Skip to content

Salesforce Breach Highlights Why Encryption Gateways Are Essential

salesforce breach highlights why cloud encryption gateways are essential for security

In October 2025, Salesforce confirmed it would not pay a ransom demand following claims that nearly 1 billion customer records were stolen via third-party integration exploits and OAuth token abuse. A hacker group informed Reuters it had obtained the Salesforce records, and said they contained personally identifiable information (PII). According to reports, the group has since leaked millions of records

While Salesforce stated its internal systems weren’t breached, customer data was still exfiltrated through the SaaS ecosystem. This incident highlights a crucial truth: SaaS system encryption alone is insufficient to protect sensitive data.

This article will detail the risk of relying on SaaS-native encryption solutions to secure data and meet your compliance requirements, and propose a solution: hosting your own encryption gateway. The end goal: encryption at arms' length from your SaaS provider. 

Why Native SaaS Encryption Falls Short

The critical weakness in most SaaS-native encryption models is the lack of separation between the encryption system and the SaaS provider itself.

If the same environment that stores your data can also decrypt it (because they manage cryptographic functions), then attackers, insiders, or compromised integrations may still access the plaintext. This holds true even when HYOK, CMEK and BYOK are offered. Why? Because they often control key orchestration, encryption operations, and policy enforcement within their own infrastructure. In practice, the SaaS provider still performs the cryptographic operations and holds the ability to decrypt data during normal application use. 

Using Your Saas Providers' Encryption? What are the Risks? 

Relying on your SaaS provider’s native encryption may feel convenient, keys may be managed for you, integrations work seamlessly, and setup might feel minimal. But that convenience comes at the expense of separation and control. This can leave the organization exposed to vendor access, third-party integration exploits, and ongoing compliance risk.

The key risks include:

  • Vendor exposure: SaaS platforms can still decrypt data for application logic and integrations.

  • Integration risk: Compromised third-party applications and OAuth tokens bypass perimeter controls.

  • Compliance burden: Because data is decrypted and processed inside the SaaS provider’s environment, it can remain within regulatory scope, increasing audit complexity and shared liability.

In short, even if the SaaS provider resists ransom demands, your organization still bears the impact, from data loss and compliance failures to reputational damage and operational disruption.

The StratoKey CDP Platform Advantage: Hosting Your Own Encryption Gateway

A Cloud Data Protection (CDP) platform with a self-hosted encryption gateway, like StratoKey, changes the equation. Instead of relying on SaaS-native encryption, sensitive fields are encrypted or tokenized before they reach applications like Salesforce. The SaaS platform only ever stores ciphertext or tokens, not usable data.

Cloud Encryption Gateways enable:

  • Customer-controlled keys (BYOK/HYOK): Encryption keys are never transmitted to, or reside with the vendor, ensuring the provider has no access to plaintext.

  • Defense-in-depth: Even if Salesforce or an integration layer is breached, encryption occurs upstream in your controlled environment, ensuring attackers only obtain ciphertext while the original plaintext remains only accessible within your boundary.

  • Audit and compliance: Detailed logs and monitoring simplify reporting and investigations, helping identify unauthorized access or anomalies.

  • Regulatory scope reduction: By encrypting data to NIST standards and ensuring key separation, the application is often removed from compliance scope by meeting carve-outs, reducing audit exposure and simplifying adherence to frameworks like HIPAA, ITAR, and GDPR.
  • Reduced extortion leverage: Stolen or exfiltrated data is worthless without the keys to perform decryption.

  • Reduced extortion incentive: Encryption at the gateway renders stolen data unusable and unattractive to threat actors. Once attackers identify that only ciphertext is available, the likelihood of data exposure or ransom attempts drops significantly.

Native SaaS encryption can reduce some risk but doesn’t eliminate it. Without a clear separation of duties, where your organization controls encryption entirely outside the SaaS boundary, you remain exposed to potential data loss, compliance failures, and reputational damage in the event of a breach.

Why you Should Harden Salesforce Security with StratoKey

Attackers go where the data is. Platforms like Salesforce are high-value targets because they aggregate enormous volumes of customer records, financial details, and proprietary business information. Instead of going after one company at a time, if hackers compromise a single SaaS provider or its connected ecosystem, they instantly gain access to thousands of organizations’ sensitive data. This makes CRM platforms a constant focus for cybercriminal groups, extortion rings, and nation-state actors.

The risk is real, and it is only growing in the age of plug-ins, AI tools and increasingly creative social engineering phishing and impersonation campaigns. 

This is where “going the extra step” matters.

Traditional SaaS encryption protects data within the provider’s boundary, but it doesn’t change who ultimately has control. In a breach, the SaaS platform remains a high-value target because usable data still resides there. By contrast, hosting your own encryption gateway shifts control outward, creating an arm’s-length barrier between your sensitive data and every external system. Even if the SaaS layer is compromised, attackers only see encrypted ciphertext or tokenized values, and the decryption keys remain entirely under your authority.

This approach not only protects data, it changes the economics of attack. Encrypted data has limited ransom value, no resale market, and little leverage. By securing information at arm’s length, organizations turn a potential breach from a crisis into a contained event.

The Takeaway

The Salesforce breach is a reminder that even the most trusted SaaS platforms can’t fully protect customer data from compromise. Once data leaves your control, you also lose control over how it’s handled — including whether a third party decides to pay or resist ransom demands.

True resilience comes from encryption at arm’s length. By moving encryption and key management outside the SaaS boundary, organizations can ensure that even in a breach scenario, their data remains protected, unreadable, and worthless to attackers.

With StratoKey’s CDP Platform, organizations regain control of their data, their keys, and their compliance, no matter what happens inside the SaaS provider’s environment.

Secure Your Data Today

Don’t wait for the next breach to expose sensitive records. StratoKey’s Cloud Data Protection Platform gives you control of your encryption keys, cryptographic processes, policies, and data, keeping Salesforce and other SaaS applications secure against third-party risks.

Ready to take control of your data security?

Get in touch to learn how an encryption gateway can protect Salesforce, NetSuite, Jira, Confluence, ServiceNow, and more.