Encrypting Remedyforce data by using Salesforce Platform encryption
Before you encrypt
Before you decide to encrypt data in Salesforce, ensure that you match the right security solution to the type of threats you face. Salesforce Shield Platform Encryption protects data at rest. It should not be confused with a control that encrypts data in transit, such as Transport Layer Security, which Salesforce enables by default for your organization. Shield Platform Encryption is best suited for:
- Protecting against data theft or data loss due to unauthorized database access.
- Bolstering compliance with regulatory requirements or internal security policies.
- Satisfying contractual obligations to handle sensitive and private data on behalf of customers.
The best approach is to adopt a defense-in-depth strategy by implementing all security features that Salesforce offers. For more information about the security implementation, see the Security Implementation Guide.
Guidelines to implement Salesforce Platform Encryption
- Check what you can and cannot encrypt. For more information about data that you can encrypt, see 02.
- Ensure that you understand the limitations of encryption: encrypted fields are not available in the criteria of QuickViews, Lookup filters, Normalization rules, and Reconciliation rules.
- If you want to encrypt data in a Text Area (Rich) field, change the data type of the field to Text Area or Text Area (Long) as Salesforce currently does not support encryption for a field of type Text Area (Rich).
- BMC recommends that you begin by encrypting a few fields. Run the report to see the impact of encrypted fields on query conditions in Remedyforce, and take all the necessary measures to ensure that all query conditions work as expected.
Considerations
- Evaluate the impact of the considerations on your business solution and implementation.
- Test Shield Platform Encryption in a sandbox environment before deploying to a production environment.
- Salesforce Spring '17 has a new Beta feature, “Retrieve Encrypted Data with Custom Formula Fields”, in which encrypted fields can be used in Formula fields. If you wish to participate, a case has to be opened with Salesforce requesting that the feature be turned on. However, be aware that this feature has a very narrow scope at this time. Formula fields that use an encrypted field have to follow these restrictions:
  - The only operators that are supported are the concatenation operators:
    - &
    - +
  - The only formula functions that are currently supported are:
    - isBlank
    - isNull
    - IF
    - HYPERLINK
    - IMAGE
Any formulas using any operators or functions not listed in the preceding list will fail. Remedyforce has a number of formula fields that don’t fit the narrow scope defined above. In these instances, you will not be able to encrypt the field. We’ve noted these exceptions throughout this document.
- Platform Encryption is a part of Salesforce Shield and Salesforce Shield is an additional cost. However, you can purchase just Salesforce Platform Encryption from BMC. Please reach out to your Sales Account Manager or Business Relationship Manager for details.
- Once Platform Encryption is enabled on your Org, if you need to encrypt any Remedyforce managed package fields, you’ll need to make a separate request to Salesforce to have this feature enabled for you.
- There is a limit as to the number of files that Salesforce will scan when trying to encrypt a field that may have been used in a formula field. Today (March 31, 2017), customers wanting to encrypt the Contact Name or Account Name when Remedyforce is installed, will need to submit a request to Salesforce to increase the following limits:
- Maximum number of formulas that can be visited when performing Custom Formula Field validation for encryption enablement raised to 1000
- Maximum number of formulas that can be loaded when performing Custom Formula Field validation for encryption enablement raised to 500
- If you have custom Apex Classes and Triggers, encryption could have an impact on that custom Apex code. Before enabling encryption, fix any violations that you uncover. For example, referencing encrypted fields in a SOQL WHERE clause triggers a violation. Similarly, if you reference encrypted fields in a SOQL ORDER BY clause, a violation occurs.
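One way to find such violations in custom Apex before enabling encryption is to scan the source for inline SOQL that uses a to-be-encrypted field in WHERE or ORDER BY. The following is an added example, not BMC or Salesforce code; the field API names and the Apex sample are constructed, and only bracketed inline SOQL is covered (not query strings built for dynamic SOQL).

```python
import re

# Inline SOQL in Apex sits between square brackets: [SELECT ... FROM ...]
SOQL_RE = re.compile(r"\[\s*(SELECT\b.*?)\]", re.I | re.S)
# A WHERE or ORDER BY clause runs until the next clause keyword or the end of the query
END = r"(?=\b(?:GROUP\s+BY|ORDER\s+BY|LIMIT|OFFSET|WITH|FOR)\b|$)"
CLAUSES = (
    ("WHERE", re.compile(r"\bWHERE\b(.*?)" + END, re.I | re.S)),
    ("ORDER BY", re.compile(r"\bORDER\s+BY\b(.*?)" + END, re.I | re.S)),
)
# Field references, including relationship paths (Account.Name); skips :bindVariables
IDENT_RE = re.compile(r"(?<![:\w.])[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*")
STRING_RE = re.compile(r"'(?:\\.|[^'\\])*'")

def find_violations(apex_source, encrypted_fields):
    """Return (line, clause, field) for each encrypted field used in WHERE / ORDER BY."""
    wanted = {f.lower() for f in encrypted_fields}
    hits = []
    for m in SOQL_RE.finditer(apex_source):
        line = apex_source.count("\n", 0, m.start()) + 1
        soql = STRING_RE.sub("''", m.group(1))  # literals cannot be field references
        for clause, rx in CLAUSES:
            for cm in rx.finditer(soql):
                for token in IDENT_RE.findall(cm.group(1)):
                    field = token.split(".")[-1]  # simplification: match on the last path segment
                    if field.lower() in wanted:
                        hits.append((line, clause, field))
    return hits

# Hypothetical API names of fields selected for encryption (assumption)
ENCRYPTED_FIELDS = {"Client_Phone__c", "Phone"}

# Constructed Apex sample, not Remedyforce code
SAMPLE_APEX = """
public class IncidentLookup {
    public static List<Incident__c> byPhone(String phone) {
        return [SELECT Id, Client_Phone__c FROM Incident__c
                WHERE Client_Phone__c = :phone ORDER BY Name LIMIT 10];
    }
    public static List<Contact> sorted() {
        return [SELECT Id, Phone FROM Contact WHERE Email != null ORDER BY Phone DESC];
    }
    public static List<Contact> safe(String phone) {
        return [SELECT Id, Phone FROM Contact WHERE Title = 'Phone' AND Id = :phone];
    }
}
"""

if __name__ == "__main__":
    for line, clause, field in find_violations(SAMPLE_APEX, ENCRYPTED_FIELDS):
        print(f"line {line}: encrypted field {field} used in {clause}")
```

Selecting an encrypted field in the SELECT list is not flagged; only its use as a filter or sort key is.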
Limitations
BMC Helix Remedyforce is verified using Probabilistic encryption with the following known limitations.
Encrypted fields in SOQL and SOSL queries
Salesforce does not allow use of encrypted fields in the WHERE and ORDER BY clauses of a query. These clauses are used in Salesforce Object Query Language (SOQL) and Salesforce Object Search Language (SOSL) queries in BMC Remedyforce code. The following user-configured areas of BMC Remedyforce might be affected by encrypted fields:
- Lookup filters
- QuickViews
- Service level agreements (SLAs) – Service Targets
- Service Request Definitions – Fulfillment Criteria - CMDB
- Suggested Owners and Queue Assignment
- Reconciliation rules
- Rule Based Classes
- Select From Business Services windows
If you have selected the Support Salesforce Platform Encryption in Remedyforce check box, BMC Remedyforce checks all fields in the query condition of WHERE and ORDER BY clauses before running a query. If an encrypted field is found, the condition is removed and all results are displayed without applying any condition. The same behavior is also observed in Self Service 2.0, Self Service 3.0, Service Desk on Salesforce Mobile App, and Self Service on Salesforce Mobile App.
The following figure explains if conditions are retained or removed from a SOQL or SOSL query and what results you can expect.
The following exceptions from this flow can be observed:
- Reconciliation rules - If an encrypted field is present in the condition of a reconciliation rule, the reconciliation rule will not run.
- Rule Based Asset classes - If you encrypt a field used in the criteria of a Rule Based Asset class, the criteria remain as is. However, if you deactivate the rule of the Rule Based Class and activate it later, the records added to the class during the deactivated time are not synchronized.
- Filter in the Remedyforce CMDB - If you have encrypted a field used in an existing filter, only the condition that includes the encrypted field is removed from the filter.
- QuickView Filters - You cannot filter QuickView results based on the encrypted fields.
Existing query conditions are not changed. However, those query conditions are not run. For example, you had configured a Lookup filter on the Incident object to display all incidents where the value of the Client Phone field matches the phone number of the current client. If you encrypt the Client Phone field, you will view the Lookup filter in your list. However, the Lookup filter will not run the condition.
Whenever you configure a new query, the fields marked for encryption are not displayed. For example, you encrypt the Client Phone field of the Incident object. You will not be able to configure a new query condition on the Client Phone field.
Note the following important behavior of encrypted fields:
- If you view the chart view of a QuickView where you have selected an encrypted field in the Data Field list, no data is displayed in the QuickView chart.
- If you are searching for a value of an encrypted field in a lookup window, no suggestions are displayed.
- If an encrypted field is present in a list view, sorting is not allowed on the encrypted field column.
Related topics
Enabling encryption and viewing encryption report in Remedyforce