Exploring Field Encryption
Summarize
Summary of Exploring Field Encryption
Field Encryption in ServiceNow provides robust encryption for data fields to ensure sensitive information remains protected. By default, it blocks access to encrypted data from all users, scripts, and system processes until explicitly authorized. Access is controlled through a combination of Field Encryption Modules, Encrypted Field Configurations, and Module Access Policies (MAPs), allowing precise control over who or what can access specific encrypted fields.
Show less
Access Control and Module Access Policies
Field Encryption uses Module Access Policies to define which users, scripts, or system processes (accessors) have permission to access encrypted fields. Multiple MAPs can be configured to apply distinct access rules across different sets of fields. For example, MAP A may govern access to certain columns with specific role and script permissions, while MAP B controls others with different rules. This layered approach enhances security by tailoring access to meet organizational requirements.
Differences Between Field Encryption Starter and Enterprise
- Field Encryption Starter:
- Supports encryption of up to 5 fields (limit applies to fields, not modules or contexts)
- No attachment encryption
- No native key management; key rotation requires ServiceNow Support involvement
- Supports all data types and unlimited modules and MAPs
- Field Encryption Enterprise:
- No limit on the number of encrypted fields
- Supports attachment encryption
- Enables key management directly within the instance without requiring ServiceNow Support
- Supports all data types and unlimited modules and MAPs
Roles and User Responsibilities
Specific roles manage Field Encryption configuration and operations:
- Key Management Framework (KMF) Admin or Cryptographic Manager: Configure Field Encryption modules, keys, policies, encrypted field settings, Module Access Policies, and manage customer-supplied keys (Enterprise only). Also responsible for scheduling encryption tasks and reviewing Access Observer logs.
- KMF Cryptographic Operator: Manages properties for customer-supplied keys.
Additional Considerations
- Changes to encrypted fields are not recorded in the activity stream or record history, affecting audit trails.
- Encryption does not support fields or attachments on system tables (tables starting with sys).
Next Steps
To implement and manage Field Encryption effectively, explore configuration guides and best practices under Configuring Field Encryption and Using Field Encryption within ServiceNow documentation.
Learn the details of Field Encryption Starter and Field Encryption Enterprise
Encryption-backed access control
By default, Field Encryption blocks all users, scripts, and system processes from accessing encrypted data. However, Field Encryption has an access control feature that is used in combination with, but also separate from, Access Control Lists (ACLs) to ensure only the correct users, scripts, or system processes can access encrypted data.
You can configure the access of the Field Encryption control feature through a combination of Field Encryption Modules, Encrypted Field Configurations, and Module Access Policies. The next image shows how these three components work together.
By default, encrypted data is locked down from all access. A MAP defines which accessor (users, scripts, and system processes) can be authorized to access the data.
You can configure multiple MAPs to apply different access rules to different encrypted fields. In this diagram, Module Access Policy A covers columns A, B, C, and D, and Module Access Policy B covers column E — each with its own rules per accessor.
Access rules can differ between two policies for each accessor type. The following table reflects the access rules defined for Module Access Policy A, applied to columns A, B, C, and D, and Module Access Policy B, applied to column E.
| Accessor | MAP A Columns A, B, C, D |
MAP B Column E |
|---|---|---|
| Role A | Allow | Block |
| Role B | Allow | Block |
| Role C | Block | Allow |
| Script A | Allow | Block |
| Script B | Block | Block |
| Script C | Block | Allow |
| System Context Processes | Block | Allow |
Differences between Field Encryption Starter and Field Encryption Enterprise
The feature-set is different between Field Encryption Starter and Field Encryption Enterprise.
| Feature | Field Encryption Starter | Field Encryption Enterprise |
|---|---|---|
| Number of encrypted fields | Up to 5 encrypted fields Note: Field Encryption Starter limits the number of encrypted fields, not encryption modules or contexts. Field Encryption replaces the deprecated Column Level Encryption product, which used a module and context-based limit. |
No restriction on number of encrypted fields |
| Attachment encryption | No | Yes |
| Key management | None (Contact ServiceNow Support for key rotation) | Manage keys from your instance with no involvement from ServiceNow Support |
| Supported data types | All supported data types | All supported data types |
| Number of Field Encryption Modules | No restriction | No restriction |
| Number of Module Access Policies | No restriction | No restriction |
Field Encryption users
| User | Description |
|---|---|
| Key Management Framework (KMF)Admin or KMF Cryptographic Manager | These roles are used to configure elements of Field Encryption.
|
| KMF Cryptographic Operator | Configures properties for customer supplied keys |
Field Encryption and record history
Changes to fields encrypted with Field Encryption are not tracked in the activity stream for the record or in the record history [sys_history_set] table.
Encryption on system tables
Field Encryption currently doesn’t support the encryption of fields and attachments of system tables (tables that begin with sys_).