3 weeks ago
I've been reading this document: ITOM Visibility security overview
I'm working with a customer that wants to enrich their CMDB but is not able to store any credentials in their ServiceNow cloud instance.
I see that there are alternatives like having them in Cyber Ark or BeyondTrust (https://www.servicenow.com/docs/r/platform-security/connections-and-credentials/c_ExternalCredential... ) but also using ACC and "Credential-less discovery".
My question is:
Is it possible to run Credential-less discovery and get IT infrastructure (on prem and Cloud) using Credential-less discovery - without storing any credentials in ServiceNow?
I really need answers from someone who has done this and KNOWS this. Not just linking to an article that tells me 50% of what I need to know. Sorry for the harsh tone but this is an increasing problem nowadays 🙂
3 weeks ago
Heyhey,
Having done all of the above, let me try to give an answer.
Your first option is to use an external credential store (BeyondTrust, CyberArk or anything that has an exposed API for credentials). Doing this will give you the full functionality of the Discovery without storing Credentials on ServiceNow (Note: You will need to create credential-records which point to the correlating entry in the credential store). This is the best way forward, if you don't want to use ACC.
Going for ACC has the advantage of not needing credentials on the ServiceNow platform. However, it comes with the limitations of - well - using ACC: No network device discovery & needing to install an agent on everything.
Lastly, you have credential-less discovery. This is the last straw. It is super limited with what it can discover. Out of all of these it is the only "true" credential-less discovery as it does not need any credentials at all. But what you get is just the data available through the NMAP protocol. Which is absolutely nothing.
So out of all these options, if you can, go with the first option: Credentials, but stored in a credential store, not on ServiceNow.
If you only want hosts, then ACC might be okay.
Credential-less is only for getting an idea for a device. Absolutely not enough to fill your CMDB. I would not recommend using this as the only inventory solution.
Hope this helps.
Regards
Fabian
3 weeks ago - last edited 3 weeks ago
Hi Fabian and thanks for taking time here with my question.
I did some digging yesterday and it seems that ACC-V is the best alternative so far.
I really like it that you took time and gave me a thorough answer since you mentioned all the ideas I had myself regarding CyberArk, ACC and Credential-less discovery with your own experience of this. Both ups and downs.
Hope you have a great day and thanks once again.
Kind regards
/Henrik
3 weeks ago
Happy to help. Just to make sure we are on the right track: The visibility extension for ACC is called ACC-V. So please look into that.
It is also built on the Sensu Monitoring Framework, so even though you may not be able to directly discover networks, it may have extensions for connected devices. If you have any questions, feel free to check this forum. Usually people are quite helpful (or just reach out to me directly).
