09-28-2017 09:43 AM
We are trying to set up Edge Encryption, and this requires setting up a proxy server within the customer premises. If anybody connects directly to the ServiceNow instance without connecting to the customer's internal network, will Edge Encryption still work? Or will it make it mandatory for all employees to connect to the customer network before accessing the ServiceNow instance?
09-28-2017 12:36 PM
Users will still be able to authenticate to SN, and will see and be able to update any non-Edge-protected fields. Any [string] fields that are encrypted by Edge will display the encrypted ciphertext and will be prevented from changing.
Video example of what you see with/without the proxy (jump to 3:33 in for screenshots):
WEBINAR - Edge Encryption for ServiceNow - Overcoming the Final Obstacle in Cloud Security - YouTube
Jarod
09-29-2017 05:35 PM
Hi Mohammed,
Adding on to the great information that Jarod shared here, I'd like to share some additional advice in this regard. If you do allow it in your ServiceNow instance configuration, users could indeed still bypass the Edge Encryption proxy. However, please do kindly consider in this scenario what you want the experience for that particular set of users to be. To expand upon that thought further, removing any encrypted field from the view of the user bypassing the Edge Encryption proxy, such as in a form or list, may help to prevent the user from seeing an encrypted field as ciphertext, as well as from receiving warnings when trying to enter or update content in a field that is already configured to be encrypted.
I happen to demonstrate your particular question and scenario on a regular basis for customers and am delighted to see you posted your question here for the rest of the community.
Please feel free to let me know if this helps to address your question.
Kind regards,
Mike
10-02-2017 11:01 PM
Hi Michael
Could you please clarify this scenario as well:
1) Can we have more than one proxy server? If yes, then what is the limit on the number of servers?
2) If we can have more than one proxy server for encryption, then can they be allocated to different sets of individuals? For example, person A connects through proxy A and person B connects through proxy B. In this setup, can person A see the data of person B in the instance?
Thanks, Mohammed
10-03-2017 09:59 AM
Hi Mohammed,
With respect to your questions, by number:
- Yes, you can have more than one Edge Encryption proxy server. However, I do recommend, at a minimum, using two Edge Encryption proxy servers for high availability purposes. There is no limit to the number of Edge Encryption proxy servers. A useful reference that I would encourage you and others who have a similar interest in Edge Encryption proxy server sizing to look at is the Sizing your Edge Encryption environment landing page, which will provide you with additional information and guidance when making implementation design considerations for this solution.
- You could potentially allocate an Edge Encryption proxy server to different sets of individuals. However, this approach would need to be configured at the network level and in DNS settings, apart from the proxy server configuration. This is because the Edge Encryption proxy server does not restrict access to data according to criteria based on which particular Edge Encryption proxy server a user connects through. Therefore, in the scenario you described, person A and person B could still see each other's data regardless of which Edge Encryption proxy they connect to their shared instance with. I do like your scenario and it is something that we would eventually like to be able to support in the future at some point. At a high level, this would require a set of keys that is unique to each Edge Encryption proxy server connecting users to the same shared instance.
Could you please kindly mark the appropriate response as correct for the benefit of other community members?
Thanks in advance and please do feel free to share any other feedback.
Kind regards,
Mike
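
The behaviour described in the replies above, as an added illustration that is not part of the thread and is not ServiceNow code: a user who bypasses the proxy sees only the stored ciphertext, two proxies holding the same keys return the same plaintext, and only a proxy with its own unique key would be isolated. `ToyProxy`, its method names, the `ENC:` prefix and the HMAC-based cipher are all assumptions made for the sketch; the thread does not describe the product's actual cipher or storage format.

```python
import base64, hashlib, hmac, os

def _stream(key, nonce, n):
    # Toy HMAC-SHA256 counter keystream, used only to keep the example stdlib-only.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

class ToyProxy:
    """Hypothetical stand-in for an encryption proxy; the key never leaves it."""
    def __init__(self, key):
        self.enc = hmac.new(key, b"enc", hashlib.sha256).digest()
        self.mac = hmac.new(key, b"mac", hashlib.sha256).digest()

    def to_instance(self, text):
        # Encrypt a field value on its way to the instance.
        nonce, data = os.urandom(12), text.encode()
        ct = bytes(a ^ b for a, b in zip(data, _stream(self.enc, nonce, len(data))))
        tag = hmac.new(self.mac, nonce + ct, hashlib.sha256).digest()
        return "ENC:" + base64.b64encode(nonce + ct + tag).decode()

    def from_instance(self, stored):
        # Decrypt on the way back; without the right key the value passes through as stored.
        if not stored.startswith("ENC:"):
            return stored
        raw = base64.b64decode(stored[4:])
        nonce, ct, tag = raw[:12], raw[12:-32], raw[-32:]
        good = hmac.new(self.mac, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            return stored
        return bytes(a ^ b for a, b in zip(ct, _stream(self.enc, nonce, len(ct)))).decode()

def who_sees_what(text):
    shared = os.urandom(32)
    proxy_a, proxy_b = ToyProxy(shared), ToyProxy(shared)   # same key set
    proxy_c = ToyProxy(os.urandom(32))                      # hypothetical per-proxy key
    stored = proxy_a.to_instance(text)                      # all the instance ever holds
    return {
        "direct": stored,                                   # user who bypasses the proxy
        "via_proxy_b": proxy_b.from_instance(stored),
        "via_proxy_c": proxy_c.from_instance(stored),
    }

if __name__ == "__main__":
    # Constructed sample field value.
    for path, value in who_sees_what("Payroll dispute, employee 1042").items():
        print(f"{path:12} {value}")
```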