Salesforce Dictionary - Free Salesforce Glossary
Administration (Advanced)

Salesforce Shield

Salesforce Shield is the security-and-compliance add-on bundle for Salesforce that pairs three products together: Platform Encryption, Event Monitoring, and Field Audit Trail.

§ 01

Definition

Salesforce Shield is the security-and-compliance add-on bundle for Salesforce that pairs three products: Platform Encryption, Event Monitoring, and Field Audit Trail. It is sold as an annual subscription on top of a Sales Cloud, Service Cloud, or Platform license and is the usual purchase for enterprise customers in regulated industries (healthcare, financial services, government) who need customer-controlled encryption at rest, detailed user-activity logging, and longer field-history retention than the standard product provides.

Shield mostly does not change how the application runs day to day. End users see the same UI, admins see the same Setup, integrations call the same APIs (the one visible exception is that a probabilistically encrypted field can no longer be filtered or sorted, covered below). What Shield adds happens behind the scenes: encryption keys whose lifecycle the customer controls, API calls, logins, report exports and file downloads recorded for forensic review, and field changes retained for up to ten years instead of the standard 18 months in the org (24 months through the API). Customers buy Shield when their compliance team requires controls beyond Salesforce's baseline, and they renew it as long as those controls remain a contractual or regulatory obligation.

§ 02

What each Shield product does and why customers buy them together

Platform Encryption

Standard Salesforce encrypts storage at the infrastructure layer with keys Salesforce manages, and its built-in Classic Encryption covers only a dedicated custom text field type. Platform Encryption (Shield's first component) adds field-level AES-256 encryption under a per-org tenant secret: Salesforce combines the tenant secret with its own master secret inside an HSM-backed key service to derive the data encryption key, and the customer decides when the tenant secret is generated, rotated, exported, or destroyed. Bring Your Own Key lets the customer generate the tenant secret outside Salesforce and upload it. Encrypted values stay readable to users whose field-level security allows it and stay findable through global search because the search index can be encrypted as well, but the data is unreadable on disk and in backups without the derived key. The trade-off is that a probabilistically encrypted field cannot appear in SOQL WHERE or ORDER BY clauses, list-view filters, or report filters; deterministic encryption restores exact-match filtering only. Customers can encrypt dozens of supported standard fields (Account.Name, Contact.Email, Case.Subject), custom text fields, files and attachments, and the search index. "No code changes" holds only where Apex, flows and integrations do not filter or sort on the field, so audit existing SOQL before enabling it.

Event Monitoring

Event Monitoring records platform activity as event log files: API calls, logins and logouts, report runs and exports, file downloads, page views, Apex executions, dashboard refreshes, and dozens of other event types. Each day's activity (hourly files are an option) becomes an EventLogFile record whose LogFile field is a CSV body downloaded through the REST API; Real-Time Event Monitoring (below) is the streaming counterpart. Nothing is blocked at this layer: the log is written after the action completed. Customers ship these files into Splunk, Datadog, or another SIEM and run forensic searches: who exported the customer list on Tuesday, which integration user is burning the API limit, which dashboards a suspicious account viewed at 2am. Standard Salesforce offers only Setup Audit Trail, Login History, and a small free set of login-related event types retained for one day; Shield makes the full set of event types available and retains the files for 30 days, which is why forwarding to a SIEM is part of every rollout.
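The SIEM-side work this paragraph describes, as an added example that is not code from the page or from Salesforce: parse two downloaded Shield event log files offline and run two detections over them, a guessed-credential pattern in the Login log and a burst of report exports in the ReportExport log. The two CSV fixtures are constructed for this example (column names follow the Login and ReportExport event types; the rows are invented), the user and report IDs are placeholders, and EVENT_LOG_SOQL is the query you would issue to list the files before downloading each LogFile body with a second GET, which this offline example does not perform.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# SOQL to list yesterday's Login and ReportExport log files; each record's LogFile
# field is the path of the CSV body, fetched with a second GET (not done here).
EVENT_LOG_SOQL = (
    "SELECT Id, EventType, LogDate, LogFileLength, LogFile "
    "FROM EventLogFile "
    "WHERE LogDate = YESTERDAY AND EventType IN ('Login', 'ReportExport')"
)

# Constructed fixtures in the shape of two downloaded log files. Column names
# follow the Login and ReportExport event types; the rows are invented.
LOGIN_CSV = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_NAME,SOURCE_IP,LOGIN_STATUS
Login,2024-03-05T02:01:10.000Z,alice@example.com,203.0.113.7,LOGIN_ERROR_INVALID_PASSWORD
Login,2024-03-05T02:01:25.000Z,alice@example.com,203.0.113.7,LOGIN_ERROR_INVALID_PASSWORD
Login,2024-03-05T02:01:41.000Z,alice@example.com,203.0.113.7,LOGIN_ERROR_INVALID_PASSWORD
Login,2024-03-05T02:02:03.000Z,alice@example.com,203.0.113.7,LOGIN_NO_ERROR
Login,2024-03-05T08:15:00.000Z,bob@example.com,198.51.100.4,LOGIN_ERROR_INVALID_PASSWORD
Login,2024-03-05T08:16:30.000Z,bob@example.com,198.51.100.4,LOGIN_NO_ERROR
"""

EXPORT_CSV = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,REPORT_ID
ReportExport,2024-03-05T02:05:00.000Z,005xx0000012345,203.0.113.7,00Oxx0000000001
ReportExport,2024-03-05T02:06:10.000Z,005xx0000012345,203.0.113.7,00Oxx0000000002
ReportExport,2024-03-05T02:07:30.000Z,005xx0000012345,203.0.113.7,00Oxx0000000003
ReportExport,2024-03-05T02:09:00.000Z,005xx0000012345,203.0.113.7,00Oxx0000000004
ReportExport,2024-03-05T11:00:00.000Z,005xx0000067890,198.51.100.4,00Oxx0000000001
"""


def parse_log(csv_text):
    """Parse one log file body; TIMESTAMP_DERIVED is ISO-8601 UTC with milliseconds."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["ts"] = datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return rows


def detect_password_guessing(events, min_failures=3, window=timedelta(minutes=10)):
    """Flag a successful login preceded by >= min_failures failures for the same
    user from the same IP inside `window`: guessed or stuffed credentials."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["EVENT_TYPE"] == "Login":
            by_pair[(e["USER_NAME"], e["SOURCE_IP"])].append(e)
    findings = []
    for (user, ip), evs in by_pair.items():
        for i, e in enumerate(evs):
            if e["LOGIN_STATUS"] != "LOGIN_NO_ERROR":
                continue
            failures = [f for f in evs[:i]
                        if f["LOGIN_STATUS"] != "LOGIN_NO_ERROR"
                        and e["ts"] - f["ts"] <= window]
            if len(failures) >= min_failures:
                findings.append({"user": user, "ip": ip,
                                 "failures": len(failures), "success_at": e["ts"]})
    return findings


def detect_mass_export(events, max_exports=3, window=timedelta(hours=1)):
    """Flag users whose ReportExport count exceeds max_exports in any sliding
    window. The log is written after each export, so this detects, not blocks."""
    by_user = defaultdict(list)
    for e in events:
        if e["EVENT_TYPE"] == "ReportExport":
            by_user[e["USER_ID"]].append(e["ts"])
    findings = []
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > max_exports:
                findings.append({"user": user, "exports": end - start + 1, "at": t})
                break
    return findings


if __name__ == "__main__":
    for f in detect_password_guessing(parse_log(LOGIN_CSV)):
        print("possible credential compromise:", f)
    for f in detect_mass_export(parse_log(EXPORT_CSV)):
        print("mass report export:", f)
```

On the constructed data the first detection fires for alice (three failures then a success from 203.0.113.7 inside a minute) and not for bob, and the second fires for the user who exported four reports in four minutes. The thresholds and windows are starting points to tune against your org's baseline, and because the daily log file arrives well after the events, the same logic belongs on the Real-Time event stream if you need to act within minutes.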

Field Audit Trail

Standard field history tracks up to 20 fields per object, and Salesforce guarantees retention of those changes only for 18 months in the org (24 months through the API). Field Audit Trail (Shield's third component) raises the limit to 60 tracked fields per object and lets you define a retention policy of up to 10 years per object, after which archived history lives in the FieldHistoryArchive big object. The archive is queried with SOQL (filtering on FieldHistoryType, ParentId and CreatedDate, in that order, because it is indexed as a big object) rather than through standard reports, so plan the e-discovery tooling accordingly. Customers in regulated industries (HIPAA, SOX, GxP) need this retention to satisfy audit, e-discovery, and legal-hold requirements that two-year retention does not cover.

Real-Time Event Monitoring

The later addition is Real-Time Event Monitoring, which complements the delayed daily log files with platform events published as activity happens (LoginEvent, ApiEvent, ReportEvent, ListViewEvent and others), streamed and also stored in big objects for later query. Customers subscribe through the Pub/Sub API (or CometD), route the events into Kafka or an alerting tool, and react within seconds. Paired with Enhanced Transaction Security policies, some of these events can be acted on in-line rather than only observed: block a report export above a row threshold, require MFA on a risky login, or notify on an anomalous API session. Use cases include credential-theft detection, mass-export blocking, and anomaly alerting on production traffic. Real-Time Event Monitoring is licensed separately within the Shield family for customers who need the seconds-level view rather than the daily one.

When Shield is not enough

Shield covers many compliance use cases but not all. Bring Your Own Key and the Cache-Only Key Service are features of Platform Encryption rather than additional purchases, but they shift operational burden to the customer: with BYOK you generate and wrap the tenant secret in your own HSM or cloud KMS, and with Cache-Only Keys Salesforce fetches the key from your key service on demand and never stores it at rest, so an outage of your key service makes the encrypted data unreadable until it recovers. Customers needing data residency in specific regions need Hyperforce regional deployment, which is a separate decision. Customers needing Data Loss Prevention need third-party tooling (Einstein Data Detect, also in the Shield family, classifies sensitive data but does not block its movement), because Shield is mostly a logging control: apart from what Enhanced Transaction Security policies can block in-line, it records exfiltration after the fact rather than preventing it.

Pricing model and how customers buy

Shield is priced as an org-wide add-on, commonly quoted as a percentage uplift (historically around 30 percent) on the underlying Salesforce license spend, or negotiated separately in enterprise contracts. The product is sold to security and compliance teams as much as to IT. Customers usually buy after their first internal or external audit identifies a gap (insufficient encryption, missing API monitoring, short field history). Once a customer turns Shield on, they almost never turn it off, because the compliance posture becomes the baseline and the audit framework depends on it.

Operational discipline once Shield is on

Shield generates a large volume of event data. Customers underestimate the storage and routing costs of forwarding the events to their SIEM; a busy production org can produce gigabytes of event logs per day. Customers also need a tenant-secret rotation policy for Platform Encryption, because Salesforce never rotates on its own: a new tenant secret can be generated at most once every seven days in production (once every 24 hours in a sandbox), older secrets stay active so previously encrypted data remains readable until you re-encrypt it under the current key, and destroying an old secret before that re-encryption makes the data it protected unrecoverable. They must monitor alerts on the Real-Time event stream and review Field Audit Trail retention policies as objects are added. Shield is not a buy-and-forget product; it is an operational toolkit that requires a security engineer to run.

§ 03

Turn on Shield Platform Encryption for a Salesforce field

Enable Platform Encryption on a specific field so the data is unreadable at rest without the customer-controlled tenant key, while remaining functional for users in the UI.

  1. Confirm the Shield license and permissions

    From Setup, open Company Information and confirm the Shield Platform Encryption license is present, then assign yourself the Manage Encryption Keys and Customize Application permissions. Without the license, the Platform Encryption pages do not appear in Setup.

  2. Generate a tenant secret

    From Setup, open Platform Encryption, then Key Management, and click Generate Tenant Secret. Salesforce generates the tenant secret inside its HSM-backed key service and derives the data encryption key from it together with its master secret. To supply a key you generated yourself, choose Bring Your Own Key instead: create a certificate marked for Platform Encryption under Certificate and Key Management, download it, generate a random 256-bit secret, wrap it with the certificate's public key, and upload the wrapped file.

  3. Pick a field to encrypt

    From Setup, open Platform Encryption, Encryption Policy, Encrypt Fields. The page lists the supported fields per standard object and lets you pick custom fields. Select the target field (Account.Name, Contact.Email, etc.), and before doing this in production search Apex classes, flows, list views, reports and integrations for WHERE or ORDER BY on that field.

  4. Choose the encryption scheme

    Probabilistic (the default: a fresh random IV per value, so equal plaintexts encrypt to different ciphertexts and the field cannot be filtered or sorted) or Deterministic (equal plaintexts encrypt to the same ciphertext, so exact-match SOQL, list-view and report filters work, at the cost of revealing which records share a value; offered as case-sensitive or case-insensitive). Choose deterministic only for fields that must appear in WHERE clauses or carry the unique or external ID attributes; use probabilistic for everything else.

  5. Save and wait for the background encryption

    Save the policy. New writes are encrypted immediately; Salesforce queues a background job to encrypt values already stored in the field. The job can take hours for large orgs; track it under Platform Encryption, Encryption Statistics, and run Sync Data from that page if any values remain unencrypted.

  6. Verify and document

    Open a record. The field renders normally to users with field-level access but is stored encrypted at rest; a SOQL query that filters on a probabilistically encrypted field now fails, which is the quickest check that the policy took effect. Add the field, the scheme, and the activation date to your security-control evidence file for audit.

Key options

Tenant Secret

The per-org secret that, combined with Salesforce's master secret inside an HSM, derives the data encryption key. Salesforce generates and stores it unless you use Bring Your Own Key (you generate it) or the Cache-Only Key Service (Salesforce never stores it at rest).

Bring Your Own Key

Option to generate the tenant secret outside Salesforce (on-premises HSM, AWS KMS, Azure Key Vault) and upload it wrapped with a certificate issued from the org, so Salesforce never receives the raw secret in transit.

Probabilistic vs Deterministic

Encryption scheme choice per field. Probabilistic is stronger (no two ciphertexts relate); deterministic enables exact-match filtering but lets anyone with access to the stored ciphertexts see which records share a value.

Cache-Only Key Service

Highest-control option: Salesforce fetches the key from your key service over a named credential and holds it only in an encrypted cache, never in its own storage. Your key service becomes a runtime dependency; if it is unreachable the encrypted data is unreadable until it recovers.
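The scheme choice in step 4 and the Probabilistic vs Deterministic entry above, as an added example that is not code from the page or from Salesforce: a stand-in cipher (an HMAC-SHA256 counter-mode keystream in place of Salesforce's AES-256, with a SIV-style plaintext-derived IV for the deterministic variant) run over a constructed Contact.Email column. It shows the two properties that matter when choosing: deterministic ciphertext makes an exact-match filter possible by encrypting the query value and comparing, and the same property exposes how often each value repeats to anyone holding the stored ciphertexts, while the probabilistic column yields neither. The key and the email values are invented for the example.

```python
import hashlib
import hmac
import os
from collections import Counter

# Stand-in for the data encryption key Salesforce derives from the tenant secret
# inside its HSM; here just a hash of a demo string (not a real key).
KEY = hashlib.sha256(b"demo tenant secret, not a real one").digest()


def _keystream(key, iv, length):
    """HMAC-SHA256 counter-mode keystream; a stand-in for AES-CTR, not Salesforce's cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_probabilistic(key, plaintext):
    """Fresh random IV per value: equal plaintexts give unrelated ciphertexts."""
    iv = os.urandom(16)
    return iv + _xor(plaintext, _keystream(key, iv, len(plaintext)))


def encrypt_deterministic(key, plaintext):
    """SIV-style: the IV is a MAC of the plaintext, so equal plaintexts give equal ciphertexts."""
    iv = hmac.new(key, b"siv|" + plaintext, hashlib.sha256).digest()[:16]
    return iv + _xor(plaintext, _keystream(key, iv, len(plaintext)))


def decrypt(key, ciphertext):
    """Both schemes decrypt the same way: strip the IV and regenerate the keystream."""
    iv, body = ciphertext[:16], ciphertext[16:]
    return _xor(body, _keystream(key, iv, len(body)))


def encrypt_column(key, values, deterministic):
    """Encrypt one column of constructed records, returning rows with an id and the ciphertext."""
    enc = encrypt_deterministic if deterministic else encrypt_probabilistic
    return [{"id": i, "Email": enc(key, v)} for i, v in enumerate(values)]


def exact_match_filter(key, rows, column, value):
    """What determinism buys: `WHERE column = value` becomes a ciphertext comparison.
    Against a probabilistic column this finds nothing, which is why such fields cannot be filtered."""
    token = encrypt_deterministic(key, value)
    return [r["id"] for r in rows if r[column] == token]


def ciphertext_frequencies(ciphertexts):
    """What determinism costs: repeated values are countable without the key."""
    return sorted(Counter(ciphertexts).values(), reverse=True)


# Constructed Contact.Email values with one repeated address, to make the leak visible.
SAMPLE_EMAILS = [b"alice@example.com", b"bob@example.com", b"alice@example.com",
                 b"carol@example.com", b"alice@example.com"]

if __name__ == "__main__":
    det = encrypt_column(KEY, SAMPLE_EMAILS, deterministic=True)
    prob = encrypt_column(KEY, SAMPLE_EMAILS, deterministic=False)
    print("deterministic match:", exact_match_filter(KEY, det, "Email", b"alice@example.com"))
    print("probabilistic match:", exact_match_filter(KEY, prob, "Email", b"alice@example.com"))
    print("deterministic frequency profile:", ciphertext_frequencies([r["Email"] for r in det]))
    print("probabilistic frequency profile:", ciphertext_frequencies([r["Email"] for r in prob]))
```

The frequency profile is the concrete reason to keep deterministic encryption to the fields that genuinely need filtering: for a column such as a country or status code with few distinct values, the histogram alone often identifies the plaintexts. Salesforce's case-insensitive deterministic option normalises case before matching; this toy models only the case-sensitive form.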

Gotchas
  • Encrypting a field changes what works on it: probabilistic encryption disables filtering, sorting, grouping and the unique and external ID attributes on that field, and some Einstein features that train on raw field values stop using it; deterministic encryption restores exact-match filtering only. Test in a sandbox first and search your Apex, flows and integrations for queries on the field.
  • Tenant-secret rotation needs an operational schedule. Salesforce does not rotate automatically, allows a new tenant secret at most once every seven days in production, and keeps old secrets active for data encrypted under them; long key lifetimes weaken the posture and may fail audit, and destroying an old secret before re-encrypting makes that data unrecoverable.
  • Shield Event Monitoring logs are not free to store. Routing them to Splunk or Datadog costs ingestion fees; budget the downstream cost when planning the Shield rollout.
  • Field Audit Trail extends retention going forward but cannot recover history that has already aged out of the standard retention window. Define the retention policy per object (in Setup or as a historyRetentionPolicy in the object's metadata) before the long window is needed, not when the auditor asks.

About the Author

Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals.

§

Test your knowledge

Q1. What is Salesforce Shield?

Q2. What are the three core components, and how does Real-Time Event Monitoring differ from Event Monitoring?

Q3. Who needs Shield?
