
maucblancha
ServiceNow Employee

As organizations continue to expand their ServiceNow usage across HR, CSM, and Security Operations, the amount and sensitivity of stored data grow exponentially. Protecting that data, while maintaining platform functionality and compliance, has become a key focus for every enterprise. The Zurich release of ServiceNow introduces significant enhancements to Platform Encryption, extending the Vault suite’s capabilities to help customers protect, manage, and control sensitive information at an even more granular level.

 

Why Platform Encryption Matters

 

Platform Encryption is part of the ServiceNow Vault suite, designed to protect sensitive data through its entire lifecycle—from discovery and access control to encryption and visibility management. The suite enables organizations to:

 

- Comply with regulatory frameworks such as GDPR, HIPAA, and PCI

- Protect data without sacrificing platform usability

- Manage access across internal and external user profiles

- Confidently add new workflows without compromising compliance

 

ServiceNow offers a layered approach to encryption:

 

1. Cloud Encryption – Encrypts all data at rest across the database. Ideal for broad compliance requirements and organizations that need to use, rotate, or revoke their own encryption keys.

 

2. Field Encryption Enterprise – Enables more targeted encryption at the field level. This allows administrators to define precisely which users or groups can view specific data within a table, leveraging encryption-backed access controls for deeper protection.

 

Common Customer Scenarios

 

Scenario 1: Full Instance Encryption


A customer needs all data encrypted at rest with the option to revoke keys if necessary. Cloud Encryption fits this use case perfectly, providing complete database encryption and flexible key management. The enablement process is quick—typically requiring only a short downtime window—and keys can be managed, rotated, or revoked as part of an organization’s internal key management policy.

 

Scenario 2: Granular Field Encryption


Another customer needs to encrypt protected health information (PHI) within specific fields using their own private key. With Field Encryption Enterprise, they can define cryptographic modules, set up module access policies (MAPs), and apply encryption at the field or even row level. Only users or groups with access to the defined key can decrypt and view that data.

 

What’s New in Zurich

 

The Zurich release advances Platform Encryption with the introduction of row conditions—a major step beyond traditional column-level encryption.

 

Previously, administrators could apply encryption rules at the column level, but managing keys across multiple teams often led to unnecessary data exposure or access restrictions. Now, row conditions allow encryption rules to be applied dynamically—on individual rows within a shared table.

 

For example:

- HR data can be encrypted using one key while IT data in the same table is encrypted with another.

- Only users with the correct key for their department will see the decrypted data.

 

This enhancement delivers precision encryption, ensuring that sensitive data is protected at both the column and row levels, based on real-time context and access conditions.

 

Managing Keys and Policies

 

To configure encryption in the Zurich release, administrators follow a straightforward process that aligns with the new enhancements:

 

1. Create a Cryptographic Module – Define the encryption key and its attributes, including type, source, and lifecycle. 

2. Set Module Access Policy (MAP) – Specify which users, groups, or roles are authorized to access data protected by that key.

3. Configure Field Encryption – Select the tables, columns, and, with Zurich’s update, individual rows that should be encrypted.

 

The addition of row-level conditions fits naturally into this workflow, expanding the control administrators have over how encryption policies are applied and maintained.
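The three steps above, combined with the HR/IT row-condition example from "What’s New in Zurich", can be modelled in a few lines of plain Node.js. This is an added illustration, not ServiceNow code, and it calls no ServiceNow API. The module names, roles, sample rows, the `revoked` flag, the `null` result for callers without key access, and the choice of AES-256-GCM are assumptions made for the example.

```javascript
// Conceptual model only: not ServiceNow code, no ServiceNow APIs.
const nodeCrypto = require('crypto');

// Step 1: cryptographic modules, one AES-256 key each (names are constructed).
const modules = {
  hr_module: { key: nodeCrypto.randomBytes(32), revoked: false },
  it_module: { key: nodeCrypto.randomBytes(32), revoked: false },
};

// Step 2: module access policies, i.e. which roles may use each module's key.
const accessPolicies = { hr_module: ['hr_agent'], it_module: ['it_agent'] };

// Step 3: row conditions on a shared table; the first match selects the module.
const rowConditions = [
  { module: 'hr_module', matches: (row) => row.department === 'HR' },
  { module: 'it_module', matches: (row) => row.department === 'IT' },
];

function encryptField(row, field) {
  const rule = rowConditions.find((c) => c.matches(row));
  if (!rule) return row; // no condition matches: the field is stored as-is
  const iv = nodeCrypto.randomBytes(12); // fresh nonce per encrypted value
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', modules[rule.module].key, iv);
  const data = Buffer.concat([cipher.update(row[field], 'utf8'), cipher.final()]);
  return { ...row, [field]: { module: rule.module, iv, data, tag: cipher.getAuthTag() } };
}

function readField(row, field, user) {
  const value = row[field];
  if (typeof value === 'string') return value; // field was never encrypted
  const mod = modules[value.module];
  const allowed = user.roles.some((r) => accessPolicies[value.module].includes(r));
  if (!allowed || mod.revoked) return null; // no key access: no plaintext returned
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', mod.key, value.iv);
  decipher.setAuthTag(value.tag); // GCM tag is verified in final()
  return Buffer.concat([decipher.update(value.data), decipher.final()]).toString('utf8');
}

// Constructed sample rows from one shared table.
const table = [
  { department: 'HR', notes: 'Medical leave approved' },
  { department: 'IT', notes: 'Admin password reset' },
  { department: 'Facilities', notes: 'Badge reader replaced' },
].map((row) => encryptField(row, 'notes'));

const hrUser = { roles: ['hr_agent'] };
const itUser = { roles: ['it_agent'] };
```

In this model, `readField(table[0], 'notes', hrUser)` returns the plaintext while the same call with `itUser` returns `null`, and the Facilities row, which matches no condition, stays readable to both.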

 

Key Management and Best Practices

 

- Flexible Key Control: Bring your own keys, manage key rotation, and revoke keys when necessary.

- Granular Access Control: Use encryption-backed permissions to ensure only authorized users can view decrypted data.

- Implementation Tips: Understand which data needs encryption and where it resides. Use ServiceNow Vault’s data discovery capabilities or the Data Privacy 30-day trial to assess your environment before deployment.

 

Final Thoughts

 

The Zurich release of Platform Encryption continues ServiceNow’s mission to make enterprise data security both stronger and smarter. With the new row conditions, organizations can encrypt data with surgical precision—balancing compliance, usability, and control. Combined with flexible key management and integration within the ServiceNow Vault suite, Platform Encryption empowers customers to stay secure while expanding their digital workflows confidently.

 

 
