
Understanding Field Encryption (FE) in ServiceNow
In today’s digital age, protecting sensitive information is more critical than ever. For instance, data breaches in 2023 alone exposed millions of personal records, highlighting the urgent need for robust encryption measures. Encryption is a method of securing data by converting it into an unreadable format that can only be accessed with a special key. Think of it like locking valuable items in a safe—you need the right combination to open it.
Field Encryption (FE) is a security feature in ServiceNow that enhances data protection by encrypting sensitive information at the database column level. This ensures that specific data, such as personally identifiable information (PII) or financial records, remains secure and accessible only to authorized users. FE is particularly useful for organizations that need to comply with stringent data protection regulations like GDPR or HIPAA.
Field Encryption vs. Field Encryption Enterprise
ServiceNow offers two variations of column-level encryption: Field Encryption (FE) and Field Encryption Enterprise (FEE). FE is a base system feature while FEE requires a separate subscription. FEE provides additional features such as:
- Support for additional field types
- Configuration of more than 5 modules and module access policies
- Key management
More information on this topic can be found in ServiceNow Docs.
When to Choose FE vs. FEE
- Choose FE for smaller organizations or those with minimal encryption requirements.
- Choose FEE if you require high levels of customization, scalability, and compliance with advanced regulations. This version is especially suited for enterprises dealing with sensitive data across multiple regions or industries.
Example Use Case
A financial organization uses FE to encrypt Social Security Numbers (SSNs) stored in the ServiceNow database. This ensures that only authorized HR personnel can access the data, preventing unauthorized access and maintaining compliance with data protection laws such as GDPR and PCI DSS.
How to Use Field Encryption
Using FE in ServiceNow involves several steps:
1. Activate Plugin: Enable the Field Encryption [com.glide.encryption] plugin in the ServiceNow instance to access encryption capabilities.
2. Role required: sn_kmf.cryptographic_manager or sn_kmf_admin, security_admin, admin. To add the sn_kmf roles, navigate to System Security > Key Management Administration.
3. Identify Sensitive Data: Determine which columns in the database require encryption. In this example use case, we will be encrypting the Social Security number field on the HR Profile table.
4. Define Encryption Rules: Create encryption contexts to specify who can view or edit the encrypted data.
   a. Navigate to System Security > Field Encryption Modules > New. Fill out the module name and click Submit.
   b. Click on the created Crypto specification in the related list.
   c. Click Next. Default values are set on Lifecycle Definition. Click Next again on Key Origin until you get to Key Creation.
   d. Click Generate Key.
5. Apply Encryption: Use the encryption module to apply encryption to the designated columns. Navigate to Key Management > Module Access Policies > All. Click New. Fill out the form and click Submit.
When encryption is applied, users without the correct role will not be able to see the encrypted field.
Things to note when implementing FE
- When debugging Field Encryption, you must log in as the user with the correct encryption context. Impersonation can be controlled in the Module Access Policy. This provides an extra layer of security, which is not the case for Access Control.
- When encrypting information collected via the Service Catalogue, you must delete the content in the variable and transfer the content to a field. You can do this via a business rule or a flow.
- A flow must have the correct role to process encrypted fields and attachments. You can assign a role to your flow via Flow Properties.