rahimulah
ServiceNow Employee

Background

Zero Trust is a cybersecurity strategy wherein security policy is applied based on context established through least-privileged access controls and strict user authentication. Rooted in the principle of “never trust, always verify,” it holds that devices should not be trusted by default, even if they are connected to a trusted network such as a corporate LAN, and even if they were previously verified.

 

Leveraging the CISA Zero Trust Maturity Model, ServiceNow has multiple products to drive the adoption of Zero Trust and its pillars.

 

 

By mapping the pillars to the ServiceNow features, customers can quickly roll out Zero Trust with a strategic approach to enhance their Zero Trust posture.

 

Recommendation

Familiarize yourself with the CISA Zero Trust Maturity Model to better understand the mapping checklist. ServiceNow can deliver on Zero Trust using SIR, which covers Network / Environment, Application Workload, and Device under the Maturity Model. The steps to enable these capabilities are to allow SIEM data ingestion, automate via workflows, and create response playbooks.

 


| Product | Feature | Zero Trust Model | What to enable |
| --- | --- | --- | --- |
| SecOps | VR | Network / Environment; Application Workload; Device | Ingest Vuln scan data; Assign Vulns to remediation teams; Resolve Vulnerabilities |
| SecOps | SIR | Identity; Device; Network / Environment; Application Workload; Data | Ingest SIEM data; Automate work assignments via workflows; Build response playbooks focused on data exposure, DoS, lost equipment, and more; Create reports leveraging KPIs |
| SecOps | AVR | Application Workload | Ingest daily from the application scanner; Assign Vulns to remediation teams; Resolve Application Vulnerabilities |
| SecOps | CC | Device | Run configuration tests against CIs; Assign remediation tasks to stakeholders responsible for configuration issues; Resolve and track configuration issues |
| SecOps | DLP | Data | Integrate with third-party DLP solution; Assign DLP incidents to end users or DLP analyst; Report on resolved and unresolved |
| Platform | Vault | Data | Enable encryption with self-managed keys |
| Risk | Policy & Compliance | Governance | Enable controls; Assign controls to tasks |
| Risk | Audit | Governance | Create audit engagements; Create reports to validate audit activities |
| Risk | Risk | Governance | Create Risk Framework and associate risk statement to it; Run Risk assessments |
| ITSM | DevOps | Application Workload | Integrate with your DevOps tool chain (GitHub, GitLab, Jira…); Integrate with ServiceNow Change Management |
| ITOM | Discovery | Network / Environment; Device | Run ServiceNow Discovery throughout your environment |
| ITOM | Service Mapping | Application Workload; Device | Map all devices, applications, and configuration profiles used in application services |
| ITOM | Health Log Analytics | Application Workload | Collect raw log data streaming into your instance; Leverage detected anomalies in data to send to Event Management |
| ITOM | CMDB | Network / Environment; Data; Device; Application Workload | Tracks physical and logical states of IT service elements and helps analyze trends to reduce problems and maintain system integrity; Aids in understanding relationships among CIs to determine the effects of outages and who in the user community will be impacted |
| SPM | Performance Analytics | Data; Application Workload | Build automated KPI signals related to anomalies; Continual Improvement Management Lifecycle |
| SPM | Project Portfolio Management | Governance | Manage projects with project workspace, where you can define, plan, track, and manage all work (including incident, problem, change, and release management); Monitor project status, exceptions and KPIs from a single location |
| ITAM | HAM | Device; Network / Environment; Data | Streamline and automate asset onboarding and offboarding processes to prevent data exploitation |
| ITAM | SAM | Application Workload; Network / Environment; Data | Set up Request Software Asset Management; Leverage End of Life (EOL) and End of Support (EOS) life cycles; Create entitlements in the Software Asset Management application classic to record your license details and allocate purchased software rights to users or devices |

 

Comments
ManuelRivera
Mega Explorer

Interesting that leveraging ServiceNow in a Zero Trust environment seems to be more relevant in our current CrowdStrike crisis two years after this article was published. More interesting is that protection was needed from within, and not from outside threats. Maybe a Black Swan moment. 

 

It seems one of the reasons for multiple failures across the global regions was the automatic update feature in a trusted SaaS environment. Although automatic updates are an option, leveraging ServiceNow in a Zero Trust environment and using the CISA Zero Trust Maturity Model could be a ServiceNow feature/value proposition to help assess/prevent a repeat of the CRWD failure. That's why pilots rely on checklists, even if they know the procedure by memory. From a sales perspective, it's a potential upsell for ServiceNow to all our customers that use CRWD, and sell thru for our partners. 

Version history
Last update:
‎10-11-2022 02:47 PM