WP Data Encryption With Servicenow

Uploaded by

Rocco Burocco

WHITE PAPER

Data Encryption
Technologies for data protection
on the Now Platform

Table of contents
Introduction (page 3)
Default protection (page 3)
  Secure communication with the instance (page 3)
  Email in-transit encryption (page 4)
  File transfer integration (page 4)
Customer-configurable protection (page 4)
  Direct database query (page 4)
  Web services integration (page 4)
  Single sign-on integrations (page 5)
  ServiceNow MID Server (page 5)
Premium protection options (page 6)
  Cloud encryption (page 6)
  Database Encryption (page 6)
  Three-level hierarchy: Cloud and database encryption (page 6)
Premium encryption at rest and in use solutions (page 7)
  Platform Encryption (page 7)
  Column Level Encryption Enterprise (CLEE) (page 7)
  CLEE cryptographic module (page 8)
  CLEE access control (page 8)
  Usage and restrictions (page 9)
  Edge Encryption (page 10)
  Types of edge encryption (page 12)
  Edge Encryption vs Column Level Encryption Enterprise (page 12)
Full Disk Encryption (page 13)
  FDE usage and restrictions (page 13)
Managing encryption keys (page 14)
  Encryption keys in the ServiceNow cloud infrastructure (page 14)
  Tokenization (page 15)
  Tokenization examples (page 15)
  Three-level key hierarchy: Cloud and database encryption (page 16)
  Further reading (page 16)
Appendices (page 17)

© 2022 ServiceNow, Inc. All rights reserved. ServiceNow, the ServiceNow logo, Now, Now Platform, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc. in the
United States and/or other countries. Other company names, product names, and logos may be trademarks of the respective companies with which they are associated.

servicenow.com 2
WHITE PAPER

Introduction
At ServiceNow, protecting customer data is a top priority. Different customers have different use cases, so we provide a range
of encryption options for maximum security and flexibility. This document provides an overview of these options and is broken
into three sections:

Default protection: Features built into the Now Platform that work automatically without any configuration requirements.

Customer-configurable protection: Features available in the Now Platform that can be configured to meet Customer-specific
requirements.

Premium protection options: Features available at additional cost that provide enhanced protection and security to meet
customer needs.

Please note that references to TLS 1.2 include proposed TLS 1.3 suites, i.e., ECDHE-ECDSA (perfect forward secrecy).

Default protection:
• Encryption in transit
• Secure communication with the instance
• Email in-transit encryption

Customer-configurable protection:
• Column-level encryption
• Direct Database Query
• Web Services Integration
• Single Sign-on Integrations
• ServiceNow MID Server

Premium protection options:
• Managing Encryption Keys
• Encryption at rest and in use solutions
• Platform Encryption (a commercial bundle of CLE Enterprise and Cloud Encryption)
• Column Level Encryption Enterprise
• Cloud Encryption
• Edge Encryption
• Database Encryption
• Full Disk Encryption

Default protection
The following encryption features are built into the Now Platform and work automatically, without additional configuration. See
the table in Appendix A titled ‘Summary of data in transit features’ for additional information.

Secure communication with the instance


Customer instances of the Now Platform are designed to be accessible via the internet, providing maximum flexibility in how,
when, and from where they are accessed. The internet, however, is a public network and therefore communications can
potentially be intercepted if they are not encrypted or otherwise protected.
Customers access their instances via a web browser using Transport Layer Security (TLS) encryption using AES with 128-bit or
256-bit cipher suites.
Negotiated ciphers are subject to customer browser versions and may be influenced by customer internet proxy infrastructure.
Customers can force specific cipher suites via their own browsers or proxies if desired.
All end-user access requests to a ServiceNow instance attempted over HTTP are redirected to HTTPS.
For additional security, customers are also able to use IP range-based authentication to restrict the public networks used to
access their Now Platform instances.


The standard contractual clauses are applicable as a data transfer mechanism, as per section 9 (international data transfers) of ServiceNow’s Data Processing Addendum.

Email in-transit encryption
Customers commonly configure ServiceNow instances to generate emails in relation to service management tasks, such as requesting approval for a change or to notify a user of service request status. ServiceNow instances provide additional confidentiality in this respect by supporting opportunistic TLS for email sent or received, and as such will negotiate TLS 1.2 encryption during the SMTP handshake and will fall back to plaintext SMTP where a secure channel cannot be negotiated. Additional related email security controls including Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) are also provided at no additional cost.

File transfer integration
Instances of the Now Platform support a variety of file transfer protocols, including FTPS, SFTP, and SCP. These are for instance-initiated communication out to external systems only and support TLS 1.2. There is no inbound file transfer facility beyond HTTPS/web services uploads.

Customer-configurable protection
Direct database query
Now Platform instances support direct Java Database Connectivity (JDBC) queries
out to external systems. JDBC connections are not encrypted but can be securely
proxied via a customer management, instrumentation, and discovery (MID) Server.
The communication to the MID Server in the customer environment is secured, as
described in the ServiceNow MID Server section below.

Web services integration


ServiceNow supports web services using SOAP (Simple Object Access Protocol) and
REST (Representational State Transfer) for integration, with all traffic encrypted using
TLS. Web service security is enforced using the combination of basic authentication
challenge/response and system-level access using contextual security. Additionally,
a set of web service-specific roles may be granted to the web service user.
For incoming SOAP requests, support for WS-Security 1.1 in the form of WSS
X.509 token profile and WSS username token profile are available. In this context,
“incoming” means requests targeting a web services resource in a customer
ServiceNow instance.
ServiceNow instances support outbound-only web services mutual authentication
by defining a protocol profile for connections that require mutual authentication.
Protocol profiles allow you to associate a specific certificate record with a protocol,
such as HTTPS. Requests made to an endpoint whose domain is defined in a profile
are then mutually authenticated.


Mutual web services authentication is only possible for outbound HTTPS connections, such as SOAP, REST, or direct HTTPS calls. A
ServiceNow instance does not support mutual authentication for inbound requests or for outbound requests sent through a MID
Server.
Secure signing of SOAP requests for message integrity purposes is also available.

Single sign-on integrations


Instances of the Now Platform support single sign-on (SSO) via the multiple provider SSO or security assertion mark-up language
(SAML) 2.0 plugins. These options allow integration with your own compliant SAML 2.0 identity providers (IDPs), and benefit from
transport layer encryption. Additionally, customer-provided certificates are used to verify a SAML assertion is properly signed by
the correct IDP.
Now Platform instances include LDAP client functionality and can access multiple LDAP v3 compliant directories according to
customer configuration. Both standard and secure LDAP (LDAPS), which use TLS, are available.

ServiceNow MID Server


The ServiceNow Management, Instrumentation, and Discovery (MID) Server is an optional, free ServiceNow component. The
MID Server facilitates data communication between customer instances and external applications, data sources, and services.
Customers use MID Servers in conjunction with their instances for enterprise application and service monitoring, integration,
orchestration, and discovery.
The MID Server is a Java application provided to customers via a download link within their instance and installed on a
suitable host system within their environment and is compatible with Windows or Linux operating systems. MID Servers are
cryptographically paired with an individual instance during installation and must be approved by the Customer ServiceNow
administrator before they can be used.
At a Customer-defined interval, a MID Server securely initiates an outbound session to a customer’s instance over HTTPS using
TLS 1.2, looking for activities to perform. The activity is retrieved and executed, and any output or resulting data is returned to
the originating instance. This outbound, or ‘pull’ approach negates the need to permit inbound access through a customer’s
perimeter or firewalls directly to the Internet.

[Diagram: MID Server architecture. The MID Server is a lightweight Java application on the customer network that collects data and makes only OUTBOUND connections (HTTPS:443) to the ServiceNow instance, which holds the job queue; optional external credential storage may be used. Targets on the customer network and the protocols used: network devices (SNMP), Windows servers (PowerShell), Linux servers (SSH), hypervisors (API), storage (CIM).]


Premium protection options


ServiceNow offers several features, available at additional cost, to protect data at
rest and data in use.

Cloud encryption
Cloud Encryption provides block encryption of the full database host with industry-
standard, customer-controlled, key lifecycle management built into the ServiceNow
user interface. It encrypts data at rest in the database using symmetric AES 256-bit
encryption with no impact to functionality. Any new or changed data as it is entered
into a table and associated activity log files (e.g., bin, redo, undo, and error) are also
encrypted.
When this feature is used, all related instances are encrypted, together with
associated replication traffic and backups, and instance cloning is still possible.
Both new and existing instances on supported releases of the Now Platform can
take advantage of Cloud Encryption.
ServiceNow Cloud Encryption also gives customers the option to use a ServiceNow-
generated key, or a key created and supplied by the customer (Customer Managed
Key). Key rotation operations are completely managed by customers from within
their ServiceNow instance, providing flexibility and autonomy, as well as avoiding
the need to involve ServiceNow Customer Support.

Database Encryption
Database Encryption enables data to be protected with symmetric AES 256-
bit encryption. It mitigates the same risk as Cloud Encryption, but without the
additional customer-controlled key management built into the ServiceNow user
interface. It encrypts data at rest in the database with no impact to functionality.
Any new or changed data is encrypted as it is entered into a table, and associated
activity log files (e.g., bin, redo, undo, and error) are also encrypted.
When this feature is used, all related instances are encrypted together with
associated replication traffic and backups, and instance cloning is still possible.
Both new and existing instances on supported releases of the Now Platform can take advantage of Database Encryption; however, there is a minor performance impact of up to 5% when using Database Encryption.
For customers who require hosting and management of their encryption key while using Database Encryption, please see Appendix E.

Three-level hierarchy: Cloud and database encryption


Both Cloud Encryption and Database Encryption use a three-level key hierarchy.
The first two keys are customer-specific and are created by the database engine,
while the third key is instance-specific. For Cloud Encryption, this instance-specific
key may be generated and managed by ServiceNow (ServiceNow Managed Key) or
by the customer (Customer Managed Key). For Database Encryption, the instance-
specific key is created and managed by ServiceNow.


Premium encryption at rest and in use solutions


ServiceNow offers three options for encrypting data at rest, covering the use case of ensuring that data in an instance database is unreadable if the disk is physically stolen from the ServiceNow data center: Cloud Encryption, Database Encryption, and Full Disk Encryption.
The most common use case for encrypting all data at rest is to provide a layer of security in cases where much of the data in the
customer environment is considered sensitive (or could potentially be considered sensitive in the future), due to regulations or
changes in the customer’s business environment. Data at rest encryption is useful in cases where it is critical that functionality is
not impacted, and application tier encryption is unnecessary.
Data at rest encryption can be coupled with application tier encryption for a layered security approach. Highly sensitive fields
that need to be encrypted at the application tier can be secured with CLEE or Edge Encryption. Layering encryption allows all
data to be protected when not in use. It also allows highly sensitive fields, such as personally identifiable information (PII) and
protected health information (PHI), to be protected from additional attack vectors.

Platform Encryption
Platform Encryption is a comprehensive encryption offering that provides a balance between advanced data protection and platform usability for data in use and at rest; it includes Column Level Encryption Enterprise (CLEE), Cloud Encryption, and Database Encryption.

Column Level Encryption Enterprise (CLEE)


Column Level Encryption Enterprise provides field-level and attachment-based data encryption within instances of the Now
Platform. With CLEE, users can configure which specific data to encrypt within a specific table. The data is then stored in
encrypted form.
Encryption keys are stored and maintained within the ServiceNow instance and managed through the key management
framework.
The main features of CLEE are:
• Encryption of supported field types of string, date/time, URLs, HTML, journal, and translated
• Employs AES-CBC with 256-bit keys
• Offers both deterministic and non-deterministic encryption options
• Allows user with access to perform limited searching and filtering operations on data that has been encrypted
• Can be used on file attachments
• Allows users to supply their own encryption keys (bring your own keys, BYOK) or have keys randomly generated on the Now Platform
• Offers several access controls based on role assignment and application scope


Common use case
• Mitigating the risk of exposing sensitive data as either the result of a direct attack or of compromised data stored in the cloud
• Enabling customers to comply with governmental and industry certification requirements and regulations
• Limiting access to sensitive data based on defined roles, defined script assignments, application scope, and domain membership

CLEE cryptographic module


CLEE encryption keys are managed via the key management framework (KMF), specifically through CLEE cryptographic modules, which are created by users assigned the KMF cryptographic manager role. Once a CLEE cryptographic module is created, it can be associated with a field within a given table, thus enabling CLEE for that field.
Whether generated by the ServiceNow instance or customer supplied (BYOK), the keys are stored in the same unique customer
instance database where the data encrypted by them is stored. As part of the KMF, the encryption keys themselves are stored in
encrypted form and are encrypted by the instance key-encryption key (IKEK), an instance-unique key generated by KeySecure.
This mitigates direct access to the encryption key, either by an instance administrator or ServiceNow.
Encryption keys provided by customers for use with Column Level Encryption Enterprise (CLEE) are backed up within the
database for the customer instance where they are used. Customers should also back up encryption keys prior to applying them
to their instances. For CLEE, customer keys are re-encrypted using a wrapper key, commonly referred to as a key-encryption-key
(KEK), which is stored and managed from a key management appliance.
CLEE does not enable customers to store encryption keys in their own hardware security modules (HSM), key storage appliances,
or services.

CLEE access control


Within the CLEE cryptographic module, KMF cryptographic managers can grant access to the module based on:
• Role: access is based on the role for the user session.
• Application Scope: access is based on being in the targeted application scope.
These access controls are not mutually exclusive; multiple access controls can be configured for a CLEE cryptographic module to
provide flexibility.
Access control example 1
The access control example below illustrates single access control implemented (role-based):
User 1 is a member of Role 1, which provides access to CLEE cryptographic module 1; this allows User 1 to see the contents of Field
A and Field B.
User 2 and User 3 are members of Group 1. Group 1 is a member of Role 1, which allows everyone in Group 1 access to
cryptographic module 1 and allows User 2 and User 3 to see the contents of Field A and Field B.
User 4 is not a member of any group or role and has no access to CLEE cryptographic module 1; User 4 does not have access to
Field A or Field B.


Access control example 2


User 1 is a member of Role 1 and is currently in Domain 1. Access to CLEE Cryptographic Module 1 is granted due to an access
control that allows access to Role 1. Thus, User 1 can see the contents of Field A and Field B. This demonstrates access based on
role (like the previous example).
User 2 is member of Role 2 (i.e., not a member of Role 1) and is currently in Domain 2. Access is allowed since an access control
for Domain 2 exists for CLEE cryptographic module 1. As a result, User 2 can see the contents of Field A and Field B. This
demonstrates access based on domain membership.
User 3 is neither a member of Role 1 nor in Domain 2. As a result, User 3 cannot see the contents of Field A and Field B.
Furthermore, User 3 will not see that these fields exist.

[Diagram for access control example 2: CLEE cryptographic module 1 protects Field A and Field B. User 1 is in Domain 1 with Role 1; User 2 is in Domain 2 with Role 2; User 3 is in Domain 1 with Role 2.]

Usage and restrictions

Column Level Encryption Enterprise (CLEE) can be used to process specific sensitive data sets in the ServiceNow environment. The data is only decrypted by a user/script with authorized access to the associated CLEE cryptographic module.


Controlling access to sensitive data often means limiting access in a controlled fashion or granting it on an as-needed basis.
ServiceNow accomplishes this through a just-in-time process where an ephemeral Java object displays a decrypted copy of the
encrypted value only for as long as the user or process with the correct access level acts on the data (e.g., viewing within the UI
or using the value in an automation step). Once the user or process finishes, the ephemeral copy is then flushed in accordance
with the platform’s normal garbage collection features.
CLEE-encrypted data is maintained throughout the backup process.
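As an added illustration that is not part of the white paper or of ServiceNow's implementation, the following Go program models the CLEE behaviour described above: a module whose field key is held only wrapped under an IKEK, a role-or-scope access check before any key is released, and the deterministic versus non-deterministic choice that decides whether equality filtering is possible. The Module and Session types, the hr_admin role, the x_hr_app scope and the AES-GCM/HMAC construction are assumptions of this example, not platform internals.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // fails only on a wrong key length
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal returns nonce||ciphertext||tag; open reverses it and fails on a wrong key or tampering.
func seal(key, nonce, pt []byte) []byte {
	return append(append([]byte{}, nonce...), gcm(key).Seal(nil, nonce, pt, nil)...)
}

func open(key, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, blob[:12], blob[12:], nil)
}

// Module stands in for a CLEE cryptographic module: the field key is held only wrapped under the IKEK.
type Module struct {
	WrappedKey    []byte
	Deterministic bool // equal plaintexts give equal ciphertexts
	Roles         map[string]bool
	Scope         string
}

type Session struct{ Roles map[string]bool; Scope string } // who is asking: roles and current app scope

func NewModule(ikek []byte, deterministic bool, roles map[string]bool, scope string) *Module {
	return &Module{WrappedKey: seal(ikek, randBytes(12), randBytes(32)),
		Deterministic: deterministic, Roles: roles, Scope: scope}
}

// unwrap checks role or scope (they are not mutually exclusive) before releasing the field key.
func (m *Module) unwrap(ikek []byte, s Session) ([]byte, error) {
	allowed := m.Scope != "" && s.Scope == m.Scope
	for r := range s.Roles {
		allowed = allowed || m.Roles[r]
	}
	if !allowed {
		return nil, errors.New("access denied: no granted role and not in the module's scope")
	}
	return open(ikek, m.WrappedKey)
}

// Encrypt protects one field value. In deterministic mode the nonce is a keyed hash of the plaintext
// (SIV-style): a repeated value repeats its ciphertext, which equality filtering relies on.
func (m *Module) Encrypt(ikek []byte, s Session, value string) ([]byte, error) {
	dek, err := m.unwrap(ikek, s)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(12)
	if m.Deterministic {
		mac := hmac.New(sha256.New, dek)
		mac.Write([]byte("clee-synthetic-nonce:" + value))
		copy(nonce, mac.Sum(nil)[:12])
	}
	return seal(dek, nonce, []byte(value)), nil
}

// Decrypt releases the plaintext only to an authorized session.
func (m *Module) Decrypt(ikek []byte, s Session, blob []byte) (string, error) {
	dek, err := m.unwrap(ikek, s)
	if err != nil {
		return "", err
	}
	pt, err := open(dek, blob)
	return string(pt), err
}

func main() {
	ikek := randBytes(32) // stand-in for the IKEK that the key appliance generates
	m := NewModule(ikek, true, map[string]bool{"hr_admin": true}, "x_hr_app")
	fmt.Println(m.Encrypt(ikek, Session{Roles: map[string]bool{"hr_admin": true}}, "000-00-0000"))
}
```

Note that the same nonce is only ever reused with the same plaintext, so deterministic mode stays within GCM's nonce rules, but it leaks which rows hold equal values, which is the trade-off behind CLEE's equality-only filtering.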

Edge Encryption
Edge Encryption gives customers the ability to control the end-to-end encryption of their data and key management. Edge
Encryption uses a proxy application provided by ServiceNow and installed by customers within their own network. This tokenizes
specified data patterns or encrypts string fields and attachment data before it is sent from a customers’ environment to their
ServiceNow instance. It also decrypts the same data again only within the customer’s own network, using keys stored only within
the customer’s own network.


The following diagram illustrates the Edge Encryption process – a field storing social security numbers (SSNs) being encrypted
within a customer’s network by an Edge Encryption proxy. As shown below, the data in the SSN field is converted from plaintext
to ciphertext.

[Diagram: Edge Encryption proxy on the customer premises. A record leaves the browser with the SSN field as plaintext ([...]000-00-0000[...]) and Field 2 in plain text; the proxy converts the SSN field to ciphertext ([...]QUVTXE2X2J[...]) before it leaves the customer network, and the target table on the instance stores SSN: [...]QUVTXE2X2J[...] while Field 2 remains plain text.]

In addition to the Edge Encryption proxy configuration and management of rules, customers are responsible for the usual
requirements of operating a server within their environment (including hosting, routing, backup, DNS configuration) to enable
and support their Edge proxies.
Edge Encryption is rule-based; specific fields are identified for encryption or tokenization based on a customer’s business
requirements. Data in fields encrypted by the Edge Encryption proxy will be accessible to any end user whose roles or other
access rights allow them to read or write to that field.
Access to Edge-encrypted data must be made through the proxy application, which functions as a web application with a
unique customer-defined URL. Attempting to access Edge-encrypted data directly from an Edge Encryption enabled instance
without first passing through the relevant proxy will result in only the encrypted version of the data being visible. Edge Encryption
proxies are hosted by customers at their own preferred URL, such as edgeproxy.customerdomain.com.
The following example shows an incident record which has Edge Encryption applied to the Short Description field. This illustrates
how it would appear to an appropriately credentialed user accessing that record via the customer’s Edge Encryption proxy (i.e.
in plaintext).

Below is the same record and field when it is accessed directly at the customer’s instance. Because this form of access bypasses
the customer’s Edge Encryption proxy, the data is inaccessible to any user, including administrators.


The relevant encryption keys and configuration exist only on the Edge Encryption
proxy within the customer’s network and are not visible to ServiceNow. The
data is encrypted from the moment it leaves the customer environment and is
only decrypted upon retrieval. At no point is the data accessible in plaintext by
ServiceNow systems or personnel.
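The following Go program is an added example, not ServiceNow's proxy code, that models the Edge Encryption tokenization rule path described above: a pattern rule replaces SSN matches with tokens kept in a vault on the customer premises, and only a read that passes back through the proxy restores the original, while a direct read of the instance shows tokens only. The Rule and Proxy types, the SSN pattern, the hex token format and the sample record are all constructed for this example; the separate field-encryption rule type is not modelled here.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Rule is one Edge Encryption tokenization rule: every match of Pattern in Field
// is replaced by a token before the record leaves the customer network.
type Rule struct {
	Field   string
	Pattern *regexp.Regexp
}

// Proxy stands in for the customer-hosted Edge Encryption proxy. The vault (token ->
// value) never leaves the premises; reverse makes tokenization equality-preserving.
type Proxy struct {
	Rules   []Rule
	vault   map[string]string
	reverse map[string]string
}

// tokenRe finds candidate tokens on the way back; only those in the vault are
// replaced, so an ordinary ten-character word passes through untouched.
var tokenRe = regexp.MustCompile(`\b[0-9A-F]{10}\b`)

func NewProxy(rules []Rule) *Proxy {
	return &Proxy{Rules: rules, vault: map[string]string{}, reverse: map[string]string{}}
}

// newToken draws an unused 40-bit token from the CSPRNG (constructed token format).
func (p *Proxy) newToken() string {
	for {
		b := make([]byte, 5)
		if _, err := rand.Read(b); err != nil {
			panic(err)
		}
		t := strings.ToUpper(hex.EncodeToString(b))
		if _, used := p.vault[t]; !used {
			return t
		}
	}
}

func (p *Proxy) tokenize(value string) string {
	if t, ok := p.reverse[value]; ok {
		return t
	}
	t := p.newToken()
	p.vault[t] = value
	p.reverse[value] = t
	return t
}

func clone(r map[string]string) map[string]string {
	c := make(map[string]string, len(r))
	for k, v := range r {
		c[k] = v
	}
	return c
}

// Outbound applies the rules to a record on its way to the instance; the
// returned record is all the instance ever stores.
func (p *Proxy) Outbound(record map[string]string) map[string]string {
	out := clone(record)
	for _, r := range p.Rules {
		if v, ok := out[r.Field]; ok {
			out[r.Field] = r.Pattern.ReplaceAllStringFunc(v, p.tokenize)
		}
	}
	return out
}

// Inbound restores the originals for a user reading through the proxy; reading
// the instance directly skips this step and shows only the tokens.
func (p *Proxy) Inbound(record map[string]string) map[string]string {
	in := clone(record)
	for _, r := range p.Rules {
		if v, ok := in[r.Field]; ok {
			in[r.Field] = tokenRe.ReplaceAllStringFunc(v, func(t string) string {
				if orig, ok := p.vault[t]; ok {
					return orig
				}
				return t
			})
		}
	}
	return in
}

func main() {
	ssn := regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`) // constructed sample rule
	p := NewProxy([]Rule{{Field: "description", Pattern: ssn}})
	stored := p.Outbound(map[string]string{"description": "Caller SSN 123-45-6789 needs a W-2"})
	fmt.Println("on the instance:", stored["description"])
	fmt.Println("through the proxy:", p.Inbound(stored)["description"])
}
```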

Types of edge encryption


Edge Encryption provides three options that support the advanced encryption standard (AES), for key lengths of 128 and 256 bits, that you can apply to data fields within an instance: standard, equality-preserving, and order-preserving encryption. For a side-by-side comparison of these encryption options, see Appendix B.

Edge Encryption vs Column Level Encryption Enterprise


This section serves as a guide to help determine when to opt for Edge Encryption or
Column Level Encryption Enterprise (CLEE).
At a high level, if an enterprise wants maximum control over the encryption of its
data, Edge Encryption is the choice over CLEE. With Edge Encryption the customer
owns and controls the encryption key outside of their ServiceNow instance. However,
depending on your requirements, using Edge Encryption could result in impacted
functionality.
CLEE can decrypt an encrypted column used in a server-side business rule when
that rule is executed by a logged-in end-user assigned the appropriate encryption
context. However, Edge Encryption would not have this capability since the data
needs to be decrypted on the instance to run the business rule.
The table below shows a side-by-side comparison of the differences between Edge
Encryption and CLEE functionality.


Functionality | Edge Encryption | Column Level Encryption Enterprise
Encryption key hosted by customer | YES | NO (1)
Multiple levels of functional encryption for equality, filtering, grouping, and sorting operations | YES | NO (2)
Data tokenization based on defined encryption pattern | YES | NO
Built-in encryption key rotation | YES | YES
Encryption of standard out-of-the-box fields | YES | YES
REST/SOAP API encryption support | YES | YES
Built-in mass encryption/decryption support | YES | YES (3)
Automatic attachment encryption | YES | YES
Customer maintains additional infrastructure in their network to control encryption keys and encryption processing | YES | NO
Decryption by server-side business rules | NO | YES (4)
Encryption/decryption based on user roles | NO | YES (5)

(1) CLEE supports BYOK.
(2) CLEE supports only equality filtering.
(3) CLEE supports mass encryption with a single CLEE cryptographic module, and mass decryption with a single CLEE cryptographic module or multiple CLEE cryptographic modules.
(4) Supported only when business rules are executed by an entity assigned the appropriate access to the CLEE cryptographic module context.
(5) CLEE supports access controls based on role, script, system, and application scope.

Full Disk Encryption


Full Disk Encryption (FDE) mitigates the same risk as Cloud Encryption and Database Encryption: sensitive data being exposed through the physical theft of a disk drive used in a cloud instance. FDE is a hardware-based approach that covers the entire disk, which can be decrypted only by the operating system. This encryption does not impact the performance or functionality of the application.
Provided via self-encrypting hard drives with AES-256-bit encryption, FDE delivers at-rest protection only and is focused on preventing data exposure through the loss or theft of hard disks holding customer data. It does not provide application-tier protection for data in transit or against unauthorized access while the drive is operational.
The measures ServiceNow has in place to mitigate the risk of loss or theft of storage devices may also be a factor when considering FDE.

FDE usage and restrictions


FDE is a high-speed encryption method integrated into ServiceNow's Advanced High Availability (AHA) architecture that provides encryption of customer data at rest. FDE decrypts the data only when it is actively being used or accessed by the server's operating system. The hard drive models used by ServiceNow comply with the Trusted Computing Group (TCG) enterprise specifications and are secured using a passphrase generated from a key stored in our SafeNet key management appliance.

Managing encryption keys


Backed by FIPS 140-2 Level 3 validated hardware security modules, the ServiceNow Key Management Framework (KMF) provides
customers with the essential cryptographic tools to enable data security through confidentiality, integrity, and authentication.
At its core, KMF provides an interface for the following:
• Lifecycle management of cryptographic keys
• Configuration of the managed cryptographic keys to a specific cryptographic usage and algorithm (e.g. AES-GCM with
256-bit key for data encryption purposes)
• Access controls for the managed cryptographic keys (i.e., Module Access Policy)

[Figure: KMF cryptographic module, comprising keys, algorithms and usage, and an access policy]

KMF supports encryption on the Now Platform in the creation and management of cryptographic modules specific to each
type of encryption. Encryption keys within the cryptographic modules can be created, rotated, revoked, and configured for
automated lifecycle settings (e.g. automated deactivation or automated rotation).
Starting in the Quebec release, KMF is available out of the box on the Now Platform. In addition to the core functionality
described above, KMF also supports other functionalities and features within the Now Platform.

Encryption keys in the ServiceNow cloud infrastructure


Encryption keys used within ServiceNow’s cloud infrastructure are managed by ServiceNow. Keys are stored in redundant secure
key storage appliances. Dual controls are required for essential functions such as generating, deleting, or exporting keys. Key
custodian forms are required as part of the generation of new keys. Cryptographic management is undertaken by a specific
team within the security group, including appliances used to store the per customer instance wrapper key.


Standard operating procedures are used for the procurement, generation, and configuration of key appliances. Work instructions are used for configuration and backup, with logs from these activities forwarded to the ServiceNow internal SIEM infrastructure.
As illustrated below, the External Key (Level 3) is the key managed by the operations provided in Cloud Encryption. The External Key is stored in a ServiceNow HSM, while the Service and Master keys are persisted deeper in the infrastructure.

Tokenization
Another layer of data protection that Edge Encryption provides is tokenization. During this process, Edge Encryption uses a
randomly generated token to mask a predefined pattern of characters within a data field when the pattern is matched.
While encrypting specific fields or tokenizing embedded strings of data is beneficial from a data security perspective, having
ciphertext in place of actual data can lead to functionality impact or operational challenges within an instance of the Now
Platform. To avoid these challenges, follow the implementation considerations and suggested capability and configuration
approaches provided in detail in Appendix C.

Tokenization examples
The examples below illustrate tokenization from the user experience perspective.
In the first example, the patterns for a credit card and Social Security number were configured for tokenization. When the
user connects through the Edge Encryption proxy, the content for those two values is displayed in plaintext but the data is
tokenized in the instance.


However, if the user were to bypass the Edge Encryption proxy and access the same incidents directly, the corresponding
values within the short description field would be represented as a token as shown below.

Three-level key hierarchy: Cloud and database encryption


Both Cloud Encryption and Database Encryption use a three-level key hierarchy. The first two keys are Customer-specific,
and the third key is instance-specific. For Cloud Encryption, this instance-specific key may be generated and managed by
ServiceNow (ServiceNow Managed Key) or by the Customer (Customer Managed Key). For Database Encryption, the instance-
specific key is created and managed by ServiceNow.
Cloud Encryption
The keys are stored and managed by ServiceNow as follows:
• 1st level: An AES-512 key is used to encrypt the data.
• 2nd level: Another AES-512 key is used to protect the 1st level key.
• 3rd level: An additional AES-256 key, used to protect the 2nd level key, is created by, and stored within, our FIPS 140-2 compliant key management appliances in the ServiceNow data centers.
Database Encryption
The keys are stored and managed by ServiceNow as follows:
• 1st level: An AES-256 key is used to encrypt the data.
• 2nd level: Another AES-256 key is used to protect the 1st level key.
• 3rd level: An additional AES-256 key, used to protect the 2nd level key, is created by, and stored within, our FIPS 140-2 compliant key management appliances in the ServiceNow data centers.
The first two keys are customer-specific and are created by the database engine. The third key is unique per customer instance.

Resources
Encryption-specific resources:
• Product Documentation
• Platform encryption technical implementation and configuration
• Edge Encryption technical implementation and configuration
Further reading resources:
• Trust and Compliance Center
• CORE (Compliance Operations Readiness Evidence) platform


Appendices
Appendix A – Summary of encryption in transit features
Default encryption in transit features

Element | Encryption Method | Summary
Interactive end-user sessions | TLS 1.2* | Highest publicly available ratified encryption
Email | TLS 1.2* opportunistic TLS | Highest publicly available ratified encryption where mutually supported, with fallback to cleartext
File transfers | Inbound to instance via HTTPS only. Retrieved by instance from external location: TLS 1.2* over FTPS (implicit or explicit), SFTP, SCP | Highest publicly available ratified encryption where mutually supported, with cleartext FTP option for legacy integration
Web services integration | TLS 1.2* supporting outbound certificate-based mutual authentication | Highest publicly available ratified encryption when initiated from the ServiceNow instance, but does not currently support inbound mutual authentication

Configurable encryption in transit features

Element | Encryption Method | Summary
Single sign-on (SSO) | TLS 1.2* | Highest publicly available ratified encryption
MID Server | TLS 1.2* plus additional application-level public key pair encryption between MID Server and instance | Highest publicly available ratified encryption, with double encryption of credentials used for discovery and orchestration


Appendix B - Edge Encryption options

Operation | Standard | Equality-preserving | Order-preserving*
Algorithm | AES-128 or AES-256 | AES-128 or AES-256 | AES-128 or AES-256
Group by | - | X | X
Is empty | - | X | X
Is not empty | - | X | X
Equal | - | X | X
Not equal (excludes empty fields) | - | X | X
Is not | - | X | X
Sort by | - | - | X
Is greater than | - | - | X
Is greater than or equal | - | - | X
Is less than | - | - | X
Is less than or equal | - | - | X
Contains | - | - | -
Starts with | - | - | -
Ends with | - | - | -
Operators that imply the right side of the clause is a field | - | - | -
Text search | - | - | -

*MySQL is required for order-preserving encryption.


Appendix C - Functionality and encryption implications for Edge Encryption

Functionality: Reporting
Implication: Reporting operates on column data values. Because the ServiceNow application must use the column's values to generate reports, there is the potential that a report will not generate correctly because it does not have access to the plaintext. This is only an issue if the report being generated uses columns that have been encrypted using Edge Encryption.
Mitigation: Review the columns you need to include in the report that may benefit from equality-preserving or order-preserving encryption, and use those supported functions where necessary. Do not export reports that contain encrypted columns, since the report is generated on your instance without access to the encryption key.

Functionality: Business rules and logic
Implication: ServiceNow runs all business logic on the back end, so any business rule that needs to read from or write to an encrypted column may have trouble executing the rule.
Mitigation: Review the columns included in business rules that may benefit from equality-preserving or order-preserving encryption, and use those supported functions where necessary. If this is not possible, do not use the encrypted columns.

Functionality: Encrypted text exceeding table column widths
Implication: Encryption algorithms often create ciphertext that is longer than the plaintext. For example, the name "King George III," which is 15 bytes long, might be encrypted to "#j&_ xz|[~`K@6_69FExñ$$4n\{2*)c," which is 30 bytes long. If the column in the ServiceNow instance is limited to 20 characters, the full length of encrypted text will not be stored, causing it to become invalid and incapable of decryption.
Mitigation: Examine each column you plan to encrypt (either programmatically or by hand) and widen them to ensure each can store the longest possible encrypted value for that column.

Functionality: Workflows
Implication: Similar to business rules, workflows often operate from a column's value. A workflow that depends on the ability to examine plaintext in a table column will fail to function because it only has access to encrypted versions of the text.
Mitigation: Review the columns from your workflows that may benefit from equality-preserving or order-preserving encryption, and use those supported functions where necessary. If this is not possible, do not use the encrypted columns.


Functionality: Searching
Implication: ServiceNow executes all searches on the back-end database, which means all searches use the data within the columns. If the search is being executed against columns with ciphertext values rather than plaintext values, a user may not receive the desired results. However, searches for exact matches will still work because the search term will be converted into ciphertext by Edge Encryption; this only applies to equality-preserving and order-preserving encryption. This enables the back-end search function within ServiceNow to effectively search for the desired term. "Contains" searches on free-form text fields are the most difficult to implement because the search text cannot be found in the body of the encrypted text.
Mitigation: Tokenization can make "contains" searches possible. For example, a word or character string can be tokenized individually, so the encrypted search text finds a matching tokenized word in the body of the field. Equality-preserving and order-preserving encryption provide a technique that partially addresses the "contains" search with strong encryption.

Functionality: Sorting
Implication: ServiceNow does all sorting on the back-end server. As an application, ServiceNow deals with large data sets and generally returns the Top N to the user based on some form of sorting. Because the application always sorts on the back end, and the application always sorts on the ciphertext values, when a user initiates the sorting of encrypted data, the results may appear incorrectly.
Mitigation: Apply order-preserving encryption to implement a technique that addresses this issue (while maintaining strong encryption) using a stored subset of plaintext table data as a token to prepend to the ciphertext for sorting purposes before it is sent to the instance.

Functionality: Bulk import/export
Implication: ServiceNow does all export and import activities on the back-end servers. As such, any exported data (Excel, XML, CSV, PDF, or other) exports the ciphertext values of any encrypted columns. Likewise, because these data formats are not supported, any attempt to import data into an encrypted column will result in unencrypted values being written into the column, unless the process that is sending data to the instance is configured to proxy communications through the Edge Encryption proxy.
Mitigation: Some vendor solutions are capable of intercepting exported data files, such as XML or CSV, and decrypting them prior to being delivered to the user. Check with your vendors to ensure they can encrypt and decrypt the file types you need. If they can, a web service integration is necessary.

Functionality: Mobile access
Implication: To see any data that has been encrypted using Edge Encryption, a mobile browser must access the ServiceNow instance through the Edge Encryption proxy. Actions allowed via mobile devices need the ability to see the plaintext data for the ServiceNow application to function correctly. This includes workflow approvals via mobile devices and other actions available to the user through the mobile interface.
Mitigation: Ensure that mobile access to the ServiceNow instance goes through the company's network so all access is granted via the Edge Encryption proxy. Be selective about which columns you encrypt.


Functionality: Inbound/outbound email and SMS notifications
Implication: When ServiceNow triggers a notification, it could send an email or SMS that contains a mixture of hard-coded plaintext and encrypted field text. For example, an email template that looks like this: "Dear ${name}, we have changed your shirt size from ${old_size} to ${new_size}." will be rendered with field substitutions, so it looks like this if the corresponding columns are encrypted: "Dear Bob Baker, we have changed your shirt size from 6^SD[&%T to H7asdh78."
Mitigation: Edge Encryption does not support inbound or outbound email. Taking this into account, be selective about which columns you encrypt. Modify any SMS text message that uses encrypted columns and remove them from the message. Provide a URL in the message that leads to a ServiceNow page that shows the contents of the message; this way, the Edge Encryption proxy can decrypt the text.

Functionality: Reference fields
Implication: Reference fields are not supported by Edge Encryption because the sys_id that is being used to make the link between your form and the actual field needs to be in the clear.
Mitigation: Use a secondary field, encrypt it, and hide the reference from the form. The actual source field must be a string type and will need to be

Functionality: Web services integrations
Implication: ServiceNow can integrate with outside data sources using industry-standard web service protocols like REST and SOAP. A third-party integration, which is usually software running on a computer inside your network, can retrieve and insert data into ServiceNow automatically, but if that data is not properly encrypted, plaintext can be inserted into columns that are expected to be encrypted. As a result, the Edge Encryption proxy attempts to decrypt text that was not encrypted in the first place. This leads to data inconsistencies within the ServiceNow instance and could impact what the user sees.
Mitigation: Configure all automated processes to send or receive data from the ServiceNow instance using encryption rules so the Edge Encryption proxy can identify the columns in the payload with the encrypted instances.

Functionality: Legacy data
Implication: ServiceNow customers may have amassed large amounts of data within their ServiceNow instances within various columns. The amount of data these customers need to encrypt could contain millions of records. Because encryption keys and algorithms cannot be held within ServiceNow, encrypting large amounts of data using Edge Encryption can take a long time.
Mitigation: You can run a mass encryption job on a per-column and attachment basis. Plan carefully when you want to run this type of operation so you can accommodate the volume of columns and attachments you plan to encrypt.
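A programmatic version of the column check recommended in the "Encrypted text exceeding table column widths" row above, as an added example that is not ServiceNow's code. The ciphertext storage format (16-byte IV, AES-CBC with PKCS#7 padding, base64 text) is an assumption of this example, since Edge Encryption's own format is not described here, and the sample columns are constructed.

```javascript
// Worst-case stored length for a plaintext of the given byte length under the
// assumed format. Any IV + block padding + text encoding scheme expands the
// value in the same way; only the constants differ.
function storedLength(plaintextBytes) {
  const padded = (Math.floor(plaintextBytes / 16) + 1) * 16; // PKCS#7 always pads
  const raw = 16 + padded;                                   // IV || ciphertext
  return Math.ceil(raw / 3) * 4;                             // base64 text length
}

// Constructed sample of columns slated for encryption: the current max_length
// and the longest plaintext value (in bytes) the column is expected to hold.
const COLUMNS = [
  { name: 'incident.short_description', maxLength: 160, longestValue: 160 },
  { name: 'sys_user.employee_number',   maxLength: 100, longestValue: 15 },
  { name: 'incident.u_card_last4',      maxLength: 20,  longestValue: 4 },
];

// Columns whose width cannot hold the worst-case ciphertext, with the width to
// set. A truncated ciphertext is unrecoverable, so this check runs before the
// mass encryption job, not after.
function columnsToWiden(columns) {
  return columns
    .map((c) => ({ ...c, requiredLength: storedLength(c.longestValue) }))
    .filter((c) => c.requiredLength > c.maxLength);
}
```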


Appendix D - Comparison of encryption at rest and in use solutions

Attribute | Column-level Encryption Enterprise | Edge Encryption
Description | Equality-preserving encryption of data at rest within the database, based on user role in the instance | Standard, equality-preserving, and order-preserving encryption of data at rest within the database and instance; data is sent to ServiceNow already encrypted by the customer
Field types supported for encryption | String Text, Attachment, URL, Date, Date/Time | String Text, Attachments, URL, Journal, Date, Date/Time
Encryption types | AES-128 and AES-256 | AES-128 and AES-256
Tokenization | No | Yes, for pattern-matched data
Encryption key creation | Managed by ServiceNow and the customer | Customer
Additional requirements | None | On-premises encryption proxy; encryption key store; optional on-premises MySQL database for tokenization and order-preserving encryption


Appendix E - Comparison of encryption at rest solutions

Question | Cloud Encryption (CE) | Database Encryption (DBE) with Customer Controlled Switch (CCS)
Cipher strength? | AES 256-bit key | AES 256-bit key
Any effect on upgrades? | No | No
Any effect on ServiceNow workflow products? | No | No
Any effect on in-transit activities? | No | No
How do you activate encryption? | License Cloud Encryption | No
How long does it take to activate the product? | Cloud Encryption will be provisioned within 60 days of an accepted order (maximum infrastructure provisioning time) | Need two maintenance windows, each with 14-day advance notice (for a total of 28 days), plus time to implement the CCS endpoint
How can you tell when encryption is in use? | Cloud Encryption navigation for Key Management Operations and Key Management Transactions to see information about keys | ServiceNow Support will have access to check if an instance is encrypted, but customers do not

Customer Managed Key (CMK)
How does key rotation work? | Use the Key Management Operations sub-module to initiate a key rotation | Key rotation available for DBE by contacting support; no support for key rotation with CCS
Can the key be stored separate from the DB instance? | Yes, CMK stored in ServiceNow HSM | Yes for CCS
Is there a custom endpoint? | No | No
HSM integrations for key management? | Customer choice; need to provide wrapped key to ServiceNow | Yes; partners Fortanix and Llave.io
Any downtime risk compared with ServiceNow managed key? | If the key is withdrawn and cannot be resupplied, the instance will be inaccessible. | If the key is withdrawn and cannot be resupplied, the instance will be inaccessible.
