{"id":5689,"date":"2016-09-01T04:21:26","date_gmt":"2016-09-01T04:21:26","guid":{"rendered":"http:\/\/www.jitendrazaa.com\/blog\/?p=5689"},"modified":"2016-09-01T04:21:26","modified_gmt":"2016-09-01T04:21:26","slug":"considerations-and-best-practices-before-enabling-salesforce-shield-platform-encryption","status":"publish","type":"post","link":"https:\/\/www.jitendrazaa.com\/blog\/salesforce\/considerations-and-best-practices-before-enabling-salesforce-shield-platform-encryption\/","title":{"rendered":"Considerations and Best Practices before enabling Salesforce Shield Platform Encryption"},"content":{"rendered":"<p style=\"text-align: justify;\">It has been more than a year since Salesforce launched its platform encryption solution, named <strong>Shield.\u00a0<\/strong>Even though it is one of the most costly offerings by Salesforce, the momentum of adoption in the\u00a0financial and healthcare industries\u00a0is very high. I have already implemented platform encryption for a few of my clients within a year. In this post, I will share some of my learnings and best practices around rolling out Shield Platform Encryption to customers.<\/p>\n<h3 style=\"text-align: justify;\">The first question to ask a customer before going with Platform Encryption is, &#8220;Which security threat is the customer\u00a0trying to solve?&#8221;<\/h3>\n<p style=\"text-align: justify;\">If the answer is security from internal Salesforce users, then unfortunately Shield is not the answer. We can leverage OWD (organization-wide defaults), sharing rules, profiles and FLS (field-level security) to set security for internal Salesforce users.<\/p>\n<p style=\"text-align: justify;\">If the answer from the customer is compliance, or security at the database and data center level, then\u00a0<strong>Shield\u00a0<\/strong>is the way to go.<\/p>\n<h3 style=\"text-align: justify;\">Comparing Shield with existing encryption solutions<\/h3>\n<p style=\"text-align: justify;\">There are many offerings on AppExchange to solve encryption problems.
I have used a couple of them, either for a POC or for a client. All of them introduce an intermediate system, mostly a reverse proxy. Communication with Salesforce needs to happen through a custom URL provided by the vendor. All integrations, data loading, etc. need to tunnel through those servers.<\/p>\n<h5>Advantages of encryption solutions from AppExchange<\/h5>\n<ul>\n<li style=\"text-align: justify;\">Cost effective<\/li>\n<li style=\"text-align: justify;\">Complete control over encryption key life cycle management<\/li>\n<li style=\"text-align: justify;\">Server can be established within company infrastructure, meeting security requirements<\/li>\n<\/ul>\n<h5>Downsides of AppExchange solutions<\/h5>\n<ul>\n<li style=\"text-align: justify;\">Introducing an intermediate system between the end user and Salesforce can cause network issues and slow performance<\/li>\n<li style=\"text-align: justify;\">In an existing Salesforce implementation, all integrations need to be modified to point to the new URL provided by the vendor<\/li>\n<li style=\"text-align: justify;\">As data is encrypted at rest and decrypted during transmission, moving away from the vendor is painful. If, in the future, we decide not to encrypt data, we need to export the decrypted data to files and load it into Salesforce again in decrypted form.<\/li>\n<\/ul>\n<h3>Three products included in Shield<\/h3>\n<ul>\n<li>Encryption<\/li>\n<li>Field Audit<\/li>\n<li>Event Monitoring<\/li>\n<\/ul>\n<h3 style=\"text-align: justify;\">Considerations and Best practices of Shield Platform Encryption<\/h3>\n<ul>\n<li style=\"text-align: justify;\">Picklist, Multipicklist, Number, Percent, Geolocation and Currency data types are not yet supported<\/li>\n<li style=\"text-align: justify;\">Classic encrypted fields and Shield Platform Encryption fields use different technology under the hood.
Read more in detail <a href=\"https:\/\/help.salesforce.com\/HTViewHelpDoc?id=security_pe_comparison_table.htm&amp;language=en_US\">here<\/a>.<\/li>\n<li style=\"text-align: justify;\">Some standard objects, like Lead and Activities, are not supported yet. There are many ideas around this to <a href=\"https:\/\/success.salesforce.com\/ideaView?id=0873A000000cLkwQAE\">vote on<\/a>.<\/li>\n<li style=\"text-align: justify;\">Process Builder and Flows are not yet supported; however, these are on the roadmap, and I can assure you the Shield product team is working day and night to bring as many features as possible<\/li>\n<li style=\"text-align: justify;\">Shield is <strong><a href=\"https:\/\/releasenotes.docs.salesforce.com\/en-us\/winter17\/release-notes\/rn_security_pe_fedramp.htm\">FedRAMP<\/a><\/strong> approved<\/li>\n<li style=\"text-align: justify;\">Encrypted fields cannot be referenced in formula fields<\/li>\n<li style=\"text-align: justify;\">Only data written after Shield is enabled in the org is encrypted. For existing data, we need to create a case with Salesforce to run a background job so that existing records are encrypted. The other solution is to update existing data using the API or Data Loader.<\/li>\n<li style=\"text-align: justify;\">If you are planning to use AppExchange products, or already have them in an existing Salesforce instance, make sure to talk to the vendor and confirm that they are Shield ready. Not many AppExchange products are Shield compatible.<\/li>\n<li style=\"text-align: justify;\">We cannot use an encrypted field in the WHERE clause of SOQL in Apex<\/li>\n<li style=\"text-align: justify;\">Encrypted fields cannot be referenced in report and list view filter criteria<\/li>\n<li style=\"text-align: justify;\">Make sure a user who has the View Encrypted Data permission does not grant login access to anyone. This is more of an end user training issue.
Even for Salesforce support, instead of giving them login access, share your screen.<\/li>\n<li style=\"text-align: justify;\">Make sure even system administrators do not have the\u00a0<em>Manage Encryption Key\u00a0<\/em>permission. If a Salesforce instance has many system admins and someone accidentally deletes an existing tenant secret, there is no way to go back and decipher the data.<\/li>\n<li style=\"text-align: justify;\">Come up with a process and have very few users acting as\u00a0<em><strong>Security Admin<\/strong>.<\/em> These users will have permission to manage tenant secrets.<\/li>\n<li style=\"text-align: justify;\">Right now, there is no approval process for deletion of a tenant secret; however, it wouldn&#8217;t hurt to create an Idea and spread the word to vote on it<\/li>\n<li style=\"text-align: justify;\">Technically, we can generate a new tenant secret every 24 hours in production and every 4 hours in a sandbox. As a best practice, when we generate a new tenant secret, create a Salesforce ticket to re-encrypt all existing data with the new tenant secret. It is not mandatory, but it is important for performance. Imagine you are running a report and the records it returns need to be decrypted using 10+ tenant secrets.<\/li>\n<li style=\"text-align: justify;\">If a legacy portal is enabled in your Salesforce instance, standard fields cannot be encrypted.
Communities, however, are supported.<\/li>\n<li style=\"text-align: justify;\">Encryption is not extended to other clouds like Pardot, Marketing Cloud, SalesforceIQ, Heroku and Thunder.<\/li>\n<li style=\"text-align: justify;\">Trial\u00a0orgs are not supported for encryption.<\/li>\n<li style=\"text-align: justify;\"><a href=\"https:\/\/en.wikipedia.org\/wiki\/Key_Management_Interoperability_Protocol\">KMIP<\/a> is not yet supported.<\/li>\n<li style=\"text-align: justify;\">Trailhead modules to <a href=\"https:\/\/trailhead.salesforce.com\/en\/module\/spe_admins\">get your hands dirty with the product<\/a><\/li>\n<li style=\"text-align: justify;\">Read more detail in the <a href=\"https:\/\/resources.docs.salesforce.com\/202\/latest\/en-us\/sfdc\/pdf\/salesforce_platform_encryption_implementation_guide.pdf\">Shield Platform Encryption implementation guide<\/a><\/li>\n<\/ul>\n<p>https:\/\/www.youtube.com\/watch?v=LdPC7xT98Hg<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Best practices and things to consider before rolling out Shield Platform Encryption for your
customer<\/p>\n","protected":false},"author":1,"featured_media":5709,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"advanced_seo_description":"","jetpack_seo_html_title":"","jetpack_seo_noindex":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"jz_research_post":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[9],"tags":[373],"class_list":["post-5689","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-salesforce","tag-shield-platform-encryption"],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2016\/08\/Salesforce-Shield-Platform-Encryption.jpg?fit=640%2C366&ssl=1","jetpack_sharing_enabled":true,"jetpack_likes_enabled":true}