Field Encryption Enterprise examples
These examples walk you through the encryption of fields and attachments using customer-supplied keys.
Field Encryption Enterprise walkthrough
This walkthrough shows you how to encrypt a field in your instance using Field Encryption Enterprise with the Key Management Framework (KMF). It also shows you how to use your own key.
시작하기 전에
Role required: security_admin and sn_kmf.cryptographic_manager or sn_kmf.admin
이 태스크 정보
This walkthrough starts with an instance where you have already created and uploaded your personal cryptographic key. You could use the ServiceNow key, but this example uses a customer-supplied key.
After the key has been stored in a cryptographic module, you can start configuring fields in your instance, such as salary or social security numbers that have limited access from certain users. In the Encrypted Field Configuration, specify which authorized personnel can access sensitive data.
This task demonstrates two scenarios. One example encrypts the Short Description field in an Incident for users who are not authorized to view the sensitive data.
Attachments can also be encrypted and only visible to users who are granted access, or is visible to all users that are not restricted from viewing the data. See Attachment encryption walkthrough to encrypt an attachment.
프로시저
-
On the form, fill in the fields.
표 1. Encrypted field configuration form Field Description Table Table that stores the sensitive information. For this example, select Incident [incident]. Type Column is required to use your personal key. Column Column, or specific information, that represents the sensitive date to be encrypted. For this example, select short_description. Active Option to mark Active to use the field configuration. Encrypt by default Enabled by default when creating an EFC from the Modules page. This encrypts records without matching row conditions using the selected Field Encryption Module. To create a configuration without this option selected, create the EFC from the Configurations page. Algorithm Equality Preserving The option is automatically selected. Method The Single Module option is used to apply the policies for one module. Multiple Modules is used to apply the policies across multiple modules. 그림 1. Encryption field configuration example -
On the form, fill in the fields.
표 2. Module access policy form Field Description Policy name Name for the policy, such, as short description. Type Type of access designation for the crypto policy. Use Role to grant access to the encrypted field to only those users that have the assigned role. Target Role The role that has access to the encrypted field. For this example, select Admin. Active Option to activate the Module Access Policy. Result The Trackoption enables the access to the field for the selected role. (To restrict access to that field for the selected role, select Reject orStrict Reject.) Impersonation Option to enable module access via impersonation. 그림 2. Module access policy example -
As a user with the sn_kmf.admin role, navigate to .
그림 3. Example of encrypted field visible You can now view the Short description field based on the module access policy configuration.주:The sn_kmf.admin role was granted user access to the encrypted field, Short description, by setting the module access policy to Track. Notice the lock icon (
) under the field name indicating that the field is an encrypted field.You can now access the Incidents module as an end user to test the encrypted field configuration.
-
Log in as a user who has access to the table but doesn't have access to the configured encryption module.
그림 4. Encrypted field level data When you access the incident number, the data in the Short description will not be visible.
결과
You have successfully used your symmetric key to control access to a specific field using Field Encryption Enterprise.
Attachment encryption walkthrough
This walkthrough shows you how to encrypt an attachment in your instance using Field Encryption Enterprise with the Key Management Framework (KMF). It also shows you how to use your own key.
시작하기 전에
Role required: sn_kmf.cryptographic_manager
이 태스크 정보
This walkthrough starts with an instance where you have already created and uploaded your customer-supplied cryptographic key. You could use the key, but this example uses a customer-supplied key.
Upload confidential attachments in your instance and limit access from certain users. Use Encrypted Field Configuration to specify which authorized personnel can access sensitive data.
We show you how to encrypt attachments to only be visible to users who are granted access, or be visible to all users that are not restricted from viewing the data. In this example, we restrict a certain role from being able to access an attachment in the Incidents module.
프로시저
-
Complete the form:
표 3. Encrypted field configuration fields Field Description Table Select the table to access the sensitive information. For this example, select Incident [incident]. Type Select Attachment to use your personal key for encrypting an attachment from the selected Table For this example, select Incident. Active Mark Active to be able to use the field configuration. 중요사항:When active, your instance is actively encrypting new data in the selected fields or attachments. Users won’t have access to this data unless they have permission via an associated Module Access Policy. Don’t select if the field isn’t ready to begin encrypting and enforcing Module Access Policies.To verify historical data is encrypted after an Encrypted Field Configuration is active, you’ll need to run a Mass Encryption Job on the column. For details, see “Schedule Mass Encryption, Decryption, or Rekeying”.
Encrypt by default When selected, records that don’t match row conditions will be encrypted using the Field Encryption module selected in the field below.
When not selected, these records will not be encrypted.
Field Encryption module The field encryption module used by this encrypted field configuration. Column If you have chosen Column in the Type field, select the fields to be encrypted. 주:If the field you want to encrypt is not available, it isn’t a supported type. The supported field types are:- Date
- Date/Time
- URL
- HTML
- Journal
- Translated
- Phone
Algorithm Equality Preserving When selecting Field Encryption Enterprise, this field is visible based on the table selected. Displays whether Equality Preserving is enabled in the field encryption module selected in the Crypto Module field. Method The Single Module option is used to apply the policies for one module. Multiple Modules is used to apply the policies across multiple modules. 그림 5. Encrypted Field Configuration table -
Complete the form:
표 4. Module access policy fields Field Description Policy name Enter a name for the policy, such, as "Attachment policy." Type Select Role to restrict access to the encrypted field from users with the assigned role. Result Select Strict Reject to control the access to the attachment from the selected role. (To grant access for the selected role, select Track.) Crypto module Select the crypto module that you created to encrypt your key. Active Select this check box to be able to use the Module Access Policy. Target Role Select the role that will not have access to the encrypted field. For this example, select itil. Specify purpose Optional. Enable to display the Crypto Spec field on the form. Enable this option to configure granular operations, such as some users being able to encrypt, but not decrypt. Application The Application scope is auto-populated by your current scope. 그림 6. Module Access Policy form -
As user with access to the encryption module, navigate to Incidents and add an attachment to the form.
Once the attachment is uploaded, it will be available from the Activities screen.
그림 7. Attachment available per role
결과
You have successfully used your customer-supplied key to control access to a specific attachment using Field Encryption Enterprise.