Request Demo

HOW TO PROTECT SENSITIVE DATA RELIABLY IN THE SALESFORCE CLOUD?

Digitalization, new working models and major economic change have made it more necessary than ever in recent years to

Digitalization, new working models and major economic change have made it more important than ever in recent years for business processes to be agile and scalable. Cloud services meet this requirement perfectly and offer a flexible and dynamic solution. In the CRM segment, Salesforce is the undisputed global market leader with a market share of over 20 percent and is an indispensable part of modern business life for many companies. Many departments, such as sales, marketing, e-commerce and customer service, can collaborate with the cloud-based CRM solution anytime and anywhere. However, with the use and storage of sensitive customer data in the cloud comes a significant security responsibility. If internal and confidential business information, customer contacts, price lists or supply chain details are compromised, this has far-reaching consequences for a company.
Far-reaching consequences await a company should its internal and confidential business information, customer contacts, price lists, or supply chain details be compromised. For companies that use Salesforce as a CRM it is mandatory to deal intensively with the security and compliance of the Cloud-Solution due to the enormous importance of this tool and the volume of sensitive data it contains.

WHY DOES USING SALESFORCE VIOLATE INDUSTRY COMPLIANCE REGULATIONS WITHOUT ADDITIONAL PROTECTIVE MEASURES?

Salesforce is a US cloud provider. The USA is considered an unsafe third country within the meaning of the GDPR, as the handling of personal data there does not correspond to the European standard. Although Salesforce now offers European customers the option of storing their data on servers within the EU, data may still be transferred to servers outside the EU if several Salesforce Cloud products are used. Regardless of this, possible access by US administrators to EU servers is already considered third-country data traffic. The cloud provider's standard contractual clauses are also not sufficient precautions for the transfer of sensitive data. This is because even such an agreement with a US data importer cannot prevent legal access by US authorities without a prior court order.
Data protection compliance requires the protection of personal data before it is transferred to the cloud if it is stored in countries without an adequacy decision. This ensures that US administrators can only see sensitive data in encrypted form when it is accessed.

DOES SALESFORCE SHIELD NOT PROVIDE SUFFICIENT PROTECTION FOR THE SECURE USE OF THE PLATFORM?

Over the years, Salesforce has greatly expanded its product range and added a number of integrated services to its primary offering. Salesforce Shield is an additional feature of the cloud provider that is designed to ensure the security of personal data and enables platform encryption, among other things. Encryption can be configured both by the cloud user and by Salesforce community experts. However, Salesforce Shield administrators have access to sensitive clear data at all times with this service despite encryption, as they control the key to pseudonymize customer data in the cloud.

If a company wants to avoid this access, then the encryption must be done in-house before the data is sent to the CRM service.

WHAT IS THE BEST WAY TO PROTECT MY SENSITIVE DATA? WHAT DOES THE EPERI GATEWAY OFFER THAT OTHER APPLICATIONS CANNOT?

By encrypting personal data in the data stream, the eperi Gateway ensures adherence to the current data protection compliance guidelines. Pseudonymization and tokenization remove the personal reference from the data before it is stored in the cloud and our customers act in compliance with data protection regulations. The eperi Gateway has no impact on compatibility between different applications. On the contrary, it can help to prevent the use of shadow IT and avoid serious security gaps. Our solution preserves your independence and self-determination. With the help of selective encryption, the eperi Gateway can flexibly encrypt personal data based on fields and content. The key and encryption remain under your sole control at all times. This leaves plenty of scope for individual configurations. The IT infrastructure remains unrestricted thanks to the seamless integration and there are no latencies when using the application. Thanks to eperi's function-preserving encryption, functions such as search, sorting, filters and rules can continue to be used without restriction. These functions are no longer available when using Salesforce Shield. Data-centric encryption and tokenization at field level, as well as the pseudonymization of unstructured data, especially files, is also not a matter of course when using cloud applications. Even in the event of data theft, sensitive data remains securely protected in this way, as the attacker cannot use the encrypted data.

IS IT NOT SALESFORCE'S RESPONSIBILITY TO TAKE CARE OF THE SECURITY OF THEIR APPLICATION?

As part of the "shared responsibility" model, cloud users must do their part to ensure the security of sensitive data in the cloud. They cannot rely on their cloud provider to ensure the security of their data. Many companies are not aware of this responsibility.
As a security and compliance framework, the shared responsibility model clearly regulates the areas of responsibility of cloud service providers, SaaS providers and customers when it comes to securing all aspects of the cloud environment. This includes hardware, infrastructure, end devices and operating systems, but also the data stored in the systems. Put simply, the model determines which contractual partner must take over the security precautions for certain components. The cloud provider is responsible for monitoring and defending against security threats that attack the cloud itself and the underlying infrastructure. Cloud users are obliged to protect the data and other assets stored in the cloud environment. A holistic approach to security can only be guaranteed if both contractual partners take their task seriously and take care of their part of the shared responsibility.

Did you like this article?


Then like it now or share it with colleagues, business partners, and friends.

Email
Facebook
LinkedIn
X

Knowledge that protects - your next measure for more data security

On our download page, you will find free white papers and fact sheets on data protection, data encryption, and compliance—specifically for IT managers and decision-makers.

Get concise knowledge, strategic recommendations, and practical tips to effectively protect your data and securely comply with regulatory requirements such as GDPR, NIS2, and DORA.