CMDB Security

Jon Miller1
Kilo Guru

Does anybody have any thoughts, recommendations or experiences on restricting access to the CMDB? Because out-of-box, access is very open, our Information Security group has concerns that if a bad actor compromises a company account with access to ServiceNow (which is basically everybody), they will easily be able to see all of our servers with OS, version, etc. and use that information to gain access to servers with unresolved vulnerabilities.

Has anybody done anything to reduce that risk? Has anybody spoken with ServiceNow and gotten their recommendations? Or does anybody have a good response to that IS argument?


  • I think your security team is essentially asking you to restrict read access on a need-to-know basis, which I would argue anyone who has access to the ServiceNow backend (I'm generalising here, but let's say with an ITIL role) is an IT operator and needs to know.
  • ESS users who only have access to the portal should already be filtered by the allowed request catalogs.

I think at the end of the day, any security concerns need to be weighed up against operational concerns. Locking down a system completely, while secure, is going to be a nightmare operationally and defeats any benefits you derive from a record-keeping system.

Rahul Priyadars
Giga Sage

At the ServiceNow instance level, you can use VPN tunneling for added security.

You can also do IP whitelisting for your instance access.

ServiceNow login generally uses AD SSO; if it's compromised then it's going to be a bigger risk than only ServiceNow.

At the CMDB application level you can add extra access control using ACLs. We have in the past done support-group-wise read/write access on CMDB classes to do some kind of access restriction.

Regards

RP
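A sketch of the support-group-based read ACL RP describes, added here as an example and not code from the thread or from ServiceNow. It has the shape of a ServiceNow read ACL script on a CI class (where `current` is the CI record and `gs.getUser()` the GlideUser object) but uses plain stand-in objects so it runs offline; the role names, group IDs and CI fields are assumptions, and a CI with no support group is denied rather than left open to everyone.

```javascript
// Assumed role names: any of these may read every CI class unrestricted.
const FULL_READ_ROLES = ['admin', 'itil_admin', 'cmdb_read'];

// Decides whether `user` may read `ci`. Shaped like the body of a ServiceNow
// "read" ACL script: in the instance `ci` would be `current` and `user` would
// be gs.getUser(), whose hasRole()/isMemberOf() the stand-ins below imitate.
function cmdbReadAllowed(ci, user) {
  if (FULL_READ_ROLES.some(r => user.hasRole(r))) return true;
  const group = ci.getValue('support_group');
  // Deny by default: an unassigned CI must not become readable by everyone.
  if (!group) return false;
  return user.isMemberOf(group);
}

// Minimal stand-ins for GlideRecord / GlideUser (constructed, not the real API).
function makeCi(fields) {
  return { getValue: name => (fields[name] == null ? '' : String(fields[name])) };
}
function makeUser(roles, groups) {
  return {
    hasRole: r => roles.includes(r),
    isMemberOf: g => groups.includes(g),
  };
}

// Constructed sample data; the group sys_ids are placeholders.
const WEB_OPS = 'group_web_ops';
const DB_OPS = 'group_db_ops';
const webServer = makeCi({ name: 'web01', support_group: WEB_OPS, os: 'Linux' });
const orphanCi = makeCi({ name: 'legacy01', support_group: null });

const webAdmin = makeUser(['itil'], [WEB_OPS]);
const dbAdmin = makeUser(['itil'], [DB_OPS]);
const cmdbReader = makeUser(['cmdb_read'], []);

// Applies the ACL to a list of CIs, i.e. what a list view would show the user.
function visibleCis(cis, user) {
  return cis.filter(ci => cmdbReadAllowed(ci, user)).map(ci => ci.getValue('name'));
}

console.log(visibleCis([webServer, orphanCi], webAdmin));   // [ 'web01' ]
console.log(visibleCis([webServer, orphanCi], dbAdmin));    // []
console.log(visibleCis([webServer, orphanCi], cmdbReader)); // [ 'web01', 'legacy01' ]
```

In the instance the same logic would sit in the script field of a read ACL on the CI class, ending with `answer = cmdbReadAllowed(current, gs.getUser());`, and a write ACL on the same class can reuse it.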

Thanks RP. This further validates our thinking. We do already use IP white-listing and have SSO, but the idea of a VPN tunnel is an interesting one we hadn't considered. I'd rather not go that route (a lot of overhead for not much additional risk reduction, e.g. it doesn't prevent internal, "disgruntled employee" attacks) but could offer that option to our security group.

Please close the thread if you got what you are looking for.

Regards

RP