Over the last few years, digitalization, new working models and rapid economic change have made it more imperative than ever for business processes to be agile and scalable. Cloud services meet these requirements well and offer a flexible and dynamic solution. In the CRM segment, Salesforce is indisputably the market leader, with a global market share of over 20 percent, and is an indispensable part of modern business life for numerous companies. Many departments, such as sales, marketing, e-commerce and customer service, can collaborate with this cloud-based CRM solution anytime, anywhere. With the use and storage of sensitive customer data in the cloud, however, come significant security responsibilities. A company faces far-reaching consequences should its internal and confidential business information, customer contacts, price lists or supply chain details be compromised. For companies that use Salesforce as their CRM, addressing the security and compliance of the cloud solution thoroughly is mandatory, given the enormous importance of this tool and the volume of sensitive data it contains.
Why does using Salesforce violate industry compliance regulations without additional protective measures?
Salesforce is a US cloud provider. Under the GDPR, the USA is considered an unsafe third country, since its handling of personal data is not equivalent to the European standard. Although Salesforce now offers European customers the option of storing their data on servers within the EU, data may still be transferred to servers outside the EU when multiple Salesforce cloud products are used. Regardless of where the data is stored, the possibility of US administrators accessing EU servers already counts as third-country data traffic. The cloud provider's standard contractual clauses are not a sufficient safeguard for the transfer of sensitive data either: even such an agreement with a US data importer cannot prevent lawful access by US authorities without a prior court order. Data protection compliance therefore requires personal data to be safeguarded before it is transferred to the cloud whenever it is stored in countries without an adequacy decision. This ensures that US administrators only ever see sensitive data in encrypted form when it is accessed.
Does Salesforce Shield not provide sufficient protection for the secure use of the platform?
Over the years, Salesforce has greatly expanded its product range and added several integrated services to its primary offering. Salesforce Shield is an additional feature of the cloud provider that is intended to ensure the security of personal data and that enables, among other things, platform encryption. Encryption can be configured both by the cloud user and by Salesforce community experts. However, despite the encryption, Salesforce Shield administrators retain access to sensitive plaintext data, because they control the key used to pseudonymize customer data in the cloud.
If a company wants to rule out this access, the encryption must be performed in-house, before the data is sent to the CRM service.
Which is the best solution to protect my sensitive data? What does the eperi gateway offer that other data protection tools can't?
By encrypting personal data in the data stream, the eperi gateway ensures adherence to current data protection compliance guidelines. Pseudonymization and tokenization remove the personal reference from the data before it is stored in the cloud, so our customers act in compliance with data protection regulations. The eperi gateway does not affect compatibility between different applications; on the contrary, it can help prevent the use of shadow IT and avoid serious security breaches. With our solution, your independence and autonomy are preserved. Using selective encryption, the eperi gateway can flexibly encrypt personal data on a field and content basis. Keys and encryption always remain under your sole control, which leaves plenty of room for individual configurations. The IT infrastructure remains unrestricted thanks to the seamless integration, and there is no added latency when using the application. Because eperi's encryption is function-preserving, functions such as search, sorting, filters and rules can continue to be used without restriction; these functions are no longer available when Salesforce Shield is used. Data-centric encryption and tokenization at field level, as well as the pseudonymization of unstructured data, especially files, are likewise not a self-evident feature of cloud services. In this way, even in the event of data theft, sensitive data remains securely protected, since the attacker cannot make use of the encrypted data.
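To make the principle concrete, here is an added example of the pattern the two answers above describe: a gateway that replaces personal fields with keyed tokens before a record leaves the company, keeps the key and the token-to-plaintext mapping on premises, and still lets the cloud side answer an equality search. This is illustrative code written for this page, not eperi's implementation; the field policy, the token format, the record values and the in-memory stand-in for the CRM are all constructed for the example.

```python
# Added illustration of a client-side field-level tokenization gateway.
# Not eperi's code: the policy, token format and "cloud" below are constructed.
import hmac
import hashlib
import json
import secrets

# Hypothetical policy: CRM fields that hold personal data and must never
# leave the company in plaintext.
SENSITIVE_FIELDS = ("Email", "Phone", "LastName")


class TokenVault:
    """On-premises token store. The key and the token -> plaintext mapping
    stay here; only tokens are ever forwarded to the cloud service."""

    def __init__(self, key: bytes):
        self._key = key
        self._plain_by_token: dict[str, str] = {}

    def tokenize(self, field: str, value: str) -> str:
        # Deterministic keyed token: the same (field, value) always yields the
        # same token, so an equality search on the cloud side still matches,
        # while the cloud cannot invert the token without the key.
        mac = hmac.new(self._key, f"{field}\x00{value}".encode(), hashlib.sha256)
        token = "tok_" + mac.hexdigest()[:32]
        self._plain_by_token[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._plain_by_token[token]


class Gateway:
    """Sits between the users and the cloud CRM: rewrites records on the way
    out and restores them on the way back."""

    def __init__(self, vault: TokenVault):
        self.vault = vault

    def outbound(self, record: dict) -> dict:
        return {f: (self.vault.tokenize(f, v) if f in SENSITIVE_FIELDS else v)
                for f, v in record.items()}

    def inbound(self, record: dict) -> dict:
        return {f: (self.vault.detokenize(v) if f in SENSITIVE_FIELDS else v)
                for f, v in record.items()}

    def query_value(self, field: str, value: str) -> str:
        """Rewrite a search term so the cloud can match it against stored tokens."""
        return self.vault.tokenize(field, value) if field in SENSITIVE_FIELDS else value


class FakeCloudCrm:
    """Stand-in for the SaaS side: it only ever sees what the gateway forwards."""

    def __init__(self):
        self.records: list[dict] = []

    def insert(self, record: dict) -> None:
        self.records.append(dict(record))

    def find(self, field: str, value: str) -> list[dict]:
        return [r for r in self.records if r.get(field) == value]


def run_demo() -> dict:
    """Round-trip one constructed contact and return what each side saw."""
    vault = TokenVault(secrets.token_bytes(32))  # key generated and kept on-prem
    gateway = Gateway(vault)
    cloud = FakeCloudCrm()

    contact = {  # constructed sample record
        "Id": "003EXAMPLE",
        "LastName": "Mustermann",
        "Email": "erika@example.org",
        "Phone": "+49 000 0000",
        "Stage": "Lead",
    }
    cloud.insert(gateway.outbound(contact))

    stored = cloud.records[0]
    hits = cloud.find("Email", gateway.query_value("Email", "erika@example.org"))
    restored = gateway.inbound(hits[0])
    leaked = any(contact[f] in json.dumps(stored) for f in SENSITIVE_FIELDS)
    return {"stored": stored, "restored": restored, "hits": len(hits), "leaked": leaked}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two design points matter for the trade-off the text mentions. Deterministic tokens are what keep equality search and filtering working on the cloud side, but they also let the cloud see when two records share a value; tokenizing the plaintext lets the non-sensitive fields (here `Stage`) stay usable for reports without exposing the personal ones. Sorting by plaintext order or substring search is not preserved by this toy scheme; that requires order-preserving or searchable encryption, which is where a production gateway differs from this illustration.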
Is it not Salesforce's responsibility to take care of the security of their application?
Under the "Shared Responsibility Model", cloud users must do their part to keep sensitive data safe in the cloud; they cannot rely on their cloud provider to ensure the security of their data. Many companies are not aware of this responsibility. The "Shared Responsibility Model" is a security and compliance framework that clearly defines the responsibilities of cloud service providers, SaaS providers and customers for securing all aspects of the cloud environment. This includes, but is not limited to, hardware, infrastructure, endpoints and operating systems, as well as the data stored in the systems. In simple terms, the model specifies which contract partner is responsible for the security measures around each component. The cloud provider is responsible for monitoring and defending against security threats that target the cloud itself and the underlying infrastructure. Cloud users are required to protect the data and other assets stored in the cloud environment.