Uncle Rob
Kilo Patron

Nearly a decade ago, my first ServiceNow project was integrating non-IT processes into onboarding/termination. Ever since, I and others like me have pushed ServiceNow far beyond the realm of IT Service Management, legitimizing ServiceNow's "Everything as a Service" aspirations. That rapid infiltration into all business silos has brought risks we're only now realizing. "Trust in the cloud" has been a conversation dominated by questions of availability. With 10 years of ServiceNow's peerless availability, the conversation should refocus on trusting the safety of data. Can we trust the cloud for safety?

The answer is a resounding no. Just ask Dropbox, Ashley Madison, Sony, Oracle, Last.fm, or the US Democratic Party.

Before you point out that not all of these were cloud breaches, let's take a moment to observe the bigger lesson. Be mindful of where and how you store exploitable data. In last generation's ITSM tools, the value of the data to infiltrators was tenuous, but let's look at 10 years of ServiceNow's horizontal expansion.


(Did someone say honeypot?)

SERVICE MAPPING

No question this new capability presents immense operational value. The long-dreamed-of capability to map infrastructure to top-level business services is within your grasp. Now imagine the advantage intruders have if they can deconstruct your key business services down to the IPs of the devices supporting them. You've just put the critical path for your business onto the cloud in plain text.

Don't mind me. I'm just figuring out the weak points in your key systems.


Risk: Increased loss expectancy for intrusions leveraging this info

IT SECURITY RESPONSE & VULNERABILITY MANAGEMENT

This excellent new utility has the capability to assess your assets and configurations for exposure to the latest known vulnerabilities, and to track your response to said vulnerabilities and intrusions. Immense value. If you are a financial institution, or otherwise a security-conscious brand, how much do you feel malicious parties would pay to know what vulnerabilities you're exposed to, and what intrusions were previously successful? The answer is stored in the ServiceNow cloud.


Risk: Increased loss expectancy and rate of occurrence for intrusions leveraging this info

HR SERVICE MANAGEMENT

Just browse the default catalog. Disciplinary issue logging. Profiles containing PII of employee emergency contacts. Clear-text data regarding terminations and new hires.


Risk: Non-compliance for PII handling. Exposure of strategic hiring and staff reduction.

INBOUND EMAIL

Here is a sample of data I've found in ServiceNow systems that came in via inbound mail actions: suicide threats, sexual harassment complaints, whistleblowing on unethical / illegal activities, credit card numbers, social security numbers, addresses, phone numbers of external customers, collection agency letters. Every last bit of it stored in clear text.

Risk: Enough legal turmoil to make your ServiceNow deployment budgets look like a single tray of appetizers at the K16 mega-party.
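The inbound-email problem above is partly a detection problem: nothing looks at the message body before it lands in a clear-text field. The following is an added example, not code from this post or from ServiceNow, showing the kind of pre-storage scan an inbound action could run. It is plain Node.js: the sample message is constructed, and the wiring to a real inbound action (reading the body, writing the redacted copy and a triage flag) is assumed and not shown. Card numbers are confirmed with a Luhn check so ticket numbers and other digit runs are left alone.

```javascript
// Added example (not ServiceNow's code): scan an inbound e-mail body for payment
// card numbers and US SSNs before it is stored in clear text, returning a
// redacted copy plus a findings list for a triage log. Assumes plain Node.js;
// wiring into a real inbound action is hypothetical and not shown.

function luhnValid(digits) {
  // Luhn mod-10 check: rejects most digit runs that merely look like a card number
  let sum = 0;
  let alternate = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (alternate) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    alternate = !alternate;
  }
  return sum % 10 === 0;
}

// 13-19 digits, optionally separated by single spaces or dashes
const CARD_RE = /\b(?:\d[ -]?){12,18}\d\b/g;
// US SSN in the conventional 3-2-4 grouping, excluding invalid area/group/serial values
const SSN_RE = /\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b/g;

function scanForPii(text) {
  const findings = [];
  // Cards first: a redacted card leaves no 9-digit run for the SSN pattern to catch
  let redacted = text.replace(CARD_RE, (match) => {
    const digits = match.replace(/[ -]/g, '');
    if (!luhnValid(digits)) return match; // fails Luhn, so not a card: keep as-is
    findings.push({ type: 'card', last4: digits.slice(-4) });
    return '[CARD REDACTED ****' + digits.slice(-4) + ']';
  });
  redacted = redacted.replace(SSN_RE, (match) => {
    findings.push({ type: 'ssn', last4: match.slice(-4) });
    return '[SSN REDACTED]';
  });
  return { redacted, findings };
}

// Constructed sample body: one real-looking test card, one SSN, one ticket number
const SAMPLE_EMAIL =
  'Please refund card 4111 1111 1111 1111 for employee SSN 123-45-6789, ' +
  'see ticket 1234567890123 for details.';

console.log(JSON.stringify(scanForPii(SAMPLE_EMAIL), null, 2));
```

On the constructed sample, the card and the SSN are replaced and logged while the 13-digit ticket number survives because it fails the Luhn check. In practice the findings list is what feeds the alert, and the redacted text is what the record should hold.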

CUSTOM APPLICATIONS

Sky is the limit on this one, as you're truly putting your business' operational digital DNA out there. Sometimes we're dealing with banal, hum-drum processes that just needed to get off email. Other times we're dealing with data that speaks to strategic business decisions and relationships. Here are some samples of applications I've prototyped, investigated, and heard of:

- Strategic Staff Vetting & Non-Compete Negotiations

- Strategic Asset Procurement

- Supply Chain Management

- External Counsel Integrations

- Customer Experience Management

- Public facing UI pages

In each case, customers were concerned enough that the data hosted in the cloud would make ServiceNow a proverbial honeypot, and in many cases the app interest died on the vine.

Risk: Increased loss expectancy and rate of occurrence for actual business operations.

What Now?

ServiceNow long ago left its gestation in the ITSM space. In so doing, we've put far more interesting and valuable data into the cloud. It is now up to the responsible organization to assess how to protect that data from outside malice. We can't control ServiceNow's (so far excellent) intrusion countermeasures, but we *can* control what the data looks like when it reaches the cloud. To do so, we must have the encryption discussion. I have recently had the opportunity to assess all major providers of encryption on ServiceNow, and not all solutions are created equal. To help you reach the best possible decision, I've blogged about ways to evaluate your encryption provider. My company is also here to assist you in maximizing your cloud data safety.

Further reading:

Encryption: How not to get $#%&ed

Encryption: How not to get $#%&ed Part 2

Encryption: How not to get $#%&ed Part 3


Robert Fedoruk

WolfPack Cloud Services

The Creative Platform Thinkers