Edge Encryption on ServiceNow Overview

Nick Sessa
Kilo Sage

You've likely heard of edge encryption, but may not understand what it is or how it applies to ServiceNow. Hopefully, I can help with that!

What is Edge Encryption?
Edge Encryption is a security mechanism that encrypts sensitive data as it enters and exits a network boundary, ensuring the data is unreadable if intercepted during transit. It allows organizations to maintain control over their encryption keys and manage the data encryption process within their own infrastructure, rather than in the cloud. This is more common in highly regulated environments where highly sensitive data is being exchanged.


How does it work on ServiceNow? 

When a client makes a request in a ServiceNow environment with Edge Encryption, the request first reaches the Edge Encryption proxy server located within the client's network. This proxy server encrypts the request data according to predefined rules before sending it on to the ServiceNow instance in the cloud. Any data marked for encryption is transformed at this edge layer, so sensitive information is never exposed in its raw form outside the secure perimeter of the client's network. As the ServiceNow instance processes the request, it only handles and stores encrypted data. On the way back, the proxy server decrypts the encrypted response data from the ServiceNow instance before presenting it to the client, so at no point in this communication is sensitive data exposed in clear text over the internet.

Edge Encryption on ServiceNow Benefits:
✔ Encrypts sensitive data at the network edge, ensuring data remains secure both in transit and at rest.
✔ Meets requirements for data residency and sovereignty by ensuring sensitive data does not leave the customer's environment in a readable form.
✔ Customers maintain complete control over encryption keys, which are managed within their infrastructure.
✔ The average additional latency introduced by the encryption process is around 40ms per transaction, which is relatively low.
✔ Edge Encryption also works with mobile devices.
✔ Offers tokenization capabilities for additional security layers, especially useful for patterns like social security numbers and credit card information.
✔ Supports load-balanced configurations to ensure high availability and continuity of encryption services.
✔ Provides the ability to configure which data gets encrypted, with options for field-level encryption.
✔ Users interact with data as they normally would.

Considerations:
👀 Complex Setup and Maintenance: Requires a careful and sometimes complex setup of proxy servers within the customer's network.
👀 Infrastructure Requirements: Customers need to provision and maintain the necessary infrastructure for the Edge Encryption proxies and tokenization databases.
👀 Limited Field Types: Edge Encryption only supports encryption for string, journal, and date fields and not for other data types like choice fields or system fields.
👀 Server-Side Processing Limitations: Encrypted data cannot be used for server-side processing, such as in business rules or scripts that need to evaluate the data.
👀 Customization Needs: Custom HTTP requests or integrations may require additional encryption rules to be written.
👀 Key Management Responsibilities: Customers must take on the responsibility of key management, including key rotation.
👀 Potential Performance Impacts for Attachments: Encrypting attachments can have a more significant performance impact, especially for larger files.
👀 Impact on Reporting and Searching: Reporting capabilities can be limited, and global searches are not supported for encrypted data unless accessed through the proxy.
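To make the request/response flow and the "server-side processing" limitation concrete, here is an added Python model of the flow described above (my example, not ServiceNow's code or the Edge Encryption proxy's implementation). It stands in for the proxy with tokenization, which the benefits list names as an option, rather than encryption, so that it runs with the standard library alone; the real proxy's encryption rules use customer-managed keys. The rule set (`FIELD_RULES`), the SSN pattern rule, the `tok_` token format and the `CloudInstance` stand-in are all assumptions constructed for this example, as is the sample record and its made-up SSN.

```python
import re
import secrets
from typing import Any, Dict, List, Set

# Constructed rule set (assumption): per table, the fields that must never
# leave the customer network in readable form. On the real proxy these are
# Edge Encryption rules; here they are a plain dict.
FIELD_RULES: Dict[str, Set[str]] = {
    "incident": {"description"},
    "hr_case": {"ssn"},
}

# Pattern rule (hypothetical): anything that looks like a US SSN inside any
# string field is tokenized wherever it appears.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
TOKEN_PATTERN = re.compile(r"tok_[0-9a-f]{16}")


class EdgeProxy:
    """Sits inside the customer network. Holds the vault; the cloud never sees it."""

    def __init__(self, field_rules: Dict[str, Set[str]]) -> None:
        self.field_rules = field_rules
        self.vault: Dict[str, str] = {}    # token -> original value
        self.reverse: Dict[str, str] = {}  # original value -> token (stable tokens)

    def _tokenize(self, value: str) -> str:
        if value not in self.reverse:
            token = "tok_" + secrets.token_hex(8)  # 16 hex chars, unguessable
            self.vault[token] = value
            self.reverse[value] = token
        return self.reverse[value]

    def outbound(self, table: str, record: Dict[str, Any]) -> Dict[str, Any]:
        """Request leaving the perimeter: apply field rules, then the pattern rule."""
        protected = self.field_rules.get(table, set())
        out: Dict[str, Any] = {}
        for field, value in record.items():
            if not isinstance(value, str):
                out[field] = value
            elif field in protected:
                out[field] = self._tokenize(value)
            else:
                out[field] = SSN_PATTERN.sub(lambda m: self._tokenize(m.group(0)), value)
        return out

    def inbound(self, record: Dict[str, Any]) -> Dict[str, Any]:
        """Response coming back: swap every known token for its original value."""
        out: Dict[str, Any] = {}
        for field, value in record.items():
            if isinstance(value, str):
                value = TOKEN_PATTERN.sub(lambda m: self.vault.get(m.group(0), m.group(0)), value)
            out[field] = value
        return out


class CloudInstance:
    """Stand-in for the hosted instance: stores and searches whatever it receives."""

    def __init__(self) -> None:
        self.rows: List[Dict[str, Any]] = []

    def insert(self, record: Dict[str, Any]) -> None:
        self.rows.append(dict(record))

    def search(self, needle: str) -> List[Dict[str, Any]]:
        # Server-side evaluation only ever sees tokens for protected data.
        return [r for r in self.rows
                if any(isinstance(v, str) and needle in v for v in r.values())]


def demo() -> Dict[str, Any]:
    """Run one round trip and report what each side could see."""
    proxy = EdgeProxy(FIELD_RULES)
    cloud = CloudInstance()

    # Constructed sample record; the SSN is a made-up value.
    original = {"number": "HRC0001", "ssn": "123-45-6789",
                "short_description": "Payroll fix for 123-45-6789"}

    sent = proxy.outbound("hr_case", original)   # what crosses the internet
    cloud.insert(sent)
    hits_on_plaintext = cloud.search("123-45-6789")  # instance cannot find the real value
    via_proxy = [proxy.inbound(r) for r in cloud.search(sent["ssn"])]

    return {
        "sent": sent,
        "cloud_hits_on_plaintext": len(hits_on_plaintext),
        "proxy_view": via_proxy[0] if via_proxy else None,
        "round_trip_ok": proxy.inbound(sent) == original,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the three points from the text in one pass: the record that crosses the internet carries only tokens in the protected field and in the free-text field where the pattern rule fired; a search on the instance for the real SSN returns nothing, which is exactly why business rules and global search cannot evaluate protected data; and the same search routed back through the proxy returns the original values, because the vault never left the customer's network.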


The image below details how this works in ServiceNow.

[Image: NickSessa_0-1711738355392.gif]
