Column Level Encryption Enterprise

Washington DC Platform security

Release

washingtondc

ft:locale

en-US

ft:publication_title

Washington DC Platform security

ft:clusterId

psec

bundleId

psec

workflow

Platform

Column Level Encryption Enterprise

Release version: Washingtondc

Updated August 1, 2024

5 minutes to read

Summarize

Summarized using AI

Summary of Column Level Encryption Enterprise

Column Level Encryption Enterprise enhances data security by utilizing the Key Management Framework (KMF) for managing encryption and decryption of fields and attachments in your ServiceNow instance. A subscription is necessary to access this enterprise-level feature, which offers key-protection and lifecycle management in compliance with NIST standards.

Show full answer Show less

Key Features

Key Management: Includes capabilities such as key life-cycle management, key rotation, customer-supplied keys (CSK), and auditing of key access.
Field and Attachment Encryption: Supports both field and attachment encryption via Encrypted Field Configurations, allowing administrators to choose encryption types for various fields.
Non-Deterministic Encryption: Enhances security by ensuring that identical data encrypts to different ciphertexts, available with AES encryption using Cipher Block Chaining (CBC).
Resource Exchange: Securely exchanges keys between instances using KMF cryptographic APIs, ensuring data confidentiality and integrity.

Key Outcomes

Implementing Column Level Encryption Enterprise allows ServiceNow customers to achieve a higher level of data security through customizable encryption policies and robust key management. Customers can opt to use their own keys, control key lifecycles, and ensure compliance with industry standards. Furthermore, with the capability to encrypt attachments by default, organizations can significantly reduce the risk of data breaches while maintaining user access through defined access policies.

Column Level Encryption Enterprise utilizes the Key Management Framework (KMF) to enable you to customize and manage how fields and attachments are encrypted and decrypted on your instance. A subscription is required to utilize Column Level Encryption Enterprise.

Important:

This topic covers the enterprise version of Column Level Encryption. For information on the standard version of Column Level Encryption, or to learn the differences between the two versions, see .

Column Level Encryption Enterprise is premised with Column Level Encryption and uses the Key Management Framework and its full support of key management functions. Column Level Encryption Enterprise provides key-protection and key life-cycle management for application-level field encryption. All keys are protected with a key-wrapping hierarchy ultimately rooted in FIPS 140-2-L3 Hardware Security Modules (HSM).

Column Level Encryption Enterprise gives you the ability to manage how supported fields are encrypted and decrypted in accordance with NIST 800-57 practices. It also uses the most updated version of field-level encryption, including integration for proper key protection and management.

Specifically, Column Level Encryption Enterprise utilizes the KMF encryption modules, granting you more control of server-side encryption. KMF ensures proper data encryption key protection using key hierarchy and envelope encryption. Your instance encrypts data through cryptographic modules that you configure. You can create an access policy for each module then configure cryptographic specifications and access policies and control key life-cycle management control.

Column Level Encryption Enterprise supports module access policies based on:

Scope
Role
Script
Resource Exchange
System User

See Create a module access policy for additional information.

Note:

For details on the supported features of Column Level Encryption and how to upgrade and subscribe to the Column Level Encryption Enterprise entitlement refer to Encryption and Key Management subscription bundle.

Encryption terms


Term	Description
Figure 1. Key management	Support for key management Fundamental to Column Level Encryption Enterprise is the Key Management Framework (KMF). Gain the following capabilities: Key life-cycle management. Key rotation. See Rotate keys for details. Key protection and key generation with FIPS 140-2-L3 Hardware Security Modules (HSMs). Segregation of roles and duties. The secure transfer of data encryption keys between instances, such as production and non-production instances. Customer Supplied Keys (CSK) with key-wrapping. Non-deterministic encryption. Mass encryption/decryption. Auditing of key access/use. See Key Management Framework Reference for details.
Figure 2. Customer-supplied key	Support for customer supplied keys One of the biggest benefits of Column Level Encryption Enterprise is that you can use your own keys for encryption. Administrators have the choice to use ServiceNow supplied keys or your own customer-supplied keys (CSK) for encryption on the ServiceNow AI Platform®. You can also manage the key life cycle and decide when to revoke, rotate, and inactivate the keys. After you enable customer-supplied keys and create a cryptographic module, you download a token and public ephemeral key. You use the token and public key to wrap your key and then upload to the instance. To use customer-supplied keys, see Configure field encryption settings to select key type and .
Figure 3. Column Level Encryption	Support for both field encryption and attachment encryption Both field encryption and attachment encryption utilize cryptographic modules and access policies through Encrypted Field Configurations. The Encrypted Field Configuration form is used to choose an encryption type of column or attachment encryption. See Set encrypted field configurations for more information and supported field types.
Figure 4. Non-deterministic encryption	Support for non-deterministic encryption Column Level Encryption Enterprise supports non-deterministic encryption for enhanced security. If the system encrypts the same data more than once, the ciphertexts are different each time. Non-deterministic encryption is available with AES encryption with Cipher Block Chaining (CBC). You can enable this feature through the Equality Preserving option on the Algorithm Definition stage of the cryptographic specification. Create a cryptographic specification for a crypto module and define an algorithm for encryption and generate the key. See Create a cryptographic module to define the mechanisms used for cryptographic operations and for more information on enabling non-deterministic encryption.
Figure 5. Resource Exchange	Resource Exchange Column Level Encryption Enterprise keys instance to instance in a secure manner using the KMF cryptographic APIs to provide confidentiality, integrity, authentication, and non-repudiation. Resource Exchange is a KMF feature that gives you the capability to exchange resources between instances in a secure manner. See Key Management Framework Resource Exchange for details.

Note:

If you choose not to activate Column Level Encryption Enterprise, you can still use Column Level Encryption. See for information.

Column Level Encryption Enterprise supports on-premise customers. It doesn’t support Domain Separation.

Support for additional modules and module access policies

The standard version of Column Level Encryption is limited to five modules and module access policies (MAP). Column Level Encryption Enterprise supports a larger number of modules and MAPs.

Supported field information

The following field types can be encrypted:

Attachments
Date
Date/Time
Email
HTML
Journal
Journal Input
Journal List
Phone
String text
Translated Field
Translated HTML
Translated Text
URL

Attachment Encryption

Attachment encryption by default

Customers using Column Level Encryption have attachments encrypted by default in tables that have an active Encrypted Field Configuration (EFC) type of Attachment.

This default encryption defined by the EFC configuration means that admins don’t need to manually declare that an attachment should be encrypted on upload for these tables.

Administrators can disallow users from attaching unencrypted files

For details, see Prevent users from attaching unencrypted files.

Opt out of default encryption

If you don’t want attachments encrypted by default based on EFC configuration, you can opt out of this option by contacting ServiceNow support.

To opt out of this feature, create a support case with ServiceNow support, and include this statement in a comment on the case record:

"I [customer name], understand that I am asking ServiceNow to turn off a recommended security best practice for attachments, and that [customer company] assumes any additional risk related to their configuration and use of unencrypted
                     attachments in the ServiceNow application."

API support

Column Level Encryption Enterprise updates the setDisplayValue() and setValue() APIs so they can insert encrypted data for encrypted fields. It also enables getDisplayValue() and getValue() to return cleartext values.

The following script illustrates these API changes when the Incident short description is encrypted:


var gr = new GlideRecord('incident'); //creates a new incident
gr.setValue('short_description','test123'); //sets the value to test123
var sys_ID = gr.insert(); //inserts the record in the Incident table.
gs.info(gr.getValue('short_description')); //displays the unencrypted value

When using getValue() to get encrypted text, your script no longer returns the ciphertext. Your script returns the plaintext, assuming that the user has access to the cryptographic module. getValue() returns the ciphertext for users who don't have access to the cryptographic module.