How to ensure that end users save records through the Cloud Data Protection server and not directly through Salesforce, where unprotected data can be saved.
Validation rules can be used in Salesforce to ensure that only protected data (tokenized or encrypted) is saved to the cloud.
Note:
The prefix and suffix of cipher text are consistent within an environment.
Other environments (e.g. Dev, UAT, Prod) could potentially have a different prefix and suffix.
Steps:
NOT( AND( LEFT( Account.Name , 1) = '갇', RIGHT( Account.Name , 1) = '각' ) )
The above example ensures that the Name field under the Account object contains protected data and will throw an exception if that is not the case.
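A validation rule is evaluated only when a record is saved, so records written before the rule was active are not covered by it. The following Python script is an added example, not part of the original article or the product: it applies the same prefix/suffix test to a CSV export and lists values that lack the markers. The function names, the environment map, the UAT placeholders and the sample rows are assumptions.

```python
import csv
import io

# Assumption: one (prefix, suffix) pair per environment. The "default" pair is
# the one used in the rule above; the "uat" pair is a labelled placeholder.
MARKERS = {
    "default": ("갇", "각"),
    "uat": ("<UAT_PREFIX>", "<UAT_SUFFIX>"),
}

def is_protected(value, env="default"):
    """Mirror the validation rule: value starts with the prefix and ends with the suffix."""
    prefix, suffix = MARKERS[env]
    # Require room for both markers so a lone marker character does not pass.
    return (len(value) >= len(prefix) + len(suffix)
            and value.startswith(prefix)
            and value.endswith(suffix))

def find_unprotected(csv_text, fields, env="default", id_field="Id"):
    """Return (record id, field) pairs whose non-blank value lacks the markers."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field in fields:
            value = (row.get(field) or "").strip()
            # Blank optional fields are skipped; there is nothing to protect.
            if value and not is_protected(value, env):
                findings.append((row[id_field], field))
    return findings

# Constructed sample export (not real data).
SAMPLE = """Id,Name,Phone
001A,갇x9Fq2각,갇77aa각
001B,Acme Corp,
001C,갇k3Lp0각,555-0100
"""

if __name__ == "__main__":
    for rec_id, field in find_unprotected(SAMPLE, ["Name", "Phone"]):
        print(f"{rec_id}: {field} is not protected")
```

Unlike this script, the formula above does not skip blank values, so applying the same rule to an optional field would also reject records where that field is empty.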