Interested in ServiceNow security and need to know where to start? Great, welcome to securing Everything as a Service with ServiceNow Security Best Practices. It's likely you are tasked with running your ServiceNow instance AND keeping it secure — that's no small task and we're here to help. Security has never been a more relevant topic.
In response to the current threat landscape, the security team at ServiceNow is reaching out to engage the community by answering some of the more common questions and concerns. Your leadership team might ask you questions like "Is our data protected?" or "What security controls are applied to our instance?" or even "What have I done to ensure that our instance is safe?" Follow our recommendations and you'll be able to lock down your instance like a boss!
Whether you have been part of the ServiceNow ecosystem since the good old days or are on the sugar high from your go-live cake, there is a wealth of accessible resources to learn about the security controls relevant to your ServiceNow instance(s). In this post we'll keep it high-level to provide an overview of where to find salient information for ServiceNow Security.
Instance Hardening Guide
The Instance Hardening Guide should be used as a starting point for any new instance, and for finding additional security features you might not be aware of. It covers a number of best practices, from access-control lists (ACLs) to attachments and passwords. If your enterprise utilizes the Discovery functionality, the guide also includes our recommendations for configuring MID servers. Consider the hardening guide ServiceNow's security best practices guide.
How-To Documentation
The ServiceNow Wiki is a legacy repository containing security documentation. Of particular interest to most security-minded individuals is the management of Access Control Lists (ACLs). There is also extensive information on configuring alternate authentication mechanisms like SSO and SAML, and details on our High Security Plugin. Our support engineers at ServiceNow also keep the community updated with blog posts. See what Bill Brown had to say in You Don't Need a VPN Pt I - LDAP Integrations, User Data Imports & the MID Server solution and You Don't Need a VPN Part III - Using Single Sign-On for Authentication. And maja jovanovic had interesting workarounds to share in Viewing articles in Knowledge v3 without High Security activated.
Staying Up to Date
So you've locked down your instance and you want to make sure you keep that new car smell; don't worry, we've got you covered. Beginning in Q3 of 2015, ServiceNow will automatically patch your instance every quarter to address security and performance issues. Security issues will be noted in the release notes; when the notes list patched security issues, you may choose to update prior to the automatic upgrade. Always be sure to upgrade your development or QA instances first and test before upgrading production.
Follow the Security space as we dive deeper into the technical details and discuss security enhancements to the product or optional controls you may utilize in your ServiceNow instance. If you find yourself with questions, feel free to open an Incident in HI and ask for the product security team.
To share sensitive information with us, our PGP/GPG key is included.