Exploring Edge Encryption
Summary of Exploring Edge Encryption
Edge Encryption is a network encryption system for ServiceNow customers that encrypts and decrypts sensitive data traveling between your data center and the ServiceNow cloud. It operates through a proxy application installed and maintained on your own infrastructure, ensuring that encryption keys remain within your network and are not accessible to ServiceNow or its AI platform. This client-side encryption solution provides end-to-end data protection, making sensitive data unreadable to ServiceNow personnel and systems.
Key Features
- Full Control Over Encryption Keys: Keys are stored and managed solely on your proxy server, granting you exclusive control without sharing with ServiceNow.
- Data Encryption and Tokenization: Supports encrypting various field types (e.g., String, Date, Date/Time, Attachments, Journals, URLs) using AES-128 or AES-256 encryption, including standard, equality-preserving, and order-preserving encryption.
- Encryption Patterns: Allows tokenization of sensitive patterns such as social security and credit card numbers to secure data not stored in encrypted fields.
- Proxy-Based Architecture: The proxy encrypts data before sending it to the ServiceNow instance and decrypts data only within your network, ensuring data remains encrypted in transit and at rest within ServiceNow.
- Customizable Encryption Rules: Enables scripting within the proxy to define specific encryption behaviors tailored to your data structure.
- Integration with ServiceNow AI Platform: Acts as a secure gateway, ensuring encryption and key management are handled externally, preventing ServiceNow from accessing plaintext data.
Important Considerations
- Only users accessing the instance through your network proxy can view decrypted data, and only security_admin users logged in through the proxy can configure Edge Encryption.
- Maintaining the proxy server requires standard network administration tasks such as hosting, routing, backup, and DNS configuration.
- The proxy server requires a MySQL database if using order-preserving encryption or encryption patterns; securing and backing up this database is critical.
- Encryption can impose functional limitations on ServiceNow instance features and data processing, especially because data is not decrypted within the platform itself.
Pros and Cons
- Pros:
  - Absolute control over sensitive data and encryption keys.
  - Data is encrypted before leaving your environment and remains encrypted in transit and at rest.
  - Supports strong encryption algorithms and multiple data types.
  - Custom encryption rules and tokenization enhance data security.
- Cons:
  - Introducing the proxy adds a network hop and processing overhead, potentially causing slight delays.
  - Managing encryption keys can be complex and time-consuming.
  - Limited to two active encryption keys at a time, without granular key assignment per data subset or role.
  - Some ServiceNow functionality that relies on decrypted data may be restricted.
What ServiceNow Customers Should Know Before Starting
- Edge Encryption impacts instance processes and requires careful planning to address these changes.
- Network administration knowledge is necessary to install and maintain the proxy server correctly.
- Customers should review system requirements, sizing, limitations, and key management procedures before implementation.
- Edge Encryption requires installation of both the proxy server in your network and the corresponding ServiceNow plugin on your instance.
Edge Encryption is a network encryption system that resides on your network and that encrypts and decrypts sensitive data as it travels between your data center and the ServiceNow cloud.
What is Edge Encryption
Also referred to as ‘client-side’ encryption, Edge requires all bi-directional user traffic to pass through proxies that are maintained on your infrastructure. You have full control over your key management because the keys are stored within your proxy on your infrastructure. The ServiceNow AI Platform has no access to your keys and therefore can’t decrypt your ciphertext.
The Edge Encryption feature is an additional cost option that provides you with the ability to control the end-to-end encryption of your data and key management. Edge Encryption uses a proxy application, provided by ServiceNow and installed by you within your own network. This proxy application tokenizes specified data patterns or encrypts string fields, Date fields, Date/Time fields, and attachment data before it’s sent from your environment to your instance. The proxy application also decrypts the same data, again only within your own network, using keys stored only within your own network.
The relevant encryption keys and configuration exist only on the Edge proxy within your network and aren’t visible to ServiceNow. The data is encrypted from the moment that it leaves your environment and is only decrypted upon retrieval. At no point is the data accessible in plaintext by ServiceNow systems or personnel.
Who uses Edge Encryption
Only a user logged in to the instance through a proxy server on your network can view encrypted data in clear text. Likewise, only a security_admin user logged in to an instance through a proxy server in your network can configure and administer Edge Encryption.
Because the proxy server resides in your network, you own and manage the encryption keys, and they’re never sent to the instance. As a result, ServiceNow never shows sensitive data in clear text.
In addition to the Edge proxy configuration and management of rules, you’re responsible for the usual requirements of operating a server within your environment (including hosting, routing, backup, DNS configuration, and so on) to enable and support your Edge proxies.
Encryption and tokenization
Edge Encryption supports both encryption (through encryption configurations) and tokenization (through encryption patterns) as a means of protecting your sensitive information.
- Encryption configurations
  You can encrypt individual fields using encryption configurations. Edge Encryption supports AES 128-bit and AES 256-bit encryption keys. Edge Encryption supports standard, equality-preserving, and order-preserving encryption types. In addition to attachments, you can encrypt the following field types:
  - Date
  - Date/Time
  - IP Address
  - Journal
  - Journal Input
  - Multi-line text
  - Single-line text
  - String
  - URL
  Note: If a Journal field marked for encryption is added to the activity stream, all user input to the field is encrypted in the activity stream.
  Multi-byte characters within supported field types can be encrypted.
  You can also encrypt the following service catalog variable types:
  - String Types
    - Single-line text
    - Multi-line text
    - Wide single-line text
  - Date
  - Date/Time
  - URL
  - HTML
  - IP Address
- Encryption patterns
  You can use encryption patterns to tokenize strings that match regular patterns such as social security and credit card numbers. While encryption configurations should be the primary method of encryption, use encryption patterns as a supplement to secure sensitive information found outside of encrypted fields.
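The difference between a standard and an equality-preserving encryption configuration, shown with a simplified AES-256-GCM construction; this is an added example, not the Edge proxy's own code, and ServiceNow does not document its internal scheme on this page. `newGCM`, `EncryptField`, `DecryptField` and the HMAC-derived nonce used for equality preservation are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
)

// newGCM wraps the customer-held key in AES-GCM; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one field value on the outbound path. Standard mode draws a fresh
// random nonce, so equal plaintexts yield different ciphertexts. Equality-preserving mode
// derives the nonce from HMAC(macKey, plaintext), so equal values encrypt identically and
// the instance can match them, at the cost of revealing which rows share a value.
func EncryptField(key, macKey []byte, plain string, equalityPreserving bool) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if equalityPreserving {
		mac := hmac.New(sha256.New, macKey)
		mac.Write([]byte(plain))
		copy(nonce, mac.Sum(nil)) // the first 12 bytes of the HMAC become the nonce
	} else if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// stored as base64(nonce || ciphertext || tag) so it fits in a String field on the instance
	return base64.StdEncoding.EncodeToString(aead.Seal(nonce, nonce, []byte(plain), nil)), nil
}

// DecryptField is the inbound path and runs only inside your network; the instance never holds the key.
func DecryptField(key []byte, enc string) (string, error) {
	aead, err := newGCM(key)
	ct, derr := base64.StdEncoding.DecodeString(enc)
	if err != nil || derr != nil || len(ct) < aead.NonceSize() {
		return "", errors.New("bad key or malformed ciphertext")
	}
	plain, err := aead.Open(nil, ct[:aead.NonceSize()], ct[aead.NonceSize():], nil)
	return string(plain), err
}
```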
Edge Encryption on the ServiceNow AI Platform
Edge Encryption acts as a gateway between your browser and your ServiceNow instance. Traffic from your browser passes through the gateway on its way to the ServiceNow instance. The gateway, in turn, is configured to encrypt outbound data that is marked for encryption. Inbound traffic is decrypted through the gateway, and the end user sees clear text in the browser. The advantage of this implementation from a security control perspective is that the encryption and key management are handled externally from ServiceNow.
Pros and cons
As with Field Encryption Enterprise and Field Encryption, Edge Encryption imposes some functional limitations within an instance as a result of the additional security. The local Edge proxy does, however, also provide some additional functionality relating to sorting when compared to column-level encryption.
- Pros:
  - Edge Encryption provides absolute control of who sees your information and prevents data breaches.
  - Information remains on your proxy server and never leaves your network unencrypted.
  - Information is encrypted in transit, before it even reaches the ServiceNow instance.
  - You hold and manage all your own encryption keys. No one else, not even ServiceNow personnel, can access your keys.
  - You can choose the strength of the encryption algorithm: AES-128 or AES-256.
  - Edge Encryption includes the ability to encrypt String text, Date and Date/Time fields, attachments, URLs, and journals.
  - Edge Encryption provides Standard, Equality Preserving, and Order Preserving encryption of data at rest within the database and instance.
  - Encryption rules enable you to write custom scripts that tell the proxy server specifically what to encrypt and where to put that encrypted information in the instance. These scripts are useful when the data structure doesn't exactly match the ServiceNow instance.
  - Encryption patterns enable you to tokenize information such as passwords.
- Cons:
  - Edge Encryption requires an extra network hop through the Edge proxies cluster, and extra processing, which can add delay to traffic. The added processing delay of the Edge Encryption application is negligible compared to the network hop.
  - Maintaining your own encryption keys can be complex and time-consuming.
  - A maximum of two encryption keys can be active at any given time. You cannot assign different keys to specific subsets of columns, data categories, user roles, or access scopes. However, one key can encrypt certain columns while a different version of the same key can be used to decrypt others.
  - Edge Encryption has the side effect that the server or platform can't decrypt the data to perform any manipulation of the decrypted data. As a consequence, functionality and data processing on the ServiceNow AI Platform may be restricted when encrypting columns with Edge Encryption.
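An added example (not ServiceNow's code) of the tokenization that encryption patterns perform, as described in the Encryption patterns section above and in the pros list: values matching an SSN-shaped or card-shaped regular expression are replaced with opaque tokens on the way to the instance and restored on the way back. `PatternTokenizer`, `ssnOrCardPattern` and the `tok_<hex>` token format are assumptions, and the in-memory maps stand in for the proxy's local database.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"regexp"
)

// PatternTokenizer is a constructed stand-in for an Edge encryption pattern: regex matches
// are swapped for opaque tokens, and the token table (the proxy's local DB) stays on the proxy.
type PatternTokenizer struct {
	pattern *regexp.Regexp
	toToken map[string]string // plaintext -> token, so a repeated value reuses its token
	toValue map[string]string // token -> plaintext, consulted on the inbound path
}

// Matches SSN-shaped and 16-digit card-shaped strings, the examples the page gives.
var ssnOrCardPattern = regexp.MustCompile(`\b(?:\d{3}-\d{2}-\d{4}|(?:\d{4}[ -]?){3}\d{4})\b`)
var tokenPattern = regexp.MustCompile(`tok_[0-9a-f]{24}`) // shape of the tokens we emit

func NewPatternTokenizer(re *regexp.Regexp) *PatternTokenizer {
	return &PatternTokenizer{pattern: re, toToken: map[string]string{}, toValue: map[string]string{}}
}

// Tokenize is the outbound path: every match becomes tok_<random hex>. One token per
// value keeps equality searches on the instance working, but also reveals repeats.
func (t *PatternTokenizer) Tokenize(text string) string {
	return t.pattern.ReplaceAllStringFunc(text, func(m string) string {
		if tok, ok := t.toToken[m]; ok {
			return tok
		}
		raw := make([]byte, 12)
		if _, err := rand.Read(raw); err != nil {
			panic(err) // without randomness there is no safe token; fail loudly
		}
		tok := "tok_" + hex.EncodeToString(raw)
		t.toToken[m], t.toValue[tok] = tok, m
		return tok
	})
}

// Detokenize is the inbound path; tokens the proxy does not know stay as they are.
func (t *PatternTokenizer) Detokenize(text string) string {
	return tokenPattern.ReplaceAllStringFunc(text, func(tok string) string {
		if v, ok := t.toValue[tok]; ok {
			return v
		}
		return tok
	})
}
```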
What to know before you begin
Because encryption and tokenization change the nature of your data, Edge Encryption can affect other instance processes. Before using Edge Encryption, carefully consider the impact on your instance.
Because the proxy server is installed and maintained in your network, Edge Encryption requires network administration and management. Review the network requirements to ensure a smooth implementation.
Review the following topics to understand the impact of Edge Encryption on your instance: