Exploring Secrets Management
Summary of Exploring Secrets Management
ServiceNow Secrets Management allows for detailed control over password access tailored to your business needs. Admins must possess the appropriate role to access modules and records related to Secrets Management.
Key Features
- Core and Enterprise Versions: Choose between Secrets Management Core, available by default at no cost, and Secrets Management Enterprise, which requires a specific license.
- Secrets Groups: Organize secrets into basic or criteria-based groups for better management. Basic groups apply to all secrets, while criteria-based groups refine inclusion based on defined criteria such as application scope and table.
- Granular Access Controls: Admins can restrict access to secrets based on specified criteria, offering more precise control than traditional methods.
- Secure Storage: Client-side secret groups utilize a new encryption scheme where ServiceNow cannot access the encryption key, enhancing security.
- Policy Application: Module access policies can be applied to secret groups to define access controls and validity for cryptographic keys.
Key Outcomes
By implementing Secrets Management, customers can achieve enhanced security through organized secret groups, improved access control, and the assurance that sensitive data is protected using advanced encryption methods. This leads to a more secure and manageable password management solution tailored to meet enterprise needs.
Use ServiceNow Secrets Management for granular management of access to your passwords to fit your business needs.
Select from Core and Enterprise versions of Secrets Management
Choose from Secrets Management Core and Secrets Management Enterprise depending on your business needs.
The Secrets Management Core plugin (com.glide.sm.core) is available by default. No installation is required on the instance for use. The Secrets Management Enterprise plugin is only available with a ServiceNow Vault v1, PROD18537 license. Contact Customer Support for assistance with the Secrets Management Enterprise plugin.
| Secrets Management Core | Secrets Management Enterprise |
|---|---|
| Secrets Management Core is available to activate on your instance at no additional cost. The plugin provides the ability to use secrets groups with criteria in the non-custom tables that ServiceNow application engineering teams provide in the ServiceNow platform. | Secrets Management Enterprise includes additional functions to help admins create and manage secrets groups. Enterprise provides the following features in addition to the features listed in Core. Note: Secrets Management Enterprise is a paid plugin that ServiceNow personnel must activate on your production instance. |
Use secret groups to organize your secrets
Use Secrets Management to organize your secrets into groups, and then apply access policies to those secrets at a group level.
- Basic secret group: These groups apply to all secrets in a scope. These secrets are decrypted by a common cryptographic module and are governed by common module access policies.
- Secret group with criteria: Secret groups with criteria function the same as a basic secret group, but further refine what is included using criteria. These criteria include:
  - Application scope
  - Package
  - Table
  - Secret column
  - Filter record
Secret groups of either type can be made instance accessible or client accessible.
- Instance-side secret groups: Instance-side secret groups contain secrets that can be decrypted by your instance.
- Client-side secret groups: Client-side secret groups use a public and private key pair to ensure that secrets can only be decrypted by the client. When you create a client-accessible secrets group, you upload the public key to the instance and retain the private key on your MID Server. The instance uses the public key to encrypt your secrets, but they can only be decrypted using the private key.
Use secrets groups for more granular control
While password2 is available on the ServiceNow platform, Secrets Management provides these additional features.
| Feature | Description |
|---|---|
| Granular access controls | |
| Secure storage | For client-side secret groups, Secrets Management uses a new encryption scheme. In this encryption scheme, ServiceNow doesn't save the encryption key. For this reason, the security of your data doesn't depend on ServiceNow security. |
Apply module access policies to your groups
After you’ve grouped your secrets into a secret group, you can apply policies that determine how you can access them at a group level. Module access policies are the access control mechanisms that you apply to cryptographic modules to define instance-level controls, such as a validity time frame for the cryptographic key. For more information on module access policies, see Module access policy overview.
Tables installed with Secrets Management
Secrets Management adds or modifies these tables.
| New table | Description |
|---|---|
| [sn_sm_secret_group] | Stores secret groups |
| [sn_sm_secret_group_criteria] | Stores criteria for secret groups |
| [sn_sm_secret] | Stores wrapped secrets |
| [sn_sm_identity_group] | Defines the identity group for mapping a group of identities to the public key |
| [sys_kmf_wrapped_module_key] | Stores the wrapped symmetric cryptographic keys |

| Modified table | Description |
|---|---|
| [sys_kmf_crypto_module] | Added cryptographic module type (identity cryptographic module or secret group cryptographic module) |
| [sys_kmf_module_key] | |
| [sys_kmf_crypto_caller_policy] | Added new module access policy type |