We're reclaiming inactive PDIs to keep them available for active builders. Learn what's changing, who's affected, and how to protect your work. Read More

Charles Benedi1
Tera Explorer

What does ServiceNow offer in security architecture in platform?
As we know, ServiceNow provides both Cloud and On-Prem implementation strategies, the latter least recommended until there is an absolute need to segregate data from the public networks as much as possible.  Within the Cloud implementation approaches, there is Commercial (Official classification) and SPP-Protected (above Official) platform offerings.

We know that Commercial and SPP instances/architectures have varying security architectures. Whilst the former is strong is its security architecture in general, SPP was built to comply with Australian Privacy requirements, and attained IRAP, PSPF and ISM compliancy.

Privacy by Design in the Cloud
The Australian Privacy Principles require that Australian Government departments/agencies take "reasonable steps" to protect data. I stated 'Reasonable' rather that 'strict' steps, is because the ISM and PSPF frameworks are guidelines for each department or agency to reference in assessing how much risk is acceptable, what risk can be mitigated and what risk can be completely removed. Hence, it does not mean that every single requirement in these frameworks/manuals must be achieved as a 'pass', but by design, the risks can be managed with both system, technology and procedural controls. 

For example, in a cloud context, this means we must architect for Data Minimisation. We shouldn't ingest every piece of PII; we should only ingest what is "Fit-for-Purpose."

The Best Approach to Compliance

To meet these requirements effectively, we should adopt a three-tiered approach:

  1. The Protected Platform (SPP) Baseline: This is non-negotiable for high-sensitivity departments/agencies. It ensures the data is hosted on Australian soil, managed by NV1-cleared staff, and has undergone the "Standardised IRAP Assessment." For these high sensitive departments/agencies, the ServiceNow Protected Platform (SPP) is the baseline. 
  2. ServiceNow Vault for Data Hardening: We utilise Vault to implement Field-Level Encryption and Data Masking. For example, a TFN (Tax File Number) should be masked so that even a system administrator cannot view it unless they have a documented "Need to Know."
  3. Identity Sovereignty: We ensure that access is strictly controlled via Australian-hosted Identity Providers (IdP) using SAML 2.0 or OIDC, ensuring that the "keys to the kingdom" never leave the agency’s control.  We must educate the customer that ServiceNow provides the secure plumbing, but the department/agency is still responsible for the secure usage. This means robust ACLs, strict "Least Privilege" role management, and regular "Identity Governance" reviews.

By aligning the platform architecture with the ISM (Information Security Manual), we can turn "ServiceNow Cloud Security" from a hurdle into a high-strength vault.