Nearly a decade ago, my first ServiceNow project was integrating non-IT processes into onboarding/termination. Ever since, I and others like me have pushed ServiceNow far beyond the realm of IT Service Management, legitimizing ServiceNow's "Everything as a Service" aspirations. That rapid infiltration into all business silos has brought risks we're only now realizing. "Trust in the cloud" has been a conversation dominated by questions of availability. With 10 years of ServiceNow's peerless availability, the conversation should refocus on trusting the safety of data. Can we trust the cloud for safety?
The answer is a resounding no. Just ask Dropbox, Ashley Madison, Sony, Oracle, Last.fm, or the US Democratic Party.
Before you point out that not all of these were cloud breaches, let's take a moment to observe the bigger lesson. Be mindful of where & how you store exploitable data. In last generation's ITSM tools, the value of the data to infiltrators was tenuous, but let's look at 10 years of ServiceNow's horizontal expansion.
(Did someone say honeypot?)
SERVICE MAPPING
No question this new capability presents immense operational value. The long-dreamed-of capability to map infrastructure to top-level business services is within your grasp. Now imagine the advantage intruders have if they can deconstruct your key business services down to the IPs of the devices supporting them. You've just put the critical path for your business onto the Cloud in plain text.
Risk: Increased risk loss expectancy for intrusions leveraging this info
IT SECURITY RESPONSE & VULNERABILITY MANAGEMENT
This excellent new utility has the capability to assess your assets and configurations for exposure to the latest known vulnerabilities, and to track your response to said vulnerabilities and intrusions. Immense value. If you are a financial institution or otherwise security-conscious brand, how much do you think malicious parties would pay to know what vulnerabilities you're exposed to, and what intrusions were previously successful? The answer is stored in the ServiceNow cloud.
Risk: Increased risk loss expectancy and rate of occurrence for intrusions leveraging this info
HR SERVICE MANAGEMENT
Just browse the default catalog. Disciplinary issue logging. Profiles containing PII of employee emergency contacts. Clear text data regarding terminations and new hires.
Risk: Non-compliance for PII handling. Exposure to strategic hiring and staff reduction.
INBOUND EMAIL
Here is a sample of data I've found in ServiceNow systems that came in via inbound mail actions: suicide threats, sexual harassment complaints, whistleblowing on unethical / illegal activities, credit card numbers, social security numbers, addresses, phone numbers of external customers, collection agency letters. Every last bit of it stored in clear text.
Risk: Enough legal turmoil to make your ServiceNow deployment budgets look like a single tray of appetizers at the K16 mega-party.
CUSTOM APPLICATIONS
The sky is the limit on this one, as you're truly putting your business' operational digital DNA out there. Sometimes we're dealing with banal, hum-drum processes that just needed to get off email. Other times we're dealing with data that speaks to strategic business decisions and relationships. Here are some samples of applications I've prototyped, investigated, and heard of:
- Strategic Staff Vetting & Non-Compete Negotiations
- Strategic Asset Procurement
- Supply Chain Management
- External Counsel Integrations
- Customer Experience Management
- Public facing UI pages
In each case, customers were concerned that the data hosted in the cloud would make ServiceNow a proverbial honeypot, and in many cases interest in the app died on the vine.
Risk: Increased risk loss expectancy and rate of occurrence for actual business operations.
What Now?
ServiceNow long ago outgrew its ITSM origins. In so doing, we've put far more interesting and valuable data into the cloud. It is now up to the responsible organization to assess how to protect that data from outside malice. We can't control ServiceNow's (so far excellent) intrusion countermeasures, but we *can* control what the data looks like when it reaches the cloud. To do so, we must have the encryption discussion. I have recently had the opportunity to assess all major providers of encryption on ServiceNow, and not all solutions are created equal. To help you reach the best possible decision, I've blogged about ways to evaluate your encryption provider. My company is also here to assist you in maximizing your cloud data safety.
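To make the "control what the data looks like when it reaches the cloud" point concrete, here is an added example that is not part of the original post and not the code of ServiceNow or any encryption vendor the post evaluates. It swaps in keyed tokenization (HMAC-SHA256 from the Python standard library) for the commercial field-encryption products the post refers to: the sensitive fields of a record are replaced on-premise with opaque tokens before the record is sent to a SaaS API, and the token-to-value vault stays inside the organisation, so a breach of the cloud copy yields no plaintext. The field names, the key, the vault dictionary and the sample HR record are all constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed list of fields that must never reach the cloud in clear text.
SENSITIVE_FIELDS = ("ssn", "credit_card", "emergency_contact_phone")


def tokenize_value(key: bytes, field: str, value: str) -> str:
    """Keyed, deterministic token for one field value.

    Equal values map to equal tokens, so exact-match search still works in the
    cloud, but without the key a token cannot be reversed or brute-forced.
    The field name is mixed in so the same value in two different fields does
    not produce the same token (limits cross-field correlation).
    """
    msg = f"{field}\x00{value}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"tok_{mac[:32]}"


def prepare_for_cloud(record: dict, key: bytes, vault: dict,
                      fields=SENSITIVE_FIELDS) -> dict:
    """Return a copy of `record` safe to send; original values go into `vault`."""
    outbound = dict(record)
    for field in fields:
        if outbound.get(field) is not None:
            value = str(outbound[field])
            token = tokenize_value(key, field, value)
            vault[token] = value          # on-premise only, never sent
            outbound[field] = token
    return outbound


def restore_from_cloud(record: dict, vault: dict,
                       fields=SENSITIVE_FIELDS) -> dict:
    """Re-hydrate a record fetched back from the cloud using the local vault."""
    restored = dict(record)
    for field in fields:
        token = restored.get(field)
        if isinstance(token, str) and token.startswith("tok_"):
            # A token missing from the vault stays opaque rather than failing.
            restored[field] = vault.get(token, token)
    return restored


def leaks_plaintext(outbound: dict, original: dict,
                    fields=SENSITIVE_FIELDS) -> bool:
    """Pre-send check: does the serialized payload still carry any raw value?"""
    payload = json.dumps(outbound)
    return any(str(original[f]) in payload
               for f in fields if original.get(f))


if __name__ == "__main__":
    # Constructed demo key and record; a real key comes from an HSM/KMS.
    key = b"constructed-demo-key-rotate-in-production"
    vault = {}
    hr_case = {
        "number": "HRC0001",
        "short_description": "New hire paperwork",
        "ssn": "123-45-6789",
        "emergency_contact_phone": "555-0100",
    }
    cloud_copy = prepare_for_cloud(hr_case, key, vault)
    print(json.dumps(cloud_copy, indent=2))
    print("plaintext leaked:", leaks_plaintext(cloud_copy, hr_case))
    print("round trip ok:", restore_from_cloud(cloud_copy, vault) == hr_case)
```

The trade-off to weigh when evaluating any provider is visible here: deterministic tokens keep list views, filters and reports working on the tokenized field, but they reveal when two records share a value, which matters for low-entropy fields. Randomized encryption hides that equality at the cost of server-side search, which is exactly the kind of difference that makes "not all solutions created equal".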
Further reading:
Encryption: How not to get $#%&ed
Encryption: How not to get $#%&ed Part 2
Encryption: How not to get $#%&ed Part 3
The Creative Platform Thinkers