Three Layers - One Platform: The Controls You Have, Need and Can't Afford to Skip

maucblancha
ServiceNow Employee
an hour ago

Session Overview

 

The session focused on how ServiceNow customers can assess, improve, and demonstrate the security of their ServiceNow instances, especially as organizations adopt agentic AI.

 

The key message throughout the session was: 

      Security is not just about doing the right things, it is about being able to prove you did them. 

 

Shared Security Model

 

Securing a ServiceNow instance is a shared responsibility between ServiceNow and the customer.

 

For a detailed breakdown of responsibilities, refer to the official ServiceNow Shared Responsibility Model:
https://www.servicenow.com/content/dam/servicenow-assets/public/en-us/doc-type/resource-center/white...

 

Three Layers of ServiceNow Security

 

The session introduced three layers for understanding platform security:

 

                   - Invisibles: Built-in protections provided by the platform

                   - Configurables: Security controls customers enable and manage 

                   - Enhanceables: Advanced security capabilities for additional requirements

 

Invisibles

 

These are protections built into the platform, including:

 

- Infrastructure security 

- Physical security 

- Patch management 

- Network protections

- Compliance controls 

 

Configurables

 

Security Center

 

Security Center was highlighted as the starting point for reviewing security posture.

 

Key capabilities:

 

- Hardening score 

- Security recommendations 

- Risk acceptance tracking

 

 

Access Management Console (within Security Center)

 

The Access Management Console provides centralized access analysis capabilities, including:

 

Access Analyzer

 

Used for:

 

- Comparing user access 

- Troubleshooting permission differences 

- Simulating the impact of role or group roles 

 

Access Findings

 

Provides automated checks to identify issues such as:

 

- Dormant accounts 

- Excessive permissions 

- External users accessing sensitive data 

 

Log Export Service

 

Log Export Service is a standalone platform capability and is not part of Security Center.

 

It provides forensic-quality platform logs that can be exported to SIEM platforms such as:

 

- Splunk 

- Elastic 

-Dynatrace

 

Benefits include:

 

- Long-term retention

- Investigation support 

- Visibility into authentication, access, and configuration changes 

 

Log Export Service is included with the platform with throughput limits and is also available through Vault with unlimited throughput.

 

Vault Suite (Enhanceables)

 

Vault provides advanced security capabilities for organizations with stronger privacy and regulatory requirements.

 

Data Privacy

 

Helps organizations:

 

- Discover sensitive data 

- Remove or anonymize unwanted information 

- Protect data in non-production environments

 

Platform Encryption

 

Provides:

 

- Encryption at rest 

- Field-level encryption 

- Customer-controlled keys 

- Advanced encryption controls 

 

Zero Trust Access

 

Enables dynamic access adjustments based on security context, such as device posture or location.

 

Agentic AI Security

 

The session emphasized that AI security requires more than prompts and instructions.

 

The key principle:

 

                System prompts are not security controls.

 

Secure AI requires a strong runtime environment, often referred to as a harness, which includes:

 

- Permissions 

- Approval workflows 

- Observability 

- Execution boundaries 

- Policy enforcement

 

AI Security Capabilities

 

Now Assist Guardian

 

Helps protect AI interactions from:

 

- Prompt injection

- Unsafe content 

- Policy violations 

 

 

Data Privacy for Now Assist

 

Protects sensitive information by masking personal data before it reaches AI models and restoring it afterward.

 

 

AI Agent Controls

 

Additional controls include:

 

- AI Agent User Types

- Agent Role Masking 

- Granular admin roles 

 

These capabilities support least-privilege access and reduce the potential impact of autonomous agents.

 

AI Control Tower

 

AI Control Tower extends AI governance across ServiceNow and external AI environments.

 

Key areas:

 

- Discover 

- Govern 

- Secure 

- Observe 

- Measure 

 

Recommended Next Steps

 

The session recommended three immediate actions:

 

1. Review Security Center

       - Check your hardening score and address improvements areas. 

2. Review Access Management Console

       - Use Access Analyzer and Access Findings to identify access risks. 

3. Enable Log Export Service

       - Ensure logs are exported, retained, and available for investigation. 

 

Final Takeaway

 

ServiceNow security is built through a combination of:

 

- Platform protections 

- Customer-configured controls 

- Advanced security capabilities

 

As AI adoption grows, organizations need secure foundations built around least privilege, data protection, observability, and controlled execution, enabling innovation while maintaining security and compliance.

 

Watch the Full Session

Want to dive deeper into the concepts, examples, and security capabilities discussed in this session?

 

Watch the full session recording:

 

0 Helpfuls
  • 30 Views