
Welcome to this blog!

This article was created to share information about the transition from Database Encryption (DBE) to Cloud Encryption as part of the MariaDB to RaptorDB migration.

What's Database Encryption (DBE)?

Database Encryption with Customer-Controlled Switch (DBE-CCS) is an encryption solution that encrypts all data at rest in the database, an approach often called Tablespace Encryption or Transparent Data Encryption.

Database Encryption with customer-controlled switch uses industry-standard AES encryption, with no impact on functionality. The database encrypts data as it is written to disk and decrypts it as it is read from disk. Applications always see the data in an unencrypted state to perform the necessary logic and functions.

For more details on the technology, refer to the MariaDB website under "Tablespace Encryption."

Database Encryption Deprecation

ServiceNow is updating the way we provide data-at-rest encryption for customer databases. We are gradually moving away from the product Database Encryption and to the new Cloud Encryption product offering.

As communicated in [COMM1147698], Database Encryption will no longer be available for renewal as of the Now Platform Washington D.C. release.

  • Beginning with the Washington D.C. release planned for March 2024, Database Encryption will no longer be available for renewal.
    • Database Encryption is architecturally tied to MariaDB, which ServiceNow is migrating away from.
  • Cloud Encryption is the replacement product for Database Encryption to enable data-at-rest encryption.
    • The ServiceNow-led migration from Database Encryption to Cloud Encryption will be executed as part of the database migration from MariaDB to Postgres planned between July 2024 – December 2025.

Note:

If you have DBE enabled, prepare for the migration to Cloud Encryption:

  • Work with your Account team to procure the "Data at Rest Encryption Transition" SKU (requires an active Database Encryption entitlement) by December 31, 2024, at the latest to ensure you are prioritized for migration.

Why should a customer choose to use Cloud Encryption compared with other encryption offerings?

ServiceNow offers a range of encryption products designed to solve different use cases.

Cloud Encryption is used to solve the compliance use case of encrypting data at rest. Cloud Encryption is fully transparent to applications and offers the ability to switch between ServiceNow Managed Keys and Customer Managed Keys, as well as rotate the keys, all at a time the customer chooses (no need to involve the ServiceNow Support team).

Column Level Encryption Enterprise provides protection of sensitive data against insider threats, so data is in cleartext only for specified groups of users. This application-layer encryption includes customer key management, including optional Bring Your Own Key (BYOK). The underlying key management framework supports integrations, minimizing app disruption and insecure workarounds.

Edge Encryption is used for the use case of the customer owning the encryption keys. With Edge Encryption, encrypted data will not be in cleartext outside of the customer's environment. In our product documentation, see "Edge Encryption Limitations", as there are significant limitations that need to be considered before using Edge Encryption.


What are the differences between Database Encryption and Cloud Encryption?

Scope
  Database Encryption (DBE): DBE focuses solely on database encryption. "DBE" refers specifically to encrypting data stored within the ServiceNow database.
  Cloud Encryption: Cloud Encryption covers data encryption across the entire ServiceNow cloud environment.
    • "Cloud Encryption" is a broader term encompassing encryption of data across the entire ServiceNow cloud platform.
    • ServiceNow® Cloud Encryption offers encrypted storage for the database using block encryption, along with enhanced key management. Cloud Encryption is available as a component of the ServiceNow® Platform Encryption subscription bundle, which also includes Column Level Encryption Enterprise.

Compatibility
  Database Encryption (DBE): ServiceNow Database Encryption offers data-at-rest encryption and is compatible with MariaDB.
  Cloud Encryption: Cloud Encryption also offers data-at-rest encryption, but it is compatible with multiple types of databases, including MariaDB, Postgres®, and other database systems ServiceNow may use in the future.

Functionality
  Database Encryption (DBE): DBE primarily encrypts data at rest within the database.
  Cloud Encryption: Cloud Encryption may include additional features such as encryption in transit and finer-grained control over which data fields are encrypted.

Key Management
  Database Encryption (DBE): With DBE, the data-at-rest encryption key needs to be managed by the customer (CCS/CSK), and a specific implementation must be followed. Typically, two implementation options are offered:
    1. Partner-provided Customer Endpoint
    2. Self-Implemented Customer Endpoint
  The Customer Endpoint must have read access to the customer's secret key (KEK), which must have the following characteristics:
    • The key cannot be changed (because there is no rotation support at this time).
    • The key must be 64 hexadecimal characters. Generally, this means generating 32 random bytes (256 bits) and expressing them in hexadecimal.
  Cloud Encryption: Cloud Encryption offers more advanced key management features and granular control over encryption policies. With Cloud Encryption, customers are able to manage their own keys, in addition to being able to rotate ServiceNow managed keys. Additionally, customers are able to schedule a key rotation reminder (to help stay within policy guidelines for key rotation).

Version Supported
  Database Encryption (DBE): Database Encryption (DBE) is being prepared for deprecation starting with the Washington DC release, though it is supported across all versions of the Now Platform.
  Cloud Encryption: Cloud Encryption launched in the San Diego release and is available in San Diego and later versions.

Key Rotation
  Database Encryption (DBE): No. At this time key rotation is not supported, so the key id should always be 1.
  Cloud Encryption: Yes. Cloud Encryption customers may choose when to click the "Rotate" button in the product's user interface to initiate key rotation. There is no need to involve ServiceNow Support for a key rotation request.

Key Types
  Database Encryption (DBE): There is no difference in key availability for encryption; it is the same for DBE and Cloud Encryption.
  Cloud Encryption: Cloud Encryption provides customers with the flexibility to choose either a ServiceNow Managed Key (SMK) or a Customer Managed Key (CMK).
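The KEK constraints in the Key Management and Key Rotation rows (64 hexadecimal characters, meaning 32 random bytes, and a key id that stays 1 because DBE has no rotation support) are the parts of a self-implemented Customer Endpoint that are easiest to get wrong. The Python below is an added example, not ServiceNow's code and not any endpoint's actual interface: it generates a conforming KEK from the OS CSPRNG and validates a candidate key and key id before the key is placed where the endpoint reads it. The function names and the repeating-pattern check are assumptions of this example, not requirements stated on the page.

```python
import re
import secrets

# Constraints on the customer KEK for the DBE Customer Endpoint, as stated above:
# 64 hexadecimal characters (32 random bytes / 256 bits), and a key id that is
# always 1 because DBE has no key rotation support.
KEK_BYTES = 32
KEK_HEX_LENGTH = KEK_BYTES * 2
DBE_KEY_ID = 1

_HEX_RE = re.compile(r"[0-9a-fA-F]{%d}" % KEK_HEX_LENGTH)


def generate_kek() -> str:
    """Return a fresh 256-bit KEK as 64 lowercase hex characters from the OS CSPRNG."""
    return secrets.token_hex(KEK_BYTES)


def _is_low_entropy(raw: bytes) -> bool:
    """True if the key bytes are all identical or repeat a block of 1..16 bytes.

    This is an extra sanity check assumed by this example (the page only
    requires 64 hex characters); a random 32-byte key never trips it in practice.
    """
    for block in (1, 2, 4, 8, 16):
        if raw == raw[:block] * (len(raw) // block):
            return True
    return False


def validate_kek(kek: str, key_id: int = DBE_KEY_ID) -> list[str]:
    """Return the problems found with a candidate KEK and key id; [] means acceptable."""
    problems = []
    if not _HEX_RE.fullmatch(kek):
        problems.append(f"KEK must be exactly {KEK_HEX_LENGTH} hexadecimal characters")
    else:
        raw = bytes.fromhex(kek)
        if _is_low_entropy(raw):
            problems.append("KEK bytes form a repeating pattern; use 32 random bytes")
    if key_id != DBE_KEY_ID:
        problems.append(f"DBE has no rotation support, so key id must be {DBE_KEY_ID}")
    return problems


if __name__ == "__main__":
    # Constructed samples: a freshly generated key and two that fail the checks.
    fresh = generate_kek()
    print(fresh, validate_kek(fresh))
    print(validate_kek("00" * KEK_BYTES))           # all-zero key
    print(validate_kek("0123456789abcdef" * 4, 2))  # repeating block, wrong key id
```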

ServiceNow is moving from MariaDB to RaptorDB!

If your organization has opted for the Database Encryption solution and your instances are encrypted, it is crucial to start the transition process now, because DBE reaches its End-of-Renewal milestone in the Washington release. Database Encryption is compatible only with MariaDB, and ServiceNow has begun planning the move to a new database; Cloud Encryption is compatible with multiple types of databases, including MariaDB, Postgres®, and other database systems ServiceNow may use in the future.

If you are a customer you can continue to renew with Database Encryption until Washington’s General Availability – March 20th, 2024.

How may I tell if my instance has been encrypted with DARE (Cloud Encryption)?

As a user with any of the following roles you can validate the encryption:
  • sn_kmf.cryptographic_auditor, or
  • sn_kmf.cryptographic_manager, or
  • sn_kmf.admin

Step-01: Go to the "Cloud Encryption Key Management" menu and click on "Key Management Operations".
Step-02: Click on the "Key Alias" item for the active key to confirm the key creation date and other details about the key.

Note:

To validate this, make sure the Cloud Encryption plugins are enabled:
  • ServiceNow Cloud Encryption [com.glide.platform.cloud_encryption]
  • ServiceNow Cloud Encryption Global [com.glide.platform.cloud_encryption.global]

What do the Cloud Encryption entitlement and migration process look like?

ServiceNow will schedule database migrations in a phased approach (starting in 2024 through 2025, or further out if that’s when a customer obtains the Cloud Encryption entitlement).

As this is a phased approach, customers are migrated on a timeline that aligns with the resources ServiceNow has available. The majority of Database Encryption customers will be able to begin migrating to Cloud Encryption in 2025.

The migration from Database Encryption to Cloud Encryption will occur during the database migration.

How is instance cloning supported with cloud encryption or DBE?

  • If a clone is done from an encrypted source to an unencrypted target: the target will be encrypted after the clone is completed.
  • If a clone is done from an unencrypted source to an encrypted target: the target will no longer be encrypted after the clone is completed.

It is critical that all instances are encrypted to avoid unintentionally exposing decrypted data.

If this article helped you in any way to understand Cloud Encryption, Database Encryption (DBE) and the transition process, please mark it as 'Helpful', 'Bookmark' it for future reference, and share it with your peers and teammates.
