs object.

Trying to encrypt Request Definitions is considered metadata and should not be encrypted else it will cause failures.

Instead, you’ll want to encrypt the fields of the Request Detail Inputs object. The fields that can be encrypted are:

Input/Prompt

NewResponse

Response

Stored Value

Additionally please be aware that if you map these inputs to fields of other objects such as Incident, Task, or Change,

for example, that the receiving field is also encrypted else you run the risk of that data not being encrypted at rest when

used in another object.

14. Can I encrypt Rich Text Fields? Not today. Rich Text Fields are not supported as one of the data types that Salesforce Platform Encryption supports.



15. So if I use Rich Text Fields in Service Requests what can I do? First, make sure you run the Encryption Impact Report from General Application Settings. This will report on where you

are using Text Area (Rich) fields in Service Requests.

Once you have that list you will need to convert those input fields within each Request Definition from being a Text Area

(Rich) to Text Area.

16. What about Rich Text Email (incoming and outgoing)? When you select the Support Salesforce Platform Encryption in Remedyforce from the General Applications Settings a couple of things happen with RTF emails.

Any incoming emails that are Rich Text, will be converted to plain text when added to the module’s History

object if the Note field on the history object is encrypted.

Any outgoing emails that are Rich Text, will be sent in Rich Text, but recorded in the module’s History object as

plain text when the Note field on the history object is encrypted.

No data will be stored in the Rich Text Note field and the value will be blank.

Remember, that RichTextNote on History objects are of data type Rich Text Area and not supported for encryption.

17. I encrypted a field and now I’m getting an error when I try and use the Remedyforce Console! It says something about “Object type not accessible. Please check permissions and make sure the object is not in development mode: SELECT <field> FROM <object> WHERE <field=data>……” Typically when this error happens, it means you have encrypted a field that was being used in a Salesforce list view.

Unfortunately, Salesforce removes the field from the Filter Criteria of the list view so there is no way to know which list

view had the field as part of the Filter Criteria. The only work around is to go through and re-saving any List Views you

think may be causing the problem. We’ve reported this to Salesforce but they have not taken action on it at this time.

You can let Salesforce know this issue is impacting you by going here and attaching yourself to the Known Issue.

https://success.salesforce.com/issues_view?id=a1p3A0000008ggtQAA

18. I elected to encrypt a field. Is my data automatically encrypted? No. Once you encrypt a field, only new records or updated records after the encryption will be encrypted. If you need

your existing data encrypted, submit a case to Remedyforce Support to have them work with Salesforce to perform a

Mass Encryption action which will update and encrypt the data for you.

https://success.salesforce.com/issues_view?id=a1p3A0000008ggtQAA



19. Are there resources available to learn more around Salesforce Platform Encryption? Check out these resources from Salesforce and the Remedyforce online documentation.

• Salesforce Shield Platform Encryption Architecture

• Salesforce Security Guide

• Salesforce Shield Platform Encryption Implementation Guide

• Salesforce Shield Platform Encryption Online Help

20. Do I need to back up my Platform Encryption Key? Yes. You should have a plan in place to ensure that you not only backup your Platform Encryption Key but that it is

kept or stored in a safe key repository. You are solely responsible for the backup and safe keeping of your key.

Salesforce will not be able to restore your keys if the security admin destroys the key and there is no backup.

See “Back Up Your Tenant Secret” in the Salesforce Platform Encryption Implementation Guide.

21. Are there any resources we can refer to? Yes. Salesforce has a number of great resources around Salesforce Platform Encryption.

• Salesforce Shield Platform Encryption Architecture

• Salesforce Shield Platform Encryption Implementation Guide

• Salesforce Shield Platform Encryption Online Help

• Salesforce Security Guide

In addition, as it relates to Remedyforce support of Salesforce Platform Encryption, you can reference our online help.

22. If WHERE clause is not supported for encrypted fields, then how does this impact search for things like Knowledge Articles? We use SOSL for full text searches which uses the FIND API. Something like Incident Description would be passed as

“what to find” argument and not in the WHERE clause.

23. How does Platform Encryption work with Sandboxes? Refreshing a sandbox from a production organization creates an exact copy of the production organization. If Shield

Platform Encryption is enabled on the production organization, all encryption settings are copied, including tenant

secrets created in production. For more details please refer to:

https://help.salesforce.com/articleView?id=security_pe_sandboxes.htm&language=en_US&type=0

https://www.salesforce.com/assets/pdf/misc/Platform_Encryption_Architecture_White_Paper.pdf

https://resources.docs.salesforce.com/204/latest/en-us/sfdc/pdf/salesforce_security_impl_guide.pdf

https://resources.docs.salesforce.com/202/latest/en-us/sfdc/pdf/salesforce_platform_encryption_implementation_guide.pdf

https://help.salesforce.com/articleView?id=security_pe_overview.htm&type=0&language=en_US&release=206.13


https://www.salesforce.com/assets/pdf/misc/Platform_Encryption_Architecture_White_Paper.pdf


https://help.salesforce.com/articleView?id=security_pe_overview.htm&type=0&language=en_US&release=206.13

https://resources.docs.salesforce.com/204/latest/en-us/sfdc/pdf/salesforce_security_impl_guide.pdf

https://help.salesforce.com/articleView?id=security_pe_sandboxes.htm&language=en_US&type=0

BMC delivers software solutions that help IT transform digital enterprises for the ultimate competitive business advantage. We have

worked with thousands of leading companies to create and deliver powerful IT management services. From mainframe to cloud to

mobile, we pair high-speed digital innovation with robust IT industrialization—allowing our customers to provide amazing user

experiences with optimized IT performance, cost, compliance, and productivity. We believe that technology is the heart of every

business, and that IT drives business to the digital age.

BMC – Bring IT to Life.

remedyforce - bmc software · built on a big data backend for massive scalability, field audit...

Documents