Encryption and security of discovery credentials

Community Alums

I am having a really hard time coming to grips with the security surrounding our discovery credentials. In turn, our Chief Security Officer is throwing up roadblocks with regard to credentials that have access to the servers.

Does anyone have more information regarding this topic, in particular these questions?

I understand that the credentials are stored in the ServiceNow cloud platform with 3DES encryption, which is very strong and, at present, several magnitudes too large to be broken computationally. But as stated in the Wiki, they are decrypted at the ServiceNow end with an instance encryption key. Where is this key stored? If there was a breach at the ServiceNow end, what is in place to prevent an infiltrator using the encryption key and the stored credential to decrypt it themselves and then compromise our security with an account that has local admin access to all our machines, servers, networking equipment, etc.?

Is there a middle-ground opportunity whereby we can enable read-only access to our servers through a locked-down account? I have attempted to follow the wiki partially in this area, but it has left us with inconsistent access to the test servers and with certain elements of discovery not working.

5 REPLIES

Well, maybe I didn't understand your question clearly, but I think it is not necessary to create the MID Server user as a local or domain admin. For most cases it is enough when the Windows user has read permission.



Of course, certain probes also require additional access to Windows directories and resources, as described here: http://wiki.servicenow.com/index.php?title=Discovery_Windows_Probes_and_Permissions#gsc.tab=0