Exploring Column Level Encryption
Summary of Exploring Column Level Encryption
Column Level Encryption is a core feature in ServiceNow that allows for the encryption of data within your instance using AES128 or AES256 algorithms. This functionality enables the encryption of specific database fields and files through defined encryption contexts, which specify what to encrypt, the encryption algorithm, and the associated encryption key. Access to encrypted data is controlled through user role assignments.
Key Features
- Role-Based Access: Control access to encrypted data based on user roles, enhancing security. Required Role: security admin
- AES Encryption: Utilize either AES-128 or AES-256 for data protection. Required Role: security admin
- Module Access Policies (MAPs): Create up to 5 MAPs for more nuanced access control. Required Role: security admin
- Field Types: Encrypt various field types, including strings, dates, attachments, and URLs. Required Role: security admin
- Equality Preserving Encryption: Allows for equality comparisons in encrypted fields, although non-deterministic encryption is not supported. Required Role: security admin
- APIs Usage: Employ getDisplayValue() and setDisplayValue() APIs for handling encrypted fields. Required Roles: security admin, developer
Key Outcomes
- Expanded Capabilities in Enterprise: Column Level Encryption Enterprise offers additional field types, support for more than 5 MAPs, and advanced key management features. Required Role: security admin
- Automatic Key Rotation: Schedule automatic key rotations to enhance security and reduce management effort. Required Role: security admin
- Customer Supplied Keys: Manage the lifecycle of encryption keys and exchange them securely. Required Role: security admin
- Ephemeral Keys: Utilize session-specific keys for improved security. Required Role: security admin
For a practical walkthrough, the Column Level Encryption Guided Tour provides setup instructions for encrypting fields and attachments, covering the creation of Field Encryption Modules, MAPs, and configurations, along with links to further documentation and training resources.
Column Level Encryption overview
Column Level Encryption is a base system feature that permits encryption of data stored within an instance using AES128 or AES256.
Column Level Encryption enables you to encrypt selected database fields and stored files through the use of encryption contexts. In these contexts you define what is encrypted, choose which algorithm to use, and supply the encryption key, which is stored within your instance.
After the context is created, you can associate it with a user role. Users assigned to this role, either directly or through a group, are able to access the encrypted data.
Because Column Level Encryption bases access to data on role assignment, it’s important to be familiar with administering roles on your instance. For more information, see Managing roles.
Field Encryption benefits
| Benefit | Feature | Required Roles |
|---|---|---|
| Configure access to your encrypted data based on assigned user roles. | Role-based access to encrypted data | security admin |
| Protect your data using the Advanced Encryption Standard (AES). You can choose either the AES-128 or the AES-256 encryption algorithm. | AES encryption | security admin |
| Create up to 5 modules and module access policies (MAPs) using the standard version of Column Level Encryption. MAPs expand on role-based access to allow for additional access considerations. | Support for up to 5 modules and module access policies (MAPs) | security admin |
| Encrypt common field types using the standard version of Column Level Encryption. Column Level Encryption Enterprise supports additional field types. | Encryption for String text, Date and Date/Time fields, attachments, and URLs | security admin |
| Choose between standard and equality preserving encryption. When enabled, equality preserving encryption ensures that the encrypted value of a field stays the same as long as the field value stays the same, which enables equality comparisons and group-by operations on the field. Note: Non-deterministic encryption isn't supported. | Equality preserving encryption support | security admin |
| Use the getDisplayValue() and setDisplayValue() APIs to return cleartext values and insert encrypted data for encrypted fields. | getDisplayValue() and setDisplayValue() APIs | security admin, developer |
Column Level Encryption Enterprise benefits
Column Level Encryption Enterprise builds on the existing Column Level Encryption framework and provides these additional features after you purchase a subscription.
| Benefit | Feature | Required Roles |
|---|---|---|
| Encrypt additional field types. | Support for additional field types | security admin |
| Column Level Encryption Enterprise supports more than 5 modules and module access policies to provide more options for access to secured data. | Support for additional modules and MAPs | security admin |
| Keys from a key vault can be rotated on an automated schedule you configure. Using automatic key rotation can improve security while reducing administrative overhead. | Configurable automatic key rotation | security admin |
| Manage the full life cycle of your data encryption keys. Optionally, you can securely exchange data encryption keys generated within your environment. | Customer supplied keys | security admin |
| Ephemeral keys are cryptographic keys that are generated for each execution of a cryptographic process. These keys are more secure because they're generated for use in a single session. | Ephemeral cryptographic keys | security admin |
| Updated getDisplayValue() and setDisplayValue() APIs can insert encrypted data for encrypted fields. | Updated getDisplayValue() and setDisplayValue() APIs | security admin, developer |