ServiceNow Discovery

klautrup
Kilo Expert

Hi,
At Vestas we are evaluating whether we want to purchase a license for ServiceNow Discovery.

Anybody else here in Denmark who has implemented, or is considering implementing, Discovery?

Have you alternatively evaluated alternatives like iQSonar (visible in the ServiceNow store, and which seems to provide much of the same functionality as Discovery)?

It seems Discovery requires local admin access to the target servers.
Our security team is not happy about having the credentials in the ServiceNow instance (although they are in an encrypted table).
For Windows servers an alternative is to run the MID server under a service account that has local admin access to the target Windows servers, but this is not an option for Unix servers, network devices etc.
There is also the possibility of using a 3rd party local credential store like CyberArk, which seems like the most secure option but is also an expensive one.

If you have implemented, or are considering to implement Discovery which security model for the credentials have you decided to use?

Regards,
Kristian


"then we might end up with more chaos in stead of clarity"

I've heard this before, and while I do agree, there are solutions for this. I've had customers where we disabled everything and then enabled things little by little. For instance, we disabled everything but Windows Server and Microsoft SQL. After a while we enabled Linux, and so on.

Just for inspiration.

klautrup
Kilo Expert

Thank you for all the input - very useful 🙂

If we decide to go ahead with Discovery I think the right solution is to use PowerBroker since we have it.

@Michael, our security team's concern about storing credentials directly in ServiceNow is that the table encryption is only AES-128, where they would prefer at least AES-256.
And according to larsstange an admin can run a small script using GlideEncrypter() and decrypt the passwords to clear text.

It is a bit unclear to me whether this would still be a risk when using 3rd party password tools like CyberArk, Thycotic or PowerBroker, as indicated by Lasse?

According to my knowledge that is not entirely correct. All credentials are stored on the instance using 3DES encryption and are decrypted on the instance with the password2 fixed key. The password2 fields are encryption fields using 3DES (192/168), which further encrypt the 3DES key using AES with a 256 bit key size, where the key is stored in the SafeNet devices (a separate key storage appliance, retrieved by the instance).

I have more info on this if you want - just email me privately.

Regarding the 3rd party... You will have some risk no matter what you do. I'm positive you already have that risk in some sense, as you are probably storing passwords somewhere right now. That said, if your security team is more confident having the passwords on-prem using a tool of their choosing, I say go ahead.

Surely an integration adds complexity, but if that makes the security team happy, it's the best solution.

soren_lynggaard
ServiceNow Employee

Hi All,

For your information, we are going to support Microsoft Just Enough Administration in London. JEA uses the PowerShell Remoting Protocol, and it will help you avoid exposing highly sensitive passwords in Windows environments and make your security people happy too 🙂

JEA overview

https://docs.microsoft.com/en-us/powershell/jea/overview

Rgds


Søren Lynggaard

Solution Consultant 

ServiceNow
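As an added illustration of the JEA model Søren describes (this is not ServiceNow's own Discovery integration, and the module path, transcript folder and account name `CONTOSO\svc-discovery` are assumptions), the following registers a constrained endpoint that exposes only read-only inventory cmdlets to a discovery account and runs them as a transient virtual account, so no standing local-admin password has to be stored in the instance or on the MID server:

```powershell
# Assumed module location; JEA role capability files must live in a
# RoleCapabilities folder of a module on $env:PSModulePath.
$ModulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\DiscoveryJEA'
New-Item -ItemType Directory -Path (Join-Path $ModulePath 'RoleCapabilities') -Force | Out-Null
New-ModuleManifest -Path (Join-Path $ModulePath 'DiscoveryJEA.psd1')

# Role capability: only the read-only cmdlets an inventory scan needs.
# Get-ItemProperty is further restricted to paths under HKLM:\SOFTWARE.
New-PSRoleCapabilityFile -Path (Join-Path $ModulePath 'RoleCapabilities\DiscoveryReadOnly.psrc') `
    -VisibleCmdlets @(
        'Get-CimInstance',       # hardware, OS, installed software
        'Get-Service',           # running services
        'Get-NetTCPConnection',  # listening ports and connections
        @{ Name = 'Get-ItemProperty'
           Parameters = @{ Name = 'Path'; ValidatePattern = '^HKLM:\\SOFTWARE' } }
    ) `
    -VisibleProviders 'Registry'

# Session configuration: the (assumed) discovery service account is mapped to that
# role, commands run as a per-session virtual account with local admin rights on this
# host only, and every session is transcribed for the security team to review.
New-PSSessionConfigurationFile -Path (Join-Path $ModulePath 'DiscoveryJEA.pssc') `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\svc-discovery' = @{ RoleCapabilities = 'DiscoveryReadOnly' } }

Register-PSSessionConfiguration -Name 'DiscoveryJEA' `
    -Path (Join-Path $ModulePath 'DiscoveryJEA.pssc') -Force

# Check from the account's point of view: only the whitelisted commands are visible,
# and the session identity is the virtual account, not the service account itself.
Invoke-Command -ComputerName localhost -ConfigurationName 'DiscoveryJEA' -ScriptBlock {
    Get-Command | Select-Object Name
    whoami
}
```

The MID server would then connect with `-ConfigurationName 'DiscoveryJEA'` instead of an unconstrained session, and the svc-discovery account itself needs no local admin membership on the target.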