on 01-18-2022 09:04 AM
In the second part of our series, we explored how the InCountry platform can address the compliance issues in ServiceNow with minimal effort from your side. To remove any confusion out there, we want to compare our solution to the ServiceNow Edge Encryption that can also be applied to handle compliance regulations when dealing with PII data in ServiceNow, and how that native solution differs from the InCountry platform.
How Edge Encryption works
ServiceNow Edge Encryption encrypts and decrypts sensitive data that is communicated between your company premises and the ServiceNow cloud instance. This option allows you to control the end-to-end encryption of your sensitive data and perform key management within your corporate facilities.
Edge Encryption utilizes a proxy application that is installed within your own corporate network, so you have full control over it without exception. This proxy application can either tokenize specific data patterns or encrypt supported fields (such as string, date, date/time, or journal fields, as well as attachment data) before they are transferred from your premises to your ServiceNow instance. This proxy application can also decrypt the same data within your own corporate network, using the encryption keys stored on your own premises. ServiceNow has no access to your encryption keys, so no sensitive data values are accessible in clear text by ServiceNow cloud instances. Edge Encryption works with AES 128-bit and AES 256-bit encryption keys and supports standard, equality-preserving, and order-preserving encryption types.
The Edge Encryption proxy application requires a MySQL database hosted within your corporate network when using order-preserving encryption or encryption patterns. Clear-text values are stored in the proxy application's database in your network. Thus you need to take adequate measures to secure and regularly back up your proxy application's database.
The proxy application operates as a bridge between your browser and your ServiceNow cloud instance. The browser traffic goes through this gateway, which encrypts outbound data marked for encryption and decrypts inbound data, so the end-user views clear-text values in their browser when working with ServiceNow.
Components of Edge Encryption
The Edge Encryption solution is built on a proxy server that runs on the server within your corporate network and the Edge Encryption extension installed on your ServiceNow instance. When you use order-preserving encryption types or encryption patterns, you also need to set up a proxy database.
Proxy application
When sensitive data goes through the Edge Encryption proxy server, the Edge Encryption extension lets you specify which fields, patterns, and attachments should undergo encryption. Additionally, you can define encryption rules to encrypt only specific requests and schedule mass encryption jobs.
Proxy server
The proxy server uses encryption rules to identify what to encrypt within an HTTP request payload and encrypts it before routing the request to the ServiceNow cloud instance. When decrypting, the proxy server checks HTTP responses for any encrypted data and decrypts it before returning the response to the client. The proxy server must handle all HTTP requests and responses; otherwise, Edge Encryption may not work properly. This applies to any requests coming from a browser, including SOAP or REST requests.
Proxy database
When using order-preserving encryption or encryption patterns, your proxy server needs a MySQL database located in your network. All the proxy servers in your network must use the same database as a single source of truth.
As encryption patterns deal with tokenization, the proxy database stores clear-text values that are mapped to tokens stored in the ServiceNow cloud database. If the proxy database is corrupted, you will not be able to restore clear-text values.
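The tokenization flow described above can be sketched as follows. This is an added example, not ServiceNow's implementation: the SSN-like pattern, the `TOK_` token format, the class and function names, and the use of sqlite3 in place of the MySQL proxy database are all assumptions made for illustration.

```python
import re
import secrets
import sqlite3

# Assumed pattern (SSN-like values); real encryption patterns are set by the administrator.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Assumed token format, chosen so tokens are easy to locate in responses.
TOKEN_PATTERN = re.compile(r"TOK_[0-9a-f]{32}")


class TokenVault:
    """Clear-text <-> token mapping kept on premises (sqlite3 stands in for MySQL)."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS vault (token TEXT PRIMARY KEY, clear TEXT UNIQUE NOT NULL)"
        )

    def tokenize(self, clear):
        row = self.db.execute("SELECT token FROM vault WHERE clear = ?", (clear,)).fetchone()
        if row:
            return row[0]  # design choice of this sketch: one value maps to one vault row
        token = "TOK_" + secrets.token_hex(16)  # random, so it reveals nothing about the value
        self.db.execute("INSERT INTO vault (token, clear) VALUES (?, ?)", (token, clear))
        self.db.commit()
        return token

    def detokenize(self, token):
        row = self.db.execute("SELECT clear FROM vault WHERE token = ?", (token,)).fetchone()
        return row[0] if row else None


def outbound(vault, payload):
    """Request path: replace every pattern match before the payload leaves the network."""
    return SSN_PATTERN.sub(lambda m: vault.tokenize(m.group(0)), payload)


def inbound(vault, payload):
    """Response path: restore clear text; tokens missing from the vault are left unchanged."""
    return TOKEN_PATTERN.sub(lambda m: vault.detokenize(m.group(0)) or m.group(0), payload)


if __name__ == "__main__":
    vault = TokenVault()
    sent = outbound(vault, "Caller SSN 123-45-6789, callback requested")  # constructed sample
    print(sent)                         # what the cloud instance would store
    print(inbound(vault, sent))         # what the end user sees behind the proxy
    print(inbound(TokenVault(), sent))  # lost or empty vault: the token cannot be reversed
```

Because the token is random rather than derived from the value, the vault is the only way back to the clear text, which is why its backup and access control matter as much as key management does for the encrypted fields.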
Pros and cons of Edge Encryption
When introducing Edge Encryption for your ServiceNow cloud instance, you should consider possible functional limitations within a ServiceNow instance as a result of adding an additional layer of security.
Advantages of using Edge Encryption include the following:
- You get absolute control of who sees your sensitive information and can prevent data breaches.
- Sensitive information is stored on your proxy server and never leaves your network unencrypted.
- Sensitive information is encrypted in transit before it even reaches the ServiceNow cloud instance.
- You keep and manage all your own encryption keys. No one else outside of your company can touch your keys.
- You can choose the appropriate encryption algorithm: AES-128 or AES-256.
- Encryption is supported for different field types: string text, date and date/time fields, attachments, URLs, and journals.
- Edge Encryption provides standard, equality-preserving, and order-preserving encryption of data at rest within the database and ServiceNow cloud instance.
- Encryption rules support custom scripts that help the proxy server identify what to encrypt and where to put that encrypted information in the database. This is useful when the data structure differs from the ServiceNow cloud instance.
- Encryption patterns support tokenization of information such as passwords.
Disadvantages of using Edge Encryption include the following:
- Edge Encryption increases request processing time and adds delay to traffic between the user and ServiceNow cloud instances.
- Management and maintenance of your own encryption keys can require significant resources.
- Management of the entire infrastructure for the operation of Edge Encryption (proxy server, proxy application, and proxy database) might require significant effort from your side.
- You can maintain a maximum of two keys, with no flexibility to define different keys for different subsets of columns/data, or for different roles, etc.
- The server or platform can't decrypt the data, so it cannot perform any manipulation of the decrypted data on the server side.
- You have a single database that stores sensitive clear-text values, which will not be sufficient when dealing with customers from multiple countries with stringent data regulations.
Localization of regulated data with Edge Encryption
More and more countries have issued data regulations and PII protection laws that greatly complicate multinational business operations in these countries. Companies encountering such challenges need to adapt to the constantly changing legislative landscape and envision all the risks that are present. These risks and uncertainties usually affect customers and end-users, as companies need either to work out elaborate approaches to service them properly or to leave regulation-stringent markets for good.
Over recent years, modern businesses and large enterprises have encountered new regulations on how to handle customer PII data in Russia (152-FZ), China (PIPL), Saudi Arabia, Turkey, and other countries. The regulations in these countries all require data owners to localize citizens' data within the country of origin. Such an approach can work for proprietary software systems, but this is not achievable for SaaS solutions operating in the cloud.
A great number of companies use the ServiceNow Cloud to provide support services to their customers, and data localization requirements greatly impact what they are doing now. You cannot just keep the data of Russian citizens in the ServiceNow cloud database, as you need to localize it within the territory of the Russian Federation. Designing and engineering an appropriate solution considering all the regulation specifics can take months of work, which can result in market share decrease, deteriorating company brand, and abrupt drops in customer loyalty.
Edge Encryption seems a good way to localize data in a specific country if the customer segment is relatively large. An experienced DevOps team can implement this within an acceptable amount of time, so the quality of customer support will not be compromised by switching to the local support solution (if it is available).
In this case, your proxy server will store the sensitive data of your customers from a country with stringent regulations, so this data does not leave the boundaries of its country of origin. The proxy application can be configured to encrypt and decrypt this data stored in the ServiceNow cloud instance, so you stay compliant and keep customer data on your premises in the necessary country.
Unfortunately, this approach is not scalable if you have customers from more than one country. Edge Encryption cannot handle this as you can have only one proxy database for storing clear-text values. How can you manageably handle this? It's quite easy when using the InCountry platform.
InCountry’s data residency-as-a-service platform
InCountry provides a data residency-as-a-service platform that integrates with the leading SaaS platforms, such as Salesforce and ServiceNow. InCountry has points of presence (databases for regulated data retention) in more than 90 countries, so you don't need to set up a separate proxy server in each country where you run local data through ServiceNow. When using the InCountry platform, you just need to install the Data Residency for ServiceNow application and set up a connection to the required countries, and that's it.
Every time you deal with the PII data of your customers, the application will save it to the country of origin and will pull it from there once you need to view it in ServiceNow. The application can work with multiple countries, considering the specifics of local data regulations and adapting to these requirements. When using the InCountry Data Residency for ServiceNow solution, you don't need to manage any infrastructure, fortify the existing company network, monitor continuously appearing vulnerabilities in your infrastructure components, perform regular updates, or monitor the network perimeter. InCountry takes this burden from you in full, and all you need to do is service your customers and provide superior support quality to them.
How the InCountry platform differs from Edge Encryption
In essence, the two solutions are quite alike and provide an almost identical set of functionality, but in slightly different ways. While Edge Encryption requires the setup of a proxy server in each country in which you need to localize the data of your customers, the InCountry platform provides support for 90+ countries out of the box, and can expand the geography of availability in other countries per customer request. Both solutions support the AES-256 encryption algorithm, but the main difference is that Edge Encryption supports tokenization, while InCountry's application just nulls out values in the ServiceNow user interface.
When we talk about PII data management and retention, you need to adjust Edge Encryption to save data in the particular country, but when using InCountry's application, you just set the configuration rules. The key difference is that customer data is stored in ServiceNow in the encrypted form and in the proxy server in clear-text form, while on the InCountry platform, all PII data is stored on the InCountry platform and loaded when the user views or edits this data. When using Edge Encryption you need to have a VPN, but with InCountry you don't have to as the application considers cross-border rules and regulates access to PII data. Both solutions can work with multiple countries, but Edge Encryption cannot support a distributed network of proxy databases, which can be an issue when dealing with customers from Saudi Arabia or China. What makes the InCountry platform stand out is that it uses geo IP identification, which regulates access to PII data and does not allow users to view the PII data of customers from countries with stringent regulations, forbidding access to data outside the country of origin.
Edge Encryption supports more field types, but InCountry is continuously working on adding the missing fields based on customer requests and their priority.
The other crucial difference between the solutions is the pricing. When using Edge Encryption you need to spend money on infrastructure management, but with the InCountry platform you just pay for the records you store. This becomes very efficient when you need to store a small number of records but in many countries, a situation where the setup of a proxy server in each country would greatly increase your company's expenditures. With the InCountry platform, you will not even notice this spending at all.