maucblancha
ServiceNow Employee

The "What's New in Zurich" session focused on major enhancements to ServiceNow’s machine identity management and API integration security, introduced with the Zurich release.

Machine Identity Console: Clarity and Control

The session began by defining machine identity as service accounts used for inbound API integrations—non-human users that allow external systems to interact with ServiceNow. The proliferation of these identities, especially as organizations adopt more SaaS apps and APIs, has made manual management risky and inefficient. Common issues include credential theft, lack of visibility, compliance challenges, and operational shortcuts that increase security debt.

To address these, the Zurich release introduces the Machine Identity Console, designed to provide a single pane of glass for managing inbound API integrations.

Key capabilities include:

  • Risk Identification and Recommendations: The console surfaces risks and offers actionable steps to improve security.
  • Usage Visualization: Users can see which machine identities accessed which APIs, track authentication methods, and receive upgrade recommendations for insecure configurations.
  • Streamlined Inbound Integrations: The new UI simplifies OAuth-based integration setup, guiding users through connection type selection, authorization, and configuration—making secure integrations the default, not an afterthought.

Enhanced Authentication Flows

The Zurich release brings significant improvements to authentication for inbound integrations:

  • OAuth Configuration: Now integrated directly into the Machine Identity Console, OAuth setup is more intuitive, with separate forms for each grant type (e.g., authorization code, client credentials, JWT bearer, resource owner password, and third-party ID token flows). This reduces confusion and ensures only relevant fields are shown for each scenario.
  • Grant Type Visibility: Existing integration records are automatically categorized by grant type during upgrade, improving clarity.
  • Scope Management: Users can create and assign scopes directly within the console, streamlining permission management.
  • JWT Enhancements: Support for JWKS URLs allows seamless key rotation, and custom claim names provide flexibility for JWT bearer flows.
  • Third-Party ID Token Flow: ServiceNow now supports token federation, enabling integration with external identity providers without creating local accounts.

Machine Identity Access Controls: Defense in Depth

A standout feature in Zurich is the new Machine Identity Access Control. Previously, integration users were managed by ACLs and roles, but Zurich introduces granular policies that strictly define what each machine identity can access—down to specific API endpoints and tables. This "deny by default" approach enforces least privilege, reduces accidental data exposure, and simplifies auditability and compliance.

  • Policy Configuration: Building on the existing REST and SOAP API access policies, admins can map integration users to specific endpoints and tables, so each identity can reach only what is explicitly allowed.
  • Use Cases: For example, an integration user can be restricted to only the incident table, even if their role grants broader access. This extra layer of control prevents privilege creep and secures sensitive data.
  • IP Address Controls: Separate access controls allow further restriction by IP address, enhancing security for API integrations.
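As an added illustration of the deny-by-default model described above (this is not ServiceNow's code; the policy shape, the Table API path pattern, the user names and the networks are all assumed), a small evaluator in which a role alone never grants access: a matching machine identity policy and, when one is configured, a permitted source network are also required.

```python
"""Toy model of a deny-by-default machine identity access policy (assumed shape)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
import re


@dataclass
class Policy:
    # Tables this machine identity may touch, keyed by HTTP method (assumption).
    allowed: dict[str, set[str]]
    # Source networks permitted; an empty list means no IP restriction.
    networks: list = field(default_factory=list)


# Constructed sample data: roles would allow several tables, the policy narrows
# svc_monitoring to incident from an internal range; svc_legacy has no policy.
ROLE_TABLES = {
    "svc_monitoring": {"incident", "problem", "change_request", "sys_user"},
    "svc_legacy": {"incident"},
}
POLICIES = {
    "svc_monitoring": Policy(allowed={"GET": {"incident"}, "POST": {"incident"}},
                             networks=[ip_network("10.0.0.0/8")]),
}

# Assumed Table API path shape: /api/now/table/<table>[/<sys_id>]
TABLE_API = re.compile(r"^/api/now/table/([a-z0-9_]+)(?:/[^/]+)?$")


def table_from_path(path):
    m = TABLE_API.match(path)
    return m.group(1) if m else None


def authorize(user, method, path, source_ip):
    """Return (allowed, reason). Roles are necessary but never sufficient here."""
    table = table_from_path(path)
    if table is None:
        return False, "unrecognised endpoint"
    if table not in ROLE_TABLES.get(user, set()):
        return False, "role does not grant table"
    policy = POLICIES.get(user)
    if policy is None:
        return False, "no machine identity policy (deny by default)"
    if policy.networks and not any(ip_address(source_ip) in n for n in policy.networks):
        return False, "source IP not permitted"
    if table not in policy.allowed.get(method, set()):
        return False, f"policy does not permit {method} on {table}"
    return True, "allowed"
```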

Availability and Best Practices

All features discussed are available out-of-the-box in any ServiceNow instance running Zurich—no additional licensing or plugins required. The session emphasized best practices, such as mapping access control policies to the same scope as custom endpoints for better governance, and recommended using secure authentication methods over basic auth whenever possible.
