Database encryption vs Edge encryption

Gary22
Tera Contributor

Hi All 

We have been asked to do encryption for our instance, and we have been comparing database encryption vs edge encryption to see which one suits us better.

Database Encryption versus Edge Encryption

Database Encryption is complementary to application tier encryption but does not replace it in some cases. Common use cases addressed by application-level encryption but not Database Encryption include:

- Data must be protected at the application layer
- Data must be accessible in the clear to only certain groups of users
- Customer must own encryption keys (Edge Encryption only)
- ServiceNow cannot have access to data in the clear (Edge Encryption only)
- Encrypted data should not be in the clear outside of the customer's environment (Edge Encryption only)

Database Encryption also covers certain use cases that application-level encryption does not:

- Protection of data types that cannot be encrypted via Edge Encryption or column-level encryption
- Encryption with no impact to functionality
- Encryption of all data-at-rest

Database Encryption can be used in conjunction with Edge Encryption and/or column-level encryption to apply a layered security approach. Database encryption protects all data at rest, and Edge Encryption or column-level encryption provides higher security protections to sensitive fields such as PII and PHI.

Now, I got the above info from the product documentation. I am trying to analyze the pros and cons of using edge encryption over database encryption for a simple ITSM system. Can someone please explain the major pros and cons of these two approaches in layman's terms? Thanks a lot.


1 ACCEPTED SOLUTION

Edge Encryption, if that's your concern.

There really isn't much else to say that someone else hasn't already said here, so I think you've done a good job evaluating everything, but if you're ultimately wanting the data to be secure on YOUR end with SN NOT having access, then Edge Encryption is it.

Ultimately, you'd want to discuss this with your company. I'm unsure of your position, but your profile says Dev. So, really, the platform owner + compliance + security team would be the ones to have the ultimate say. Then the company on top of that, as there is a price model associated... so that may or may not change the approach.

Please get your SN Account Executive to discuss pricing of Edge and Database, then run it through the appropriate channels and they can make the final call.

Please mark reply as Helpful/Correct, if applicable. Thanks!




Community Alums
Not applicable

Hi,

Edge Encryption actually uses your own server, acting as a gateway between the SN instance and the client (your browser, started from behind the company's firewall). This way the private key of the certificate doing the encryption is only available to you. In the SN DB you put encrypted values that SN cannot decrypt (well... anything could be decrypted, but that's another topic). Such an approach is for ultra-high security needs. The Edge server is paid and expensive.

If you use DB encryption (a 2-way encrypted field, for example), the private key needed to decrypt (plus the public one, of course) is located in the SN instance itself. You rely on ServiceNow security here (although if you don't trust it, why use SN in the first place 🙂). This is free and doesn't cost you resources compared to Edge.

Both have their place under the sun, but it depends on your needs which one to use.


Hope that helps

Joro

Gary22
Tera Contributor

Based on the below table, everyone should opt for database encryption over edge encryption.

Can anyone highlight why edge encryption would be preferred over database encryption, and in which scenario?

I agree, but if your security people refuse to let ServiceNow hold the encryption keys then you cannot use database encryption.


DrewW
Mega Sage

I would read through the documentation, but last I checked email and journal fields were not supported in Edge Encryption; it's been a number of years since I checked. Edge Encryption is going to require you to maintain servers, which is a point of failure for accessing the instance: if you cannot get at one of the Edge Encryption proxies then you cannot decrypt the data, so you see encrypted values all over.

I think the biggest question you need to answer is: do you need to hold the encryption keys, or is it OK if ServiceNow holds them? If that does not matter then database encryption is easier to deal with and I believe costs less, but that's going to depend on your contract.

Database encryption encrypts everything, so there is no need to mess around with anything and nothing to maintain; it's all on ServiceNow. But they also hold the encryption keys, and that is a deal breaker for some.

Here is a doc that talks about all of the options:
https://blogs.servicenow.com/content/dam/servicenow-assets/public/en-us/doc-type/resource-center/white-paper/wp-data-encryption-with-servicenow.pdf

I'm not a fan of Edge Encryption due to the fact that if the proxies go down or are unavailable for any of many possible reasons, you cannot really use your instance until they are back up.
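As an added illustration (not code from this thread or from ServiceNow), the Python model below contrasts where the key lives in the two options Joro describes and the proxy-outage behaviour DrewW raises: with database encryption the instance holds the key and can decrypt, with edge encryption only the customer-run proxy can, and when that proxy is unavailable the user gets back the stored ciphertext. The cipher is a stand-in keystream-plus-HMAC construction used only to show key placement; the field name `u_notes` and the sample value are constructed.

```python
import hashlib, hmac, os

def _keystream_xor(key, nonce, data):  # stand-in cipher; shows key placement only
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt(key, plaintext):
    nonce = os.urandom(12)
    body = nonce + _keystream_xor(key, nonce, plaintext)
    return body + hmac.new(key, body, "sha256").digest()  # integrity tag
def decrypt(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered value")
    return _keystream_xor(key, body[:12], body[12:])

class Instance:  # hosted instance: field store plus, for database encryption, its own key
    def __init__(self, db_key=None):
        self.db_key, self.store = db_key, {}  # store holds bytes as they sit at rest
    def write(self, field, value):
        self.store[field] = encrypt(self.db_key, value) if self.db_key else value
    def read_via_platform(self, field):  # what instance-side code (the vendor) can recover
        raw = self.store[field]
        return decrypt(self.db_key, raw) if self.db_key else raw

class EdgeProxy:  # customer-run gateway; its key never leaves the customer network
    def __init__(self, key, instance, available=True):
        self.key, self.instance, self.available = key, instance, available
    def write(self, field, value):
        self.instance.write(field, encrypt(self.key, value))
    def read(self, field):
        raw = self.instance.read_via_platform(field)
        return decrypt(self.key, raw) if self.available else raw  # proxy down: raw shown

def custody_report(secret=b"PHI: patient 4711"):  # constructed sample field value
    db = Instance(db_key=os.urandom(32))  # database encryption: key lives with the instance
    db.write("u_notes", secret)
    proxy = EdgeProxy(os.urandom(32), Instance())  # edge encryption: instance holds no key
    proxy.write("u_notes", secret)
    report = {"db_at_rest_ciphertext": db.store["u_notes"] != secret,
              "db_platform_sees_plaintext": db.read_via_platform("u_notes") == secret,
              "edge_at_rest_ciphertext": proxy.instance.store["u_notes"] != secret,
              "edge_platform_sees_plaintext": proxy.instance.read_via_platform("u_notes") == secret,
              "edge_user_via_proxy": proxy.read("u_notes") == secret}
    proxy.available = False  # the proxy outage DrewW describes
    report["edge_user_with_proxy_down"] = proxy.read("u_notes") == secret
    return report
```

The layered setup from the quoted documentation is the same classes combined, `EdgeProxy(key, Instance(db_key=...))`: the instance can peel off its own layer but still only ever sees edge ciphertext.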