Exploring Database Encryption
Summarize
Summary of Exploring Database Encryption
ServiceNow® provides database encryption (DBE) and full-disk encryption for customers needing at-rest data protection. Starting with the Washington DC release, DBE is set for future deprecation, with Cloud Encryption being the recommended solution for data at rest. This encryption method uses symmetric AES-256 encryption to secure all data, whether online or offline, without impacting functionality.
Show less
Key Features
- Real-time encryption of all stored data, with decryption occurring in memory during access.
- Protection of new or modified data as it is entered, including associated activity log files.
- Full disk encryption safeguards data from loss or theft when offline.
- Transparent to users, maintaining full functionality while ensuring data security.
- Supports instance cloning with minimal performance impact (up to 5%).
- Utilizes a three-level key hierarchy for enhanced security:
- Customer-specific AES-256 keys for data encryption and key protection.
- FIPS 140 validated key management for the highest level of security.
- DBE with CCS allows for customer-supplied keys, ensuring data-at-rest encryption without affecting application performance.
Key Outcomes
By implementing database encryption, ServiceNow customers can ensure their data is secure, comply with statutory obligations, and maintain operational efficiency. It enables real-time protection and minimizes risks associated with data breaches, loss, or theft, all while preserving functionality across supported ServiceNow AI Platform instances.
ServiceNow® offers database encryption (DBE) and full-disk encryption methods for customers with statutory obligations for data protection which may require at-rest protection for all data.
Database Encryption enables all data to be protected with symmetric AES-256 encryption, whether the database is online or offline. From the ServiceNow AI Platform perspective, all data flows in decrypted.
- Database Encryption supports all stored data to be encrypted in real time providing protection for data online and offline with no loss of functionality.
- Full disk encryption protects offline data if there is disk loss or theft.
With Database Encryption, all stored data is encrypted and individual records or tables are decrypted in memory while being accessed. New or changed data is encrypted as it is entered into a table and associated activity log files (bin, redo, undo, and error) are also encrypted.
Database Encryption is transparent to users, with no loss of functionality. When using this feature, all instances are encrypted, along with replication traffic and backups. Instance cloning is still available with a minor performance impact for using Database Encryption of up to 5%. Both new and existing instances on supported releases of the ServiceNow AI Platform can take advantage of database encryption.
As illustrated, ServiceNow stores and manages keys using a three-level key hierarchy:
- A customer specific AES-256 key is created by the database engine and is used to encrypt the data.
- A second customer specific AES-256 key is created by the database engine and is used to protect the first-level key.
- A third AES-256 key is created by and stored within FIPS 140 validated key management appliances in the ServiceNow datacenters. This key protects the second-level key and is unique per customer instance.
The ServiceNow AI Platform also supports database encryption with a customer supplied switch, DBE with CCS. This is an encryption solution that encrypts all data-at-rest when not in use in the database. It uses industry standard AES encryption with no impact to functionality. The database encrypts data as it is written to the disk, and decrypts data as it is read from the disk. That means that applications always have the data in an unencrypted state to perform the necessary logic and functions without impact.
If you are using your own keys for database encryption, see .