ServiceNow Discovery
05-03-2018 12:50 AM
Hi,
At Vestas we are evaluating whether we want to purchase a license for ServiceNow Discovery.
Is anybody else here in Denmark who has implemented, or is considering implementing, Discovery?
Have you alternatively evaluated alternatives like iQSonar (visible in the ServiceNow store, and it seems to provide much of the same functionality as Discovery)?
It seems Discovery requires local admin access to the target servers.
Our security team is not happy about having the credentials in the ServiceNow instance (although they are in an encrypted table).
For Windows servers an alternative is to run the MID server on a service account granting local admin access to the target Windows servers, but this is not an option for Unix servers, network devices etc.
There is also a possibility to use a third-party local credential storage like CyberArk, which seems like the most secure option, but is also an expensive option.
If you have implemented, or are considering implementing, Discovery, which security model for the credentials have you decided to use?
Regards,
Kristian

05-03-2018 02:57 AM
Hi Kristian
We have several customers with exactly the same security concerns, to which we have different approaches.
First, what is the specific reason the security team doesn't want to store the credentials in ServiceNow? I've heard this a lot of times, without the team being able to specify a concrete reason. If it is due to encryption, I can send you how data is being encrypted between ServiceNow and the MID server.
Second, if they don't want to have credentials stored in ServiceNow and they have good reasons for this, I do encourage using a third-party tool, such as CyberArk or Thycotic. It can be any tool you have on-prem.
Third, it is correct that we need local administrator on all Windows servers (mostly due to WMI mechanisms). Depending on the configuration of your network, an idea could be to isolate permissions on each VLAN. Meaning that you place a MID server in each VLAN and create a Windows account with access only to the servers in that VLAN. Surely you need to create more accounts and servers, but in my experience it increases the "let's do it" chances for the security team.
For the UNIX part, we need very few permissions with sudo; the rest of the permissions are read-only. The same goes for network devices. Both can be configured with SSH PSK.
For Discovery, these are the permissions you need. For Service Mapping, there might be a need for further permissions (such as MySQL, Tomcat, MSSQL etc.).
Let me know if you have further questions, I will be happy to answer.
Regards
Michael
05-04-2018 01:59 AM
Hi Kristian,
I have done a few implementations of Discovery. I would say that it is very efficient. The downside to being efficient is that Discovery needs access to collect information.
It can of course be handled using an on-premises vault system for storing credentials.
There are other ways to lower the risk. Those that I know of include additional management/process in one way or another.
The most pragmatic reduction of risk I have implemented is relatively simple.
We built a workflow where we disable the user and reset the password when it is not in use. We assign a new password and enable the user as part of the process when ServiceNow needs to do some automated action. The credentials are still stored in ServiceNow, but are useless outside the time frame where they are used by ServiceNow.
Due to the change of password and the disabling of the user, the security team accepted the risk.
Regards
Lars
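The just-in-time pattern Lars describes above (enable the account and set a fresh password only for the window in which ServiceNow needs it, then disable and rotate again), written out as an added example. This is not code from the thread or from ServiceNow; it assumes the Discovery account is a domain account (here the hypothetical `svc-discovery`), that the script runs on a host with the RSAT ActiveDirectory module, and that handing the new password to the ServiceNow credential record and starting the Discovery schedule is done by a caller-supplied script block, since that part is out of scope here.

```powershell
#Requires -Modules ActiveDirectory
# Just-in-time enablement of a Discovery service account (added example, not ServiceNow's code).
# Assumptions: domain account managed with the ActiveDirectory module; the caller supplies
# the step that pushes the password to the ServiceNow credential record and runs Discovery.

function New-RandomPassword {
    param([int]$Bytes = 24)
    # 24 random bytes -> 32 base64 characters (upper, lower, digits, '+', '/'),
    # which satisfies the usual three-of-four complexity rule.
    $buf = [byte[]]::new($Bytes)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return [Convert]::ToBase64String($buf)
}

function Invoke-WithJitCredential {
    param(
        [Parameter(Mandatory)] [string]      $SamAccountName,
        [Parameter(Mandatory)] [scriptblock] $Action   # receives the plaintext password for the window
    )
    $pw     = New-RandomPassword
    $secure = ConvertTo-SecureString $pw -AsPlainText -Force
    try {
        # Open the window: a password nobody has seen before, then enable the account.
        Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
        Enable-ADAccount     -Identity $SamAccountName
        & $Action $pw
    }
    finally {
        # Close the window even if the action threw: disable first, then rotate again so the
        # copy left in the ServiceNow credential table no longer matches anything.
        Disable-ADAccount -Identity $SamAccountName
        $burn = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
        Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $burn
        $pw = $null; $secure = $null; $burn = $null

        # Verify the state we rely on; a still-enabled account means the risk acceptance is void.
        $acct = Get-ADUser -Identity $SamAccountName -Properties Enabled
        if ($acct.Enabled) {
            throw "Account $SamAccountName is still enabled after the Discovery window closed."
        }
    }
}

# Usage (hypothetical account name; the script block body is the site-specific part):
Invoke-WithJitCredential -SamAccountName 'svc-discovery' -Action {
    param($PlainTextPassword)
    # Update the Discovery credential record with $PlainTextPassword and start the schedule here,
    # then wait for the run to finish before returning.
    Start-Sleep -Seconds 5
}
```

The `finally` block is the point of the pattern: whether the Discovery run succeeds, fails or is interrupted, the account ends disabled with a password that is different from the one stored in the instance, which is what lets the security team accept credentials sitting in the encrypted table at all. Run it from a scheduled task or the orchestration tool of your choice rather than interactively, so the plaintext never passes through a human.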
05-04-2018 03:43 AM
At CIMT (Danish Capital Region IT Centre) we are considering, once again, if we should implement ServiceNow Discovery.
The main consideration is the price, since we have a mixed environment with 50,000+ computers and a lot of servers (mixed virtual/non-virtual, Windows/non-Windows), so it will cost quite a lot.
The next consideration beside security is if we are mature enough in our CMDB to get benefit from ServiceNow Discovery.
05-04-2018 04:14 AM
Hi,
I would say that the less mature you are, the more quality Discovery provides.
It is also an enabler for getting more mature, and more in control.
If you would like to test the statement, then ask ServiceNow to enable it in a non-production or POC environment and then start collecting.
You will see the effect within hours!
Regards
Lars
05-04-2018 04:19 AM
Hi Lars.
I am not in doubt of the effect Discovery can have, but if we do not have the needed structure (classes etc.) then we might end up with more chaos instead of clarity 😉
There are no magical solutions. If you read the ServiceNow documentation regarding Asset Management, they state that assets appear (are created) when Discovery detects them, completely disregarding the procurement phase.