Shield & Encryption Quick Reference

Fast-track reference for Salesforce Shield — Platform Encryption, Event Monitoring, and Field Audit Trail. Read this if you have 2 hours before a mock board and need to know what breaks, what each key option means, and how to map compliance regs to Salesforce controls.

Shield at a Glance

Component	What It Does	When to Recommend
Platform Encryption	Encrypts data at rest with customer-controlled keys	Regulatory requirement for data-at-rest encryption (HIPAA, PCI, GDPR)
Event Monitoring	Captures 74+ event types; real-time threat detection	Need forensics, data exfiltration detection, or automated policy enforcement
Field Audit Trail	60 fields/object, up to 10-year retention	SOX/HIPAA audit requirements beyond 18-month standard tracking

Shield Is Expensive

Shield is priced per-org at ~30-50% of base platform license cost. Never recommend it unless the scenario explicitly requires regulatory compliance, customer-controlled key management, or long-term audit trails. If no compliance driver exists, standard encryption + sharing model is sufficient.

Encryption Scheme Comparison

Dimension	Deterministic	Probabilistic
How it works	Static IV — same plaintext produces same ciphertext per field/org	Random IV — same plaintext produces different ciphertext each time
SOQL WHERE (exact match)	Yes	No
SOQL LIKE / CONTAINS	No	No
SOQL ORDER BY	Limited	No
Report filters	Exact match only	No
List view filters	Exact match only	No
Duplicate rules	Exact match	No
Uniqueness enforcement	Yes	No
Auto-complete / typeahead	No	No
Aggregate functions (SUM, AVG)	No	No
Security level	High	Maximum
Best for	Email, Phone, SSN — fields users must filter on	Notes, Descriptions, PHI narrative fields — no search needed

Board Script

“I recommend deterministic encryption for the Email field because users need to filter cases by patient email. I accept the trade-off of exact-match-only search. For clinical notes, I use probabilistic because no one filters on narrative text and it provides maximum security.”

Key Management Options

Option	Key Location	Who Rotates	Availability Risk	Complexity	When to Use
Salesforce-managed	Salesforce infrastructure	Salesforce	None	Low	Standard compliance; no regulatory key-control mandate
BYOK	Customer HSM, uploaded via API	Customer	Low (key persisted in SF tenant secret)	Medium	Regulation requires customer-controlled keys (PCI-DSS, HIPAA)
Cache-only	Customer infrastructure only; never persisted in SF	Customer	High — key service outage = data inaccessible	High	Maximum control; “kill switch” requirement; highly regulated industries

Cache-Only Availability Trap

Cache-only keys create a hard dependency on the customer’s key service. If that service is down, Salesforce cannot decrypt any data. Architect for HA/DR on the key service itself. The board will ask: “What happens if your key service goes down?”

What Breaks When You Encrypt

Capability	Impact	Mitigation
SOQL LIKE / CONTAINS	Broken (both schemes)	Use unencrypted masked formula field for partial display
Aggregate queries (SUM, AVG, COUNT)	Broken (both schemes)	Pre-aggregate in unencrypted rollup fields or external analytics
Formula fields referencing encrypted field	Limited functions only	Encrypt the source, not the formula; redesign formula logic
Auto-complete / typeahead	Broken (both schemes)	Accept UX trade-off or use external search
Flows / Process Builder filters	Cannot filter on encrypted values	Use Apex triggers or unencrypted criteria fields
Validation rules	Limited	Test each rule; some operators fail silently
Skinny tables	Encrypted fields excluded	Do not encrypt fields critical to skinny table performance
Change Data Capture	Encrypted values in CDC events	Decrypt in subscriber; adds integration complexity

Never Encrypt These

Lookup / Master-Detail fields — breaks relationships entirely
Auto-Number fields — platform-generated, not encryptable
Picklist fields — not supported; use sharing rules for picklist-based access
Fields used in skinny tables — defeats LDV performance optimization
Foreign keys or External IDs used in integrations — breaks matching/upsert logic

Encryption Decision Flowchart

flowchart TD
    Start{"Does a regulation require\ndata-at-rest encryption?"} -->|No| NoShield["Use standard platform\nencryption (TLS + AES-256)\nDo NOT recommend Shield"]
    Start -->|Yes| FieldQ{"Which fields\ncontain regulated data?"}
    FieldQ --> SchemeQ{"Do users need to\nfilter/search this field?"}
    SchemeQ -->|Yes| Det["Deterministic\n(exact-match filter preserved)"]
    SchemeQ -->|No| Prob["Probabilistic\n(maximum security)"]
    Det --> KeyQ{"Does regulation require\ncustomer key control?"}
    Prob --> KeyQ
    KeyQ -->|No| SFKey["Salesforce-managed keys"]
    KeyQ -->|"Yes, with persistence OK"| BYOK["BYOK\n(customer HSM, key persisted in SF)"]
    KeyQ -->|"Yes, zero persistence"| Cache["Cache-only keys\n(key never stored in SF)"]
    Cache --> HA["Architect HA/DR\nfor key service"]

    style NoShield fill:#2e7d32,color:#fff
    style Det fill:#1565c0,color:#fff
    style Prob fill:#1565c0,color:#fff
    style Cache fill:#c62828,color:#fff

Event Monitoring Quick Reference

Capability	What It Does	Key Use Cases
Login Event Monitoring	Tracks login attempts, geo, IP, status, device	Credential stuffing detection, suspicious login alerts
API Event Monitoring	API calls, objects accessed, query patterns	Data exfiltration detection, API abuse throttling
Report Export Events	Report runs, row counts, export actions	Block mass data exports (>10K rows)
Real-Time Events	Near-real-time via Platform Events (vs 24h log delay)	Active threat response, automated enforcement
Transaction Security Policies	Evaluate events in real-time; block, require MFA, or notify	Block large report exports, force MFA on unknown IP, alert on bulk API queries

Transaction Security Policy examples to know:

Block report export when row count > 10,000
Require MFA when login from unrecognized IP/device
Notify admin when user views > 500 records/hour
Block API session exceeding normal query volume

Field Audit Trail Quick Reference

Dimension	Standard Field History	Field Audit Trail (Shield)
Fields per object	20	60
Retention	18 months (24 months via API)	Up to 10 years (configurable policy)
Storage	Counts against org storage	Big Object (`FieldHistoryArchive`) — does NOT count
Query method	Standard SOQL	Standard SOQL on FieldHistoryArchive Big Object, REST API, Salesforce CLI
Cost	Free	Shield license required
Archive policy	None	Configurable retention per object

FAT Architecture

Data flows: Field change —> Standard Field History Tracking (18 months) —> archived to FieldHistoryArchive Big Object (up to 10 years). Query archived data via standard SOQL on the FieldHistoryArchive Big Object, REST API, or Salesforce CLI. Plan for this in reporting architecture.

Compliance-to-Controls Mapping

Regulation	Key Requirement	Salesforce Shield Controls
HIPAA	Encrypt PHI at rest; audit access to patient data; breach notification readiness	Platform Encryption on PHI fields (probabilistic for notes, deterministic for patient email/phone); Event Monitoring for access forensics; FAT on clinical fields
GDPR	Data subject access/erasure rights; lawful processing records; breach notification within 72h	Encryption on PII; FAT for processing activity records; Event Monitoring for breach detection; Individual object for DSAR tracking
SOX	Financial data integrity; change audit trail; segregation of duties	FAT on Opportunity Amount/Stage/Close Date (10-year retention); Event Monitoring for change tracking; Setup Audit Trail for config changes
PCI-DSS	Encrypt cardholder data; restrict access; log access attempts; key management controls	Platform Encryption (BYOK or cache-only for key control); Event Monitoring for access logging; never store full card numbers in Salesforce

PCI-DSS Scope Warning

Salesforce is NOT a PCI-compliant payment vault. Never store full credit card numbers (PAN) in Salesforce, even with Shield Encryption. Use a PCI-certified payment gateway and store only last-4 or tokenized references. The board will challenge you if you suggest storing card data in Salesforce.

Reverse-Engineered Use Case 1: Healthcare with PHI + SOX

Situation: Regional hospital system on Health Cloud. 3,000 users. Must comply with HIPAA (patient data) and SOX (financial reporting for the parent corporation). Mix of clinical staff, billing, and executive leadership.

What you’d present:

Platform Encryption: Probabilistic on clinical notes, care plan narratives (no filter needed). Deterministic on patient Email, Phone (care coordinators filter by these).
Key management: BYOK — hospital compliance mandates customer key control but accepts key persistence in Salesforce.
Field Audit Trail: 10-year retention on patient demographic fields (HIPAA), Opportunity Amount/Stage/Close Date (SOX). 60 fields tracked on the Patient (Contact) object.
Event Monitoring: Transaction Security policy blocks report exports > 5,000 patient records. Login monitoring flags access from outside hospital network.
What NOT to encrypt: Lookup fields to Account (breaks relationships), fields in skinny tables (LDV performance on appointment queries).

Situation: European wealth management firm. 1,200 users across 8 countries. GDPR compliance mandatory. Client PII includes name, address, national ID, portfolio details. Must support right-to-erasure requests.