BYOK Data security for Marketing Cloud
Released Feb 15th, 2021, Bring Your Own Key (BYOK) is an enhanced level of security that Salesforce now offers for data transferred to and stored inside Marketing Cloud. It is also known as Bring Your Own Encryption (BYOE) or Customer-supplied Encryption Key (CSEK).

While BYOK is not new to the world of data security, it is brand new to Salesforce Marketing Cloud. Well, almost brand new: it had been in testing since before early 2020 and then had an initial rollout to eight customers in August of 2020.

What is it?

BYOK is a new SKU now available to all Marketing Cloud customers using transparent data encryption and a dedicated database for your data. An admin can generate a custom RSA2048 encryption key for the dedicated database for a Marketing Cloud account. The customer becomes the owner/custodian of the key, and this key takes the place of security keys that are otherwise generated by Marketing Cloud in the background. This customer-supplied encryption key is imported, rotated, and revoked based on a customer’s specific security and business needs.

How does it work?

Using a command line interface and OpenSSL, or by using a Hardware Security Module (HSM), you start by generating a custom RSA2048 key, and then you wrap that key with Marketing Cloud’s public key. This is so you can import your key into the Marketing Cloud platform without exposing it to anyone. Upon importing your key, you can then apply that key, and your data is encrypted.
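As an added illustration of the generate-and-wrap step (this is not Salesforce's tooling, and the exact wrapping format Marketing Cloud accepts is not covered here), the script below generates an RSA-2048 key with OpenSSL and wraps it with a provider public key using standard envelope wrapping. The provider key pair is a locally generated stand-in, which is also what makes the round-trip check possible; a real customer never holds the provider's private half.

```shell
#!/bin/sh
# Constructed example: a customer generates an RSA-2048 BYOK key and wraps it so
# that only the holder of the provider's private key can unwrap it. The provider
# key pair is a locally generated stand-in (assumption), not a Marketing Cloud key.
set -eu
WORK="${WORK:-$(mktemp -d)}"
# Stand-in provider key pair; in practice you would only receive the public half.
make_provider_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/provider.key" 2>/dev/null
    openssl pkey -in "$WORK/provider.key" -pubout -out "$WORK/provider.pub" 2>/dev/null
}

# Step 1: the customer generates the key they will own and custody.
make_customer_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/customer.key" 2>/dev/null
}

# Step 2: wrap for transport. RSA-2048 with OAEP can encrypt at most ~190 bytes,
# far less than a DER-encoded private key (~1200 bytes), so a one-time AES-256
# content key encrypts the private key and only that small key is RSA-wrapped.
wrap_customer_key() {
    openssl rand -hex 32 > "$WORK/cek.hex"
    openssl rand -hex 16 > "$WORK/iv.hex"
    openssl pkey -in "$WORK/customer.key" -outform DER -out "$WORK/customer.der" 2>/dev/null
    openssl enc -aes-256-cbc -K "$(cat "$WORK/cek.hex")" -iv "$(cat "$WORK/iv.hex")" \
        -in "$WORK/customer.der" -out "$WORK/customer.der.enc"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/provider.pub" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$WORK/cek.hex" -out "$WORK/cek.wrapped"
    # Only customer.der.enc, cek.wrapped and iv.hex are sent; plaintext copies are removed.
    rm -f "$WORK/cek.hex" "$WORK/customer.der"
}

# Provider-side unwrap, possible only with provider.key; used here to check the round trip.
unwrap_customer_key() {
    openssl pkeyutl -decrypt -inkey "$WORK/provider.key" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$WORK/cek.wrapped" -out "$WORK/cek.recovered.hex"
    openssl enc -d -aes-256-cbc -K "$(cat "$WORK/cek.recovered.hex")" -iv "$(cat "$WORK/iv.hex")" \
        -in "$WORK/customer.der.enc" -out "$WORK/customer.recovered.der"
}
# Returns 0 when the key the provider recovers is byte-for-byte the customer's key.
roundtrip_ok() {
    make_provider_keypair; make_customer_key; wrap_customer_key; unwrap_customer_key
    orig=$(openssl pkey -in "$WORK/customer.key" -outform DER 2>/dev/null | openssl dgst -sha256)
    back=$(openssl dgst -sha256 < "$WORK/customer.recovered.der")
    [ "$orig" = "$back" ]
}
```

Keep customer.key itself in an HSM or KMS rather than on disk; the wrapped files are safe to hand over, the plaintext key is what must never be lost.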

Once your data has been encrypted using BYOK, it is impossible for Salesforce, or any other party, to read or decrypt the data. The key used to encrypt the data can be rotated according to an organization’s security policy, and an active key can also be revoked. If the key is revoked for security reasons, the data is rendered completely unreadable and can only be restored with that same key.

Great! Right? Well, yes… Just don’t lose your key!

Why would you need this? 

With ever-growing volumes of data and an expanding set of privacy laws, modern-day data breaches cannot be stopped without advanced encryption, and an organization whose customer data is exposed is put at risk. If you hold sensitive data or operate in a highly regulated industry, you might consider BYOK. Typical use cases include Financial Services (FINS) and sensitive financial data, Healthcare & Life Sciences (HLS) and personal health information (PHI), or even eCommerce Marketing data and personally identifiable information (PII).

What else should you consider?

Some form of key management must be put in place to ensure the key is never lost or exposed outside of the organization. A best-practice approach to BYOK key management is for the enterprise to generate strong keys in a tamper-resistant HSM and control the secure export of those keys. Additionally, Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure all offer key broker and key management services (KMS), such as AWS KMS, GCP KMS, and Cloud HSM services.

Again, don’t lose your key! Another best practice is for an organization to assign at least three individuals, preferably in three different geographic locations, with access to the key management system, and all three of those people should NEVER get on the same plane!

How do we know about all this?

Xede’s Digital Experience team was one of very few Salesforce System Integration (SI) Partners to bring one of the first eight customers onto a BYOK instance of Salesforce Marketing Cloud. Back in August 2020, we partnered with a Healthcare client that needed to meet very rigorous security requirements for data inside Marketing Cloud in order to comply with their largest customer’s data-related mandates. The solution was to stand up a new Marketing Cloud instance with a dedicated database that uses BYOK. Now, as end-customer PHI and PII, as well as Marketing data, are loaded into the platform, that data is protected inside Marketing Cloud by BYOK and Multi-factor Authentication (MFA), meeting the client’s high security requirements.

