Take full control of your Salesforce Cloud data with Utimaco’s secure BYOK & HYOK key management.

The Salesforce Cloud is designed to help businesses manage customer relationships, streamline operations, and drive growth. With the integration of Utimaco’s Enterprise Secure Key Manager, customers can now add a further layer of security and control.
 

Securing Cloud-Based Platforms by Leveraging BYOK and HYOK Capabilities

Vast amounts of sensitive customer data are stored on this fully cloud-based platform. As with any other cloud-based solution, specific security requirements are crucial to effectively protect this data from misconfiguration and unauthorized access (external, or internal, known as insider threats), which might result in data breaches or data loss.


Inadequate security measures can also lead to failures in meeting data protection regulations and compliance requirements, causing legal and financial penalties.


While Salesforce offers its own native KMS, Shield Platform Encryption, customers do not have control over the keys used to protect their data. The security models Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK) are ideal mechanisms for ensuring the highest data security, strict access control and compliance fulfillment for customers.

Bring Your Own Key (BYOK)
BYOK allows organizations to generate, own, and manage their encryption keys, which are then used by Cloud Service Providers (CSPs) to encrypt and decrypt data. This provides users with greater control over their data security, as they can revoke or rotate keys at their discretion, ensuring that even the CSP cannot access their encrypted data without permission.


Hold Your Own Key (HYOK)
HYOK takes data security a step further by allowing organizations to also store their encryption keys within their own infrastructure. This means the CSP never has access to the keys, ensuring that only the customer can decrypt the data, making it especially beneficial for highly sensitive or regulated data where maximum control and security are required.


Centralized Key Management – The Technological Base for BYOK / HYOK

Integrating a secure and reliable Key Management System (KMS) adds significant advantages to the security and compliance levels of cloud-based environments.


While secure encryption utilizing high-quality keys is the basis for the security of data in any cloud environment, it is just one part of the full picture. 


Adding centralized KMS capabilities here enables central storage of, and access to, all enterprise encryption keys through one single pane of glass. This grants you full security and transparent accessibility to any key at any time throughout the entire lifecycle.
Utilizing BYOK and HYOK in a secure way introduces strict separation of encrypted data and cryptographic key material, and also demands the capabilities of a KMS.


In BYOK / HYOK use cases, a KMS enables centralized key management and storage of the encryption keys outside of the cloud environments and under the user’s sole control, limiting CSP access to keys and critical data.

 

Enterprise Secure Key Manager enabling BYOK and HYOK for Salesforce Cloud


With the integration of Enterprise Secure Key Manager (ESKM), Utimaco’s flagship KMS product, Salesforce Cloud created the foundation for secure and reliable BYOK and HYOK use cases, further enhancing security for their customers’ data.
This integration includes various customer key management models with the Salesforce Cloud, each dedicated to meeting specific needs:

  • Salesforce BYoK
    Customers can generate their own keys from an external KMS and upload them to protect sensitive data within the core Salesforce platform (Sales Cloud, Service Cloud, etc.).
  • Salesforce Market BYoK
    Similar to Salesforce BYoK but extends key control to Marketing Cloud data, including data for backup, recovery, and archiving.
  • Salesforce Cache-Only Key (e.g. Hold Your Own Key) 
    Customers generate and store key material in their ESKM, and the Cache-Only Key Service fetches the key on demand from that key service over an encrypted channel. Salesforce doesn’t retain or persist your cache-only keys in any system of record or backups. You can revoke key material at any time.

Utimaco x Salesforce Cloud Value Proposition 

The main benefits of the integration of Utimaco’s KMS with Salesforce Cloud are based on the superior key management and protection capabilities of ESKM. 

  • Separation of Keys and Data: The reliable separation between encryption keys and the data being encrypted effectively prevents all threats laid out at the beginning of this blog (from unauthorized access to data loss).
  • Full Key Control: ESKM’s central key access and management capabilities ensure full sovereignty over your keys at every stage of their lifecycle, from secure key generation through rotation to termination.
  • Compliance: By generating, managing and storing the crypto keys independently from the CSP and outside its environment, ESKM unlocks your path to compliance with various data protection requirements.

As a security technology provider, we stand behind the solutions and services that we promote and sell to our customers! Utimaco has deployed ESKM into its corporate enterprise and leverages the Salesforce Cache-only key service to maintain complete separation and control of corporate and customer data!  

 

Your Path to Strongest Data Protection in Salesforce Cloud

At Utimaco, we provide a superior KMS offering secure, centralized key management.


With Enterprise Secure Key Manager we deliver the most interoperable and integrated KMS in the market, providing a single pane of glass for all cryptographic keys and available for different FIPS-certification levels. 


Get in touch with our experts and discover how Utimaco’s KMS solutions can elevate the security of your Salesforce Cloud data.

 

About the Author

Silvia Clauss

Head of Product Marketing, Utimaco
