GDPR & Salesforce 2018: Part I – Shield (Platform Encryption, Field Audit Trail, Event Monitoring)

Ultimately, you know, we hope you get to this end state where when you think about GDPR you think about it the way we do. We came, we saw, we kicked its ass. Right. Welcome back! RevCult Salesforce Security Series. Also really cool, having some international participants. We’re gonna be starting with privacy by design, data protection, and then accountability. But what we try to do is
we kind of take these 88 pages of craziness and boil it down to a few
primary themes. We see it as privacy by design which is really kind of a small
area of the GDPR but if you back up a little bit, it really goes throughout the
entire regulation. Just think about privacy first, and none of the other
stuff is going to be a problem because you thought about it early. Second is
accountability – taking responsibility for people’s privacy. And this is a human
element of what GDPR is. And then finally individual rights and control – so content
management, right to object, the right to be forgotten is kind of headline item, a
lot of people know about, and data portability, so the ability to kind of
get information out of systems and move it to other places upon request by the data subject. You know we put the blue box around the top two because that’s what we’re gonna talk about in our part one webinar today. Alright, so GDPR is not de-spawn memory that you have from
childhood about this marshmallow that then gets taken over by the dual, and
takes over the world, and is running around the streets of Manhattan all over
the place. One of the things that we hear that actually not … Well
first things first, let’s all be very excited that it’s not a hundred foot
tall marshmallow. That’s frightening. A lot of people say, you know hey, I’m not
storing Social Security numbers or credit card numbers – I’m cool. Again GDPR
is very broad and so when it defines personal information, it’s really
anything that can identify a person – from their name, to email address, to phone
number; and every single person that uses Salesforce has personal information
in there because if you have users, you have personal information. Why is it taking so long for people to really proactively think about what they’re
going to do in preparation for the enforcement date? You know, I think our
theme here is it plays well with our marshmallow man – it can be really
scary, but when it’s something you don’t understand,
it feels so broad so everybody’s like, I don’t even know where to start and now
it’s to the point where it’s like, okay, well we have to start somewhere. You kick
the can down the road as long as you possibly can and probably a little longer. Now let’s talk about it as it relates to Salesforce. Today we’re going to really
focus on the elements that tie into Salesforce Shield. Shield ultimately has
three components, one has platform encryption which natively encrypts the
database, then we have event monitoring which allows you to track the data from an
activity standpoint, and then finally field audit trail which prevents data
loss. We’ve been having a lot of conversation with both sets that are
doing the right things but then ultimately they’re not necessarily
going that final step of actually deploying them in a way that addresses
the need to comply with an individual article. Let’s get into the details
article by article. Oh sounds like fun! You guys want to read some GDPR? Now it’s a party! Some of the articles that really apply to what we’re talking about in today’s webinar, which really focuses on privacy by design, data protection, and
accountability. We’ll focus on other attributes of GDPR later. I’ll try to
distill them down in a way that you can understand them and then take it
away and be able to actually act on it. Twenty-five talks about the
privacy and protection by design attribute. When you’re designing a system
or you’re implementing a system or a way to store information or whatever it may
be, that you think about privacy first and then by default it’s as secure as
possible. And then thirty-two is just general protection of data so it talks
about technical security, data access controls and change control and
oversight. So let’s talk about – from this – what elements of Shield can
kind of play into those two. GDPR is one of the only regulations to mention
encryption; so platform encryption is a great solution for that, it encrypts data at
the database tier all the way down on the hard drives and it also can
help with some other attributes of just the identifying sensitive personal
information so you can still store that information but it’s anonymized
at the database level. Event monitoring is going to help you keep an eye on general
security measures, make sure that if there’s suspicious activity going on,
you’re collecting the information you need to be able to identify this as early
as possible and possibly prevent further negative actions. And then field audit trail
is going to help you kind of understand data resilience. In general what it means is the ability to know what
happened with their information and the ability to retrieve damaged information historically. So we look at the way those three kind of interweave with articles twenty-five and thirty-two and I think they’re great solutions to help close that gap. Thirty-three and
thirty-four talk about breaches. If you lose information you’ve got to tell the
individual and you’ve got to tell the authorities. And thirty-three is to tell the
authorities and thirty-four is to tell the individual. How can we overlay some tools to help
with that? From a shield perspective what we can do is two things. We can
try to minimize the risk of a breach by using platform encryption to make that
data unintelligible or kind of useless at the database tier so if that data
was breached or extracted from the database your breach may be
significantly less impactful if your personally identifiable information was
encrypted at rest. Event monitoring will also help you do some of that forensics
information to really know what the severity was and so is it elevated to
the level that you need to notify the data subject, which is what GDPR calls it,
or the individual person themselves. And again they can help you identify
suspicious activity early so that you can mitigate any further
exposure. Am I responsible for notification of data – the data is
encrypted? If the data was extracted from the database and it was encrypted at
rest then the information is effectively useless. Assuming that they didn’t gain
access to the key as well, which in the case of platform encryption is stored
separately and you’re good to go. So in those cases you should be okay. Article five talks about what data can or should be stored and for how long. Field Audit Trail is kind of our go-to; it’s native to the platform and it helps
you track history over time. It will help you keep it long enough to be able to
provide evidence of what’s occurred and provides you a true daily resiliency but
be able to enforce data retention policies to make sure you’re not keeping
them too long. Article twenty-four talks about controller responsibilities. There are these two terms you hear all the time, processor and controller. If
you’re using the information to do business, you are the controller of the
data. A processor is anybody who helps the person who needs the information to
do business, the controller, do their business. Twenty-four is all about as a controller what do you need to do; and one of the key aspects
of being a controller is knowing what you have and being able to demonstrate
your policies. What we come back to again on article twenty-four is, it’s field
audit trail; it helps you know what’s in the system and it helps you
provide that data resiliency and it helps you be able to you know, prove, or
show, hey I’ve implemented these data
retention policies, I’ve defined them, I’ve implemented them, and I can
prove that the system is enacting on them. There’s also some other stuff that
you can do here around platform encryption that didn’t quite make it to the
slide, you know there’s new encryption statistics features built into
Salesforce in Spring ’18 that … to prove for this field 100% of my
values are encrypted at rest in the data tier with my loss current key.
Across the board, Shield is an enabling solution for some of these core aspects
of privacy by design, data protection, and accountability they see on the bottom is
a couple accelerators as I mentioned earlier, we’ve got some products that
help people accelerate their adoption and roll out of Shield’s
capabilities. One is Shield Security Cockpit and two is Field Audit Trail Cockpit – both in the AppExchange, both have 5-star reviews. If you’re looking to move faster and not
going to do things easier internally, those are tools that can certainly help. So
first question that came in… You know what my favorite part is? What? Hat raffle. My favorite part of the webinar! And as we do part two of GDPR and Salesforce as part of our security
series, we’re gonna be focusing on the individual object and consent in a few weeks, so watch, keep track, and follow us on LinkedIn and Twitter and
join the next webinar to get more details of how that actually works.
