rachidh
ServiceNow Employee

As a ServiceNow customer, you have control over the security of your instance and your data within the ServiceNow cloud. You have the ability to control specific security settings within the instance that enable you to harden the application and platform settings to meet your unique security needs. You can choose from several data-at-rest encryption options, manage application-level role-based access controls and authentication mechanisms, and you are also permitted to conduct an application-level penetration test against your sub-production instance every year. We believe security is a shared responsibility between ServiceNow and our customers.

Security keeps evolving, as new threats and vulnerabilities emerge every day. How do I know my ServiceNow instance is secure over the duration of my subscription?

1. Follow the ServiceNow Instance Hardening Guide for the key settings and configurations that can be implemented to improve the security of your ServiceNow instance.
a. You can check the Instance Security Dashboard for a real-time evaluation of your Instance Hardening progress. The dashboard also allows you to review basic security alerts, such as failed administrator login attempts and latest administrator login.


2. Apply patches to your instance. ServiceNow gives its customers the flexibility to apply patches at their discretion to allow for any impact to functionality, but patches should be applied as quickly after their release as possible. The Patching Program schedules patches in intervals throughout the year to make sure that your instance is up-to-date with the latest security, performance, and availability requirements. ServiceNow supports the current release (N) and the most recent previous release (N-1). If you are on a version earlier than N-1, you are putting your instance at risk, as older versions are unsupported. Instances on versions earlier than N-1 must upgrade, or ServiceNow will initiate a forced upgrade.


3. As discussed above, ServiceNow allows customers to perform an annual penetration test. Plan your penetration test by following the procedure outlined here. Because we allow all of our customers to perform a penetration test, this is equivalent to a crowd penetration test that helps improve the Now Platform at rapid scale! Of course, ServiceNow also has an internal functional penetration testing program, as well as a third-party penetration testing program. Because we encourage our customers to continually innovate with ServiceNow, functional testing is always available. This enables customers to test their integrations with ServiceNow without performing a full penetration test. This can be done continuously, not just once per year: see "simulated testing methods".


4. Communication between ServiceNow's security team and our customers' security teams is important to make sure any major security-related information can be disseminated quickly and efficiently. To that end, please make sure there is a designated security contact for your company listed in NOW Support here.


5. Monitor your instance regularly using Instance Security Center: review system logs and restrict admin accounts. Admin-related events and other security events can be tracked automatically in your Instance Security Dashboard.

Enjoy ServiceNow securely and please do not hesitate to pass along your feedback on any topics, concerns, or questions regarding ServiceNow Platform Security.

Did these resources help to answer some of your ServiceNow platform security questions? Comment below!

 
