ServiceNow Discovery
05-03-2018 12:50 AM
Hi,
At Vestas we are evaluating whether we want to purchase a license for ServiceNow Discovery.
Is there anybody else here in Denmark who has implemented, or is considering implementing, Discovery?
Have you alternatively evaluated alternatives like iQSonar (visible in the ServiceNow store and seems to provide much of the same functionality as Discovery)?
Seems Discovery requires local admin access to the target servers.
Our security team is not happy about having the credentials in the ServiceNow instance (although they are in an encrypted table).
For Windows servers an alternative is to run the MID server on a service account granting local admin access to the target Windows servers, but this is not an option for Unix servers, network devices etc.
There is also a possibility to use a 3rd party local credentials storage like CyberArk which seems like the most secure option, but is also an expensive option.
If you have implemented, or are considering implementing, Discovery, which security model for the credentials have you decided to use?
Regards,
Kristian
05-03-2018 01:30 AM
Hi Lars
OK, if it is possible for an admin to decrypt the credentials stored in the cloud, then our security team would never approve.
So if we end up choosing Discovery despite the very high license cost (we also have a quite high number of virtual servers), then I think the best solution is to store the credentials in our local PowerBroker password vault. I just noticed that BeyondTrust provides a free plugin for this.
We also have SolarWinds but only for network devices (I was not aware that SolarWinds can also be used for servers).
But even if you have servers in SolarWinds, I assume the agent only gives you basic asset+CI information for the Server CIs like hw information and OS information. You don't get any software+database CIs or relationships between CIs from SolarWinds, do you?
Regards,
Kristian
05-03-2018 02:14 AM
Decrypting a password is very easy - https://developer.servicenow.com/app.do#!/api_doc?v=jakarta&id=GlideEnc-Decrypt_S
If you have the SAM module for SolarWinds, then SolarWinds will do infrastructure monitoring as well. It uses an agent on the server.
The Asset database also covers software but not relations to databases.
We are currently building a database relation integration ourselves. Our DB team will do it with some PowerShell and dump the information in a DB that I can import.
05-03-2018 02:23 AM
Please keep in mind that no matter which solution you choose, it will always be possible to decrypt the password / key etc., as the key needs to be decrypted when authenticating with whatever system you are trying to retrieve data from. This is not ServiceNow specific. If you save the password in your local PowerBroker software, ServiceNow would still need to have access to retrieve/send the password to whichever system you are trying to authenticate with, meaning that an admin would also be able to retrieve it.
05-03-2018 01:49 AM
Hi Kristian,
We at Maersk have had the exact same discussions as you are having now about Discovery and security.
We have actually bought ServiceNow Discovery, but not managed to go live with it yet, simply because of the security concerns that you also mention. Plus, as people know, we had quite the cyber attack recently, and are therefore very cautious about these kinds of agentless solutions.
That being said, we at Maersk are looking at possibly using CyberArk for this. We furthermore bought Service Mapping, but that tool has the same security-related concerns as it uses standard ports and needs local admin access as well. CyberArk should deal with that concern as well, and hopefully give us a well-functioning CMDB with automated feeds.
There are many other integrations that can improve your CMDB as well. Options like Flexera, SolarWinds as Lars is mentioning, and possibly tools like Splunk or Qualys as well.
Not sure what you have in Vestas today.
You are more than welcome to reach out if you would like to discuss this in detail. Or come by CPH for a cup of coffee, just write me a personal message if you like 🙂
Kind regards
Lasse Koch
ServiceNow Architect
Maersk
05-03-2018 02:28 AM
Hi Kristian,
We have considered it, but will start with populating the CMDB with information we have from our current "discovery" tools, and then re-consider ServiceNow Orchestration again later.
Kind Regards,
Bo Møller
Enterprise Solution Architect, Backoffice
_________________________________________________________________
Nilfisk A/S | Group-IT | Kornmarksvej 1 | 2605 Brøndby | Denmark | Mobile:+45 2098 4544 | bo.moller@nilfisk.com | www.nilfisk.com