Storing sensitive data in password field for Requested item form

‎08-15-2018 08:42 AM
We have an initiative where they want to store the PII information in ServiceNow for Request items.
There is a challenge in using encryption context on request item because you can't encrypt variables using encryption contexts... and we do not want to use edge encryption.
My solution to this is to store the data in a 2 way password encrypted field. This field can be present on the request item table or some other table.
There will be a ui page on the request item which will call a script include and decrypt this password based on certain conditions.
The problem here is that when someone applies a direct filter as shown below, they are able to get the data.
I can store the data in some other hidden table which is not easily accessible but even then this will still be a security loophole.

‎08-15-2018 09:04 AM
Using a business rule, you can hide the variables on the Task and Request based on the assignment group. I did this with a confidential security investigation request.
Table: Variable Ownership [sc_item_option_mtom]
Advanced: Yes
When to Run
    When: before
    Query: Yes
Advanced
    (function executeRule(current, previous /*null when async*/) {
        // Before-query rule: users outside the group never get the
        // variable rows that belong to the restricted catalog item.
        if (!gs.getUser().isMemberOf('YOUR ASSIGNMENT GROUP')) {
            current.addQuery('request_item.cat_item.name', '!=', 'YOUR CATALOG ITEM');
        }
    })(current, previous);
I hope that this helps. If so, please mark Helpful or Correct.

‎08-15-2018 09:10 AM
You're correct that you can't use the encryption context on the variable, but you can move it into an encrypted field and if it is being submitted by users without the encryption context, you can use a GlideRemoteGlideRecord call with a user that has the context to perform the encryption.
There are a few pieces you need to do it the way I've described. When I've done this in the past it has been more complicated because it was searching for sensitive data across a variety of fields and based on what was found, masking the data in place and then moving into one of a couple different encrypted fields. I think I've captured the elements that you'll need though.
Before insert Business Rule on Requested Item to call an event with the encrypted data. This allows enough time for the requested item to finish getting created before trying to run a GlideRemoteGlideRecord call to update it with the encrypted data.
    // Hand the value to the event queue, then blank the variable on the record
    gs.eventQueue('encrypt.data', current, current.variables.sensitive_data);
    current.variables.sensitive_data = '';
Create an event called encrypt.data.
Create a script action to run when the encrypt.data event is triggered. This will call a script include to run the remote glide record call and then remove the sensitive data from the event parameter.
    var encrypt = new encryptData();
    encrypt.encryptData(current.sys_id, event.parm1);
    // Clear the value from the event record once it has been written
    event.parm1 = '';
    event.update();
Script Include named encryptData would look something like this. Replace the name of your encrypted field in the 'field' variable.
    var encryptData = Class.create();
    encryptData.prototype = {
        initialize: function() {
        },
        // record: sys_id of the Requested Item; data: the value to store
        encryptData: function(record, data) {
            // `current` is the global set by the calling script action
            var table_name = current.getTableName();
            // Instance and credentials of the user that has the encryption context
            var instance = gs.getProperty('encryption.instance');
            var username = gs.getProperty('encryption.user_id');
            var password = gs.getProperty('encryption.password');
            var rgr = new GlideRemoteGlideRecord(instance, table_name);
            var field = '<insert encrypted field name>';
            rgr.setBasicAuth(username, password);
            rgr.addQuery('sys_id', record);
            rgr.query();
            if (rgr.next()) {
                // Only write when the encrypted field is still empty
                if (rgr.getValue(field) == '') {
                    rgr.setValue(field, data);
                    rgr.update();
                }
            }
            return;
        },
        type: 'encryptData'
    };
Hope this helps. Let me know if you try it and how it goes.
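The masking step mentioned in the reply above (find sensitive values across several fields, mask them in place, move the clear values to an encrypted field), as an added example that is not the poster's code. The two patterns, the keep-last-four rule, the field names and the sample text are assumptions; it is written in plain ES5 so it runs in Node as well as in a server-side script.

```javascript
// Added example. The patterns, field names and sample text are assumptions.
var PATTERNS = [
  { kind: 'ssn', re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { kind: 'card', re: /\b\d(?:[ -]?\d){12,18}\b/g, check: luhnValid }
];

// Luhn checksum: stops long digit runs such as ticket numbers being treated as cards.
function luhnValid(candidate) {
  var digits = candidate.replace(/\D/g, '');
  var sum = 0;
  for (var i = 0; i < digits.length; i++) {
    var d = Number(digits.charAt(digits.length - 1 - i));
    if (i % 2 === 1) { d *= 2; if (d > 9) { d -= 9; } }
    sum += d;
  }
  return sum % 10 === 0;
}

// Replace letters and digits with '*', keeping the last four characters.
function maskValue(value) {
  return value.slice(0, -4).replace(/[0-9A-Za-z]/g, '*') + value.slice(-4);
}

// Mask matches in every field and return the clear values separately, so the
// caller can write them to an encrypted field and store only the masked text.
function maskSensitive(fields) {
  var masked = {};
  var extracted = [];
  Object.keys(fields).forEach(function (name) {
    var text = String(fields[name]);
    PATTERNS.forEach(function (p) {
      text = text.replace(p.re, function (match) {
        if (p.check && !p.check(match)) { return match; }
        extracted.push({ field: name, kind: p.kind, value: match });
        return maskValue(match);
      });
    });
    masked[name] = text;
  });
  return { masked: masked, extracted: extracted };
}

// Constructed sample input, not real data.
var SAMPLE = {
  short_description: 'SSN 123-45-6789 on file',
  comments: 'Card 4111 1111 1111 1111, ref 1234567890123'
};
var result = maskSensitive(SAMPLE);
console.log(result.masked, result.extracted.length);
```

Each entry in `extracted` records which field the value came from, so the caller can decide which encrypted field receives it.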

‎08-15-2018 01:00 PM
Hi David,
In the below statement it seems you just update the field in some table in some remote instance. I do not see any encryption happening.
Assuming that any data update done using 'GlideRemoteGlideRecord' automatically encrypts the data, are we supposed to retrieve it later when we need to show the PII data to the Support team?
    if (rgr.next()){
        if (rgr.getValue(field)==''){
            rgr.setValue(field,data);
            rgr.update();
        }
    }