ServiceNow Encryption Options

Overview of key management and encryption

Uploaded by

MarcusVinícius
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
249 views41 pages

ServiceNow Encryption Options

Overview of key management and encryption

Uploaded by

MarcusVinícius
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 41

TechNow

The web series for ServiceNow admins, builders and developers on a variety of Now Platform topics

Navigating encryption options

Episode 89

Speakers: Chuck Tomasi (Sr. Developer Advocate, ServiceNow); Kreg Steppe (Sr. Staff Enterprise-wide App/Sys Developer, ServiceNow); Jeremy Duncan (Platform Architect, ServiceNow); Pierre Rohel (Sr. Manager, Platform Security, ServiceNow); Gray Williams (Sr. Principal Product Mgr., Platform Security, ServiceNow)
Safe harbor notice for forward-looking statements
This presentation may contain “forward-looking” statements that are based on our beliefs and assumptions
and on information currently available to us only as of the date of this presentation. These statements are
intended to be covered by the safe harbor provisions contained in the U.S. Private Securities Litigation
Reform Act of 1995. Forward-looking statements involve known and unknown risks, uncertainties, and other
factors that may cause actual results to differ materially from those expected or implied by the forward-
looking statements. Further information on these and other factors that could cause or contribute to such
differences include, but are not limited to, those discussed in the section titled “Risk Factors,” set forth in our
most recent Annual Report on Form 10-K and Quarterly Report on Form 10-Q and in our other Securities
and Exchange Commission filings. We cannot guarantee that we will achieve the plans, intentions, or
expectations disclosed in our forward‐looking statements, and you should not place undue reliance on
our forward‐looking statements. The information on new products, features, or functionality is intended to
outline our general product direction and should not be relied upon in making a purchasing decision, is
for informational purposes only and shall not be incorporated into any contract, and is not a commitment,
promise, or legal obligation to deliver any material, code, or functionality. The development, release, and
timing of any features or functionality described for our products remains at our sole discretion. We
undertake no obligation, and do not intend, to update the forward-looking statements.
Chuck Tomasi

• Senior Developer Advocate
• 35+ years IT experience
⎼ Software developer, PM, IT manager
• ServiceNow customer 2008-2010
• ServiceNow since 2010
⎼ PS implementations, enablement, and pre-sales
• First Innovation of the Year Award @K10
• Co-host of TechNow since 2013
• Live Coding Happy Hour guest
• ServiceNow Community leader
• Hobbies:
⎼ Podcasting, golf, skiing, martial arts, cosplay

© 2021 ServiceNow, Inc. All Rights Reserved. 3


Kreg Steppe

• Sr Staff Enterprise-wide Apps/Sys Developer
⎼ Support training cloud infrastructure
• Specializing in cloud automation
• ServiceNow 2014-present
⎼ Prior experience in PS Orchestration
• Co-host of TechNow 2016-present
• Hobbies:
⎼ Podcasting, photography, Linux


Jeremy Duncan

• Platform Architect at ServiceNow
• 16 years of experience as enterprise engineer/architect
• ServiceNow experience since 2011 (pre-Aspen)
• Enterprise, federal and commercial implementations
• ServiceNow Certified Master Architect
• Degree: BBA in IS at MTSU
• Personal
⎼ Volunteer police officer and camping with wife and kids


Pierre Rohel

• Sr Manager in Platform Security
⎼ In charge of Data Protection
⎼ Encryption and Key Management
• 8 years of experience
• ServiceNow since 2014
• Core Platform and Security
• Bootcamp instructor, Internship program facilitator
• Hobbies:
⎼ Hiking, cooking, traveling


Jeff Sun

• Staff Systems Engineer in Platform Security Data Protection
⎼ Secrets Management, Column Level Encryption
• 15 years of experience in security
• ServiceNow since March 2020
• Hobbies:
⎼ Gaming, basketball (playing), baseball (watching), movies, chess


Gray Williams

• Sr Principal Product Manager in Platform Security
⎼ Cryptography, Encryption & Key Management
• 27 years of experience
• ServiceNow since Feb 2020
• Founded Gartner-MQ MSSP challenger that grew to support ~600 of the global 5000
• Ran global PKI and Identity divisions at Cybertrust (now Verizon)
• Led SafeNet’s global Encryption, Identity and VPN business divisions (now Thales)
• Hobbies:
⎼ Skiing, motorcycles, rafting, travel, cooking


Agenda

• Announcements
• Overview of key management and encryption
• Demo
• Q&A

Note: Ask a question in the Q & A – if we cannot answer it live, we’ll post answers on the community: devlink.sn/technow (Ep 89)


Subscribe Now
devlink.sn/break-point
https://developer.servicenow.com/blog.do?p=/tags/knowledge/

MARK YOUR CALENDAR

Workflow a better world
October 13–14
Learn how our Now Platform Rome release adds more capabilities to help you thrive in the new world of hybrid work.
servicenow.com/now-at-work.html
Get Updates
Key management and encryption


Today’s goals

Discuss customer challenges, the role of cryptography, encryption and the importance of key management

Explain how cryptography can be leveraged

Touch upon how cryptography and security are evolving


Digital workflows create great experiences and unlock productivity


However, as more digital workflow use cases process regulated data, new challenges emerge…

Challenges: Identity & Access Control; Encryption; Key Management; Authorization; Audit logging; Monitoring; Rapid Detection & Incident Response; Restoration & Recovery

Data involved: Sensitive Data; Personal Data; Regulated Data
Data protection and privacy challenges

How do I protect sensitive and regulated data?

How do I stay compliant with data protection regulations and avoid massive financial penalties?

How do I securely open up my instance to non-employees, partners and customers?


Platform security’s north star
Enabling customers to deliver their legal duty of care

• The right data
• For the right purpose
• To the right identity
• Every time
• Be able to prove it


Role of cryptography

Confidentiality – Preserving authorized restrictions on information access and disclosure, including means for protecting privacy and proprietary information

Integrity – Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity

Authentication – Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system


All about protecting keys

• Key management = security
• Without key protection, there is no security
• How are keys protected on platform? Key Management Framework

Key management:
• Makes cryptography an effective control
• Enables encryption’s security benefits

Got key management? Regulatory mandates compel customers to encrypt effectively; threats compel customers to manage keys effectively.


NIST 800-57: idea of a crypto toolbox
Key Management Framework

• Users Include:
⎼ Customers
⎼ Internal ServiceNow developers
• Crypto agility
⎼ Crypto purposes, crypto algorithms, key sizes
• Essential key management functionalities
⎼ Creation, rotation, suspension, etc.
• Define key lifecycles
• UI configurations and metadata records vs. code changes
⎼ Easy button



Idea of a custom crypto tool
KMF Cryptographic Module

• KMF Cryptographic Modules are the centerpiece of KMF
• Abstract object, consists of several related cryptographic configurations
⎼ Cryptographic specifications (algorithm, lifecycle, etc.)
⎼ Cryptographic key(s) (aka Module Key)
⎼ Linked to Module Access Policies to allow access to the key
• Users can create one or more KMF cryptographic modules
• Audit
⎼ Also captures usage information


KMF dependencies workflow



HSMs + KMF’s key wrapping hierarchy = key protection

Levels of the hierarchy, top to bottom (each level is wrapped by the one above it):

• Root Key – stored on HSM
• Instance Root Key – unique per instance
• Instance Keys (instance internal keys) – Instance HMAC Key, Instance Encryption Key, Instance Asymmetric Encryption Key, Instance Signature Key; Password2 Keys, IDR Keys, Data Keys
• Customer/App Keys – Module Encryption Key
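The wrapping hierarchy on the slide, modelled in Python as an added example (not ServiceNow or KMF code; KMF's real algorithms and key storage are not described here). Every tier's key is stored only wrapped under the tier above, the HSM-resident Root Key is a constructed in-memory stand-in, and the wrapping primitive is an illustrative HMAC-based encrypt-then-MAC construction rather than AES Key Wrap. It also shows why rotating a middle-tier key does not require re-encrypting data.

```python
import hmac, hashlib, secrets

# Constructed stand-in for the HSM-resident Root Key; in a real deployment it never leaves the HSM.
HSM_ROOT_KEY = secrets.token_bytes(32)

def prf(key: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 as a PRF: one-way, label-separated derivation with 32-byte output."""
    return hmac.new(key, label, hashlib.sha256).digest()

def wrap(kek: bytes, key: bytes) -> bytes:
    """Wrap a 32-byte key under a key-encryption key (KEK).
    Layout: nonce(16) || key XOR keystream(32) || HMAC tag(32), encrypt-then-MAC.
    Illustrative construction standing in for AES Key Wrap or AES-GCM."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(key, prf(kek, b"stream" + nonce)))
    tag = hmac.new(prf(kek, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Reverse of wrap(); fails closed when the KEK is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expect = hmac.new(prf(kek, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong KEK or tampered wrapped key")
    return bytes(a ^ b for a, b in zip(ct, prf(kek, b"stream" + nonce)))

def provision_instance() -> dict:
    """One instance's chain: Root Key -> Instance Root Key -> Instance Encryption Key
    -> Module Encryption Key. Only wrapped forms are kept; plaintext keys are dropped."""
    instance_root = secrets.token_bytes(32)  # unique per instance
    instance_enc = secrets.token_bytes(32)
    module_key = secrets.token_bytes(32)     # the customer/app key that protects data
    return {
        "instance_root_wrapped": wrap(HSM_ROOT_KEY, instance_root),
        "instance_enc_wrapped": wrap(instance_root, instance_enc),
        "module_key_wrapped": wrap(instance_enc, module_key),
    }

def open_module_key(root_key: bytes, store: dict) -> bytes:
    """Walk the chain top-down; every hop needs the plaintext key from the hop above."""
    instance_root = unwrap(root_key, store["instance_root_wrapped"])
    instance_enc = unwrap(instance_root, store["instance_enc_wrapped"])
    return unwrap(instance_enc, store["module_key_wrapped"])

def rotate_instance_enc(root_key: bytes, store: dict) -> dict:
    """Rotate the Instance Encryption Key: re-wrap the module key under a fresh key.
    The module key, and so every record encrypted with it, is left untouched."""
    instance_root = unwrap(root_key, store["instance_root_wrapped"])
    module_key = open_module_key(root_key, store)
    new_enc = secrets.token_bytes(32)
    return {**store, "instance_enc_wrapped": wrap(instance_root, new_enc),
            "module_key_wrapped": wrap(new_enc, module_key)}
```

A wrapped key from one instance cannot be opened through another instance's chain, and a wrong root key or a modified blob is rejected at the MAC check rather than yielding garbage key material.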


Different encryption options for different risk appetites

Comparison criteria: best practices, data custodianship, architecture, application impact, engineering resource, performance, segregation of duties

Edge – Client-Side Encryption
• Strongest security: ServiceNow does not have the key
• Proxy: infrastructure to maintain; bi-directional traffic
• Customer owns key management (CSK/BYOK)
• QUEBEC: multiple latency and stability improvements
• ROME: FIPS 140

CLE_Ent – Server-Side Encryption
• The CSP has the key
• Complexity and administrative overhead
• NIST 800-57 key management; FIPS 140-2-L3 key protection
• CSK/BYOK/CMK
• QUEBEC: ALL NEW – rebuilt with key management, key protection and performance improvements
• ROME: System & Script MAPs

DBE (& Cloud Encryption in SD) – Server-Side Encryption
• PRO: transparent; doesn’t break the user space
• The CSP has the key
• DBE/CE: data is in clear during runtime
• CCS: instance closes encrypted if key (or endpoint) becomes unavailable
• Low/no administrative overhead
• QUEBEC: DBE key rotation
• SAN DIEGO: Cloud Encryption uses KMF

Key Management (Quebec: OOB)
• PRO: built to best practice guidelines (NIST 800-57, FIPS 140-2-L3); requisite for strong encryption
• CON: increases complexity and administrative overhead
What’s behind the big increase in encryption use cases?

>70 global data protection and privacy regulations in motion, many with severe financial penalties

ServiceNow use cases increasingly process regulated data

Encryption is a data protection control that can theoretically lessen the risk of unintentional or unlawful exposure


Encryption use cases and examples

Industry Verticals: Retail & Consumer Industries; Financial Services; Healthcare & Life Sciences; Government & Defense; Legal; High Tech, Media; Education

Enterprise Functions: Human Resources; Finance; Customer support; Healthcare; Security; Compliance; Product Development

Regulated Data Examples:
• Public Co Financial Data
• Export Controlled Tech Data
• Direct Identifiers e.g., Name, Address, login IDs, TIN/SSN, PAN, passport, license, photos, signature, email…
• Indirect Identifiers e.g., Title, Age, Origin, Region, Citizenship, City, State, Zip, rare health condition, phone, email, cookies, beacons, pixel tags, IP addresses, account names…
• Biometric data e.g., face, retina, fingerprints, DNA, voice recordings, health data…
• Geolocation data e.g., location history via devices
• Internet activity such as browsing history, search history, data on interaction with a webpage, application or advertisement
• Sensitive information such as personal characteristics, behavior, religious or political convictions, sexual preferences, employment and education data, financial & medical information, vaccination history…
• Probabilistic Identifiers – order history, Netflix history, Google maps history – literally anything that can be used to ID a particular consumer or device


Thoughts on putting it all together

• What are your data protection compliance requirements?
• What resources can you dedicate for engineering overhead?
• Where’s your trust boundary?
• Do you need to be your own key custodian?

From an internal ServiceNow developer context
• Do you have sensitive data that requires encryption?
• Which crypto libraries are you using?
• How are you protecting your keys?
• What kind of access controls do you have in place on the key?


Seeing security in buckets

Full control
• Security by architecture
• Zero trust security model
• Entrust access to keys in place
• Safeguard data

Trust in the platform
• Consistent auditing and reporting

Too many trusted parties
• Disjoint implementations
• Too many applications
• Maintenance issues




Back to the future

• Modus operandi: customers need to implicitly (by default) trust the cloud provider
• Challenge assumptions:
⎼ Does the cloud provider need access to the keys (to decrypt data)?
⎼ Are instance-side access controls the best we can do?
⎼ Edge encryption is one step towards this, but it has limitations
• Points of failure with edge encryption proxies/hardware
• Application functionality sacrificed


Back to the future 2

• Client-side – investigate how we can do better on this
⎼ Lesson learned: edge encryption shows some pitfalls (e.g., application functionality)
• Let’s flip it
⎼ By default, ServiceNow does not have access to the key unless supplied by the client
⎼ Implies that functionality that exists instance-side can be split
• Some functionality migrates to the client side
• Some functionality remains on the server side (structural computation on the ciphertext data)
⎼ Let’s head towards zero trust


Next episode: Get Connected with IoT and Now
Tuesday, September 28, 2021, 8 am PT | 11 am ET
devlink.sn/tn90reg
Hosts: Sr. Developer Advocate, ServiceNow; Sr. Staff enterprise-wide app/sys developer, ServiceNow
Reference information
Available in the Resource widget (at the bottom of your screen)

ServiceNow
• docs.servicenow.com

• community.servicenow.com

• developer.servicenow.com

• devlink.sn/technow

• nowlearning.servicenow.com



Remember: Questions and answers will be posted to the community


Q&A
Thank you for joining us

Follow us on the community
[email protected]
@ServiceNow or @NOWCommunity
youtube.com/user/ServiceNowCommunity

Speakers: Chuck Tomasi (Sr. Developer Advocate, ServiceNow); Kreg Steppe (Sr. Staff Enterprise-wide App/Sys Developer, ServiceNow); Jeremy Duncan (Platform Architect, ServiceNow); Pierre Rohel (Sr. Manager, Platform Security, ServiceNow); Gray Williams (Sr. Principal Product Manager, Platform Security, ServiceNow)


On-demand webinars
Check out our on-demand webinars at
www.servicenow.com/events/on-demand-webinars.html
