Exploring Field Encryption
Field Encryption in ServiceNow provides robust encryption to protect sensitive data by blocking all access to encrypted fields by default. It uses an access control feature distinct from traditional Access Control Lists (ACLs) to ensure that only authorized users, scripts, or system processes can access encrypted data. Configuration involves three key components: Field Encryption Modules, Encrypted Field Configurations, and Module Access Policies (MAPs), which define precise access rules for different encrypted fields and accessors.
Learn the details of Field Encryption Starter and Field Encryption Enterprise
Encryption-backed access control
By default, Field Encryption blocks all users, scripts, and system processes from accessing encrypted data. To open that access selectively, Field Encryption has its own access control feature, which is evaluated alongside Access Control Lists (ACLs) but independently of them: an ACL still governs the record and field as usual, and a Field Encryption policy additionally decides who may read the encrypted value. Only a user, script, or system process that passes both checks can access encrypted data.
You configure the Field Encryption access control feature through a combination of Field Encryption Modules, Encrypted Field Configurations, and Module Access Policies (MAPs). The following image shows how these three components work together.
By default, encrypted data is locked down from all access. A MAP defines which accessor (users, scripts, and system processes) can be authorized to access the data.
You can configure multiple MAPs to apply different access rules to different encrypted fields. In this diagram, Module Access Policy A covers columns A, B, C, and D, and Module Access Policy B covers column E — each with its own rules per accessor.
Access rules can differ between two policies for each accessor type. The following table reflects the access rules defined for Module Access Policy A, applied to columns A, B, C, and D, and Module Access Policy B, applied to column E.
| Accessor | MAP A (columns A, B, C, D) | MAP B (column E) |
|---|---|---|
| Role A | Allow | Block |
| Role B | Allow | Block |
| Role C | Block | Allow |
| Script A | Allow | Block |
| Script B | Block | Block |
| Script C | Block | Allow |
| System Context Processes | Block | Allow |
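The two-layer check above is easy to get wrong in practice: an ACL grant on an encrypted field does not by itself unlock the value, and a column that no MAP covers stays blocked for everyone. The following script, written for this page as an illustration and not taken from ServiceNow, models that behaviour in JavaScript (the language of ServiceNow server scripts). The MAP rules are the ones in the table; the ACL allow-lists, the extra column F, the caller objects, and the rule that a user holding several roles takes the most permissive role's decision are all assumptions made for the example.

```javascript
// Added example (not ServiceNow code): a model of how Field Encryption's
// Module Access Policies (MAPs) sit beside ACLs. Policy names, accessor
// labels, ACL data and callers are assumptions built from the page's table.

// MAPs as defined in the table: the columns each policy covers and, per
// accessor, whether access is allowed. Anything not listed is blocked,
// which is Field Encryption's default.
const MODULE_ACCESS_POLICIES = {
  "Module Access Policy A": {
    columns: ["A", "B", "C", "D"],
    rules: {
      "Role A": "Allow", "Role B": "Allow", "Role C": "Block",
      "Script A": "Allow", "Script B": "Block", "Script C": "Block",
      "System Context Processes": "Block",
    },
  },
  "Module Access Policy B": {
    columns: ["E"],
    rules: {
      "Role A": "Block", "Role B": "Block", "Role C": "Allow",
      "Script A": "Block", "Script B": "Block", "Script C": "Allow",
      "System Context Processes": "Allow",
    },
  },
};

// Constructed ACL read grants per column (assumption: a plain allow-list;
// real ACLs are far richer). Column F is a constructed encrypted column
// that no MAP covers.
const ACL_READ = {
  A: ["Role A", "Role B", "Role C", "Script A", "Script B", "Script C"],
  B: ["Role A", "Role B"],
  C: ["Role A"],
  D: ["Role A", "Role B", "Role C"],
  E: ["Role A", "Role B", "Role C", "Script C", "System Context Processes"],
  F: ["Role A", "Role B", "Role C"],
};

// A caller is a user (with roles), a script, or a system context process;
// reduce it to the accessor labels a MAP or ACL can name.
function accessorLabels(caller) {
  if (caller.kind === "user") return caller.roles;
  if (caller.kind === "script") return [caller.name];
  return ["System Context Processes"];
}

// MAP layer, default deny: readable only if some MAP covers the column and
// that MAP allows at least one of the caller's labels (assumption: a user
// with several roles gets the most permissive role's decision).
function mapDecision(column, caller) {
  const entry = Object.entries(MODULE_ACCESS_POLICIES)
    .find(([, p]) => p.columns.includes(column));
  if (!entry) return { allowed: false, reason: "no MAP covers column " + column };
  const [name, policy] = entry;
  const hit = accessorLabels(caller).find((label) => policy.rules[label] === "Allow");
  return hit
    ? { allowed: true, reason: name + " allows " + hit }
    : { allowed: false, reason: name + " blocks every accessor of the caller" };
}

// ACL layer: the conventional check, evaluated independently of the MAP.
function aclDecision(column, caller) {
  const grants = ACL_READ[column] || [];
  const hit = accessorLabels(caller).find((label) => grants.includes(label));
  return { allowed: Boolean(hit), reason: hit ? "ACL grants " + hit : "ACL denies" };
}

// Effective access: both layers must allow. An ACL grant never overrides a
// MAP block, and a MAP allow never overrides an ACL deny.
function canRead(column, caller) {
  const acl = aclDecision(column, caller);
  const map = mapDecision(column, caller);
  return { allowed: acl.allowed && map.allowed, acl: acl.reason, map: map.reason };
}

// Constructed callers.
const analyst = { kind: "user", roles: ["Role C"] };
const admin = { kind: "user", roles: ["Role A"] };
const scriptB = { kind: "script", name: "Script B" };
const sysProc = { kind: "system" };

const callers = [["analyst", analyst], ["admin", admin], ["Script B", scriptB], ["system", sysProc]];
for (const [who, caller] of callers) {
  for (const column of ["A", "E", "F"]) {
    const d = canRead(column, caller);
    console.log(who, column, d.allowed ? "ALLOW" : "BLOCK", "(" + d.acl + "; " + d.map + ")");
  }
}
```

Running it shows the cases worth remembering when a field "should" be readable but is not: admin can read column A but not E (MAP B blocks Role A despite the ACL grant), the system context is blocked on A and allowed on E, and column F is blocked for every caller because no MAP covers it, whatever the ACL says.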
Differences between Field Encryption Starter and Field Encryption Enterprise
The feature-set is different between Field Encryption Starter and Field Encryption Enterprise.
| Feature | Field Encryption Starter | Field Encryption Enterprise |
|---|---|---|
| Number of encrypted fields | Up to 5 encrypted fields. Note: Field Encryption Starter limits the number of encrypted fields, not encryption modules or contexts. Field Encryption replaces the deprecated Column Level Encryption product, which used a module- and context-based limit. | No restriction on the number of encrypted fields |
| Attachment encryption | No | Yes |
| Key management | None (contact ServiceNow Support for key rotation) | Manage keys from your instance with no involvement from ServiceNow Support |
| Supported data types | All supported data types | All supported data types |
| Number of Field Encryption Modules | No restriction | No restriction |
| Number of Module Access Policies | No restriction | No restriction |
Field Encryption users
| User | Description |
|---|---|
| Key Management Framework (KMF) Admin or KMF Cryptographic Manager | These roles are used to configure the elements of Field Encryption. |
| KMF Cryptographic Operator | Configures properties for customer-supplied keys. |
Field Encryption and record history
Changes to fields encrypted with Field Encryption are not tracked in the activity stream for the record or in the record history [sys_history_set] table.
Encryption on system tables
Field Encryption currently doesn’t support the encryption of fields and attachments of system tables (tables that begin with sys_).