Who is better at protecting your cloud data: Dynamics 365 or Salesforce?

Encryption is needed to secure your data in the following two cases:

  1. When data is At-Rest (i.e. data that exists statically on physical media)
  2. When data is In-Transit or In-Motion (i.e. data that is being transferred between components, locations or programs, such as over the Internet)

In my previous post, I stated the fact that both Dynamics CRM and Salesforce use a secure channel for securing in-transit data. I also provided a description of the at-rest encryption approaches used by Dynamics 365 and Salesforce. Based on that analysis, I will discuss the approach and limitations of each platform and then, to summarize, provide a comparison of both approaches.

Salesforce approach, limitations and alternatives

In Salesforce, at-rest encryption is available within the platform. If you decide to go with the native Classic Encryption, you will be unable to encrypt out-of-the-box (OOB) fields or existing custom fields. You will also not be able to use encrypted fields in the following:

  • Search
  • Workflow Rules
  • Workflow Field Updates
  • Approval Process Entry Criteria
  • Approval Step Criteria

These limitations do not exist with the Shield Platform Encryption but this solution is not free!

Not to mention that both Classic and Shield Platform encryption occur at the platform’s application layer. This is also called software-based encryption, which achieves poor performance, as it takes longer to encrypt/decrypt data at the application level.

Dynamics 365 approach

Actually, the answer for the Dynamics 365 Online case is simple and straightforward! At-rest encryption is built in with Office 365/Dynamics 365, which means that encryption is enabled by default with every new Office 365 deployment/implementation!! (see Built-in Security from Office365)

However, in Dynamics 365 On-premise, other than some entity attributes that are encrypted by default, the platform does not support encrypting other kinds of data at the application level. In the On-premise case you will need to make sure that at-rest encryption is enabled at the hardware level.

In fact, in both the Dynamics 365 Online and On-premise cases, at-rest encryption is based on what we call hardware-based encryption. It’s important to know that this kind of encryption achieves increased performance compared to software-based encryption. It also has the advantage of decoupling the encryption functionality from the application. It is also more flexible, as there are multiple techniques that you might want to implement at the hardware level (e.g. see Azure Data Security and Encryption Best Practices).


First, I personally think that, unless your organization has additional compliance and security considerations associated with planning for a Microsoft Dynamics 365 Online or SFDC deployment, there is no real need to rely on at-rest encryption for storing your data. Cloud data is stored in data centers (e.g. Azure, AWS) that usually implement advanced data protection and security practices. Check this page for some details about how Salesforce is protecting customer data in the cloud.

Now, for the Dynamics 365 case, it does not really matter whether you have compliance or security considerations or you don’t: The at-rest encryption in Dynamics 365 is enabled by default, achieves high performance and it’s free of charge!


Encryption approach in Dynamics CRM vs Salesforce

Encryption is the process of converting information or data into a code before it’s sent or stored.  This is especially performed to secure your data and prevent unauthorized access such as:

  • A DB Administrator trying to access the stored data
  • A sniffer trying to read the data being sent over the Internet

In fact, encrypting data before it’s stored is different from sending/receiving encrypted data over the network (e.g. Internet) through a secure channel (e.g. HTTPS).

Generally speaking, encryption is needed to secure your data in the following two cases:

  1. When data is At-Rest (i.e. data that exists statically on physical media)
  2. When data is In-Transit or In-Motion (i.e. data that is being transferred between components, locations or programs, such as over the Internet)

For the in-transit case, both Dynamics 365 (Online) and SFDC enforce secure data transfer over the Internet.


Now that you know that your data is always secured (i.e. encrypted) when sent over the Internet, do you still require Dynamics 365 or SFDC to encrypt your data when they store it locally (i.e. within their data centers)?

Let’s first have an overview of each product’s approach for handling the so-called At-rest Encryption!

Dynamics 365:

For both Microsoft Dynamics 365 (online & on-premises), all new and upgraded organizations have data encryption activated. An encryption key is provided and can be easily changed by the administrator (The administrator should store this key in a safe location).

Microsoft Dynamics 365 uses standard Microsoft SQL Server cell level encryption for a set of default entity attributes that contain sensitive information (See details here), such as user names and email passwords. For more details about Encryption in Dynamics CRM you can watch this video or refer to this detailed post by my fellow CRM colleague Ben Hosking.
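To make "cell level encryption" concrete, here is an added T-SQL example (not code from Dynamics 365 or from this post) that uses SQL Server's built-in ENCRYPTBYKEY/DECRYPTBYKEY functions. The table, certificate and key names and the sample values are hypothetical, and the password is a placeholder.

```sql
-- Added example: hypothetical objects, not the Dynamics 365 schema.
-- Key hierarchy: database master key -> certificate -> symmetric key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-strong-password>';
CREATE CERTIFICATE DemoCellCert WITH SUBJECT = 'Cell-level encryption demo';
CREATE SYMMETRIC KEY DemoCellKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE DemoCellCert;

-- Only the sensitive column holds ciphertext (varbinary); other columns stay clear.
CREATE TABLE dbo.DemoMailbox (
    MailboxId   int IDENTITY PRIMARY KEY,
    UserName    nvarchar(100)  NOT NULL,
    PasswordEnc varbinary(256) NOT NULL
);

-- The key must be open in the session before encrypting or decrypting.
OPEN SYMMETRIC KEY DemoCellKey DECRYPTION BY CERTIFICATE DemoCellCert;

-- Constructed sample rows: both users share the same plaintext on purpose.
INSERT INTO dbo.DemoMailbox (UserName, PasswordEnc)
VALUES (N'alice', ENCRYPTBYKEY(KEY_GUID('DemoCellKey'), N'constructed-secret-1')),
       (N'bob',   ENCRYPTBYKEY(KEY_GUID('DemoCellKey'), N'constructed-secret-1'));

-- ENCRYPTBYKEY uses a random IV per call, so the two ciphertexts differ.
-- An equality or LIKE filter on PasswordEnc therefore cannot match plaintext.
SELECT UserName, PasswordEnc FROM dbo.DemoMailbox;

-- Decrypt while the key is open; the result is varbinary and must be converted
-- back to the original type (nvarchar here).
SELECT UserName,
       CONVERT(nvarchar(100), DECRYPTBYKEY(PasswordEnc)) AS PasswordPlain
FROM dbo.DemoMailbox;

CLOSE SYMMETRIC KEY DemoCellKey;

-- With the key closed (or for a principal who cannot open it),
-- DECRYPTBYKEY returns NULL instead of the plaintext.
SELECT UserName, DECRYPTBYKEY(PasswordEnc) AS PasswordPlain
FROM dbo.DemoMailbox;
```

Whoever holds permissions on the certificate and symmetric key can open the key and read the column, so access to those objects is what needs to be restricted and audited.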


In SFDC, fields are not encrypted by default, unlike Dynamics 365 which, out of the box (OOB), encrypts a bunch of default entity attributes. However, you have the ability to pick which fields to encrypt, with some limitations!

SFDC has two solutions for encryption: Classic Encryption and the Shield Platform Encryption. Below you can find a table that summarizes the main differences between both solutions. You can find the full list of differences here.

| Feature | Classic Encryption | Shield Platform Encryption |
|---|---|---|
| Pricing | Included in base user license | Additional fee applies |
| Native Solution (No Hardware or Software Required) | X | X |
| Encrypted Standard Fields | | X |
| Encrypted Attachments, Files, and Content | | X |
| Encrypted Custom Fields | Dedicated custom field type, limited to 175 characters | |
| Encrypt Existing Fields for Supported Custom Field Types | | X |
| Search (UI, Partial Search, Lookups, Certain SOSL Queries) | | X |
| Available in Workflow Rules and Workflow Field Updates | | X |
| Available in Approval Process Entry Criteria and Approval Step Criteria | | X |

Check the following links for further details about Encryption in SFDC: Security Guide, Shield Platform, Encryption 101.

So, from a business perspective, the main limitation of the classic solution is the inability to encrypt OOB fields or existing custom fields. You also cannot perform search on encrypted fields. These are limitations that the Shield Platform Encryption solution addresses, but at a price!

Oh well, this post is already getting too long!! I’ll stop here for now.

In my next post, and based on this preliminary analysis, I’ll provide a comparison of at-rest encryption approaches for both Dynamics CRM and SFDC. I’ll also discuss the alternatives to each approach’s limitations.

Happy CRMing!