ServiceNow Discovery

klautrup · ‎05-03-2018

Hi,
At Vestas we are evaluating whether we want to purchase a license for ServiceNow Discovery.

Anybody else here in Denmark who have implemented, or are considering to implement Discovery?

Have you alternatively evaluated alternatives like iQSonar (visible in the ServiceNow store and seems to provide much of the same functionality as Discovery)?

Seems Discovery requires local admin access to the target servers.
Our security team is not happy about having the credentials in the ServiceNow instance (all though they are in an encrypted table).
For windows servers an alternative is to run the MID server on a service account granting local admin access to the target windows servers, but this is not an option for Unix servers, network devices etc.
There is also a possibility to use a 3rd party local credentials storage like CyberArk which seems like the most secure option, but is also an expensive option.

If you have implemented, or are considering to implement Discovery which security model for the credentials have you decided to use?

Regards,
Kristian

lasse3 · ‎05-03-2018

Hi Kristian,

I think that this depends heavily on what you wish to discover.

Could you add more information about the items that you wish to discover and which attributes of these items that you are trying to monitor. Also, if possible, which environment they are in? Eg. are we talking configuration items in a cloud like AWS or Azure or is this an on premise VMWare installation or physical servers?

Kind regards
Lasse

klautrup · ‎05-03-2018

Hi Lasse,
We have a quite large number of VMware windows servers as well as some dedicated windows+linux servers and we are beginning also to use Azure IAAS. Besides servers we also want to Discovery routers+switches and perhaps later on also printers and UPS's.

We have a lot of SAP and as far as I can see Discovery has some support for discovering various SAP components. However, it is unclear to me how complete a picture of the SAP landscape Discovery ootb can provide making it relevant to manually map our business service CIs down to the relevant SAP CIs, or whether Service Mapping would also be needed (not in question for us due to the very high license cost).

We also have a lot running on SharePoint and Citrix.
Discovery seems to be able to discover running instances of SharePoint, but doesn't mention any ootb support for Citrix as Service Mapping does.

Besides this we also want to be able to discover IIS web servers and MSSQL + Oracle databases which Discovery seems to do.

Regards,
Kristian

Michael Skov2 · ‎05-03-2018

To clarify this a little bit... Discovery will not map out your SAP invironments as business services. It will however find SAP components on all your discovered devices and the relationships between these components.

Service Mapping will take all these components and create a business service of these (using entry points in SM). That is why Service Mapping relies on Discovery, as we take the data found by Discovery and publish them to the business services.

The same goes for Citrix. Service Mapping has oob patterns (the backend mechanism for SM and partly Discovery) for both Citrix and SharePoint.

I hope this helps a little, else let me know and i will elaborate.

larstange · ‎05-03-2018

Hi Kristian

We at Topdanmark evaluated the solution last year, but it was simply too expensive for us, as we have a lot of virtual servers compared with our company size.

My conslusion was that the discovery solution work very well and is very easy to setup. Within a very short timeframe you will be able to have it up and running and I didn't really run into any issues in our Windows environment. As all our Linux servers are connected to our windows domain, I could run the discovery using the same windows user, which was a member of a group with local admin access for all servers.

Security wise the credentials are stored encrypted in ServiceNow. BUT...its a 2-way encryption field. This means that any admin can run a small script using GlideEncrypter() and descrypt the password to clear text.

So if any of you servicenow admin accounts are ever compromised, this information is easy to get a hold of.

We also evaluated a couple of other solutions (Eracent and ScienceLogic) that we met with at K17, but they weren't the right solutions for us either.

I ended up making an integration to SolarWinds, which already has an agent on all our servers and has a very nice Asset Inventory in its database which mapped very well with the CMDB in ServiceNow.