BYOK Data Security for Marketing Cloud

Released Feb 15th, 2021, Salesforce now offers an enhanced level of security for data transferred to and stored inside Marketing Cloud, called Bring Your Own Key (BYOK). a.k.a. Bring Your Own Encryption (BYOE) or Customer-supplied Encryption Key (CSEK)

While BYOK is not new to the world of data security, BYOK is brand new to Salesforce Marketing Cloud. Well, almost brand new. It has actually been in testing before early 2020 and then had an initial rollout to eight customers in August of 2020.

What is it?

BYOK is a new SKU now available to all Marketing Cloud customers using transparent data encryption and a dedicated database for your data. An admin can generate a custom RSA2048 encryption key for the dedicated database for a Marketing Cloud account. The customer becomes the owner/custodian of the key, and this key takes the place of security keys that are otherwise generated by Marketing Cloud in the background. This customer-supplied encryption key is imported, rotated, and revoked based on a customer’s specific security and business needs.

How does it work?

Using a command line interface and OpenSSL, or by using a Hardware Security Module (HSM), you start by generating a custom RSA2048 key, and then you wrap that key with Marketing Cloud’s public key. This is so you can import your key into the Marketing Cloud platform without exposing it to anyone. Upon importing your key, you can then apply that key, and your data is encrypted.

Once your data has been encrypted using BYOK, it is impossible for Salesforce, or any other party, to read or decrypt the data. The key used to encrypt the data can also be rotated based on an organization’s security policy, and an active key can also be revoked. So in the event of revoking the key for security reasons, the data is rendered completely unreadable and can only be restored using that same key.

Great! Right? Well, yes… Just don’t lose your key!

Why would you need this? 

In today’s world with increasing amounts of data and privacy laws, you can’t stop modern-day data breaches without advanced and complex encryption, and an organization is put at risk by having customer data exposed. If you have sensitive data or you are in a highly-regulated industry, then you might consider it. Typical use cases could apply to Financial Services (FINS) and sensitive financial data, Healthcare & Life Sciences (HLS) and personal health information (PHI), or even eCommerce Marketing data and personally identifiable information (PII).

What else should you consider?

Some form of key management must be put into place to ensure the key is never lost or exposed outside of an organization. A best-practice solution to BYOK key management is for the enterprise to generate strong keys in a tamper-resistant HSM and control the secure export of its keys. Additionally, Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure all offer key broker/key management services (KMS), AWS KMS, GCP KMS, and Cloud HSM services.

Again, don’t lose your key! Another best practice is for an organization to assign at least three individuals, preferably in three different geographic locations, with access to the key management system, and all three of those people should NEVER get on the same plane!

How do we know about all this?

Xede’s Digital Experience team was one of very few Salesforce System Integration (SI) Partners that brought one of the first eight customers onto a BYOK instance of Salesforce Marketing Cloud. Back in August 2020, we partnered with our Healthcare client that needed to meet very rigorous security requirements around data inside of Marketing Cloud to comply with their largest customer’s data-related mandates. The solution was to stand up a new Marketing Cloud instance with a dedicated database that utilizes BYOK. Now as end-customer PHI and PII, as well as Marketing data, are loaded into the platform, it is extremely secure inside of Marketing Cloud meeting high security requirements using BYOK and Multi-factor Authentication (MFA).

Want to chat more about this and determine if BYOK and Salesforce Marketing Cloud is right for you? Let’s have a conversation!

Check out more of our great Marketing Cloud articles and more.

• Author
• Recent Posts

Andrew Driscoll

Practice Manager, DXM COE at Xede

With 25+ years in MarTech, Andrew Driscoll has been in the Digital and Email Marketing space for over a decade with a focus of servicing clients across banking, insurance, and healthcare. His certified experience with Salesforce Marketing Cloud began on the Exact Target platform, and he is skilled across other major marketing, data, CRM, and BI platforms. He has been recognized by clients as bringing “a very special and diverse blend of digital vision, email marketing expertise, and deep technical chops to the table.”

Latest posts by Andrew Driscoll (see all)

• BYOK Data Security for Marketing Cloud - February 25, 2021
• The Value of Marketing Cloud Realized for Financial Services - August 14, 2020
• One Preference Center to Rule Them All: Xelerating SFMC - June 12, 2020