Enhance your data security with Salesforce Shield


Beth Vickers


Data is one of your organization’s most valuable assets, but without the right security it can also be its greatest vulnerability. Whether it’s customer records or financial details, sensitive data in your Salesforce org needs more than just basic protection.

Salesforce’s shared security responsibility model means that the customer shoulders a big portion of the risk: Salesforce secures the platform, but how the data in your org is configured, shared, accessed and encrypted is up to you. A data breach could have severe financial and operational consequences, making strong data protection essential, not just for maintaining customer trust but for safeguarding your organization’s reputation and stability.

This is where Salesforce Shield comes in. A suite of additional security products that boosts the standard security of Salesforce, Shield helps teams to safeguard critical information while maintaining trust with their users. But what is Salesforce Shield, and how does it help protect your orgs?

Salesforce Shield benefits

Salesforce Shield adds an extra layer of security to your org, giving you stronger security, improved visibility, and easier compliance. Here’s a closer look at some key benefits you can expect from Shield:

Real-time visibility

Data breaches aren’t something you can schedule, so your monitoring has to be in place before one happens. Shield gives you real-time insight into what’s happening in your org: who’s accessing data, from where, and when. If there’s unusual activity, you can spot it fast and take action before it turns into an incident.

Regulatory compliance

Salesforce protects its platform, but customers are responsible for securing their data. Without strong protections in place, you risk breaches with serious financial and reputational consequences. Frameworks and regulations such as SOC 2, ISO 27001, GDPR, and HIPAA apply to different industries and geographies, but all have the same underlying purpose: to protect data.

The 2024 State of Salesforce DevOps Report found that 82% of Salesforce teams are already aligned with one or more security frameworks, and over half were working toward additional compliance goals in 2024. If you have compliance requirements you need to get a handle on, Shield can help you take control of security by providing encryption, monitoring, and auditing capabilities that go beyond Salesforce’s standard security tools.


Salesforce Shield features

While Salesforce’s core platform offers a baseline set of security features, like Classic Encryption, role-based access control (RBAC), and multi-factor authentication (MFA), businesses with stricter compliance or security needs will want to consider Salesforce Shield.

Shield has four key capabilities:

1. Shield Platform Encryption

Shield Platform Encryption encrypts data at rest (stored data that isn’t actively being transmitted or processed) with AES-256 at the field level. It supports both probabilistic and deterministic encryption. The default, probabilistic encryption, applies a random initialization vector (IV) to every value, so encrypting the same data multiple times creates different ciphertexts. Deterministic encryption (available in case-sensitive and case-insensitive forms) produces the same ciphertext for the same value, which is what allows filtering and exact-match searches on an encrypted field. The trade-off is that deterministic encryption reveals which records share a value, so reserve it for fields you genuinely need to filter on.

This goes further than Classic Encryption, which has more limitations. Shield Platform Encryption lets you encrypt more types of data, like files and search indexes, keep control of your encryption keys, and meet tougher security and compliance requirements. But not every field type is supported: formula fields can’t be encrypted, and attributes such as unique or external ID constrain which encryption scheme a field can use, so check the supported-fields list before planning your policy.

Admins can also configure Shield Platform Encryption policies to define how and where encryption is applied within their orgs, keeping data secure without breaking essential functionality such as reporting and search.

Shield Platform Encryption gives you control over the entire key lifecycle, from creation to retirement. Data encryption keys aren’t designed to last forever, and creating, activating, rotating, revoking and destroying them is part of good data security. If someone gets hold of the underlying storage, your data remains unreadable without the keys. Be clear about what this does and doesn’t protect against: Shield decrypts transparently for any user who has field-level access, so encryption at rest defends against access to the storage layer, not against over-permissioned users. Permissions and sharing settings still do that job.

With Shield you can choose Salesforce-managed encryption keys or supply your own with the Bring Your Own Key (BYOK) feature for more control. With the default key derivation function (KDF), your org’s data encryption key (DEK) is derived from two inputs: a tenant secret that you control and a primary secret that Salesforce maintains, so neither party’s secret on its own yields the key. With BYOK, you generate the tenant secret in your own key management infrastructure, wrap it with a certificate from your org and upload it, keeping generation and backup of the secret in your hands.
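To make the difference between the two encryption schemes and the two-input key derivation concrete, here is an added example in Go. It is not Salesforce’s code: the HMAC-based key derivation and the field-name-derived IV are illustrative stand-ins for Shield’s real KDF and IV construction, the secrets and field names are constructed, and AES-256-CBC with PKCS#7 padding is used because it shows the IV effect plainly. What it demonstrates is the property the text describes: probabilistic ciphertexts never repeat, deterministic ciphertexts repeat per field (so an exact-match filter can run over ciphertext), and a rotated tenant secret yields a DEK that cannot read data encrypted under the old one.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
)

// DeriveDEK stands in for Shield's key derivation: the org's data encryption
// key is a function of the customer-controlled tenant secret and the
// Salesforce-held primary secret, so neither secret alone yields the key.
// HMAC-SHA256 over both inputs is an illustrative construction (assumption),
// not Salesforce's actual KDF.
func DeriveDEK(tenantSecret, primarySecret []byte) []byte {
	mac := hmac.New(sha256.New, primarySecret)
	mac.Write(tenantSecret)
	mac.Write([]byte("shield-dek-demo"))
	return mac.Sum(nil) // 32 bytes, i.e. an AES-256 key
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("bad ciphertext length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, fmt.Errorf("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, fmt.Errorf("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// encryptCBC returns iv || AES-256-CBC(key, iv, pad(plaintext)).
func encryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(append([]byte(nil), plaintext...))
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(append([]byte(nil), iv...), out...), nil
}

// Decrypt reverses encryptCBC for either scheme: the IV travels with the ciphertext.
func Decrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("bad ciphertext length")
	}
	iv, ct := data[:aes.BlockSize], data[aes.BlockSize:]
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
	return pkcs7Unpad(out)
}

// EncryptProbabilistic draws a fresh random IV per call, so two encryptions of
// the same value differ: strongest confidentiality, but no equality matching.
func EncryptProbabilistic(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	return encryptCBC(key, iv, plaintext)
}

// EncryptDeterministic derives the IV from the key and field name (assumed
// construction), so equal values in the same field produce equal ciphertexts.
// That is what lets a WHERE clause or list-view filter match the stored value;
// the price is that equality between records is visible in the ciphertext.
func EncryptDeterministic(key []byte, field string, plaintext []byte) ([]byte, error) {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte("iv:" + field))
	iv := mac.Sum(nil)[:aes.BlockSize]
	return encryptCBC(key, iv, plaintext)
}

// FindExact simulates an exact-match filter over stored ciphertexts without
// decrypting them: encrypt the probe the same way and compare bytes.
func FindExact(key []byte, field string, stored [][]byte, value []byte) ([]int, error) {
	probe, err := EncryptDeterministic(key, field, value)
	if err != nil {
		return nil, err
	}
	var hits []int
	for i, ct := range stored {
		if bytes.Equal(ct, probe) {
			hits = append(hits, i)
		}
	}
	return hits, nil
}

func main() {
	// Constructed secrets and value for the demonstration.
	dek := DeriveDEK([]byte("tenant-secret-v1"), []byte("salesforce-primary-secret"))
	ssn := []byte("123-45-6789")

	p1, _ := EncryptProbabilistic(dek, ssn)
	p2, _ := EncryptProbabilistic(dek, ssn)
	fmt.Println("probabilistic ciphertexts equal:", bytes.Equal(p1, p2)) // false

	d1, _ := EncryptDeterministic(dek, "SSN__c", ssn)
	d2, _ := EncryptDeterministic(dek, "SSN__c", ssn)
	fmt.Println("deterministic ciphertexts equal:", bytes.Equal(d1, d2)) // true
	fmt.Println("deterministic ciphertext:", hex.EncodeToString(d1))

	hits, _ := FindExact(dek, "SSN__c", [][]byte{d1, p1}, ssn)
	fmt.Println("exact-match hits:", hits) // [0]: only the deterministic copy is filterable

	// Rotating the tenant secret yields a new DEK; data encrypted under the old
	// one still needs the old key, which is why retired keys must stay recoverable.
	rotated := DeriveDEK([]byte("tenant-secret-v2"), []byte("salesforce-primary-secret"))
	pt, err := Decrypt(rotated, d1)
	fmt.Println("rotated key recovers value:", err == nil && bytes.Equal(pt, ssn)) // false
}
```

The `FindExact` call is the point to dwell on: the filter works only because the ciphertext repeats, and that same repetition is what an attacker with read access to the raw storage learns (which records share an SSN) without ever recovering a value.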

2. Event Monitoring

Shield’s Event Monitoring lets you capture what users and integrations do in your org and, with transaction security policies, respond to suspicious activity before it becomes a security incident. This matters if you’re building a robust DevSecOps process, with security embedded in every stage of development and deployment.

Salesforce provides Core Event Monitoring — basic logs of user activity and a limited audit trail — as standard. But for organizations that need to be more proactive Shield ramps this up with Real-Time Event Monitoring.

Real-Time Event Monitoring provides visibility of user activity and system events as they happen. It captures and logs event data like logins, data exports, API usage, and record access. Event log files are retained for a maximum of 30 days (Shield extends the default one-day retention), so if you rely on this data alone for security investigations or compliance, your window to catch and analyze incidents is short. Ship the logs to a SIEM or long-term store so the evidence survives past the retention window.

If you’re looking for a centralized view of security risks across your Salesforce orgs, you can also use Salesforce Security Center. This provides a dashboard with real-time insights into user permissions, security policies, and potential vulnerabilities.

Salesforce Shield’s transaction security policies let you set up automatic responses to security events. You define conditions (point-and-click, or as an Apex class for anything more involved) that fire when specific activities occur, and choose an action such as blocking the operation or requiring MFA, plus notifications, so you can react immediately to critical events like a user exporting a large volume of sensitive customer data outside business hours.
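The kind of rule described above, run over exported event data, as an added example in Go rather than anything from Salesforce or Gearset. The CSV rows are constructed and only loosely modeled on ReportExport entries in an EventLogFile; the column names, user IDs and addresses are assumptions for the example, not the real schema. Two conditions are evaluated: a single large export outside business hours, and a per-user daily total that creeps past a budget through many small exports (the case a one-shot threshold misses). The same logic is what you would express as a transaction security condition in the org, or as a correlation rule once the logs are in a SIEM.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Constructed sample rows, loosely modeled on ReportExport entries in a
// Salesforce EventLogFile. The column set is an assumption for this example,
// not the real event schema; user IDs and addresses are made up.
const sampleLog = `EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,ROWS_PROCESSED,SOURCE_IP
ReportExport,2025-03-03T10:15:00.000Z,005xx000001A,120,203.0.113.5
ReportExport,2025-03-03T23:41:00.000Z,005xx000001B,48000,198.51.100.7
ReportExport,2025-03-04T02:10:00.000Z,005xx000001B,300,198.51.100.7
ReportExport,2025-03-04T09:30:00.000Z,005xx000001C,9000,203.0.113.9
ReportExport,2025-03-04T11:05:00.000Z,005xx000001C,9500,203.0.113.9
ReportExport,2025-03-04T15:20:00.000Z,005xx000001C,9800,203.0.113.9
`

type Export struct {
	At   time.Time
	User string
	Rows int
	IP   string
}

type Alert struct {
	Rule string
	User string
	Rows int
	At   time.Time
}

// Policy mirrors the two conditions a transaction security policy or SIEM
// rule would encode: one big export outside business hours, or a user whose
// exports over a local day add up past a budget (the "low and slow" case).
type Policy struct {
	BigExport   int // rows in a single export
	OpenHour    int // business hours start (inclusive) ...
	CloseHour   int // ... and end (exclusive), in Location
	Location    *time.Location
	DailyBudget int // rows per user per local day
}

// ParseExports reads EventLogFile-style CSV, locating columns by header name
// rather than by position so a reordered export still parses.
func ParseExports(data string) ([]Export, error) {
	rows, err := csv.NewReader(strings.NewReader(data)).ReadAll()
	if err != nil {
		return nil, err
	}
	if len(rows) == 0 {
		return nil, fmt.Errorf("empty log")
	}
	col := map[string]int{}
	for i, h := range rows[0] {
		col[h] = i
	}
	for _, want := range []string{"EVENT_TYPE", "TIMESTAMP_DERIVED", "USER_ID", "ROWS_PROCESSED", "SOURCE_IP"} {
		if _, ok := col[want]; !ok {
			return nil, fmt.Errorf("missing column %s", want)
		}
	}
	var out []Export
	for _, r := range rows[1:] {
		if r[col["EVENT_TYPE"]] != "ReportExport" {
			continue
		}
		at, err := time.Parse(time.RFC3339, r[col["TIMESTAMP_DERIVED"]])
		if err != nil {
			return nil, err
		}
		n, err := strconv.Atoi(r[col["ROWS_PROCESSED"]])
		if err != nil {
			return nil, err
		}
		out = append(out, Export{At: at, User: r[col["USER_ID"]], Rows: n, IP: r[col["SOURCE_IP"]]})
	}
	return out, nil
}

// Evaluate runs the policy over events in order and returns alerts; the
// daily budget fires once, when the running total first crosses the line.
func (p Policy) Evaluate(events []Export) []Alert {
	var alerts []Alert
	daily := map[string]int{} // "user|YYYY-MM-DD" -> rows exported so far
	for _, e := range events {
		local := e.At.In(p.Location)
		h := local.Hour()
		if e.Rows >= p.BigExport && (h < p.OpenHour || h >= p.CloseHour) {
			alerts = append(alerts, Alert{Rule: "big-export-off-hours", User: e.User, Rows: e.Rows, At: e.At})
		}
		key := e.User + "|" + local.Format("2006-01-02")
		before := daily[key]
		daily[key] += e.Rows
		if before < p.DailyBudget && daily[key] >= p.DailyBudget {
			alerts = append(alerts, Alert{Rule: "daily-budget-exceeded", User: e.User, Rows: daily[key], At: e.At})
		}
	}
	return alerts
}

func main() {
	events, err := ParseExports(sampleLog)
	if err != nil {
		panic(err)
	}
	policy := Policy{BigExport: 10000, OpenHour: 8, CloseHour: 18, Location: time.UTC, DailyBudget: 25000}
	for _, a := range policy.Evaluate(events) {
		fmt.Printf("%s user=%s rows=%d at=%s\n", a.Rule, a.User, a.Rows, a.At.Format(time.RFC3339))
	}
}
```

On the sample data the 48,000-row export at 23:41 trips both rules at once, while user 005xx000001C never exports more than 9,800 rows in one go and is caught only by the running daily total. Business hours are evaluated in `Location`, which is the detail most often wrong in practice: event timestamps are UTC, and an "after hours" rule has to be checked against the user’s working timezone.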

3. Field Audit Trail

Field Audit Trail extends standard field history tracking, capturing and retaining historical changes to data on a bigger scale. Useful for regulatory compliance or internal audits, it provides an audit log of data changes that records the old and new values, who made the change, and when it happened. Field Audit Trail supports tracking for up to 60 fields per object (standard field history tracking allows 20), giving you a detailed history of changes so you can maintain data integrity.

Field Audit Trail helps with data retention too. You define a retention policy per object (the HistoryRetentionPolicy metadata component) that says when field history is archived and how long the archive is kept, up to ten years, which matters if you need historical records accessible for audits or investigations.

4. Data Detect

Data Detect (formerly Einstein Data Detect) is a managed package that scans your Salesforce org for sensitive data like personally identifiable information (PII), financial data, and other high-risk details that could put your business in breach of regulations like GDPR, CCPA, and HIPAA. Instead of trawling through records manually, Data Detect uses pattern matching to give you a clearer picture of exactly what sensitive data you’re storing and where. Without this visibility, sensitive data can end up overexposed or in fields and objects it was never meant to be in.
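To show what pattern-based discovery involves, and why a regex alone is not enough, here is an added scanner in Go. It is an illustration written for this page, not Data Detect’s algorithm or any Salesforce code; the record IDs and field contents are constructed. It looks for card numbers, US SSNs and e-mail addresses across the fields of each record, and it runs card candidates through the Luhn checksum so that a 16-digit ticket number is not reported as a card. Findings carry a masked value, so the scan report doesn’t become another copy of the data it found.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding reports one sensitive value, masked so the report itself is not a
// new copy of the data.
type Finding struct {
	Record, Field, Kind, Masked string
}

var (
	// Candidate patterns. The card pattern is deliberately loose (13 to 19
	// digits with optional spaces or dashes); luhnValid filters false positives.
	cardRe   = regexp.MustCompile(`\b(?:\d[ -]?){13,19}\b`)
	ssnRe    = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	emailRe  = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)
	nonDigit = regexp.MustCompile(`\D`)
)

// luhnValid implements the Luhn checksum that every payment card number satisfies.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i]) - '0'
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(digits) > 1 && sum%10 == 0
}

// mask keeps only the last four characters of a value.
func mask(s string) string {
	if len(s) <= 4 {
		return strings.Repeat("*", len(s))
	}
	return strings.Repeat("*", len(s)-4) + s[len(s)-4:]
}

// ScanRecord checks every field of one record and returns findings in a
// stable order: fields sorted by name; card, then SSN, then email within a field.
func ScanRecord(id string, fields map[string]string) []Finding {
	names := make([]string, 0, len(fields))
	for n := range fields {
		names = append(names, n)
	}
	sort.Strings(names)
	var out []Finding
	for _, name := range names {
		text := fields[name]
		for _, m := range cardRe.FindAllString(text, -1) {
			digits := nonDigit.ReplaceAllString(m, "")
			if len(digits) >= 13 && len(digits) <= 19 && luhnValid(digits) {
				out = append(out, Finding{id, name, "card", mask(digits)})
			}
		}
		for _, m := range ssnRe.FindAllString(text, -1) {
			out = append(out, Finding{id, name, "ssn", mask(m)})
		}
		for _, m := range emailRe.FindAllString(text, -1) {
			out = append(out, Finding{id, name, "email", mask(m)})
		}
	}
	return out
}

// ScanRecords runs ScanRecord over a batch, e.g. the rows of a SOQL query,
// in record-ID order so output is reproducible.
func ScanRecords(records map[string]map[string]string) []Finding {
	ids := make([]string, 0, len(records))
	for id := range records {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	var out []Finding
	for _, id := range ids {
		out = append(out, ScanRecord(id, records[id])...)
	}
	return out
}

func main() {
	// Constructed records; IDs and contents are made up for the example.
	records := map[string]map[string]string{
		"001A": {"Description": "Paid with 4111 1111 1111 1111, ticket 1234 5678 9012 3456"},
		"001B": {"Notes__c": "SSN 123-45-6789, contact bob@example.com", "Phone": "555-0100"},
	}
	for _, f := range ScanRecords(records) {
		fmt.Printf("%s.%s: %s %s\n", f.Record, f.Field, f.Kind, f.Masked)
	}
}
```

The interesting line is the ticket number: it matches the card pattern but fails Luhn, so it is dropped. A production scanner would add the same kind of validation for other formats (IBAN check digits, for instance), because every false positive in a sensitive-data report costs an analyst time and erodes trust in the tool.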

Does Salesforce Shield include data masking?

Shield doesn’t include data masking (also known as obfuscation), where sensitive values are replaced so that users see disguised copies. For that you’ll need a separate Salesforce feature, Data Mask, which anonymizes data in sandbox environments, or Gearset’s sandbox seeding add-on.

Salesforce Shield limitations

While Shield adds some powerful security and compliance features, it’s not without its drawbacks. Here are some of the key limitations to consider:

  • No native backup and recovery. Shield encrypts and protects your data, but it doesn’t provide built-in backup and recovery. If data is deleted or corrupted, you’ll need a separate backup solution, like the Salesforce Backup managed package or Gearset’s backup and restore solution, to recover lost records quickly and minimize disruption.

  • Not all apps are supported. Shield Platform Encryption now extends to Data Cloud, but it doesn’t cover everything. Some widely used apps — including Einstein (AI tools), Marketing Cloud, and Quip — aren’t supported, meaning data in these applications can’t be encrypted with Shield. That doesn’t mean AI-powered processes are unprotected. The Salesforce platform has security built into its AI capabilities with the Einstein Trust Layer. This framework ensures data privacy, masking, and compliance when using AI tools, even without Shield encryption.

  • Doesn’t support auditing of metadata changes. Shield tracks data changes with Field Audit Trail, but it doesn’t capture metadata changes like updates to workflows, validation rules, or custom objects. If you need to track org configuration changes, you’ll need a solution like Gearset’s automated metadata change monitoring.

  • Doesn’t offer out-of-the-box compliance. Shield provides the tools to strengthen security, but it doesn’t guarantee compliance on its own. You’ll still need to configure encryption, permissions, and audit policies correctly to meet specific regulatory requirements.

How to set up Salesforce Shield

First, make sure you have a Salesforce Shield license. Then head to Setup > Platform Encryption. Under Key Management, generate a tenant secret, or, if you want full control, upload your own with Bring Your Own Key (BYOK). Then, on the Encryption Policy page, decide what to encrypt: fields, files, or attachments. Salesforce manages the encryption keys by default. Not every field and app supports encryption, so check compatibility before switching it on, and enable it in a sandbox first. For a deeper dive into encryption setup, check out our blog post.

Next, configure Event Monitoring (Setup > Event Manager for Real-Time Event Monitoring) to track key activities like logins, data exports, and API usage. If you need a longer audit history, Field Audit Trail is enabled by the Shield license; set a HistoryRetentionPolicy on each object you need to track, specifying when history is archived and how long the archive is kept, up to ten years.

For a more detailed guide, Salesforce’s Shield Platform Encryption Implementation Guide walks you through every step.

Best practices for getting the most from Salesforce Shield

Salesforce Shield is a powerful set of tools, but just enabling it isn’t enough — you need to configure it correctly and make sure strong security is embedded across your DevSecOps process. Here are some best practices to help you maximize Shield’s value:

  1. Encrypt strategically. Encryption is crucial for protecting sensitive data, but it can also impact performance and functionality. Be deliberate about what you encrypt — focus on personally identifiable information (PII), financial records, and other critical business data. You’ll also want to test encryption policies in a sandbox before rolling them out in production to avoid breaking key functionality like search and reporting.

  2. Set up event monitoring with real-time alerting. Event logs are only as useful as the actions they trigger. Forward Shield’s event data to a Security Information and Event Management (SIEM) system such as Splunk, or to your cloud logging pipeline, to get real-time alerts and automate responses to suspicious activity like unusual data exports or login attempts from unexpected locations.

  3. Manage encryption keys properly. If you’re using Bring Your Own Key (BYOK), a solid key management strategy is essential. Without proper key rotation and backups, losing access to your encryption keys could mean losing access to your data altogether: once a tenant secret is destroyed, data encrypted under it can’t be recovered. Export and back up tenant secrets before you rotate, and make sure you have a clear process in place to keep your keys secure, rotated, and recoverable.

  4. Regularly review access and security settings. Shield strengthens your security posture, but it’s only one part of the puzzle. Regularly review user permissions and sharing settings to ensure there are no gaps. Even the strongest encryption won’t help if users have too much access to sensitive records.

How much does Salesforce Shield cost?

Salesforce Shield is an add-on to your Salesforce subscription and its pricing is tailored to each customer’s needs. Salesforce doesn’t publish fixed prices, so you’ll need to speak to their sales team to get a quote based on your org size, industry, and security requirements. You can find more details on Salesforce’s Shield pricing page.

How Salesforce Shield plays a part in DevSecOps

Security isn’t something you bolt on at the end of your development process — it needs to be part of every stage, from planning through deployment to observability. Breaches and compliance failures don’t just put data at risk; they can be costly and damaging to your business.

The 2024 State of Salesforce DevOps Report found that 38% of Salesforce teams see better security as a key driver of DevOps ROI. Stronger security means fewer incidents, reduced downtime, and less time spent fixing avoidable issues — all of which contribute to smoother, more efficient DevOps processes.

Salesforce DevOps is evolving fast, and security is becoming a bigger priority for every team. To dive deeper into how DevSecOps can strengthen your Salesforce security strategy, check out our ebook, DevSecOps for Salesforce Teams.
