Improve the security of your ServiceNow instance to expand to all business lines

Vincent Guiheneuc - 3rd September 2019

ServiceNow is a cloud provider with security at its heart. Its architecture is at the highest level of security by design, and it has been so since ServiceNow's launch in 2004. ServiceNow's emphasis on security meant that they could appeal to key decision makers such as CIOs and CSOs, something not found in other cloud-based solutions on the market today.

Even as a market leader, ServiceNow have created best practice guidelines to tighten security levels and provide solutions, helping to expand the platform for even the most sensitive and ever-changing organizations.

I will be highlighting some of the key principles that will be important across various enterprises. 

Complying with ServiceNow best practice in order to customize each instance 

ServiceNow gives detailed guidelines on all possibilities; it is for the administrator to find the relevant guideline and check whether the instance complies with it. To check for compliance, the ServiceNow Product Owner should focus on the security compliance score, which is displayed on the Security Dashboard and easily accessible within the instance itself. One does not necessarily have to achieve 100% compliance (justified exceptions can exist), and the dashboard is a very efficient way of checking the instance security level and monitoring all the various elements in one click.

Implement ITOM-specific security measures

To implement ServiceNow's ITOM suite, notably the Discovery and Orchestration modules (through IntegrationHub), ServiceNow requires server local admin credentials. Logically, Security Managers forbid sharing of credentials with third parties. How do we overcome this? With a Privileged Access Management system. If this is not already in place, it must be installed and integrated with ServiceNow. The two world leaders, compatible of course with ServiceNow (distributed by Engage ESM), are CyberArk and BeyondTrust. Their respective integrations are available from the ServiceNow Store.

98% of sensitive data is stored in attached files 

Sensitive and confidential data is stored in the attached files found inside ServiceNow. Is it really 98%? The estimation is thought-provoking, and my guess is that the other two percent (some fields in the forms, like IP addresses for instance) can be encrypted using the Edge Encryption solution of ServiceNow. For example, incident descriptions or even requestor details are generally not confidential. However, a screenshot from an employee's mailbox can be confidential. Many organizations do not transfer such data through the internet (even over HTTPS), and even fewer choose to host their datacenter in a public cloud (regardless of its level of security). Therefore, in order to expand the platform into banking or the health industry, we deployed an OnSiteFile solution (developed by Atlantic Puffin) to avoid any files being sent outside the customer network, whilst retaining the advantages of ServiceNow's SaaS architecture. The files are simply hosted on a document management system such as SharePoint or Alfresco, for instance. No file is transmitted through the Internet, and so we reduce the risk of data leak by 98%.

As mentioned above, these are only some of the points to be considered. In addition, ServiceNow will build upon and improve platform security in the New York release, expected by the end of 2019.