
Data Encryption: Encryption Technologies For Data Protection On The Now Platform®

Uploaded by

Rocco Buroco
DATA ENCRYPTION

ENCRYPTION TECHNOLOGIES FOR DATA PROTECTION ON THE NOW PLATFORM®

Executive summary

ServiceNow® is a software as a service (SaaS) company that provides robust data security and privacy capabilities to modern enterprises, transforming those businesses to run in the cloud. In today’s environment, there is no single encryption solution that addresses all data protection needs. Instead, the approach ServiceNow has taken is to provide customers with a suite of encryption options that can be used individually or in tandem to address a variety of data confidentiality use cases.

To meet the data security needs of modern enterprises—ranging from governmental regulatory and industry compliance objectives to implementing risk mitigation controls—ServiceNow offers encryption solutions at the application tier, database tier, and hardware tier.

At the application tier, your data is encrypted within the customer instance down to the database, so even an attacker with full software access to the database can’t read your data. Column-level encryption provides data encryption in our network. With ServiceNow Edge Encryption, your data is encrypted before it even reaches your ServiceNow instance in our network—this ensures there’s literally no way anyone at ServiceNow—or an attacker—can read your data.

At the database tier, ServiceNow Database Encryption encrypts your data directly in the database accessed by your applications running on your ServiceNow instance.

At the hardware tier, our Full Disk Encryption ensures data is encrypted at rest, thereby protecting you from a theft of storage attack.

Each approach has different pros and cons in terms of implementation, benefits, and functionality. This white paper will explain these solutions and provide the information you need to choose the correct ones based on your security needs.

Edge Encryption

Edge Encryption is a ServiceNow product that allows customers to encrypt columns (i.e., application fields) and attachments with encryption keys that customers own, control, and manage within their own networks outside of their ServiceNow instances.

Edge Encryption acts as a gateway between your browser and your SaaS ServiceNow instance. Traffic from your browser passes through the gateway on its way to the ServiceNow instance. The gateway, in turn, is configured to encrypt specific fields of data as they pass through. The traffic in the other direction is decrypted through the gateway, and users see plain text based on their request.

In more detail, Edge Encryption uses a proxy application hosted within your network. It encrypts data before the data is sent over the internet to your ServiceNow instance. The data remains in an encrypted state while in flight to the customer’s ServiceNow instance, which means the data continues to be encrypted at rest in the ServiceNow datacenter. The encrypted data is sent back, in its encrypted state, to the proxy application when it’s requested by a ServiceNow user and remains in the same encrypted state while it’s being sent to that user. Finally, the Edge Encryption proxy decrypts the encrypted data before sending it to the user within your network.

You can also tokenize data to mask a subset of particular data stored within a field. The tokenization process operates much like encryption—it’s performed by a proxy application that runs within the customer’s network and not in the ServiceNow datacenter where a customer’s ServiceNow instance resides.

Key features of Edge Encryption

• Customer-owned
Customer-retained encryption key administration

• Flexibility
Flexible encryption options to balance security and user operation requirements

• Tokenization
Provides pattern-specific protection for structured data, such as credit card or Social Security numbers

• API Support
REST and SOAP APIs to support additional system integrations, web services, and customizations

• Easy administration
Easily administer and rotate encryption keys

• Native platform
Tight integration within the ServiceNow platform architecture to support ServiceNow applications and the ServiceNow portal interface

• Simple rule development
A native encryption rule development environment to provide integration support

Common use cases

• Requirements that prohibit encryption keys from being stored in a cloud service provider

• Mitigating the risk of exposing sensitive data as either the result of a direct attack or of compromised data stored in a cloud

• Customers who need to comply with governmental and industry certification requirements and regulations

• Addressing the data sovereignty requirements for data that may be stored outside of a country’s domain

Perspectives on Edge Encryption

When considering Edge Encryption, there are two important perspectives from which to evaluate it: your company’s infrastructure and the ServiceNow infrastructure.

Your company’s infrastructure

It’s imperative to examine the potential vulnerabilities of using Edge Encryption from the perspective of your company’s infrastructure. Although it’s not our purpose to provide an exhaustive list of prudent IT security practices here, the importance of protecting the user credentials used to connect to the ServiceNow instance through the Edge Encryption proxy cannot be overemphasized.

With Edge Encryption, your company’s encryption keys are applied for sessions that are connected through the Edge Encryption proxy. The proxy applies controls that secure the connections originating within the customer network. With this level of security, you can be sure your company’s data is securely encrypted and tokenized from within your own network infrastructure.

The ServiceNow infrastructure

The ServiceNow infrastructure provides additional protection when a user attempts to access sensitive data directly instead of connecting through the Edge Encryption proxy. Encrypted data that is at rest in the ServiceNow instance remains in an encrypted state and is shielded from exposure since the encryption keys do not reside on the instance. In this way, Edge Encryption provides data breach protection as well as reduces data sovereignty and compliance risks. So, if access to your company’s encrypted data were jeopardized, neither ServiceNow nor anyone else could examine the encrypted data and decrypt it without your encryption key—which is only accessible within your infrastructure.

Between the ServiceNow infrastructure and your company’s infrastructure, Edge Encryption addresses the big security issues companies face: data privacy, financial data protection, and data confidentiality. For example, a government agency that needs ServiceNow to decrypt its data may need to use Edge Encryption to keep the encryption keys to sensitive data within its own infrastructure. Figure 1 below depicts Edge Encryption in action from this perspective.

Edge Encryption in action

[FIG. 1: diagram with panels labeled CUSTOMER DATA, CUSTOMER ENVIRONMENT, DATA IN TRANSIT, and DATA IN USE AND AT REST]

The Edge Encryption process
Figure 2 below shows the Edge Encryption process using a Social Security number field (SSN) that is configured
with Edge Encryption within the ServiceNow customer instance. Whenever a ServiceNow user connected
through the Edge Encryption proxy on your network enters or reads SSN data, the user sees the SSN in plain
text because all encryption and decryption operations are processed by the Edge Encryption proxy. Upon
closer examination, when the SSN field data is submitted to the ServiceNow instance, it is encrypted using an
encryption key that resides on your premises.

[FIG. 2: diagram labeled CUSTOMER PREMISES, Edge Encryption proxy, and Target table; the SSN field is shown as [...]000-00-0000[...] before the proxy and as [...]QUVTXE2X2J[...] after the proxy and in the target table, next to "Field 2: Plain text"]

As you can see on the left side of Figure 2, the data in the SSN field is converted from plain text to ciphertext. The data in the SSN field remains as ciphertext between the ServiceNow instance and where it is stored. When the user retrieves the SSN field, the data in the SSN field is processed through the Edge Encryption proxy using the same encryption key, then decrypted from ciphertext to plain text. Once the encryption is applied to the SSN field, ServiceNow can no longer see the SSN value as plain text, only its encrypted ciphertext. Because the encryption occurred prior to being entered into the ServiceNow instance, the instance only has a history of “000-00-0000” as “QUVTXzE2X2J.” The ServiceNow instance has no ability to decrypt this data because it has never had access to the required encryption keys.

Figures 3 and 4 show the user experience perspective when a field is encrypted with Edge Encryption. In
this example, the short description field in the incident table was configured for encryption. When users are
connected through the Edge Encryption proxy, they can see the content in plain text (Figure 3). However, if a
user were to bypass the Edge Encryption proxy and access the same field directly, the short description would be
presented as ciphertext (Figure 4). Even if the user bypassing the Edge Encryption proxy wanted to submit data in
the short description field, the update would be rejected.

FIG. 3

FIG. 4

Types of encryption
Edge Encryption provides three options that support the Advanced Encryption Standard (AES) for key lengths
of 128 and 256 bits you can apply to data fields within an instance: standard, equality-preserving, and order-
preserving encryption. All three use the customer-provided encryption key that resides on your premises, outside
of the instance, and each includes its own capabilities and considerations.

Standard encryption is the strongest of these encryption options as it produces random ciphertext for the value entered into a field. The tradeoff is that you’ll have a reduced ability to run any level of logic against the encrypted field. Another important consideration is that you can only encrypt attachments to records using the standard encryption option.

The equality-preserving and order-preserving encryption options support logical operations and functionality on encrypted fields, but identical plain text values always produce the same ciphertext value. Because of this, these two options provide less security than standard encryption.

Equality-preserving encryption supports comparison operations, such as filtering, matching, and grouping. Order-preserving encryption does what equality-preserving encryption does but also supports sorting and less than/greater than operations. For a side-by-side comparison of these encryption options, see Appendix A.
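
The tradeoff between standard and equality-preserving encryption described above can be seen from the instance's side of the proxy. The following is an added example, not ServiceNow code: the function names and sample categories are constructed, and an HMAC-SHA256 keystream stands in for AES so it runs on the standard library alone. Order-preserving encryption is not covered.

```python
# Added illustration (not ServiceNow code): standard vs. equality-preserving
# field encryption done by a proxy that holds the key, and what the instance,
# which never holds the key, can compute or observe in each case.
# The cipher is an HMAC-SHA256 keystream used as a stand-in for AES; it is an
# assumption of this example and must not be used to protect real data.
import base64
import hashlib
import hmac
import secrets
from collections import Counter


def derive_subkeys(master_key):
    """Split the customer key into a keystream key and a nonce-derivation key."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    det_key = hmac.new(master_key, b"det", hashlib.sha256).digest()
    return enc_key, det_key


def keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode, truncated to the requested length."""
    blocks = [
        hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        for counter in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def seal(enc_key, nonce, plaintext):
    data = plaintext.encode("utf-8")
    body = bytes(a ^ b for a, b in zip(data, keystream(enc_key, nonce, len(data))))
    return base64.urlsafe_b64encode(nonce + body).decode("ascii")


def encrypt_standard(master_key, plaintext):
    """Fresh random nonce per call: equal inputs give unrelated ciphertexts."""
    enc_key, _ = derive_subkeys(master_key)
    return seal(enc_key, secrets.token_bytes(16), plaintext)


def encrypt_equality(master_key, plaintext):
    """Nonce derived from the plaintext: equal inputs give equal ciphertexts."""
    enc_key, det_key = derive_subkeys(master_key)
    nonce = hmac.new(det_key, plaintext.encode("utf-8"), hashlib.sha256).digest()[:16]
    return seal(enc_key, nonce, plaintext)


def decrypt(master_key, ciphertext):
    enc_key, _ = derive_subkeys(master_key)
    raw = base64.urlsafe_b64decode(ciphertext)
    nonce, body = raw[:16], raw[16:]
    data = bytes(a ^ b for a, b in zip(body, keystream(enc_key, nonce, len(body))))
    return data.decode("utf-8")


def instance_filter_equal(stored_column, ciphertext_term):
    """All the instance can do without a key: compare ciphertext strings."""
    return [row for row, value in enumerate(stored_column) if value == ciphertext_term]


def instance_group_sizes(stored_column):
    """Group-by on ciphertext; also the histogram anyone reading the table sees."""
    return sorted(Counter(stored_column).values(), reverse=True)


def demo():
    key = secrets.token_bytes(32)  # constructed key, held only by the proxy
    categories = ["network", "database", "network", "network", "hardware"]  # constructed
    standard_col = [encrypt_standard(key, c) for c in categories]
    equality_col = [encrypt_equality(key, c) for c in categories]
    roundtrip = ([decrypt(key, c) for c in standard_col] == categories
                 and [decrypt(key, c) for c in equality_col] == categories)
    return {
        # Standard: every row is its own group, and an exact-match filter finds nothing.
        "standard_groups": instance_group_sizes(standard_col),
        "standard_hits": instance_filter_equal(standard_col, encrypt_standard(key, "network")),
        # Equality-preserving: grouping and filtering work, and frequencies leak.
        "equality_groups": instance_group_sizes(equality_col),
        "equality_hits": instance_filter_equal(equality_col, encrypt_equality(key, "network")),
        "roundtrip": roundtrip,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The group sizes returned for the equality-preserving column are visible to anyone who can read the stored table, which is the reduction in security the text refers to.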

Tokenization
Another layer of data protection that Edge Encryption provides is tokenization. During this process, Edge
Encryption uses a randomly generated token to mask a particular predefined pattern of characters within a data
field when the pattern is matched. The pattern itself is defined as a regular expression, and length-preserving
random tokens are used to replace the tokenized value.

The token applied to the data contained in a field is stored on your premises in the same MySQL database your company uses for order-preserving encryption—never on ServiceNow instances. When tokenized data is stored on the instance, it will not appear in plain text while it’s in transit or at rest on ServiceNow instances.
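
The tokenization flow described above, as an added example that is not ServiceNow code. The two regular expressions, the in-memory dictionary standing in for the on-premises MySQL database, the reuse of one token per value, and the sample note are assumptions made for this illustration.

```python
# Added illustration (not ServiceNow code): regex-driven, length-preserving
# tokenization performed at a proxy, with the token map kept on premises.
import re
import secrets
import string

# Assumed patterns for the two data types the page names.
PATTERNS = re.compile(
    r"\b\d{3}-\d{2}-\d{4}\b"          # US Social Security number
    r"|\b\d{4}(?:[ -]?\d{4}){3}\b"    # 16-digit payment card number
)


class TokenVault:
    """Value <-> token map. A dict here; the page keeps it in MySQL on premises."""

    def __init__(self):
        self.token_by_value = {}
        self.value_by_token = {}

    def random_like(self, value):
        """Random string with the same length and layout as the value."""
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isalpha():
                out.append(secrets.choice(string.ascii_letters))
            else:
                out.append(ch)  # keep separators so length and shape are preserved
        return "".join(out)

    def token_for(self, value):
        # Assumption of this example: one stable token per value, so an
        # exact-match search on the tokenized term still finds the record.
        if value in self.token_by_value:
            return self.token_by_value[value]
        while True:
            token = self.random_like(value)
            # Reject a token that equals its value or collides with a known entry.
            if (token != value and token not in self.value_by_token
                    and token not in self.token_by_value):
                break
        self.token_by_value[value] = token
        self.value_by_token[token] = value
        return token

    def value_for(self, token):
        # Text that matches a pattern but was never issued as a token is left as-is.
        return self.value_by_token.get(token, token)


def tokenize(text, vault):
    """Proxy, outbound: replace each pattern match before text leaves the network."""
    return PATTERNS.sub(lambda m: vault.token_for(m.group(0)), text)


def detokenize(text, vault):
    """Proxy, inbound: restore original values for users connected via the proxy."""
    return PATTERNS.sub(lambda m: vault.value_for(m.group(0)), text)


def demo():
    vault = TokenVault()
    # Constructed short description; the SSN is the page's sample value and the
    # card number is a constructed test value.
    note = "Caller gave SSN 000-00-0000 and card 4111 1111 1111 1111"
    stored = tokenize(note, vault)        # what the instance receives and stores
    restored = detokenize(stored, vault)  # what a proxy-connected user sees
    return note, stored, restored, vault


if __name__ == "__main__":
    note, stored, restored, _ = demo()
    print("entered :", note)
    print("stored  :", stored)
    print("restored:", restored)
```

A user who reaches the instance without the proxy sees only the `stored` form, because the vault never leaves the customer network.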

Benefits of tokenization
Another benefit of tokenization is that it prevents your users from intentionally or unintentionally commingling sensitive data, such as Social Security numbers, within a ServiceNow instance. In addition, tokenization is an alternative option to apply where the field type is not supported by available encryption options.

The examples in Figures 5 and 6 illustrate tokenization from the user experience perspective. In this example, the patterns for a credit card and Social Security number were configured for tokenization. When the user connects through the Edge Encryption proxy, the content for those two values is displayed in plain text (Figure 5) but is actually tokenized in the instance. If the user were to bypass the Edge Encryption proxy and access the same incidents directly, the corresponding values within the short description field would be represented as a token (Figure 6).

FIG. 5

FIG. 6

Implementation considerations
While encrypting specific fields or tokenizing embedded strings of data is beneficial from a data security perspective, having ciphertext in place of actual data can lead to potential functional or operational challenges within the ServiceNow application. To avoid running into these challenges, follow the implementation considerations and suggested capability and configuration approaches provided in detail in Appendix B.

While the following list of known limitations is not intended to be exhaustive, we encourage you to do due diligence with respect to your own security and business requirements and corresponding impact when encrypting data.

Limitations
• Only string, journal, journal input, date, date/time, and URL fields as well as file attachments can be encrypted.

• Encryption occurs on a per-field basis only, and not as a group of fields within a record.

• Items that cannot be encrypted:

- System tables, system fields in tables, choice fields, and virtual fields
- Fields named “number” and fields associated with an automatic numbering scheme

• Encrypted data cannot be processed by back-end logic. If the database contains encrypted data, any business rule, back-end script, or back-end feature that relies on evaluating the data in the encrypted field will not run correctly.

• Encrypted fields cannot be changed by scripts run on the server.

• Encrypted data cannot be copied to a record where the field is not encrypted.

• Only Java KeyStore, SafeNet KeySecure, Unbound, and file store encryption key management are supported.

• An Edge Encryption proxy or defined group of Edge Encryption proxies may only support a single instance.

Column-level encryption

The ServiceNow subscription service includes a feature that allows users to encrypt columns (i.e., application fields) and attachments on their ServiceNow instances. With column-level encryption, the encryption key is stored and maintained within the ServiceNow instance.

These are the main features of column-level encryption:

• Supported field types (e.g., string, date, date/time, and URL) and file attachments can be encrypted using column-level encryption.

• It uses AES-128 or AES-256 encryption keys.

• You may supply your own column encryption keys, or the ServiceNow application will generate a random key.

• Access to encrypted data is based on the role assigned to the user.

Common use cases

• Mitigating the risk of exposing sensitive data as either the result of a direct attack or of compromised data stored in a cloud

• Enabling customers to comply with governmental and industry certification requirements and regulations

• Limiting user access to sensitive data based on defined roles

Column-level encryption uses standard symmetric algorithms that encrypt columns, as well as any attachments within a ServiceNow application instance.

Encryption contexts
Column-level encryption introduces the concept of encryption contexts. An encryption context defines the key used by the encryption algorithm to encrypt the data in a field. You can use an encryption context to encrypt one or more fields and to encrypt attachments. You can also create more than one encryption context in a single ServiceNow instance, each of which may have a separate key.

Role-based encryption
Role-based encryption is a key benefit of column-level encryption. Figure 7 illustrates how role-based encryption is enabled.

FIG. 7

Here are the results of these relationships:

• User 1 is a member of Role 1, which provides access to Encryption Context 1; this allows User 1 to see the contents of Field A and Field B.

• User 2 and User 3 are members of Group 1; Group 1 is a member of Role 1, which allows everyone in Group 1 access to Encryption Context 1 and allows User 2 and User 3 to see the contents of Field A and Field B.

• User 4 is not a member of any group or role and has no access to Encryption Context 1; not only does User 4 not have access to Field A or Field B, but User 4 will not even see that these fields exist.

The first example shows a simple configuration, but your use of the capability can be considerably more complex. Figure 8 shows multiple roles and multiple encryption contexts.

FIG. 8

Here are the results of these relationships:

• User 1, User 2, and User 3 have access to Field A and Field B via Encryption Context 1.

• User 4 is a member of Role 1 and Role 2 and has access to all fields and to both encryption contexts.

• User 5 has access to Field C and Field D via Role 2.

Usage and restrictions
When you want to process sensitive data sets in the ServiceNow environment, you can use column-level encryption. The data is only decrypted when it’s viewed by a user with a role that is assigned the encryption context. This encryption is maintained throughout the backup process.

With column-level encryption, you can also apply the same encryption to attachments uploaded by users that you can apply to individual fields.

Controlling access to sensitive data often means limiting access either to a select group of users or granting it on an as-needed basis. Using role-based access control in conjunction with the column-level encryption feature ensures access to specific fields or attachments is only granted to the users who are assigned the appropriate roles.

Currently, ServiceNow does not support indexing or scheduled reporting for data that is encrypted using column-level encryption. This is due to the nature of the data and ACL restrictions in the encrypted context; system accounts do not have access to encryption contexts.

Edge Encryption versus column-level encryption
This section serves as a guide to help you determine when to opt for column-level or Edge Encryption. At a high level, when enterprises want maximum control over the encryption of their data, Edge Encryption is the choice over column-level encryption. This is because the customer owns and controls the encryption key outside of the ServiceNow instance. However, depending on your requirements, using Edge Encryption may leave you with reduced functionality.

For example, column-level encryption can decrypt an encrypted column used in a server-side business rule when that rule is executed by a logged-in, interactive end user assigned the appropriate encryption context. However, Edge Encryption would not have this capability since the data needs to be decrypted on the instance to run the business rule. Table 1 shows a side-by-side comparison of the differences between Edge Encryption and column-level encryption functionality.

Functionality | Edge Encryption | Column-level Encryption
Encryption key controlled and owned by customer | YES | NO (1)
Multiple levels of functional encryption for equality, filtering, grouping, and sorting operations | YES | NO (2)
Data tokenization based on defined encryption pattern | YES | NO
Built-in encryption key rotation | YES | NO
Encryption of standard out-of-the-box fields | YES | YES
REST/SOAP API encryption support | YES | NO
Built-in mass encryption/decryption support | YES | YES (3)
Automatic attachment encryption | YES | NO (4)
Customer maintains additional infrastructure in their network to control encryption keys and encryption processing | YES | NO
Decryption by server-side business rules | NO | YES (5)
Encryption/decryption based on user roles | NO | YES

Table 1: Edge Encryption versus column-level encryption
(1) Customer can define the encryption key
(2) Column-level encryption supports only equality filtering
(3) Where a single encryption context is used, mass encryption/mass decryption is supported for column-level encryption
(4) Manual process per record attachment for column-level encryption
(5) Supported only when business rules are executed by a logged-in, interactive end user assigned the appropriate encryption context

Database Encryption
Database Encryption encrypts all customer data at rest in the database with no impact to functionality. It utilizes the native capabilities of the database engine to encrypt data as it is written to the database and decrypt as it is read from the database using industry standard AES encryption. This technology, often called Tablespace Encryption or Transparent Data Encryption, is fully transparent to the customer and to the application. ServiceNow applications as well as custom applications can operate seamlessly without any changes necessary because the application always has access to the data it needs in the clear. When using Database Encryption all data is encrypted, including attachments, logs, and backups.

[Diagram labels: Application, Encryption, Decryption, Database]

Keys are managed by ServiceNow using a three-level key hierarchy:

• 1st level: An AES-256 key is used to encrypt the data.

• 2nd level: An AES-256 key is used to protect the AES-256 key.

• 3rd level: An additional AES-256 key, used to protect the 2nd level key, is created by and stored within our FIPS 140-2 compliant key management appliances in the ServiceNow Datacenters.

Common use cases
Encrypting all data at rest is a useful approach that provides a layer of security in cases where a large portion of the data in your environment is considered sensitive or when data may be considered sensitive in the future, such as due to regulations or changes in your business environment. Database Encryption is also useful in cases where it is critical to not impact functionality and application tier encryption is not necessary.

Database Encryption can be coupled with application tier encryption for a layered security approach. Highly sensitive fields that need to be encrypted at the application tier can be secured with Edge Encryption or column-level encryption. Layering encryption allows all data to be protected when not in use and highly sensitive fields, such as PII and PHI, to be protected from additional attack vectors.

Full Disk Encryption

Full disk encryption is provided via self-encrypting hard drives with AES-256 bit encryption. This delivers “at-rest” protection only and is focused on preventing data exposure through the loss or theft of hard disks holding customer data. It does not provide application tier protection for data in transit or against unauthorized access while the drive is operational. The key features of full disk encryption are:

• Encryption of the entire disk, which can only be decrypted by the operating system

• Does not impact the performance or functionality of the application

Common Use Cases
• Mitigate risk of sensitive data being exposed as a result of the physical theft of a disk drive used in a cloud instance

Usage and restrictions

Full-disk encryption is a high-speed encryption method integrated into ServiceNow’s Advanced High Availability (AHA) Architecture that provides encryption of customer data at rest. Full-disk encryption decrypts the data when actively being used or accessed by the server’s operating system. The hard drive models used by ServiceNow comply with the TCG Enterprise specifications and are secured using a passphrase generated from a key stored in our SafeNet key management appliance.

Full Disk Encryption can be coupled with both application tier encryption and database tier encryption for a layered security approach. Highly sensitive fields that need to be encrypted at the application tier can be secured with Edge Encryption or column-level encryption. Layering encryption allows all data to be protected when not in use and highly sensitive fields, such as PII and PHI, to be protected from additional attack vectors.

Summary
The use of data encryption solutions is an impactful decision and must be methodically thought through. With application tier encryption, selectively choosing which columns to encrypt and how to encrypt those can mitigate some of the issues discussed, but for others there may not be a mitigation strategy. Column-level encryption provides a user role-based approach to protecting data whereas with Edge Encryption data is also encrypted in transit and in use by applications running on the Now Platform. Database Encryption solves a different need at the database tier, making it possible to decrypt only the data required while leaving the remainder of your data not in use in an encrypted state. Full Disk Encryption solves the need to protect against physical theft of the hard drive, maintaining the data in a decrypted state while the hard drive is operational.

Appendix C provides a comparison of the ServiceNow data encryption solutions covered in this white paper. Collectively, these data encryption capabilities provide flexible and scalable security controls for protecting sensitive data running on ServiceNow solutions.

APPENDIX A:
Edge Encryption options

Operations | Standard (AES-128 or AES-256) | Equality-preserving (AES-128 or AES-256) | Order-preserving* (AES-128 or AES-256)
Group by | | X | X
Is empty | | X | X
Is not empty | | X | X
Equal | | X | X
Not equal (excludes empty fields) | | X | X
Is not | | X | X
Sort by | | | X
Is greater than | | | X
Is greater than or equal | | | X
Is less than | | | X
Is less than or equal | | | X
Contains | | |
Starts with | | |
Ends with | | |
Operators that imply the right side of the clause is a field | | |
Text search | | |

*MySQL is required for order-preserving encryption.

APPENDIX B:
Functionality and encryption implications for Edge Encryption

Functionality Implications Mitigation


Review the columns you need to include in
Reporting operates on column data values. Because the
the report that may benefit from equality-
ServiceNow application must use the column’s values to
Edge Encryption preserving or order-preserving encryption,
generate reports, there is the potential a report will not
and use those supported functions where
Reporting generate correctly because it does not have access
necessary. Do not export reports that contain
to the clear text. This is only an issue if the report being
encrypted columns since the report is
generated uses columns that have been encrypted
generated on your instance without access
using Edge Encryption.
to the encryption key.
Review the columns included in business rules
Column-level encryption that may benefit from equality-preserving or
ServiceNow runs all business logic on the back end, so
Business rules and order-preserving encryption, and use those
any business rule that needs to read from or write to an
logic supported functions where necessary. If this
encrypted column may have trouble executing the rule.
is not possible, do not use the encrypted
columns.
Encryption algorithms often create ciphertext that is
Edge Encryption versus longer than the plain text. For example, the name “King
Column-level encryption George III,” which is 15 bytes long, might be encrypted to Examine each column you plan to encrypt
Encrypted text “#j&_xz|[~`K@6_69FExñ$$4n\{2*)c,” which is 30 bytes (either programmatically or by hand) and
exceeding table long. If the column in the ServiceNow instance is limited widen them to ensure each can store the
column widths to 20 characters, the full length of encrypted text will not longest possible encrypted value for that
be stored, causing it to become invalid and incapable of column.
decryption.

Database Encryption
Functionality: Workflows
Implications: Similar to business rules, workflows often operate from a column’s value. A workflow that depends on the ability to examine plain text in a table column will fail to function because it only has access to encrypted versions of the text.
Mitigation: Review the columns from your workflows that may benefit from equality-preserving or order-preserving encryption, and use those supported functions where necessary. If this is not possible, do not use the encrypted columns.

Functionality: Searching
Implications: ServiceNow executes all searches on the back-end database, which means all searches use the data within the columns. If the search is being executed against columns with ciphertext values rather than plain text values, a user may not receive the desired results. However, searches for exact matches will still work because the search term will be converted into ciphertext by Edge Encryption. This enables the back-end search function within ServiceNow to effectively search for the desired term. “Contains” searches on free-form text fields are the most difficult to implement because the search text cannot be found in the body of the encrypted text.
Mitigation: Tokenization can make “contains” searches possible. For example, a word or character string can be tokenized individually so the encrypted search text finds a matching tokenized word in the body of the field. Equality-preserving and order-preserving encryption provide a technique that partially addresses the “contains” search with strong encryption.


Functionality: Sorting
Implications: ServiceNow does all sorting on the back-end server. As an application, ServiceNow deals with large data sets and generally returns the Top N to the user based on some form of sorting. Because the application always sorts on the back end, and the application always sorts on the ciphertext values, when a user initiates the sorting of encrypted data, the results may appear incorrectly.
Mitigation: Apply order-preserving encryption to implement a technique that addresses this issue (while maintaining strong encryption) using a stored subset of plain text table data as a token to prepend to the ciphertext for sorting purposes before it is sent to the instance.

Functionality: Bulk import/export
Implications: ServiceNow does all export and import activities on the back-end servers. As such, any exported data—Excel, XML, CSV, PDF, or other—exports the ciphertext values of any encrypted columns. Likewise, because these data formats are not supported, any attempt to import data into an encrypted column will result in unencrypted values being written into the column, unless the process that is sending data to the instance is configured to proxy communications through the Edge Encryption proxy.
Mitigation: Some vendor solutions are capable of intercepting exported data files, such as XML or CSV, and decrypting them prior to being delivered to the user. Check with your vendors to ensure they can encrypt and decrypt the file types you need. If they can, a web service integration is necessary.

Functionality: Mobile access
Implications: To see any data that has been encrypted using Edge Encryption, a mobile browser must access the ServiceNow instance through the Edge Encryption proxy. Actions allowed via mobile devices need the ability to see the clear text data in order for the ServiceNow application to function correctly. This includes workflow approvals via mobile devices and other actions available to the user through the mobile interface.
Mitigation: Ensure that mobile access to the ServiceNow instance goes through the company’s network so all access is granted via the Edge Encryption proxy. Be selective about which columns you encrypt. Modify any workflows that use encrypted columns if the workflow is visible or accessible using mobile devices.

Functionality: Inbound/outbound email and SMS notifications
Implications: When ServiceNow triggers a notification, it could send an email or SMS that contains a mixture of hard-coded plain text and encrypted field text. For example, an email template that looks like this: “Dear ${name}, we have changed your shirt size from ${old_size} to ${new_size}.” will be rendered with field substitutions, so it looks like this if the corresponding columns are encrypted: “Dear Bob Baker, we have changed your shirt size from 6^SD[&%T to H7asdh78.”
Mitigation: Edge Encryption does not support inbound or outbound email. Taking this into account, be selective about which columns you encrypt. Modify any SMS text message that uses encrypted columns and remove them from the message. Provide a URL in the message that leads to a ServiceNow page that shows the contents of the message—this way, the Edge Encryption proxy can decrypt the text.


Functionality: Reference fields
Implications: Reference fields are not supported by Edge Encryption because the sysid that is being used to make the link between your form and the actual field needs to be in the clear.
Mitigation: Use a secondary field, encrypt it, and hide the reference from the form. The actual source field must be a string type and will need to be configured to be encrypted with one of the three available encryption types.

Functionality: Web service integrations
Implications: ServiceNow can integrate with outside data sources using industry-standard web service protocols like REST and SOAP. A third-party integration, which is usually software running on a computer inside your network, can retrieve and insert data into ServiceNow automatically, but if that data is not properly encrypted, plain text can be inserted into columns that are expected to be encrypted. As a result, the Edge Encryption proxy attempts to decrypt text that was not encrypted in the first place. This leads to data inconsistencies within the ServiceNow instance and could impact what the user sees.
Mitigation: Configure all automated processes to send or receive data from the ServiceNow instance using encryption rules so the Edge Encryption proxy can identify the columns in the payload with the encrypted instances.

Functionality: Legacy data
Implications: ServiceNow customers may have amassed large amounts of data within their ServiceNow instances within various columns. The amount of data these customers need to encrypt could contain millions of records. Because encryption keys and algorithms cannot be held within ServiceNow, encrypting large amounts of data using Edge Encryption can take a long time.
Mitigation: You can run a mass encryption job on a per-column and attachment basis. Plan when you want to run this type of operation carefully so you can accommodate the volume of columns and attachments you plan to encrypt.
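
The Searching entry of Appendix B, as an added example that is not part of the ServiceNow white paper or its product code: it shows why an exact-match search still works on an equality-preserving column, why a "contains" search does not, and how per-word tokenization changes that. HMAC-SHA256 stands in for the equality-preserving cipher, and the key, sample rows and function names are constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed demo key. In the page's model the key stays with the proxy in the
# customer network; the instance never sees it.
PROXY_KEY = b"constructed-demo-key"

def eq_token(text: str) -> str:
    """Equality-preserving stand-in: the same input always yields the same token.
    HMAC is one-way, so this models matching only, not decryption."""
    digest = hmac.new(PROXY_KEY, text.lower().encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]

def protect_whole(value: str) -> str:
    """Whole-field protection: one token for the entire value."""
    return eq_token(value)

def protect_per_word(value: str) -> str:
    """Tokenization: each word is protected individually."""
    return " ".join(eq_token(w) for w in re.findall(r"\w+", value))

def backend_search(stored_rows, stored_term, mode):
    """What the instance can do: compare stored strings, without any key."""
    if mode == "equals":
        return [i for i, row in enumerate(stored_rows) if row == stored_term]
    return [i for i, row in enumerate(stored_rows) if stored_term in row.split()]

# Constructed sample column values, protected at the proxy before storage.
ROWS = ["VPN outage in Berlin office", "Printer jam", "Berlin badge reader offline"]
WHOLE = [protect_whole(r) for r in ROWS]
PER_WORD = [protect_per_word(r) for r in ROWS]

def exact_match_whole(term):
    # The proxy protects the search term the same way, so equality survives.
    return backend_search(WHOLE, protect_whole(term), "equals")

def contains_whole(term):
    # The term's token never appears inside a whole-field token.
    return backend_search(WHOLE, protect_whole(term), "contains")

def contains_per_word(term):
    # With per-word tokens, a whole-word "contains" search can match.
    return backend_search(PER_WORD, eq_token(term), "contains")

if __name__ == "__main__":
    print(exact_match_whole("Printer jam"), contains_whole("Berlin"),
          contains_per_word("Berlin"), contains_per_word("erli"))
```

Per-word tokens match whole words only, and they also let anyone who can read the column see which rows share a word, which is the trade-off of any equality-preserving scheme.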

APPENDIX C
Data encryption solutions

Description
  Edge Encryption: Standard, equality-preserving, and order-preserving encryption of data at rest within the database and instance. Data sent to ServiceNow already encrypted by customer.
  Column-level encryption: Equality-preserving encryption of data at rest within the database based on user role in the instance.
  Database encryption: Encryption of data at rest when not being processed in the instance.
  Full disk encryption: Encryption of data at rest when hard disk is not operational.

Type of data encrypted
  Edge Encryption:
    • String text
    • Date
    • Date/Time
    • Attachments
    • URL
    • Journal
  Column-level encryption:
    • String text
    • Date
    • Date/Time
    • Attachments
    • URL
  Database encryption: All data is encrypted
  Full disk encryption: All data is encrypted

Supported key sizes
  Edge Encryption: AES-128 and AES-256
  Column-level encryption: AES-128 and AES-256
  Database encryption: AES-256
  Full disk encryption: AES-256

Tokenization
  Edge Encryption: Yes, for pattern-matched data
  Column-level encryption: No
  Database encryption: No
  Full disk encryption: No

Encryption key creation
  Edge Encryption: Customer
  Column-level encryption: Managed by ServiceNow and the customer
  Database encryption: ServiceNow
  Full disk encryption: Self-encrypting drive

Additional requirements
  Edge Encryption:
    • On-premises encryption proxy
    • Encryption key store
    • Optional on-premises MySQL Database for tokenization and order-preserving encryption
  Column-level encryption: None
  Database encryption: None
  Full disk encryption: Dedicated environment

© Copyright 2020 ServiceNow, Inc. All rights reserved. ServiceNow, the ServiceNow logo, and other ServiceNow marks are trademarks
and/or registered trademarks of ServiceNow, Inc., in the United States and/or other countries. Other company and product names may be
trademarks of the respective companies with which they are associated.
