Encrypting Remedyforce data by using Salesforce Platform encryption
Before you encrypt
Before you decide to encrypt data in Salesforce, ensure that you match the right security solution to the type of threats you face. Salesforce Shield Platform Encryption protects data at rest. It should not be confused with a control that encrypts data in transit, such as Transport Layer Security, which Salesforce enables by default for your organization. Shield Platform Encryption is best suited for:
- Protecting against data theft or data loss due to unauthorized database access.
- Bolstering compliance with regulatory requirements or internal security policies.
- Satisfying contractual obligations to handle sensitive and private data on behalf of customers.
The best approach is to adopt a defense-in-depth strategy by implementing all security features that Salesforce offers. For more information about the security implementation, see Security Implementation Guide.
Guidelines to implement Salesforce Platform Encryption
- Check what you can and cannot encrypt. For more information about data that you can encrypt, see What you can and cannot encrypt.
- Ensure that you understand the limitations of encryption: encrypted fields are not available in the criteria of QuickViews, Lookup filters, Normalization rules, and Reconciliation rules.
- If you want to encrypt data in a Text Area (Rich) field, change the data type of the field to Text Area or Text Area (Long) as Salesforce currently does not support encryption for a field of type Text Area (Rich).
- BMC recommends that you begin with encrypting a few fields. Run the report to see the impact of encrypted fields on query conditions in Remedyforce and take all the necessary measures to ensure all query conditions are working fine.
- Evaluate the impact of the considerations on your business solution and implementation.
- Test Shield Platform Encryption in a sandbox environment before deploying to a production environment.
- Salesforce Spring 17 has a new Beta feature, “Retrieve Encrypted Data with Custom Formula Fields”, in which encrypted fields can be used in Formula fields. If you wish to participate, a case has to be opened with Salesforce requesting that the feature be turned on. However, be aware that this feature has a very narrow scope at this time. Formula fields that use an encrypted field have to follow these restrictions:
- The only operators that are supported are the concatenation operators:
- The only formula functions that are currently supported are:
Any formulas using any operators or functions not listed in the preceding list will fail. Remedyforce has a number of formula fields that don’t fit the narrow scope defined above. In these instances, you will not be able to encrypt the field. We’ve noted these exceptions throughout this document.
- Platform Encryption is a part of Salesforce Shield and Salesforce Shield is an additional cost. However, you can purchase just Salesforce Platform Encryption from BMC. Please reach out to your Sales Account Manager or Business Relationship Manager for details.
- Once Platform Encryption is enabled on your Org, if you need to encrypt any Remedyforce managed package fields, you’ll need to make a separate request to Salesforce to have this feature enabled for you.
- There is a limit on the number of files that Salesforce will scan when trying to encrypt a field that may have been used in a formula field. Today (March 31, 2017), customers who want to encrypt the Contact Name or Account Name when Remedyforce is installed need to submit a request to Salesforce to increase the following limits:
- Maximum number of formulas that can be visited when performing Custom Formula Field validation for encryption enablement raised to 1000
- Maximum number of formulas that can be loaded when performing Custom Formula Field validation for encryption enablement raised to 500
- If you have custom Apex Classes and Triggers, encryption could have an impact on that custom Apex code. Before enabling encryption, fix any violations that you uncover. For example, referencing encrypted fields in a SOQL WHERE clause triggers a violation. Similarly, if you reference encrypted fields in a SOQL ORDER BY clause, a violation occurs.
Salesforce Platform Encryption has some restrictions that affect a few Remedyforce functionalities. The following table summarizes the impact of the Salesforce Platform Encryption limitations on Remedyforce functionalities.
|Salesforce Platform Encryption limitation|Loss of Remedyforce functionality|
|Encrypted fields are not allowed in query conditions|Salesforce does not allow the use of encrypted fields in the following clauses of the SOQL and SOSL query conditions: For example, query conditions of a QuickView that contains the WHERE clause. To ensure that all functionalities of Remedyforce continue to work, before running a query, all fields in the WHERE and ORDER BY clauses are checked. If an encrypted field is used in a condition, the condition is removed and all results are displayed without applying any condition. For more information, see Encrypted fields in SOQL and SOSL queries.|
|Encrypted fields are not allowed in Aggregate functions|Salesforce also does not allow use of encrypted fields in Aggregate functions, such as Max and Min.|
|Fields of type Text Area (Rich) cannot be encrypted|Salesforce currently does not support encryption for a field of type Text Area (Rich). Therefore, you cannot enable encryption for such fields. If you have Text Area (Rich) fields in the Remedyforce Console, Self Service forms, or Service Request Definitions and you want to encrypt data of such fields, plan and update the field type to Text Area (Long). When you convert a Text Area (Rich) field to a Text Area (Long) field, Salesforce asks you to confirm whether you want to remove the HTML tags from the content. When you convert the Text Area (Rich) type fields, ensure that you select the "Remove HTML markup. Only the content will be kept" option. This option also ensures that line breaks in the text are converted to new lines. Also, all email messages that are in a rich text format are saved as plain text in the Note field of History objects, such as Incident History.|
|Field limits with Salesforce Platform Encryption| |
Encrypted fields in SOQL and SOSL queries
Salesforce does not allow use of encrypted fields in the WHERE and ORDER BY clauses of a query. These clauses are used in Salesforce Object Query Language (SOQL) and Salesforce Object Search Language (SOSL) queries in BMC Remedyforce code. The following user-configured areas of BMC Remedyforce might be affected by encrypted fields:
- Lookup filters
- Service level agreements (SLAs) – Service Targets
- Service Request Definitions – Fulfillment Criteria - CMDB
- Suggested Owners and Queue Assignment
- Reconciliation rules
- Rule Based Classes
- Select From Business Services windows
If you have selected the Support Salesforce Platform Encryption in Remedyforce check box, BMC Remedyforce checks all fields in the query condition of WHERE and ORDER BY clauses before running a query. If an encrypted field is found, the condition is removed and all results are displayed without applying any condition. The same behavior is also observed in Self Service 2.0, Self Service 3.0, Service Desk on Salesforce1 Mobile App, and Self Service on Salesforce1 Mobile App.
If you have not selected the Support Salesforce Platform Encryption in Remedyforce check box and encrypt Remedyforce fields, you might receive Salesforce exceptions while running some Remedyforce functionalities.
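The following is an added example, not BMC or Salesforce code: a pre-encryption audit that scans SOQL strings (for instance, from custom Apex or saved filter conditions) for fields planned for encryption in WHERE clauses, ORDER BY clauses, or aggregate functions, which are the places where a condition is removed or an exception is raised. The object and field API names are hypothetical, and the regex-based clause split is a simplification that treats subqueries as part of the surrounding clause.

```python
import re

# SOQL clause keywords used to cut a query into sections.
_CLAUSE = re.compile(r"\b(WHERE|ORDER\s+BY|GROUP\s+BY|HAVING|LIMIT|OFFSET)\b", re.I)
# Aggregate calls on a single field, e.g. MAX(Field__c).
_AGGREGATE = re.compile(
    r"\b(COUNT_DISTINCT|COUNT|MAX|MIN|SUM|AVG)\s*\(\s*([\w.]+)\s*\)", re.I)
_LITERAL = re.compile(r"'(?:\\.|[^'\\])*'")
# Identifiers that are not bind variables (:var) or parts of a longer name.
_IDENT = re.compile(r"(?<![:\w.])[A-Za-z_][\w.]*")


def audit_soql(query, encrypted_fields):
    """Return sorted (location, field) pairs where an encrypted field is used
    in a WHERE clause, an ORDER BY clause, or an aggregate function."""
    encrypted = {f.lower() for f in encrypted_fields}
    text = _LITERAL.sub("''", query)  # field names inside string literals do not count
    findings = set()
    for func, field in _AGGREGATE.findall(text):
        if field.split(".")[-1].lower() in encrypted:
            findings.add((func.upper() + "()", field))
    parts = _CLAUSE.split(text)  # [head, keyword, body, keyword, body, ...]
    for keyword, body in zip(parts[1::2], parts[2::2]):
        clause = " ".join(keyword.upper().split())
        if clause not in ("WHERE", "ORDER BY"):
            continue
        for ident in _IDENT.findall(body):
            # Compare the last path segment so Relationship__r.Field__c is caught too.
            if ident.split(".")[-1].lower() in encrypted:
                findings.add((clause, ident))
    return sorted(findings)


def audit_all(queries, encrypted_fields):
    """Map each query name to its findings, omitting clean queries."""
    results = {name: audit_soql(q, encrypted_fields) for name, q in queries.items()}
    return {name: hits for name, hits in results.items() if hits}


# Constructed sample input: hypothetical API names, not Remedyforce's real ones.
ENCRYPTED = {"Client_Phone__c"}
QUERIES = {
    "lookup_filter": "SELECT Id FROM Incident__c WHERE Client_Phone__c = :phone",
    "sorted_list": "SELECT Id, Client_Phone__c FROM Incident__c ORDER BY Client_Phone__c",
    "aggregate": "SELECT MAX(Client_Phone__c) FROM Incident__c",
    "clean": "SELECT Id, Client_Phone__c FROM Incident__c WHERE Note__c = 'Client_Phone__c'",
}

if __name__ == "__main__":
    for name, hits in audit_all(QUERIES, ENCRYPTED).items():
        print(name, hits)
```

Every WHERE finding marks a filter that will stop restricting results once the field is encrypted, so review those queries for records that would become visible to users who previously saw only a filtered subset.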
The following figure explains if conditions are retained or removed from a SOQL or SOSL query and what results you can expect.
The following exceptions from this flow can be observed:
- Reconciliation rules - If an encrypted field is present in the condition of a reconciliation rule, the reconciliation rule will not run.
- Rule Based Asset classes - If you encrypt a field used in the criteria of a Rule Based Asset class, the criteria remain as is. However, if you deactivate the rule of the Rule Based Class and activate it later, the records added to the class during the deactivated time are not synchronized.
- Filter in the Remedyforce CMDB - If you have encrypted a field used in an existing filter, only the condition that includes the encrypted field is removed from the filter.
- QuickView Filters - You cannot filter QuickView results based on the encrypted fields.
Existing query conditions are not changed. However, those query conditions are not run. For example, you had configured a Lookup filter on the Incident object to display all incidents where the value of the Client Phone field matches the phone number of the current client. If you encrypt the Client Phone field, you will view the Lookup filter in your list. However, the Lookup filter will not run the condition.
Whenever you configure a new query, the fields marked for encryption are not displayed. For example, if you encrypt the Client Phone field of the Incident object, you will not be able to configure a new query condition on the Client Phone field.
Note the following important behavior of encrypted fields:
- If you view the chart view of a QuickView where you have selected an encrypted field in the Data Field list, no data is displayed in the QuickView chart.
- If you are searching for a value of an encrypted field in a lookup window, no suggestions are displayed.
- If an encrypted field is present in a list view, sorting is not allowed on the encrypted field column.