The times they are a changin’! A recent Cloud Security Alliance (CSA) survey of IT and Security professionals showed that a majority (64.9%) say that the cloud is either as secure as or more secure than on-premises software. Reflecting this changing sentiment, an increasing number of organizations have adopted a ‘cloud first’ attitude. A key reason for this paradigm shift is the robust security controls instituted by leading cloud service providers to secure their customer data. The best example is Salesforce, which consistently advances its infrastructure to ensure the security and compliance of its customers’ data.
Salesforce has built security controls into multiple layers of its cloud platform, including infrastructure, network, and application. It is compliant with key global industry standards such as ISO 27018, ISO 27001, and FedRAMP and is transparent about its system performance and incidents, which customers can monitor on the Trust website. With the release of Shield, Salesforce has provided an additional level of trust and security services to its customers. Companies can now detect and prevent data misuse with Event Monitoring, implement controls for greater compliance with Platform Encryption, and retain data to ensure integrity and auditability with Field Audit Trail.
Salesforce provides multiple APIs that enable partner solutions, like Skyhigh Networks, to access usage and data logs to further enhance Salesforce Shield. Skyhigh Networks, the market-leading Cloud Access Security Broker (CASB), can act as an additional control point between enterprise users and the cloud to provide enhanced analytics into cloud usage, detect threats from insiders, compromised accounts and privileged users, enforce compliance policies with DLP, and apply encryption and contextual access controls.
The newly announced BYOK release by Salesforce represents the increasing depth of Skyhigh’s integration with Salesforce. With the BYOK capability, Salesforce now enables native encryption of data using a tenant secret that is held in a customer-hosted key manager and used to derive encryption keys. Skyhigh acts as a key broker between the customer’s key manager and Salesforce. The process begins with the admin (or any designated user) generating a BYOK certificate within Salesforce. Skyhigh provides the customer-generated tenant secret from the key management server. This tenant secret is wrapped with the BYOK certificate by Skyhigh and uploaded to Salesforce. Salesforce uses the tenant secret to generate a Data Encryption Key (DEK), which encrypts data in the selected Salesforce fields.
An important benefit of key brokering via Skyhigh is the automation of the tenant secret rotation process. Enterprises have different key rotation schedules based on compliance and internal security requirements. The absence of manual intervention reduces errors in the key rotation process. This benefit is amplified in companies that have multiple Salesforce orgs, which is common in large enterprises as a result of mergers and acquisitions, multiple product lines, or businesses spread across geographies. By automating key rotation across multiple Salesforce orgs, Skyhigh helps reduce admin overhead significantly. Furthermore, the automation of key rotation enables the Security team, rather than a Salesforce admin, to manage the process.
In addition to encryption with BYOK, Skyhigh can extend Salesforce Shield with a wide range of additional security controls over Salesforce usage. Skyhigh uses native APIs to enforce data loss prevention policies, and to integrate and remediate with on-premises DLP solutions. Skyhigh pulls Event Monitoring logs using Shield APIs and analyzes this information using machine learning to surface threats associated with insiders, compromised accounts, and privileged users. For example, a spike in the number of reports downloaded by a Salesforce user, correlated with other high-risk activities, could be indicative of an employee downloading customer contacts in bulk before leaving the company to join a competitor. Additionally, Skyhigh provides enterprises with a platform approach for cloud security where it is able to combine analysis of Salesforce activity with data across multiple cloud platforms to accurately surface the most credible threats. Examples include a user logging into Salesforce and another cloud service from two disparate locations in a given time period, or a user uploading massive amounts of data to a cloud file-sharing service after downloading a similar amount of data from Salesforce.
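The two signals described above (a report-download spike against a user's own baseline, and a Salesforce download followed by a similar-sized upload elsewhere) can be sketched with simple rules. This is an added example, not Skyhigh's or Salesforce's code: it uses fixed thresholds rather than machine learning, and the event fields, service names, and thresholds are assumptions over constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

def ev(ts, user, service, action, nbytes=0):
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "service": service, "action": action, "bytes": nbytes}

# Constructed sample events; field names are assumptions, not the Event Monitoring schema.
EVENTS = (
    [ev(f"2024-03-0{d}T10:00:00", "alice", "salesforce", "report_export", 2_000_000)
     for d in range(1, 6) for _ in range(2)]              # baseline: 2 exports/day
    + [ev(f"2024-03-06T09:{m:02d}:00", "alice", "salesforce", "report_export", 20_000_000)
       for m in range(25)]                                 # spike: 25 exports, 500 MB
    + [ev("2024-03-06T11:30:00", "alice", "fileshare", "upload", 480_000_000)]
    + [ev(f"2024-03-0{d}T14:00:00", "bob", "salesforce", "report_export", 1_000_000)
       for d in range(1, 7) for _ in range(3)]             # steady user, 3 exports/day
    + [ev("2024-03-06T15:00:00", "bob", "fileshare", "upload", 900_000_000)]
)

def report_export_spikes(events, factor=5, min_count=10):
    """Return {(user, date)} where daily exports exceed factor x the user's median on other days."""
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["service"] == "salesforce" and e["action"] == "report_export":
            daily[e["user"]][e["ts"].date()] += 1
    flagged = set()
    for user, days in daily.items():
        for day, count in days.items():
            # A user with no history gets a baseline of 0, so min_count alone decides.
            baseline = median([c for d, c in days.items() if d != day] or [0])
            if count >= min_count and count > factor * baseline:
                flagged.add((user, day))
    return flagged

def download_then_upload(events, window=timedelta(hours=24), tolerance=0.2):
    """Return [(user, pulled, uploaded)] for uploads matching prior Salesforce export volume."""
    hits = []
    for up in events:
        if up["service"] == "salesforce" or up["action"] != "upload":
            continue
        pulled = sum(e["bytes"] for e in events
                     if e["user"] == up["user"] and e["service"] == "salesforce"
                     and up["ts"] - window <= e["ts"] <= up["ts"])
        if pulled and abs(up["bytes"] - pulled) <= tolerance * pulled:
            hits.append((up["user"], pulled, up["bytes"]))
    return hits

def high_risk_users(events):
    """Users flagged by both signals: the spike correlated with a second risky activity."""
    return {u for u, _ in report_export_spikes(events)} & {h[0] for h in download_then_upload(events)}
```

Bob's 900 MB upload is not flagged because it does not match his 3 MB of Salesforce exports; only alice trips both rules.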
Salesforce says, “Trust is our #1 value” and they mean it. Skyhigh is proud to partner with a company that invests in security and is proud to help Salesforce customers enhance their security by supporting BYOK encryption and, additionally, by detecting intentional or inadvertent threats from employees or third parties, enforcing granular access controls based on parameters such as role, device, data, and location, and enforcing DLP policies.