Field Encryption Enterprise

  • Release version: Australia
  • Updated March 12, 2026

    Field Encryption Enterprise uses the Key Management Framework (KMF) to enable you to customize and manage how fields and attachments are encrypted and decrypted on your instance. A subscription is required to use Field Encryption Enterprise.

    Important:
    This topic covers the enterprise version of Field Encryption. For information on the standard version of Field Encryption, or to learn the differences between the two versions, see Exploring Field Encryption.

    Field Encryption Enterprise builds on Field Encryption and uses the Key Management Framework with its full set of key management functions. Field Encryption Enterprise provides key protection and key life-cycle management for application-level field encryption. All keys are protected by a key-wrapping hierarchy that is ultimately rooted in FIPS (Federal Information Processing Standards) 140-2-L3 Hardware Security Modules (HSM).

    Field Encryption Enterprise gives you the ability to manage how supported fields are encrypted and decrypted in accordance with NIST 800-57 practices. It also uses the most updated version of field-level encryption, including integration for proper key protection and management.

    Specifically, Field Encryption Enterprise uses the KMF encryption modules, giving you more control over server-side encryption. KMF enforces proper protection of data encryption keys through a key hierarchy and envelope encryption. Your instance encrypts data through cryptographic modules that you configure. For each module you can create an access policy, configure cryptographic specifications, and control key life-cycle management.

    Field Encryption Enterprise supports module access policies based on:

    • Scope
    • Role
    • Script
    • Resource Exchange
    • System User

    See Create a module access policy for additional information.

    Note:
    For details on the supported features of Field Encryption and how to upgrade and subscribe to the Field Encryption Enterprise entitlement, refer to Encryption and Key Management subscription bundle.

    Encryption terms

    Figure 1. Key management
    Support for key management

    Fundamental to Field Encryption Enterprise is the Key Management Framework (KMF).

    Gain the following capabilities:
    • Key life-cycle management.
    • Key rotation. See Rotate keys for details.
    • Key protection and key generation with FIPS 140-2-L3 Hardware Security Modules (HSMs).
    • Segregation of roles and duties.
    • The secure transfer of data encryption keys between instances, such as production and non-production instances.
    • Customer Supplied Keys (CSK) with key-wrapping.
    • Non-deterministic encryption.
    • Mass encryption/decryption.
    • Auditing of key access/use.

    See Key Management Framework Reference for details.

    Figure 2. Customer-supplied key
    Support for customer-supplied keys

    One of the biggest benefits of Field Encryption Enterprise is that you can use your own keys for encryption. Administrators have the choice to use ServiceNow supplied keys or your own customer-supplied keys (CSK) for encryption on the ServiceNow AI Platform®.

    You can also manage the key life cycle and decide when to revoke, rotate, and inactivate the keys. After you enable customer-supplied keys and create a cryptographic module, you download a token and a public ephemeral key. You use the token and public key to wrap your key and then upload it to the instance. To use customer-supplied keys, see Configure field encryption settings to select key type and Using customer-supplied keys with Field Encryption Enterprise.

    Figure 3. Field Encryption
    Support for both field encryption and attachment encryption

    Both field encryption and attachment encryption use cryptographic modules and access policies through Encrypted Field Configurations. The Encrypted Field Configuration form is used to choose an encryption type of column or attachment encryption. See Set encrypted field configurations for more information and supported field types.

    Figure 4. Non-deterministic encryption
    Support for non-deterministic encryption

    Field Encryption Enterprise supports non-deterministic encryption for enhanced security. If the system encrypts the same data more than once, the ciphertexts are different each time. Non-deterministic encryption is available with Advanced Encryption Standard (AES) encryption with Cipher Block Chaining (CBC).

    You can enable this feature through the Equality Preserving option on the Algorithm Definition stage of the cryptographic specification. Create a cryptographic specification for a crypto module, define an algorithm for encryption, and generate the key.

    See Create a cryptographic module to define the mechanisms used for cryptographic operations and for more information on enabling non-deterministic encryption.

    Figure 5. Resource Exchange

    Resource Exchange moves Field Encryption Enterprise keys from instance to instance securely, using the KMF cryptographic APIs to provide confidentiality, integrity, authentication, and non-repudiation. Resource Exchange is a KMF feature that lets you exchange resources between instances securely. See Key Management Framework Resource Exchange for details.

    Note:
    If you choose not to activate Field Encryption Enterprise, you can still use Field Encryption. See Exploring Field Encryption for information.

    Field Encryption Enterprise supports on-premise customers. It doesn’t support Domain Separation.

    Support for additional encrypted fields

    The standard version of Field Encryption is limited to five encrypted columns. Field Encryption Enterprise supports an unlimited number of encrypted columns.

    Supported field information

    The following field types can be encrypted:
    • Attachments
    • Date
    • Date/Time
    • Email
    • HTML
    • Journal
    • Journal Input
    • Journal List
    • Phone
    • String text
    • Translated Field
    • Translated HTML
    • Translated Text
    • URL

    Attachment Encryption

    Attachment encryption by default

    Customers using Field Encryption have attachments encrypted by default in tables that have an active Encrypted Field Configuration (EFC) type of Attachment.

    This default encryption defined by the EFC configuration means that it's not necessary for admins to manually declare that an attachment should be encrypted on upload for these tables.

    Administrators can disallow users from attaching unencrypted files. For details, see Prevent users from attaching unencrypted files.

    Opt out of default encryption

    If you don’t want attachments encrypted by default based on EFC configuration, you can opt out of this option by contacting ServiceNow support.

    To opt out of this feature, create a support case with ServiceNow support, and include this statement in a comment on the case record:

    "I [customer name], understand that I am asking ServiceNow to turn off a recommended security best practice for attachments, and that [customer company] assumes any additional risk related to their configuration and use of unencrypted attachments in the ServiceNow application."

    API support

    Field Encryption Enterprise enables the following APIs.

    Note:
    The API behavior described in the following table represents the default configuration for the latest base system package. If you're working with older package versions, you may experience different functionality.
    Table 1. Field Encryption APIs

    changeEncryptionContext()
    Description: Updates an active Encryption Context (EC) used to encrypt an attachment. When CLE is enabled with the CLE Starter plugin using a KMF Crypto Module (CM), the API locates the CM for the EC and uses it to encrypt the attachment.
    Note: This API is only available in the Global scope.
    Parameters:
    • sourceTable – Name of the table that has the attachment.
    • sourceID – Table record system ID.
    • attachmentID – The sys_attachment record system ID.
    • newEncryptionContextID – System ID of the new context.
    Return type: Boolean

    changeCryptoModule()
    Description: Updates an active encryption module used to encrypt an attachment.
    Note: This API is only available in the Global scope.
    Parameters:
    • sourceTable – Name of the table that has the attachment.
    • sourceID – Table record system ID.
    • attachmentID – The sys_attachment record system ID.
    • newCryptoModuleId – System ID of the new encryption module to encrypt the attachment.
    Return type: Boolean

    disableEncryption()
    Description: Disables active encryption on an attachment.
    Parameters:
    • sourceTable – Name of the table that contains the attachment.
    • sourceID – Table record system ID.
    • attachmentID – The sys_attachment record system ID.
    Return type: Boolean

    getDisplayValue()
    Description: Returns the cleartext display value of an encrypted field.
    Return type: String

    getValue()
    Description: Returns the cleartext value of an encrypted field when glide_encryption.set_value_support_cle.disabled is false (requires a Module Access Policy (MAP)). Returns the encrypted value of an encrypted field when glide_encryption.set_value_support_cle.disabled is true.
    Return type: String

    setDisplayValue()
    Description: Inserts encrypted data into an encrypted field for display purposes.
    Parameters:
    • name – Field name.
    • value – Field value.
    Return type: Boolean

    setValue()
    Description: Inserts encrypted data into an encrypted field, controlled by a system property. Encrypts the data when glide_encryption.set_value_support_cle.disabled is false (requires MAP); writes unencrypted data when glide_encryption.set_value_support_cle.disabled is true (no MAP required).
    Parameters:
    • name – Field name.
    • value – Field value.
    Return type: Boolean

    The following script illustrates API changes when the Incident short description is encrypted:

    
    var gr = new GlideRecord('incident'); // GlideRecord object for the Incident table
    gr.setValue('short_description', 'test123'); // sets the encrypted field to test123
    var sys_ID = gr.insert(); // inserts the record in the Incident table and returns its sys_id
    gs.info(gr.getValue('short_description')); // logs the unencrypted value
    

    When the Field Encryption plugin is installed, glide_encryption.set_value_support_cle.disabled is set to false by default.

    When you call getValue() on an encrypted text field, it returns the plaintext if you have access to the cryptographic module; otherwise, it returns either the ciphertext or null.