Exploring the Key Management Framework

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read

    Learn about the components of the Key Management Framework (KMF), and how to use them to manage how cryptographic operations are performed on your instance.

    Components of the Key Management Framework

    Figure: KMF configuration overview. This graphic shows the components that comprise the KMF.

    KMF cryptographic modules

    KMF is centered around managing cryptographic modules. Use these modules to define which data on your instance is encrypted and which method of encryption to use. By using multiple modules, you can encrypt different areas of your instance with different cryptographic specifications.

    For example, if you want to secure the data in your Human Resources application with AES-CBC using a 256-bit symmetric key, you can create a module for that purpose. For more information on these modules, see Cryptographic module overview.

    Cryptographic keys

    A cryptographic key is the secret value that, combined with a cryptographic algorithm, encrypts or decrypts your data. These keys are used by the cryptographic specifications assigned to your modules. You can choose to use a key generated by ServiceNow, or upload your own key with Field Encryption Enterprise. For more information on keys, see Instance level keys in the Key Management Framework.

    Cryptographic specifications

    A cryptographic specification defines algorithms used to encrypt data. These algorithms use a cryptographic key to encode or decode your data. Assigning a cryptographic specification to the module determines how the data assigned to that module is encrypted.

    Module access policies

    Module access policies (MAPs) are the access controls you apply to your cryptographic modules. Use these policies to determine which users and scripts can access data encrypted by a cryptographic module. For more information, see Module access policy overview.

    Key Management Framework workflow

    1. Assign KMF roles
    Administrators must begin by assigning themselves the sn_kmf.admin role. This role enables you to use KMF features and assign KMF roles to other users.
    2. Configure KMF settings
    Configure your field encryption settings to select either ServiceNow-supplied keys or your own customer-supplied keys (CSK) for encryption.
    3. Create cryptographic modules
    Use cryptographic modules to select a set of data on your instance to be encrypted. In later steps, you assign a cryptographic specification to determine how to encrypt this data, and a module access policy to determine who can decrypt the data.
    4. Create a cryptographic specification
    The cryptographic specification defines a method of encryption. Once assigned to a module, it defines how the data assigned to that module is encrypted.
    5. Create module access policies
    After creating modules to secure your data, create module access policies to control which users and scripts are able to access the encrypted data.
    6. Create a cryptographic module life-cycle policy
    These policies place limits on cryptographic modules, such as how long a cryptographic key is valid. These policies can safeguard your cryptographic modules by limiting their exposure.

    Key Management Framework benefits

    • Benefit: Protect your sensitive and proprietary data.
      Feature: Encryption and key management. Users: All.
    • Benefit: Maintain compliance with NIST 800-57 guidelines. These guidelines are provided by the National Institute of Standards and Technology to reduce cybersecurity risk to your networks and data.
      Feature: Encryption and key management. Users: Security administrators.
    • Benefit: Use the Key Management Framework to generate, upload, view, and manage your cryptographic keys. Use key rotation for manual or scheduled rotation of your keys for increased security.
      Feature: Key Management Framework. Users: Security administrators.