05-13-2020 06:32 AM
Hi All
We have been asked to do encryption for our instance and we have been comparing database encryption vs edge encryption to see which one suits us better.

Database Encryption versus Edge Encryption
=====================================================================================

Database Encryption is complementary to application tier encryption but does not replace it in some cases. Common use cases addressed by application level encryption but not Database Encryption include:
- Data must be protected at the application layer
- Data must be accessible in the clear to only certain groups of users
- Customer must own encryption keys (Edge Encryption only)
- ServiceNow cannot have access to data in the clear (Edge Encryption only)
- Encrypted data should not be in the clear outside of the customer’s environment (Edge Encryption only)

Database Encryption also covers certain use cases that application-level encryption does not:
- Protection of data types that cannot be encrypted via Edge Encryption or column-level encryption
- Encryption with no impact to functionality
- Encryption of all data-at-rest

Database Encryption can be used in conjunction with Edge Encryption and/or column-level encryption to apply a layered security approach. Database encryption protects all data at rest and Edge Encryption or column-level encryption provides higher security protections to sensitive fields such as PII and PHI.

Now, I got the above info from the product documentation. I am trying to analyze the pros and cons of using edge encryption over database encryption for a simple ITSM system. Can someone please explain the major pros and cons of these two approaches in layman's terms, please? Thanks a lot.

05-14-2020 07:43 AM
Edge Encryption, if that's your concern.
There really isn't much else to say that someone else hasn't already said here, so I think you've done a good job evaluating everything, but if you're ultimately wanting the data to be secure on YOUR end with SN NOT having access, then Edge Encryption is it.
Ultimately, you'd want to discuss this with your company. I'm unsure of your position, but your profile says Dev. So, really, the platform owner + compliance + security team would be the ones to have the ultimate say. Then the company over top of that as there is a price model associated...so that may or may not change the approach.
Please get your SN Account Executive to discuss pricing of Edge and Database, then run it through the appropriate channels and they can make the final call.
Please mark reply as Helpful/Correct, if applicable. Thanks!
Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!

05-13-2020 07:21 AM
If your security team is fine with SN holding encryption keys, then the best option is Database Encryption.
Edge requires server patching, SN upgrades, Java updates, etc., which adds up time when you are doing it.

05-13-2020 07:28 AM
Hello,
We've sort of covered some of this here in your other post: https://community.servicenow.com/community?id=community_question&sys_id=d1aa2d641b34d010a59033f2cd4b...
But...to boil it all down, point blank:
If your company is fine with ServiceNow having access to the encrypted data (which in normal situations...is just fine...) then Database Encryption is all you need.
If your company is responsible for extensive amounts of data...and you're a healthcare company, security company, have nuclear code access, stuff like that...then Edge Encryption would be what you'd want to do.
Also...on top of those 2 things...you'd want to review pricing. They are NOT the same price. They are NOT the same setup process either. Edge Encryption requires some extensive setup that a regular Joe...can't do without trouble.
You'd need to review pros and cons for yourself. Your company needs to review pros and cons from a data security issue...so your CISO or someone would have a better opinion about all this.
In my experience, I won't mention the company names, but 2 of the healthcare companies I've worked for opted for Database Encryption. Starting with Orlando...Database encryption also allows you to handle the "keys" to your encryption whereas before Orlando...you only got that if going with Edge (I'm looking for the official verbiage on this but right as I was leaving my last company they were talking to SN Account Reps and we were told that).
Link to the white paper, which I think you already have, but providing it again here, because it's useful and explains the difference: https://www.servicenow.com/content/dam/servicenow-assets/public/en-us/doc-type/resource-center/white...
Please mark reply as Helpful/Correct, if applicable. Thanks!
Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!
05-14-2020 06:43 AM
Hi All
I need one more clarification. Please guide me. In case of database encryption, once data is encrypted at the DB layer, can the ServiceNow team access that data?

05-14-2020 07:22 AM
Yes, by accessing the instance, but you will see a login event for them. They probably can via the database server or other backend item, but I doubt many people on their end would have the access to do so, but I do not know for sure. My impression of Database Encryption is more about someone stealing the file and also complying with policies that require data to be secured at rest.
05-14-2020 07:31 AM
Hi Drew
Thanks for replying. In that case, should I opt for edge encryption? I have vulnerable data and I don't want the product team to have access to that data, even from the backend. What encryption method should we use?