CRM allows you to set field security to limit permissions on individual fields in CRM. Note that for users of 2015+ you can enable field security on any field. For those with older versions (2011, 2013 etc) you can only set field security on your custom fields, the option is not available for CRM fields. Field security allows you to set, read, update, and create permissions for users on the fields. So for example if you have a numeric id for contacts that should only be set by administrators but viewable by staff, you can set an administrator field permission that allows create, update and read permissions. The staff permission could be limited to read only. The steps below show you how to enable a field for security and how to create a field security profile.
Enable the Field for Field Security
Save your update and Publish the customizations
Create a Field Security Profile
Click New and give your profile a name and save

Add Teams or Users to the Group

Test with different users to confirm the security permissions are working as expected
Potential Issues
Cobalt does have custom code on some fields that may override the standard Field Security Profile functionality.
System Administrators have full access to all secured fields and that cannot be altered. So this will only work for users who have a security role other than system administrator.
Users without the field security profile may have issues updating or creating records if information is required or included for the secured field. A permissions error will be thrown. This is something to think about when creating workflows to update secure fields, for example.