Read Part 1: Building Secure Solutions from the Start
When it comes to designing secure ServiceNow solutions, I like to take a layered approach—starting with the network, then the application, and finally the database. Each layer has its own set of capabilities and considerations, and together they form a comprehensive security strategy.
At the network level, you might consider IP address controls, adaptive authentication, SSO, and integration with identity and access management platforms. Edge Encryption is another option, though it’s rarely applicable. These controls help ensure that only authorized users and systems can access the instance.
For application-level security, ServiceNow offers features like column-level encryption, data privacy tools, and ServiceNow Vault. These help protect sensitive data and ensure compliance with privacy regulations.
At the database level, you can leverage cloud encryption and server or disk-level encryption to secure data at rest. These capabilities are especially important for clients with strict regulatory requirements.
Security risks should also be documented in the risk and mitigation section of the solution plan. For example, if the client’s environment has technical debt or lacks proper access controls, those risks need to be called out with clear mitigation strategies.
Finally, remember that there are some security-related assumptions, such as needing access to a secure development environment without personally identifiable information (PII) or expecting the client to configure their identity provider. These should be documented appropriately, either in the assumptions section or under client responsibilities.
A layered security approach helps ensure your ServiceNow solution is protected at every level. By integrating platform capabilities, aligning with client technologies, and documenting risks and responsibilities, you build solutions that are secure by design.
