SandrineR
ServiceNow Employee
03-12-2025
08:47 AM
The Yokohama release is here, and with it comes a suite of powerful new security features. The Platform Security team has been hard at work, and we’re excited to share the highlights. Below is a quick rundown of what’s new, and if you want a deeper dive, join our "Discover What's New in ServiceNow Yokohama Release for Platform Security & ServiceNow Vault" webinar on March 26 to hear directly from the Product Management team.
Platform Security Foundational Updates
We'll start by talking about the out-of-the-box security features we've created to protect your data on the platform:
- There's no doubt about it: Multi-Factor Authentication (MFA) is one of the most effective ways of combating phishing and account takeover attacks. Beginning in Yokohama, ServiceNow will enforce MFA by default for any internal local logins, meaning any login that is not through a Single Sign-On (SSO) provider or from a Service Account. A new MFA policy will be enforced in Personal Developer Instances as well as production and non-prod instances. All internal users using local logins will be prompted to self-enroll within a 30-day period of their first login after the Yokohama upgrade.
- There's a new role for Access Analyzer: When this feature was released, it was only available to people with the admin role. In Yokohama we have added another role, access_analyzer_admin, which is intended for people in support roles to be able to analyze access without having to grant full admin access.
- If you're looking to level up the security of your instance, your first stop should be Security Center. It is a set of tools designed to help your organization maintain the security of your ServiceNow deployments. Using Security Center, you can improve security posture and strengthen compliance levels with a seamless user experience. We have been steadily adding new features and improvements such as Critical Customer Actions. In Yokohama, we have added new entries to the Security Best Practices tool, and some new checks to the Security Scanner tool.
- Security data filters: Security Data Filters remove the need to use scripted Query Business Rules as an access control, which was not their original intent, and improve auditability and performance. Historically, Access Control Lists (ACLs) and the existing data filtration feature have been applied post-query. This approach presented several drawbacks, such as blank pages in list views. Data filters securely enforce additional constraints on database queries, modifying their results before ACLs perform access control. Unlike ACLs, which operate on a default-deny basis, data filters work on a default-allow principle, granting access unless a filter is present. Importantly, ACLs and data filters function collaboratively, with data filters limiting the data ACLs can act upon while ACLs remain the primary administrators of access control on the instance.
- Related Record Access: For large enterprises with multiple departments or sub-organizations working on different projects, managing access to projects and their associated entities, such as project tasks and cost plans, has been challenging without writing complex ACLs. Now, with Related Record Access, users who have access to a record can also access other records related to it, either through direct reference or many-to-many relationships, simplifying access management and ensuring smoother performance.
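The ordering described in the Security data filters item above can be modelled in a few lines. This is an added illustration in plain JavaScript, not ServiceNow code or a ServiceNow API: the rows, the user, the `incident` and `task` table names, and every function name are constructed for the example.

```javascript
// Conceptual model in plain JavaScript; none of this is a ServiceNow API.
// Constructed sample data: 12 incident rows, the last 4 owned by 'hr'.
const rows = Array.from({ length: 12 }, (_, i) => ({
  number: 'INC' + String(i + 1).padStart(4, '0'),
  department: i >= 8 ? 'hr' : 'it',
}));
const user = { name: 'hr.agent', department: 'hr', roles: ['itil'] };

// ACLs are default-deny: with no matching rule for the table, access is refused.
function aclAllows(acls, table, u, row) {
  const rules = acls.filter((a) => a.table === table);
  return rules.length > 0 && rules.some((a) => a.test(u, row));
}

// Data filters are default-allow: with no filter on the table, every row passes.
function applyDataFilters(filters, table, u, data) {
  const active = filters.filter((f) => f.table === table);
  return data.filter((row) => active.every((f) => f.test(u, row)));
}

const page = (data, n, size) => data.slice(n * size, (n + 1) * size);

// Post-query control: fetch a page, then hide rows the ACL rejects.
function listPostQuery(acls, table, u, data, n, size) {
  return page(data, n, size).filter((row) => aclAllows(acls, table, u, row));
}

// Data filter first: constrain the query, page the result, then let ACLs decide.
function listWithDataFilter(filters, acls, table, u, data, n, size) {
  const constrained = applyDataFilters(filters, table, u, data);
  return page(constrained, n, size).filter((row) => aclAllows(acls, table, u, row));
}

const sameDept = (u, row) => row.department === u.department;
const hasItil = (u) => u.roles.includes('itil');
// Legacy style: the department restriction lives in the post-query ACL.
const legacyAcls = [{ table: 'incident', test: (u, r) => hasItil(u) && sameDept(u, r) }];
// Data-filter style: the filter narrows the rows, the ACL still grants access.
const acls = [{ table: 'incident', test: hasItil }];
const filters = [{ table: 'incident', test: sameDept }];

// First page of 4: blank under post-query control, full with a data filter.
console.log(listPostQuery(legacyAcls, 'incident', user, rows, 0, 4).length);         // 0
console.log(listWithDataFilter(filters, acls, 'incident', user, rows, 0, 4).length); // 4
```

Passing an empty ACL list to `listWithDataFilter` returns no rows, which matches the point that a data filter narrows what ACLs act on but does not grant access by itself.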
Vault and Domain Separation
As you move more of your workflows onto the ServiceNow Platform, your security needs grow and change. That’s why we offer premium security solutions like the ServiceNow Vault bundle, which provides sensitive data discovery, advanced encryption, code signing, key management, and zero-trust access controls. Certain organizations choose to leverage Domain Separation, which allows them to segment data and processes for greater isolation and governance. In the Yokohama release, we’ve introduced new capabilities to help you further enhance security while maximizing the power of the platform. Here’s what’s new.
- The centerpiece of ServiceNow Vault is the data-at-rest encryption capabilities made available through the Platform Encryption component, which itself consists of Cloud Encryption and Column Level Encryption Enterprise. For years, customers have used Column Level Encryption Enterprise to encrypt the values written into some database columns while preserving Platform functionality and performance. We have some exciting features on the product roadmap that are going to open up all kinds of new use cases for our customers - but the existing Column Level Encryption Enterprise product has some technical challenges that are making that hard to achieve. So, in Yokohama, we are introducing Field Encryption and Field Encryption Enterprise as a replacement for Column Level Encryption. In Yokohama, the functionality of Field Encryption will not be much different from Column Level Encryption, but as the year goes on, we will be adding new features to Field Encryption and we will stop development of Column Level Encryption. No need to worry about migrating, though - customers that are using Column Level Encryption today will still be able to keep using their encrypted fields and Module Access Policies.
- Access Observer: In the last few releases, we have been creating more tools to help you understand who has access to what. In Xanadu we added Access Simulator to our Access Analyzer tool. Now in Yokohama, we are adding a new tool, Access Observer, as part of the Platform Encryption product. Access Observer allows you to monitor a field to see who is accessing it. With Access Observer, you can encrypt a sensitive data field with confidence, as you know which people and processes you need to configure in the Module Access Policy. You can also use this tool to troubleshoot unexpected data changes. The Admin can see what roles, scripts, and system processes are accessing that field and identify what remediations are necessary.
- AI-Powered Sensitive Data Detection: Leveraging AI and machine learning, Yokohama enhances Real-Time Anonymization (RTA) by intelligently identifying patterns and anomalies across structured and unstructured data in the Data Privacy application. In addition to traditional structured data patterns like phone numbers, or social security numbers, unstructured patterns for people, NRP (nationality, religious, or political groups), locations, dates & times, and organizations have been added. This automated detection helps organizations proactively manage compliance risks and enforce data protection policies more effectively.
- Sensitive Data Discovery in Attachments: Further expanding on the capabilities of Data Privacy, Yokohama enhances the Data Discovery application with the ability to scan and detect sensitive data within file attachments. This can be done as a standalone scheduled job that scans just attachments, or alongside a regular scheduled scan of tables. With this release, TXT, DOC, DOCX, and PDF files are supported, and admins are informed of the findings both in the Data Privacy application and via email. This ensures that critical information, such as personally identifiable information (PII) or financial data, is properly identified and secured, reducing the risk of unintended exposure.
- Zero Trust Access (ZTA), one of the components of the ServiceNow Vault, has rolled out Continuous Authentication. ZTA helps you tailor the level of access you want to grant to a user based on parameters that are evaluated at login time. But what if those parameters change? A user session may have started in a high trust environment - like on the company network - but has since changed to a lower trust level - like an employee's home. With Continuous Authentication, you can protect your critical data by reauthenticating users or presenting them with a multi-factor authentication challenge when they attempt to access sensitive records.
- It's not all Vault components that got some development love in Yokohama. Domain Separation introduced the Post-Production Domain Separation Activation Utility. OK, that's kind of a mouthful, what does that mean? In the past Domain Separation could only be configured on a fresh instance. If you wanted to introduce Domain Separation to an existing instance, you had to stand up another instance, install domain separation, and begin migrating your data from one instance to the other. This new utility provides a step-by-step guided setup for creating domains in an already existing instance. You can take greater advantage of the ServiceNow Platform capabilities without having to go through an instance migration.
The ServiceNow Platform and Workflow Security team has been continuously enhancing its controls and products to meet the evolving security needs of enterprises. With the Yokohama release, we have introduced a range of new features, such as Multi-Factor Authentication enforcement, Access Observer, and Security Data Filters, to bolster platform security. Additionally, premium add-ons like ServiceNow Vault now include AI-powered Sensitive Data Detection and Continuous Authentication, leveraging machine learning and AI to proactively manage compliance risks and enforce data protection policies. These advancements demonstrate the team's commitment to integrating the latest innovations in security technology to ensure robust protection for enterprise workflows and sensitive data.