How to ensure that end-users are saving records through the Cloud Data Protection server and not directly through Sales force where unprotected data can be saved.
 

Validation rules can be used in Sales force to ensure that only protected data (tokenized or encrypted) is saved to the cloud.

Note:
The prefix and suffix of cipher text are consistent within an environment.
Other environments (eg. Dev, UAT, Prod) could potentially have a different prefix and suffix.

Steps:

1. Log into Sales force directly
2. Copy a field containing a cipher text value
3. Go to Setup
4. Under Customize, select Validation Rules for the object in question
5. Create a new validation rule for the field in question
6. Copy the first and last character of the cipher text and create a rule similar to the below example

NOT AND( LEFT( Account.Name , 1)  = '갇', RIGHT( Account.Name , 1)  = '각')

The above example ensures that the Name field under the Account object contains protected data and will throw an exception if that is not the case.