Skip to content
theCodeFlash

Shield Platform Encryption, Event Monitoring & Field Audit Trail

Salesforce Shield is a suite of three products that address enterprise compliance, audit, and data protection requirements. For CTA scenarios, Shield surfaces whenever the customer has regulatory obligations (HIPAA, GDPR, PCI-DSS, SOX) or needs data protection beyond what standard platform security provides.

Shield Components Overview

Three Shield components and their primary compliance use cases: Platform Encryption for data at rest, Event Monitoring for threat detection, and Field Audit Trail for long-term audit history.
Figure 1. Shield bundles three distinct compliance capabilities. Each addresses a different audit dimension: encryption protects data at rest, Event Monitoring answers who accessed what data and when, and Field Audit Trail provides the long-term change history required by SOX and HIPAA retention mandates.

Platform Encryption

Platform Encryption encrypts data at rest in the Salesforce database. It sits on top of the standard encryption that protects data in transit (TLS) and at rest (AES-256 for all Salesforce data).

Standard Encryption vs Platform Encryption

FeatureStandard Salesforce EncryptionPlatform Encryption (Shield)
Data in transitTLS 1.2+TLS 1.2+
Data at restAES-256 (Salesforce manages)AES-256 with customer-controlled keys
Key managementSalesforce onlyCustomer can manage keys (BYOK, cache-only)
Field-level controlNoYes, choose which fields to encrypt
Compliance certificationsSOC 2HIPAA, PCI-DSS, GDPR, SOX
Functionality impactNoneSome; see trade-offs below

Encryption Schemes

SchemeSearchabilityFilter/SortUniquenessUse Case
DeterministicYes (exact match)Yes (limited)Can enforceFields that need filtering: Email, Phone, SSN
ProbabilisticNoNoCannot enforceMaximum security: Description, Notes, custom text areas
Decision tree for choosing between deterministic and probabilistic encryption per field based on whether the field needs to be searchable and whether exact-match or substring search is required.
Figure 2. Encryption scheme selection is driven entirely by how the field is queried. Fields that need substring search (LIKE, CONTAINS) cannot be fully satisfied by either scheme. The masked formula field pattern is the only workaround that preserves partial display without exposing the source value.

Deterministic Is Not Fully Searchable

Deterministic encryption only supports exact-match searches. LIKE, CONTAINS, and wildcards do not work. If users need to search for “John%” across encrypted Name fields, deterministic encryption will not satisfy that requirement. Plan for this limitation up front.

What Can Be Encrypted

EncryptableExamplesNotes
Standard fieldsName (First/Last), Email, Phone, Description, Address fieldsNot all standard fields are encryptable
Custom fieldsText, Text Area, Long Text Area, Email, Phone, URL, Date, Date/TimeNumber and Currency are not supported for field-level encryption (they break aggregation, reporting, and roll-up summaries)
Files & AttachmentsFiles, Attachments, ContentEntire body is encrypted
Search IndexThe search index itselfAdditional protection for search data
ChatterPosts, commentsEnterprise-grade Chatter security

Database Encryption (Hyperforce)

Database Encryption (also called Transparent Data Encryption) encrypts the entire database at the storage layer, rather than selectively encrypting individual fields. It is available only on Hyperforce with a Shield license.

AspectField-Level Encryption (FLE)Database Encryption
ApproachApplication-layer, per-fieldStorage-layer, whole-database
Functional ImpactBreaks aggregate/sort/filter (unless deterministic)Zero; transparent to the application
GranularitySelective (choose specific fields)Entire database (not selective)
Key ManagementBYOK, Cache-Only Keys, SF-managedBYOK, SF-managed (no Cache-Only Keys)
RequirementAny infrastructureHyperforce only

Because Database Encryption operates at the storage layer, it has none of the field-type restrictions that FLE has. Number, Currency, and all other field types are encrypted transparently without breaking queries, sorting, aggregation, or reporting. The trade-off: you cannot selectively encrypt specific fields. It is all or nothing at the database level.

CTA Decision: FLE vs Database Encryption

If the scenario is on Hyperforce and the compliance requirement is “encrypt data at rest” without needing field-selective control or Cache-Only Key management, recommend Database Encryption for zero functional impact. If the scenario requires selective field encryption, crypto-shredding via Cache-Only Keys, or is not on Hyperforce, FLE remains the only option despite its functional trade-offs.

What CANNOT Be Encrypted

Not EncryptableWhy
Formula fieldsDerived from other fields; encrypt the source field instead
Auto-Number fieldsPlatform-generated sequences
Lookup/Master-Detail fieldsRelationship fields (IDs)
Picklist fieldsLimited data type; use sharing rules instead
Standard Name fields on some objectsPlatform limitations per object

Encryption Trade-offs

This is where CTA candidates are tested: not on whether to encrypt, but on understanding the cost.

CapabilityWithout EncryptionWith DeterministicWith Probabilistic
SOQL WHERE clauseFull supportExact match onlyNot supported
SOQL ORDER BYFull supportLimitedNot supported
SOQL LIKEFull supportNot supportedNot supported
Aggregate functionsFull supportNot supportedNot supported
Workflow field updatesFull supportFull supportFull support
Validation rulesFull supportLimitedLimited
Duplicate rulesFull supportExact match onlyNot supported
Formula fields referencingFull supportLimited functionsLimited functions
Report filtersFull supportExact match onlyNot supported
Auto-complete/typeaheadFull supportNot supportedNot supported

Encryption Breaks Things

Platform Encryption is not free. It breaks functionality users depend on: SOQL filtering, sorting, LIKE queries, auto-complete, and aggregate reporting. A thorough impact analysis is required before encrypting any field. The CTA board will ask “what breaks when you encrypt this?”

Key Management

Key OptionWho ManagesKey LocationRotationUse Case
Salesforce-managedSalesforceSalesforce infrastructureSalesforce rotatesStandard compliance; simplest
Customer-managed (BYOK)CustomerHSM (via API upload)Customer controlsHigh-security; regulatory requirement for key control
Cache-only keysCustomerCustomer infrastructure (never persisted in SF)Customer controlsMaximum control; key only exists in SF cache

BYOK (Bring Your Own Key)

Customer generates encryption keys in their own HSM, uploads them to Salesforce via API where they are stored as tenant secrets, and retains control to revoke or rotate the key.
Figure 3. BYOK gives the customer control over encryption key generation and rotation while Salesforce retains a copy as a tenant secret. The key trade-off versus cache-only keys: the key is persisted in Salesforce infrastructure, which simplifies availability but gives the customer less absolute control.

Key Management Architecture

Understanding the full key management decision flow helps select the right approach for a given compliance scenario.

Decision tree for selecting between Salesforce-managed keys, BYOK, and cache-only keys based on customer key control requirements and acceptable availability trade-offs.
Figure 4. Cache-only keys provide maximum control but introduce an availability dependency: if the customer’s key service is down, Salesforce cannot decrypt data. When the customer cannot accept that risk, BYOK is the correct fallback, as it offers key control without the availability dependency.

Cache-Only Keys

Cache-only keys provide the highest level of customer control. The key is sent to Salesforce on-demand and only exists in memory; it is never persisted.

AspectBYOKCache-Only Keys
Key persistence in SFYes (encrypted tenant secret)No, only in RAM cache
Data access if key revokedData remains encrypted; can re-provide keyData inaccessible until key re-provided
Availability riskLow; key persistedHigher; key service must be available
Control levelHighMaximum
ComplexityMediumHigh

Cache-Only Key Availability

With cache-only keys, if the customer’s key service is unavailable, Salesforce cannot decrypt the data. This creates an availability dependency on the customer’s infrastructure. Architects must evaluate whether this trade-off is acceptable.

Event Monitoring

Event Monitoring captures detailed user activity logs across the Salesforce platform. It answers “who did what, when, and from where?”

Event Types

CategoryEvents TrackedUse Case
Login eventsLogin attempts, login geography, login statusDetect unauthorized access, credential stuffing
API eventsAPI calls, object access, query patternsDetect data exfiltration, API abuse
Report/Dashboard eventsReport runs, dashboard views, export eventsDetect mass data export attempts
URI eventsPage views, record viewsUser behavior analysis
Lightning eventsLWC/Aura component interactionsApplication usage analytics
Apex eventsApex execution, governor limit usagePerformance monitoring
Content eventsFile downloads, content accessDetect sensitive document access

Event Monitoring Architecture

Event Monitoring flow from user activity capture through event log files and real-time platform events, to forensic analysis via API or CRM Analytics, and real-time automated responses via Transaction Security policies.
Figure 5. Event Monitoring splits into two paths: log files for retrospective forensic analysis (with a 24-hour delay) and real-time platform events that feed Transaction Security policies for immediate automated responses like blocking or requiring MFA re-authentication.

Real-Time Event Monitoring

FeatureStandard Event MonitoringReal-Time Event Monitoring
Log availability24-hour delay (log files)Near real-time (Platform Events)
Retention30 days (or 1 day for some types)Subscription-based
AutomationDownload and analyzeTransaction Security policies
Use caseHistorical analysis, forensicsActive threat detection, automated response

Transaction Security

Transaction Security policies evaluate events in real-time and can block, notify, or require MFA when conditions are met.

Real-time policy evaluation flow where a user action triggers condition checking, then routes to block, MFA step-up, or notify-only based on the policy action configured.
Figure 6. Transaction Security evaluates policies in real time at the moment of the user action. The three response options (block, MFA step-up, and notify-only) allow graduated responses: blocking for high-risk actions like mass data export, MFA step-up for sensitive record access, and notification-only for audit visibility.

Example policies:

  • Block report exports containing more than 10,000 records
  • Require MFA when a user logs in from an unrecognized IP
  • Notify admin when a user views more than 500 records in an hour
  • Block API sessions that exceed normal query patterns

Field Audit Trail

Field Audit Trail (FAT) extends standard field history tracking to support up to 10 years of data retention and up to 60 fields per object.

Standard History vs Field Audit Trail

FeatureStandard Field HistoryField Audit Trail
Fields per object2060
Retention18-24 monthsUp to 10 years
StorageStandard Salesforce storageBig Object (FieldHistoryArchive)
QueryableSOQLStandard SOQL on FieldHistoryArchive Big Object, or Salesforce CLI
CostFreeShield license
Data type supportMost field typesSame as standard
Archive policyN/AConfigurable retention per object

Field Audit Trail Architecture

Field value changes flow through standard Field History Tracking, then archive to the FieldHistoryArchive Big Object for long-term retention queryable via SOQL, CLI, or REST API.
Figure 7. Field Audit Trail extends standard field history by archiving changes to a Big Object, enabling up to 10 years of retention with 60 fields per object. The FieldHistoryArchive Big Object is queried like any other object via SOQL, making historical data accessible for SOX and HIPAA audit responses.

Field Audit Trail Use Cases

RegulationRequirementHow FAT Helps
SOXFinancial data change audit trailTrack changes to Amount, Stage, Close Date on Opportunities
HIPAAProtected health information access loggingTrack changes to patient fields on Health Cloud objects
GDPRData processing recordsTrack changes to consent fields, data subject attributes
PCI-DSSCardholder data access loggingTrack access to payment-related fields

Shield Licensing and Cost Considerations

Shield Costs

Shield is an add-on license priced per-org, not per-user. The cost is significant, typically 30-50% of the base platform license cost. Weigh the compliance benefit against the cost and recommend Shield only when regulatory requirements demand it. If the scenario does not mention compliance requirements, do not recommend Shield.

Decision FactorRecommend ShieldDo Not Recommend Shield
HIPAA/PCI/SOX complianceYesN/A
Regulatory audit requirementsYesN/A
Customer demands key managementYes (BYOK/cache-only)N/A
General “we want more security”Evaluate if standard features sufficeIf standard encryption + sharing model is adequate
Data breach concernIf need forensics + real-time detectionIf standard login tracking is sufficient

Sources

Personal study notes for the Salesforce CTA exam. Content compiled from VJ's study notes, official Salesforce documentation, community sources, and online publicly available content, then organized and presented with AI assistance. Not affiliated with Salesforce. © 2025–2026 VJ Srivastava.