Missing something? Unlocking the value of Salesforce Shield

Salesforce Shield is a suite of tools designed to improve security, compliance and governance within your Salesforce organization

Christian Leva

Managing Director, GRC Technology, KPMG LLP

There’s an axiom in the enterprise software world: if somebody can do something with a software platform, somebody will.

Let’s say you’re using Salesforce to track the progress of sales opportunities, and you cut commission checks to the salespeople listed in the opportunity once its status is marked as closed. What happens if someone re-opens the opportunity, adds a name to the list of salespeople and then closes it again? Do you cut another check?

Now, it may be that this action is entirely appropriate. Perhaps the newly added person was inadvertently omitted when the opportunity was created, or they stepped in half-way through to help close the deal. Maybe it was a related follow-on sale that really should be characterized as a separate opportunity. Maybe it’s outright fraud. But without the ability to detect such an event or the business rules for how to respond, you may never know.

This is exactly the kind of thing Salesforce Shield was designed to detect and respond to. The response might be as simple as requiring approval by a supervisor, but that alone could be the difference between fixing a mistake and being the victim of fraud.

Is it really optional?

Salesforce Shield is a suite of tools designed to improve security, compliance and governance within your Salesforce organization through three key features:

  1. Real-Time Event Monitoring
  2. Enhanced Encryption
  3. Extended Audit Trail Functionality

Many organizations begin their Salesforce journey with Shield as part of the package, but after a while cancel it because they determine it’s not being used. Of course, Salesforce is a highly secure platform even without Shield, so the temptation to cancel is understandable. But that may be a shortsighted decision.

Detecting when someone tries to reopen a sales opportunity is a perfect use for the first of Shield’s key features, Real-Time Event Monitoring, and its related feature, enhanced transaction security. Together, these features enable you to define policies that describe what actions or events to track and how the system should respond, such as sending notifications, requiring multi-factor authentication or simply blocking the action, all in real time.

You can use these features as part of control testing, access rectifications or change management processes. For example, Shield lets you create permission sets — collections of permissions that give users access to various tools, data and functions. You can use Real-Time Event Monitoring to alert you when someone is assigned a permission set that gives them access to particularly sensitive information.

You might also use these features to monitor the report event stream to help detect and prevent bulk exporting of account and opportunity listings. It’s not too difficult to imagine why someone might do it — or why you should know about it. Shield’s Real-Time Event Monitoring is the only way to track this.
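The bulk-export check described above can be sketched as follows. This is an added example, not code from the original article or from Salesforce: it runs over constructed records whose field names (Operation, QueriedEntities, RowsProcessed, Username, EventDate) are modeled on the ReportEvent object, and the row limit and one-hour window are assumed policy values. It sums rows per user over a sliding window so that an export split into several smaller reports is still caught.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SENSITIVE = {"Account", "Opportunity"}  # objects the article singles out

def flag_bulk_exports(events, row_limit=2000, window=timedelta(hours=1)):
    """Return (username, event_time, rows_in_window) for each export that
    pushes a user's exported rows of sensitive objects past row_limit."""
    recent = defaultdict(deque)  # username -> (time, rows) pairs inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["EventDate"]):
        if ev["Operation"] != "ReportExported":
            continue  # report viewed, not exported
        entities = {name.strip() for name in ev["QueriedEntities"].split(",")}
        if not entities & SENSITIVE:
            continue  # export does not touch a sensitive object
        when = datetime.fromisoformat(ev["EventDate"])
        q = recent[ev["Username"]]
        q.append((when, ev["RowsProcessed"]))
        while when - q[0][0] > window:  # drop exports older than the window
            q.popleft()
        total = sum(rows for _, rows in q)
        if total > row_limit:
            alerts.append((ev["Username"], ev["EventDate"], total))
    return alerts

def _ev(user, time, op, entities, rows):
    return {"Username": user, "EventDate": "2024-05-01T" + time,
            "Operation": op, "QueriedEntities": entities, "RowsProcessed": rows}

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    _ev("alice@example.com", "09:00:00", "ReportExported", "Account", 5000),
    _ev("bob@example.com", "10:00:00", "ReportExported", "Opportunity", 900),
    _ev("bob@example.com", "10:20:00", "ReportExported", "Opportunity", 900),
    _ev("bob@example.com", "10:40:00", "ReportExported", "Account, Opportunity", 900),
    _ev("carol@example.com", "11:00:00", "ReportExported", "Case", 10000),
    _ev("dave@example.com", "11:30:00", "ReportRunFromUI", "Account", 8000),
    _ev("bob@example.com", "12:30:00", "ReportExported", "Opportunity", 900),
]

if __name__ == "__main__":
    for user, when, rows in flag_bulk_exports(SAMPLE_EVENTS):
        print(f"ALERT {user} exported {rows} rows within the window ending {when}")
```

In a live org the same condition would sit in a transaction security policy, where the response can be a notification, a multi-factor challenge or a block rather than an after-the-fact alert.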

Battening down the hatches

Enhanced Encryption is largely technical. Shield increases native Salesforce encryption from 128 to 256 bits, allows for additional encryption options such as deterministic or probabilistic, and lets you use your own encryption keys — things that might be required for compliance in some industries but can’t hurt no matter what business you’re in. It’s largely a “set and forget” feature. Once enabled and configured, you can sleep at night knowing your data is better protected.

Sitting on a gold mine?

The Extended Audit Trail features expand the number of actions and events that are logged, and store those logs for a longer period of time. Again, by itself, that’s not a bad thing and is actually a compliance requirement in some industries.

Like Real-Time Event Monitoring, audit trail is not quite as “set and forget” as encryption. You must define the proper retention policies — exactly what’s tracked and how long it’s stored. And like that old lawn mower I have rusting out in the back yard, if the logs just sit there, they’re not doing you much good.

Unlike my lawnmower, however, whose value is dubious, you’re likely sitting on a goldmine of data with those log files. With the proper analysis, including advanced AI and machine learning technologies such as Salesforce’s own Einstein Analytics, you can identify trends, uncover insights, detect anomalous or potentially fraudulent behaviors, security vulnerabilities and more. Failing to mine this data is the moral equivalent of closing your eyes and putting your fingers in your ears when someone is trying to tell you something critically important about your business.

It's up to you

Shield’s value won’t unlock itself. To enjoy these benefits, action on your part is required.

We have a great deal of experience helping our clients with leading practices for Shield, and you may be surprised at just how quickly you could reap the rewards. If you’d like to hear more, shoot me a message—I’d love to chat.