
In today's digital landscape, securing your IT infrastructure is more critical than ever. As organizations increasingly rely on ServiceNow for managing their enterprise services and workflows, ensuring the security of this powerful platform becomes paramount. Security hardening, the process of enhancing the security measures of your system, is essential to protect sensitive data, prevent unauthorized access, and maintain compliance with industry standards. This article aims to provide developers and administrators with practical insights and best practices for applying security hardening to your ServiceNow instance, helping you to safeguard your organization against potential threats and vulnerabilities.
What is Security Hardening?
Security hardening for the ServiceNow platform is essential for protecting sensitive data and ensuring the integrity of your instance. It involves a series of best practices and measures designed to reduce vulnerabilities and defend against potential threats.
Key Aspects of Security Hardening:
- Access Control: Implement Role-Based Access Control (RBAC) to limit user permissions, enforce Multi-Factor Authentication (MFA), and integrate Single Sign-On (SSO) for secure authentication.
- Data Protection: Use encryption for data at rest and in transit, and apply data masking techniques in non-production environments to protect sensitive information.
- Application Security: Define and enforce security policies for custom applications, conduct regular code reviews, and use application scanning tools to identify and fix vulnerabilities.
- Platform Configuration: Follow ServiceNow’s instance hardening guidelines by configuring system properties, setting session timeouts, enabling logging, and disabling unused features and services.
- Monitoring and Auditing: Enable log management and maintain audit trails to monitor suspicious activities and track changes to sensitive data and configurations.
- Compliance and Governance: Ensure compliance with regulatory requirements like GDPR and HIPAA, and enforce security policies to maintain a secure environment.
- Patch Management: Keep your ServiceNow instance up to date with the latest patches and updates to mitigate known vulnerabilities.
By following these practices, you can significantly enhance the security of your ServiceNow instance, safeguarding against data breaches and other security incidents.
What is Security Center?
ServiceNow provides the Security Center application to help you understand the current security posture of your instance. Security Center provides:
- Security Hardening: A set of recommended ServiceNow settings to secure your environment against unwanted threats. This includes the basics, such as MFA settings, but also goes into the lesser-known settings around embedded code handling.
- Security Scanner: Provides test suites which look for security-related misconfigurations in your environment. Security Scanner relies on Instance Scan under the hood, so there is ample opportunity to extend it as needed.
- Security Metrics: The preconfigured security metrics allow you to track and identify potential threats and system misuse. Some of the basic metrics include failed logins, password resets, data exports and privileged user actions.
- Best Practice Manager: Provides a list of recommended activities aligned with achieving a certain maturity level. The foundation level ensures that you have covered the basics of securing your instance and set up some basic standards for ongoing monitoring.
The Security Center homepage provides you with a high-level overview of your current Security Hardening compliance and a list of your top non-compliant settings. For a new environment, you will typically start at around 86-88%.
Security Hardening
In order to increase your Security Hardening score and drive toward a more secure platform, I recommend concentrating on the Non-Compliant items. The Security Center homepage includes a widget which lists the Top non-compliant hardening settings.
As you review the non-compliant items, ensure that you follow your normal governance processes. It's important to have the right level of technical review in place as you plan changes, so that you do not create unexpected outcomes. The following two examples show the different degrees of planning that might be required as you work through these settings to improve your overall instance security posture.
As an example, the "Enable SNC Access Control Plugin" is a very straightforward setting. The only real consideration is that once you enable it, you will need to manage ServiceNow's access to your instance. Details on how to configure and allow access using the SNC Access Control Plugin can be found here - https://docs.servicenow.com/csh?topicname=c_SNCAccessControl.html&version=latest
In other cases, the impact is far greater and you may need to remediate other areas before you can enable a specific hardening setting. For instance, settings related to the deprecation of 3DES encryption require you to ensure that the new Key Management Framework and Instance Level Encryption configuration are in place before disabling 3DES encryption. Failing to do so will likely impact any process on your instance that uses existing Password2 fields to store passwords. Implementing the deprecation of 3DES encryption will require additional planning to ensure that all of the prerequisite steps have been completed before the final steps can be taken.
As you can see, the level of technical complexity and impact differs significantly depending on the hardening setting you are altering to improve your security posture. I highly recommend that you work with your Technical Governance team to ensure all aspects of each change have been considered and planned for.
Working through this process with your Cyber Security team is also important. Depending on the industry you are operating in, along with any regulations or specific security policies that your organisation has in place, many of these controls may require a different approach and potentially already be mitigated through other controls.
Ongoing Maintenance
Ongoing maintenance of your security posture is also a very important process. By default, Security Center tracks your Security Hardening score with a daily update. Each time you perform an upgrade, a patch or even a store application upgrade, I recommend that you review your Security Hardening score both before and after, and consider the impact of any findings before you release these changes to your Production environment. Don't forget to keep the Security Center application up to date as well.
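A before-and-after review can also be scripted as a local check alongside the Security Center score. The following is an added example, not ServiceNow code and not part of the original post: it compares two snapshots of system properties shaped like a Table API response and separates regressions from pre-existing gaps. The baseline rules, the 30-minute ceiling and both snapshots are constructed for illustration and are not ServiceNow's official hardening list.

```javascript
// Added example: compare hardening-related system properties captured before
// and after an upgrade. Snapshot shape: { result: [{ name, value }] }.

// Hypothetical local policy, not ServiceNow's official hardening list.
const BASELINE = [
  { name: "glide.security.use_csrf_token", ok: (v) => v === "true" },
  { name: "glide.ui.escape_text", ok: (v) => v === "true" },
  // Session timeout in minutes; the 30-minute ceiling is an assumed policy value.
  { name: "glide.ui.session_timeout", ok: (v) => /^\d+$/.test(v) && Number(v) <= 30 },
];

// Index a snapshot by property name; a missing property stays undefined.
function toMap(snapshot) {
  return new Map(snapshot.result.map((r) => [r.name, String(r.value).trim()]));
}

// Percentage of baseline rules satisfied, plus the names that fail.
// A property absent from the snapshot is treated as failing (conservative).
function score(snapshot) {
  const props = toMap(snapshot);
  const failing = BASELINE.filter((rule) => {
    const value = props.get(rule.name);
    return value === undefined || !rule.ok(value);
  }).map((rule) => rule.name);
  const pct = Math.round(((BASELINE.length - failing.length) / BASELINE.length) * 100);
  return { pct, failing };
}

// Classify each rule failing after the change as a regression or pre-existing.
function compare(before, after) {
  const b = score(before);
  const a = score(after);
  const regressions = a.failing.filter((n) => !b.failing.includes(n));
  const preExisting = a.failing.filter((n) => b.failing.includes(n));
  const fixed = b.failing.filter((n) => !a.failing.includes(n));
  return { before: b.pct, after: a.pct, regressions, preExisting, fixed };
}

// Constructed snapshots: one setting was fixed, another went missing.
const beforeUpgrade = { result: [
  { name: "glide.security.use_csrf_token", value: "true" },
  { name: "glide.ui.escape_text", value: "true" },
  { name: "glide.ui.session_timeout", value: "60" },
] };
const afterUpgrade = { result: [
  { name: "glide.security.use_csrf_token", value: "true" },
  { name: "glide.ui.session_timeout", value: "20" },
] };
console.log(compare(beforeUpgrade, afterUpgrade));
```

In the constructed data the percentage is identical before and after, yet one setting regressed while another was fixed, which is why the individual findings need review and not only the headline score.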
Outside of the Security Center Hardening areas, there remain the Security Scanner, Metrics and Best Practice recommendations. Check back soon for another blog post that will dive into the Security Center capabilities in those areas.