Identify different options to secure data in Marketing Cloud.
Marketing Cloud provides different features to encrypt data and resources. Data can be encrypted at the system or application layer and at the field or database level.
Marketing Cloud encryption keys can be stored with the Key Management tool. This tool lets you manage the keys used to encrypt and decrypt data, digitally sign email messages, and implement SAML single sign-on.
The following types of keys can be managed in the Key Management tool:
AMPscript provides functions to programmatically hash, encrypt, and decrypt data. Keys stored in Key Management can be used in encryption and decryption functions.
The following hashing and encryption methods can be used with AMPscript:
The EncryptSymmetric() and DecryptSymmetric() functions can be used to encrypt and decrypt data with AMPscript. Encryption keys used in those functions can either be hardcoded or retrieved from the Key Management tool using external key references.
As an example, the following AMPscript code uses keys stored in the Key Management tool to encrypt and decrypt a string.
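%%[
/* Value to protect */
SET @string = "My secret"
/* Encrypt with AES; password, salt and IV are referenced by their Key Management external keys */
SET @encryptedString = EncryptSymmetric(@string, "AES", "passwordExternalKey", @null, "saltExternalKey", @null, "IVExternalKey", @null)
/* Decrypt with the same three external keys */
SET @decryptedString = DecryptSymmetric(@encryptedString, "AES", "passwordExternalKey", @null, "saltExternalKey", @null, "IVExternalKey", @null)
]%%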
File Transfer activities can encrypt and decrypt files in Automation Studio workflows. Keys stored in the Key Management tool can be used in those encryption or decryption activities.
A single File Transfer activity can be used to encrypt a file in the Marketing Cloud account, and move the encrypted file to an external file location. Supported encryption methods are PGP or GPG.
Two File Transfer activities are needed to decrypt a file located on an external file location. The first activity decrypts the file in the Safehouse location, and the second activity copies the decrypted file from the Safehouse to the Marketing Cloud account.
The standard Sender Authentication Package (SAP) does not include SSL certificates to securely serve resources over the encrypted HTTPS protocol. However, SSL certificates can be purchased separately and installed for the SAP domain.
The following resource types can be secured with SSL certificates and HTTPS:
To secure both types of resources, two separate SSL certificates need to be purchased and installed. This is because Marketing Cloud uses an external content delivery network (CDN) for serving portfolio content.
Marketing Cloud provides different encryption methods to encrypt data at the field or database level. Depending on the method, the encryption and decryption process happens at the application or server layer.
| Transparent Data Encryption | Database | Server (SQL) |
Field-Level Encryption is an application-layer encryption method that encrypts data at field-level. It allows the Marketing Cloud application to encrypt data at rest, and decrypt data at send time.
The Field-Level Encryption method uses a symmetric key and initialization vector stored in the Key Management tool within Marketing Cloud. This allows encrypted data to be imported into Marketing Cloud.
Transparent Data Encryption is a server-layer encryption method that encrypts data at database-level. It allows the SQL server to encrypt data at rest, and exposes decrypted data to the Marketing Cloud application.
The Transparent Data Encryption method uses a symmetric or asymmetric key stored in the boot record of the SQL server. Encryption and decryption of database files is performed in real time, which allows encryption to be implemented without modifying existing application code.
Transparent Data Encryption protects against physical theft of media containing database files, but does not provide application-layer or field-level encryption. It is also not supported for data stored by the Einstein (Predictive Intelligence), Audience Builder, and Social Studio applications.
Tokenized Sending is an application-layer encryption method that uses tokens to mask data at field-level. Tokens can be resolved to actual values at send time using API calls to an external source system.
The Tokenized Sending method can be used to prevent sensitive data from being stored in Marketing Cloud. Sensitive data can be tokenized in an external source system and loaded into Marketing Cloud. Tokens are then resolved to actual values at send time. The Messaging Engine calls a Token Resolve API towards the source system to replace the tokens with actual values from the source system.
Tokens can be used in Marketing Cloud standard functionalities such as segmentation or personalization. The token resolving occurs in system memory and injects the rendered values into the Marketing Cloud mail transfer agent. Additional mail transfer agents between Marketing Cloud and the destination could log messages passing through their server. Tokenized Sending does not protect against this.
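The Tokenized Sending flow described above, sketched from the source system's side as an added example (not Salesforce code and not the actual Token Resolve API contract). `TokenVault`, the function names, the `tok_` prefix and the sample records are assumptions made for illustration; the point is that only tokens are loaded into Marketing Cloud and real values exist only in memory at send time.

```python
import secrets


class TokenVault:
    """Constructed stand-in for the external source system that owns the real values."""

    def __init__(self):
        self._by_token = {}  # token -> real value; never leaves the source system
        self._by_value = {}  # real value -> token, so a repeated value reuses its token

    def tokenize(self, value):
        # Random tokens carry no information about the value (unlike a hash of it).
        if value not in self._by_value:
            token = "tok_" + secrets.token_urlsafe(16)
            self._by_value[value] = token
            self._by_token[token] = value
        return self._by_value[value]

    def resolve(self, tokens):
        """Hypothetical token-resolve handler: returns (resolved, unresolved)."""
        resolved = {t: self._by_token[t] for t in tokens if t in self._by_token}
        unresolved = [t for t in tokens if t not in self._by_token]
        return resolved, unresolved


def build_import_rows(vault, records, sensitive_fields):
    """Rows to load into Marketing Cloud: sensitive fields replaced by tokens."""
    return [
        {k: vault.tokenize(v) if k in sensitive_fields else v for k, v in rec.items()}
        for rec in records
    ]


def render_at_send_time(vault, row, sensitive_fields):
    """Send-time step: resolve tokens in memory; refuse to send if any is unknown."""
    resolved, unresolved = vault.resolve([row[f] for f in sensitive_fields])
    if unresolved:
        raise LookupError(f"unresolved tokens: {unresolved}")
    return {k: resolved.get(v, v) if k in sensitive_fields else v for k, v in row.items()}


# Constructed sample data, not taken from the page.
RECORDS = [
    {"SubscriberKey": "001", "EmailAddress": "ana@example.com", "Segment": "gold"},
    {"SubscriberKey": "002", "EmailAddress": "ben@example.com", "Segment": "gold"},
]
SENSITIVE = {"EmailAddress"}
```

Because a repeated value maps to the same token, equality-based segmentation still works on the tokenized rows, while the rendered message leaving the send step contains the real value and is exposed to any downstream mail transfer agent that logs it.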