Mission Briefing:
Welcome to the mission. Your objective:
- Protect the platform
- Safeguard the data
- Keep the operation invisible
The tools? Layers of defence, strategic boundaries, and a mindset that never sleeps.
From CTA to Facilitation: A Shift in Lens
Last year, I completed my CTA journey. This year, as part of the facilitation delivery team, I’ve gained sharper perspectives and a deeper appreciation for security as a design principle, not just a control.
Security Architecture is not just about locking things down - it is about designing with clarity, care, and context.
Security Across Borders:
Security is not universal. It bends to:
• Geography
• Regulation
• Culture
GDPR, data residency, and regional compliance are not obstacles - they are checkpoints.
Scaling globally means designing with local sensitivity.
Edge & Encryption: The Art of Balance
Security starts at the edge, where trust begins. Push controls closer to the user without breaking experience.
Encryption is not a blanket - it is a strategy. Balance risk posture with performance and usability.
CLEE: Column-Level Encryption after Edge Encryption
Encryption is a family of tactics, each with its own purpose and trade-offs:
| Type | Purpose | Trade-offs |
| --- | --- | --- |
| Edge Encryption | Sovereignty & control | Complexity & cost |
| Column-Level Encryption (CLEE) | Field-level precision | Often paired with ACLs |
| Cloud Encryption | Compliance for data at rest | Platform-dependent |
| Full Disk Encryption | Hardware-level protection | Scalability trade-offs |
CLEE builds on edge encryption by adding granular control at the field level - ideal for sensitive data like PII or financials. But remember: encryption is not a silver bullet.
Key Principle:
Start with the risk, not the tech.
Ask “why” five times before choosing a control.
Sometimes, the answer is not encryption but better governance, process, or audits.
Scoped Applications: Elegance or Excess?
Scoped apps offer:
• Contained logic
• Reduced interference
• Cleaner governance
But sometimes, a well-governed global app is leaner and more elegant. Scoping is strategic, not habitual.
Moving Code: Old Roads vs Expressways
- Update Sets = Back roads: reliable, familiar, slow
- App Repository = Expressway: fast, safe, scalable
When to use what?
| Scenario | Tool |
| --- | --- |
| Big changes, scoped apps | App Repository |
| Tiny tweaks to OOB | Update Sets |
Shared Responsibility
Security is everyone’s job:
- Architects
- Developers
- Admins
- Business teams
Even the strongest encryption can’t outpace a careless click. Security thrives when it is embedded in culture, not bolted on.
Three Layers of Platform Security
Think of security as three doors:
- Network Layer – “Show me your ID.” (IP restrictions, VPN, edge trust)
- Application Layer – “Which rooms can you enter?” (Roles, ACLs, scoped boundaries)
- Data Layer – “The vault? Only if you have the right keys.” (Encryption, data classification)
Encryption across layers:
- Purpose: reduce exposure
- Defence-in-depth: assume failure
- Trade-offs: always present
Principle: Encrypt what matters most, where it matters most.
Mid-Week Check-In: Shift from Explaining to Applying
Ask yourself:
- Does every recommendation tie back to outcomes?
- Can you answer: “What changes for them on Monday morning?”
- Are your benefits specific, not generic?
Presenting Tips:
- Breathe slower than your nerves want you to
- Pause before you speak
Self-talk works: You have done the work. You own this story.
Evolving Security Landscape in ServiceNow (2025)
To stay ahead of emerging threats and platform capabilities, I have updated this Bonus section with recent security enhancements introduced in the Vancouver and Zurich releases:
- ACL Hardening & CVE-2025-3648 Mitigation
ServiceNow addressed a critical ACL vulnerability where misconfigured range queries (e.g., “Starts with”, “Greater than”) could infer sensitive data. The Query Range ACL Update now enforces stricter evaluation logic, and the CVE-2025-3648 patch introduces visibility controls that prevent conditional ACL exploitation. This reinforces the need to audit ACLs not just for presence, but for logic integrity.
- Vault Console & Machine Identity Console
Introduced in the Zurich release, these tools provide native governance over secrets, credentials, and integration tokens. Scoped apps can now leverage machine identity management to securely interact with external systems without hard coding secrets or relying on legacy credential stores.
- AI Control Tower & Agentic Playbooks
As AI agents become embedded in workflows, ServiceNow’s AI Control Tower offers centralised oversight of agent behaviour, performance, and compliance. Scoped apps can now define agentic playbooks that blend AI and human decisioning while maintaining auditability and control over execution paths.
- Zero Trust Access Framework
The Vancouver release introduced adaptive authentication and policy-based session access, allowing scoped apps to dynamically adjust user privileges based on login context (IP, device, role). This aligns with the principle of least privilege and supports granular access control without over-engineering ACLs.
- Unified DLP & Data Discovery
Scoped apps handling sensitive data can now integrate with ServiceNow's Data Loss Prevention (DLP) workflows and Data Discovery Tool, which proactively scans for PII and compliance risks. This is especially relevant for apps in regulated environments or those interfacing with external data sources.
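The first item above, ACL hardening around range queries, is easier to audit for once the logic flaw is seen in miniature. The following is an added example, not code from this post and not ServiceNow’s ACL engine: a small in-memory table in plain JavaScript with a field-level read ACL, a “before” query that checks the ACL only when masking output, and an “after” query that treats a condition on a field as a read of that field. The EMPLOYEE rows, FIELD_READ_ACL map, role names and operator set are all constructed for the illustration.

```javascript
// Added example (not ServiceNow's code): why a field-level read ACL must also
// govern query conditions on that field. All data and roles are constructed.

// Constructed sample table (no real data).
const EMPLOYEE = [
  { name: 'Ada',   salary: 91000 },
  { name: 'Grace', salary: 72000 },
  { name: 'Linus', salary: 98000 },
];

// Constructed field-level read ACL: field -> roles allowed to read it.
const FIELD_READ_ACL = {
  name: ['employee', 'hr_admin'],
  salary: ['hr_admin'],
};

function canReadField(roles, field) {
  return (FIELD_READ_ACL[field] || []).some((role) => roles.includes(role));
}

// The kind of operators the post mentions: equality, "Starts with", "Greater than".
const OPERATORS = {
  '=': (actual, expected) => String(actual) === String(expected),
  STARTSWITH: (actual, expected) => String(actual).startsWith(String(expected)),
  '>': (actual, expected) => Number(actual) > Number(expected),
};

// Redact fields the caller may not read. Row presence is still visible.
function maskRow(roles, row) {
  const out = {};
  for (const field of Object.keys(row)) {
    out[field] = canReadField(roles, field) ? row[field] : '***';
  }
  return out;
}

// BEFORE: the field ACL is applied only to the output. The filter still ran
// against the protected value, so the number of rows returned depends on data
// the caller cannot read. That is the inference problem the post describes.
function queryBefore(roles, field, op, value) {
  const rows = EMPLOYEE.filter((row) => OPERATORS[op](row[field], value));
  return { refused: false, rows: rows.map((row) => maskRow(roles, row)) };
}

// AFTER: a query condition counts as a read of that field. Without a read ACL
// on it, the condition is refused rather than evaluated, so the result set
// carries no information about the protected column. (Dropping the condition
// and logging it is the other common choice; either way, log it for audit.)
function queryAfter(roles, field, op, value) {
  if (!canReadField(roles, field)) {
    return { refused: true, reason: `condition on '${field}' requires read access`, rows: [] };
  }
  return queryBefore(roles, field, op, value);
}
```

When auditing ACLs for “logic integrity” rather than presence, the question this example frames is: does every path that evaluates a field value (filter, sort, reference qualifier, export) sit behind the same read decision as displaying that value? In the “before” version the answer is no, and the row count alone is the gap.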
Final Thoughts: What Shifted for Me
Facilitating this week helped me shift from “lock it down” to “design it in.”
Security became:
• Curious yet cautious
• Modular yet meaningful
• Open yet observant
Scoped apps? Boundaries with intent but not always the answer.
Security is not about saying no. It is about saying yes with clarity and care.
Staying Current: Security as a Living Practice
What truly shifted for me is the realisation that security architecture is not static. It evolves with the platform, the threat landscape, and the way we build.
Recent features like Vault Console, AI Control Tower, and adaptive authentication are not just technical upgrades; they are signals. Signals that we, as architects, must stay curious, stay updated, and stay intentional.
So now, I ask:
- What new controls can I design into my solution, not bolt on later?
- How do I ensure my scoped app doesn’t just pass ACL audits, but aligns with platform-native security posture?
- Am I building with tomorrow’s threats in mind?
Frame Your Solution Like a Story
- What problem does it solve?
- How does it scale?
- Why is it the right fit?
Embed real-world stats or platform metrics.
Anticipate objections and address them with pros/cons - not defensiveness.
Because clarity isn’t just a design principle – it is a leadership trait.
Thanks,
Mahathi Veena
ServiceNow CTA, MVP @2025
Linkedin: https://www.linkedin.com/in/mahathi-veena-6a162623b/