Encryption is needed to secure your data in the following two cases:
- When data is At-Rest (i.e. data that exists statically on physical media)
- When data is In-Transit or In-Motion (i.e. data that is being transferred between components, locations or programs, such as over the Internet)
In my previous post, I noted that both Dynamics CRM and Salesforce use a secure channel to protect in-transit data, and I described the at-rest encryption approaches used by Dynamics 365 and Salesforce. Based on that analysis, I will now discuss the approach and limitations of each platform and then, to summarize, compare the two approaches.
Salesforce approach, limitations and alternatives
In Salesforce, at-rest encryption is available within the platform. If you decide to go with the native Classic Encryption, you will be unable to encrypt out-of-the-box (OOB) fields or existing custom fields. You will also not be able to use encrypted fields in the following:
- Workflow Rules
- Workflow Field Updates
- Approval Process Entry Criteria
- Approval Step Criteria
These limitations do not apply to Shield Platform Encryption, but that solution is not free!
Moreover, both Classic Encryption and Shield Platform Encryption operate at the platform’s application layer. This is also called software-based encryption, and it performs worse because encrypting and decrypting data at the application level takes longer.
Dynamics 365 approach
For Dynamics 365 Online, the answer is simple and straightforward! At-rest encryption is built into Office 365/Dynamics 365, which means that encryption is enabled by default with every new Office 365 deployment/implementation!! (see Built-in Security from Office 365)
However, in Dynamics 365 On-premise, apart from some entity attributes that are encrypted by default, the platform does not support encrypting other kinds of data at the application level. In the On-premise case you will need to make sure that at-rest encryption is enabled at the hardware level.
In fact, in both the Dynamics 365 Online and On-premise cases, at-rest encryption is based on what is called hardware-based encryption. It’s important to know that this kind of encryption achieves better performance than software-based encryption. It also has the advantage of decoupling the encryption functionality from the application, and it is more flexible, since there are multiple techniques you might want to implement at the hardware level (e.g. see Azure Data Security and Encryption Best Practices).
First, I personally think that, unless your organization has additional compliance and security considerations associated with planning for a Microsoft Dynamics 365 Online or SFDC deployment, there is no real need to rely on at-rest encryption for storing your data. Cloud data is stored in data centers (e.g. Azure, AWS) that usually implement advanced data protection and security practices. Check this page for details about how Salesforce protects customer data in the cloud.
Now, for Dynamics 365, it does not really matter whether you have compliance or security considerations or not: at-rest encryption in Dynamics 365 is enabled by default, achieves high performance and is free of charge!