# Overview ![](/files/bV66cgZUHAhsDBXbIqYV) ## CS:Govern Overview CS:Govern adds rich transparent field encryption capabilities to the entire suite of CapStorm® products. With CS:Govern you can: 1. 1. Force fields in a CopyStorm backup to automatically be encrypted (without changing any of your current backup processes.) 2. Inherit encryption and compliance categories from Salesforce/Shield® and automatically apply the same rules in a CopyStorm backup. 3. Control CopyStorm decrypted field access based on database user/role rules you define. 4. Control encryption keys yourself or use CS:Govern’s built in support for the industry standard encryption standards (example: AES256). Why would a CopyStorm customer want to add CS:Govern capabilities? 1. 1. A customer wants a complete backup of Salesforce — including all data which is encrypted in Salesforce. 2. A customer wants to safely use their CopyStorm backup for reporting and analytics without exposing sensitive data to all database users. 3. A customer wants to adhere to all Compliance and Regulatory requirements throughout the Salesforce backup environment ## How Does CS:Govern Work? CS:Govern employs a technique called Transparent Data Encryption (TDE) to achieve a security compliant CopyStorm database. In a TDE implementation: 1. 1. An application writing to a database does not know that certain fields are being encrypted. 2. An application writes to database fields as if the fields are encrypted or unencrypted automatically. CS:Govern achieves TDE by dynamically generating and installing code into a CopyStorm database based on the security rules supplied by a customer. The only way to bypass the security code installed by CS:Govern is by explicitly deleting CS:Govern code as a database administrator (i.e. a high level, high privilege bad actor is required). In addition, CS:Govern has exactly one component that should be kept secret from normal database users — the encryption key store. Making decryption totally transparent is pretty much impossible to do unless a person writes to the database engine. What CS:Govern does is generate database access code for every table under CS:Govern management. The code determines if the current database session user has access to a field and returns its unencrypted value if access is allowed (based on CS:Govern rules) or the field’s masked value otherwise. Naturally, CapStorm’s application automatically generate database queries which include CS:Govern access code wrappers. Other applications can do the same or, for simplicity, create a database view which uses the CS:Govern wrappers. CS:Govern is, at a minimum, an intelligent dynamic SQL function and trigger generator that reacts to administrative changes to the selected fields to be Governed, the masking rules, and the associated compliance categories. ## Supported Databases CS:Govern currently supports Oracle, SQL Server and PostgreSQL. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://learn.capstorm.com/cs-govern/overview.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.