Thales Blog

The Freedom To Choose Your Key Management And Deployment Model

October 4, 2016

As cybersecurity risks increasingly threaten both corporate and public well-being, lawmakers and regulators alike are enhancing existing data security compliance requirements, implementing new legal frameworks and defining new regulations to respond to increasing internal and external hazards. Compliance mandates, data residency requirements, government regulations and best practices require that enterprises protect and maintain encryption keys in accordance with specific frameworks and laws. Meeting those frameworks and laws also means satisfying specific maintenance and storage requirements for the keys themselves.


Salesforce allows organizations to “bring your own key” (BYOK), maximizing the control and trust between the data owner and Salesforce. With BYOK, the tenant secrets used to derive encryption keys are created, owned and controlled separately from the encrypted data. Data security and compliance experts consider this a security best practice for meeting internal and external compliance controls. By combining Salesforce Platform Encryption with the Vormetric Key Management as a Service (KMaaS) offering, we can help organizations maintain trust in, control of and compliance for sensitive data in the Salesforce platform.

Key Management for Salesforce Shield Platform Encryption ensures that customers control the lifecycle of their encryption keys in a segregated, cost-efficient manner. Two convenient and fully integrated deployment options are available: a cloud-based “as-a-service” (aaS) option and an on-premises option for highly regulated or hybrid organizations. Both are easy to deploy, seamless in operation and support full lifecycle key management, including key creation, uploading, updating, storing and deletion:

  • On-premises: Many organizations are strong adopters of Salesforce, but prefer to keep direct control of their Salesforce data within their local data center. Often this is due to compliance and industry guidelines, or a desire to use Salesforce with minimum risk. For these customers, Vormetric Key Management for Salesforce enables the enterprise to manage and control the encryption of their Salesforce information directly (through management of their tenant secrets) within their data centers.
  • In the Cloud: KMaaS for Salesforce enables rapid deployment of the solution, eliminating the time and resources needed for installation and ongoing maintenance. Physical hardware acquisition, configuration and integration are eliminated, along with ongoing infrastructure management, maintenance and upgrade costs. Our experts deploy and maintain the KMaaS infrastructure, while enterprises simply use the application to protect their critical data in Salesforce.

So what’s the big deal here? It’s called freedom: the freedom to choose the specific key management and deployment model that best fits an organization’s needs. To top it off, the as-a-service model provides the best of both worlds: the benefits of the cloud while retaining control. With no hardware to deploy, the solution eliminates the hassle of architecting and maintaining a high-availability key management solution.

Now you can have your encryption while retaining key ownership, protecting sensitive data at the cloud infrastructure layer. As we announce the general availability of both our on-premises key management solution and our Key Management as a Service offering, we fully complement Salesforce Shield’s robust encryption service. Enterprises now have the choice they need to take complete control of their data encryption by simply and easily managing encryption key lifecycles outside of Salesforce, in the way that makes the most sense for their business.

I know it sounds redundant, but one of the most successful tactics in defending data is defending yourself from yourself. This means looking at the target (data, compute, etc.) and then wrapping controls such as encryption, activity monitoring and access controls around that target, controls that are neither governed by nor accessible to the privileged users who run your systems. The key is to make sure that even your most privileged users are removed from the target. Why? Because abusing those privileged accounts is exactly how attackers look to compromise the target. One can’t steal what one doesn’t have privilege to.
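The separation described above (tenant secrets held outside the platform in the BYOK section, and privileged operators removed from the target here), as an added illustrative model that is not Thales's or Salesforce's code: a customer-controlled store owns versioned tenant secrets, and the platform side can derive a record's data-encryption key only while the customer still holds that version, so rotation keeps old records readable and destroying a version makes them unrecoverable. The HMAC-SHA256 derivation, the AES-GCM record layout and all type names are assumptions of this model, not the products' actual mechanisms.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// CustomerKMS is the customer-controlled store (on-premises or KMaaS) owning the versioned tenant secrets; index = version-1, nil = destroyed.
type CustomerKMS struct{ secrets [][]byte }

// Rotate creates a new tenant-secret version (key creation / updating) and returns its number.
func (k *CustomerKMS) Rotate() int {
	s := make([]byte, 32)
	rand.Read(s) // crypto/rand.Read never returns an error on supported platforms
	k.secrets = append(k.secrets, s)
	return len(k.secrets)
}
func (k *CustomerKMS) Destroy(v int) { k.secrets[v-1] = nil } // key deletion: records sealed under v become unrecoverable

type Platform struct{ KMS *CustomerKMS } // SaaS side: stores ciphertext and version numbers, never the tenant secret

// aead derives the DEK as HMAC-SHA256(tenantSecret, label), an assumed KDF (not Salesforce's), wrapped in AES-256-GCM.
func (p *Platform) aead(v int) (cipher.AEAD, error) {
	if v < 1 || v > len(p.KMS.secrets) || p.KMS.secrets[v-1] == nil {
		return nil, errors.New("tenant secret version not available from customer KMS")
	}
	mac := hmac.New(sha256.New, p.KMS.secrets[v-1])
	mac.Write(append([]byte("tenant-dek-v"), byte(v)))
	block, _ := aes.NewCipher(mac.Sum(nil)) // 32-byte digest is a valid AES-256 key
	return cipher.NewGCM(block)
}

// Seal encrypts a record under version v, prepending the nonce and binding v as associated data.
func (p *Platform) Seal(v int, plaintext []byte) ([]byte, error) {
	aead, err := p.aead(v)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	return aead.Seal(nonce, nonce, plaintext, []byte{byte(v)}), nil
}

// Open decrypts a record sealed under v; it fails once the customer has destroyed that version.
func (p *Platform) Open(v int, blob []byte) ([]byte, error) {
	aead, err := p.aead(v)
	if err != nil || len(blob) < aead.NonceSize() {
		return nil, errors.New("cannot open: tenant secret unavailable or ciphertext malformed")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], []byte{byte(v)})
}
```

A database copy alone (ciphertext plus version number) yields nothing without the customer KMS releasing that version, which is the property the paragraph above argues for.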

Want to get one step ahead of your competition? Get started with the key management solution now, and you can be among the first to capitalize on the solution’s compliance and business efficiency advantages. Take control of your keys and contact us to learn more.