Since its launch in 1999, Salesforce.com’s cloud-based CRM, customer service, marketing and social applications have become indispensable to thousands of enterprises all over the world.
The company’s customer base hit six digits in 2011, and if your business doesn’t already number among that 100,000+, chances are good that you’re considering joining the ranks. But given the increasing complexity of data privacy and residency regulations, the decision to move your operations to the cloud isn’t always an easy one to make. What additional steps should you take to ensure your enterprise’s and customers’ cloud data privacy?
1. Understand what data you’re sending to the cloud
If you don’t know what data your business sends to the cloud, or even whether your employees use the cloud, you most likely won’t remain in compliance. The phenomenon of “shadow IT”—enterprise end users adopting cloud applications without IT’s involvement or authorization—can severely compromise cloud data privacy. End users aren’t always aware of exactly what data needs to be protected, or why. What they know is that SaaS applications like Salesforce are often easier to learn and use than their employers’ legacy CRM systems, and that, along with a pay-as-you-go model and other benefits, drives them to adopt those applications. Unfortunately, when they do so, they may put sensitive data like credit card numbers or other PII into the cloud in violation of corporate policy or industry regulation.
Mitigating this threat requires total knowledge of what your employees have sent to the Salesforce cloud. That’s why we developed our new Data Discovery & Monitoring tool. CipherCloud Data Discovery & Monitoring for Salesforce works to monitor user activity at a granular level, identify sensitive or inappropriately handled information, and detect anomalous or suspicious activity before it becomes a cloud data privacy problem.
2. Understand what data you can send to the cloud, and how you keep it private
Compliance requirements differ from country to country, region to region, and industry to industry, creating a web of regulations that no enterprise can expect every end user to understand. It’s up to your data security personnel to understand exactly what regulations apply to your business, whether they be data privacy standards like PCI-DSS or HIPAA, data disclosure laws like the UK ICO Guidance, Australia Privacy Act, EU Directive and many others, or national data traffic and residency restrictions. Are there areas where one country’s data disclosure laws violate another country’s data privacy laws? To ensure cloud data privacy for your enterprise, you must know exactly what limitations and restrictions on cloud use the relevant regulations impose.
3. Protect what you must, using the most appropriate method
Now that you know what’s going to the cloud and what laws and standards regulate that traffic, you can protect the information that needs to stay private.
Understand that cloud data privacy does not, should not, and cannot entail encrypting every single piece of information your company sends to the cloud. Regulations don’t require it. Only specific kinds of data require protection, and they may not all require the same level of protection. Within the structured and unstructured data your company sends to Salesforce, you’ll most likely find fields for credit card numbers, account numbers, customer names and addresses, and transaction information. Some of those must be encrypted or tokenized using the strongest methods available. Others might need some protection, but not at that level. Meanwhile, you’ll want to retain your data’s functionality in the cloud through a method like CipherCloud Searchable Strong Encryption.
How do you do all that? It’s easier than it sounds. CipherCloud Salesforce security offers cloud data protection at a granular level, so that you can easily choose and apply exactly the right kind of encryption or tokenization to each field of structured or unstructured data you need to protect. This way, you can ensure the best blend of cloud data privacy and Salesforce functionality for your business.