Encryption configurations and patterns
Summary of Encryption configurations and patterns
Edge Encryption enables you to secure sensitive data within ServiceNow by encrypting individual fields and tokenizing strings. It supports robust encryption standards, including AES 128-bit and, if JCE Unlimited Strength Jurisdiction Policy files are installed, AES 256-bit encryption keys. This functionality helps protect data both at rest and in transit, ensuring compliance and data privacy.
Encryption Configurations
You can apply encryption to individual fields using different encryption types, each balancing security and functionality:
- Standard Encryption: Produces different encrypted values each time, even for identical data. It is the most secure but does not support sorting, grouping, or filtering on encrypted fields.
- Equality-Preserving Encryption: Generates consistent encrypted values for the same input, allowing equality comparisons and grouping. However, mixing encrypted and unencrypted data in the same field may impact group-by operations.
- Order-Preserving Encryption: Supports sorting, grouping, and equality filtering by using tokens and encryption. This type requires a MySQL database configured for the Edge Encryption proxy server. Note that if the proxy database is down, sorting and grouping will be inaccurate until an order token repair job is run after the database is restored.
The encryption types are available in AES 128-bit and AES 256-bit variants, with AES 256 offering stronger security. The choice of encryption type affects what operations (filtering, sorting, grouping) can be performed on encrypted fields.
Encryption Patterns
Encryption patterns allow you to tokenize sensitive string data found outside of encrypted fields by identifying data matching regular expressions, such as social security numbers or credit card numbers. When an encryption pattern matches a string in a request, the clear text is stored securely in the proxy database and replaced with a token in the instance. Encryption patterns serve as a supplemental method alongside encryption configurations.
Important Considerations
- Use encryption configurations as the primary encryption method and encryption patterns as a supplement.
- The Edge Encryption proxy server requires a MySQL database only when using order-preserving encryption or encryption patterns.
- Clear text values are stored in the proxy database; therefore, securing and regularly backing up this database is critical to maintain data security and integrity.
With Edge Encryption, you can encrypt fields and tokenize strings.
Encryption configurations
You can encrypt individual fields using encryption configurations. Edge Encryption supports AES 128-bit encryption keys. If the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files are installed, Edge Encryption supports AES 256-bit encryption keys for each encryption type. Edge Encryption supports the following types of encryption configurations.
- Standard encryption
- The encrypted value of a field is different each time the field is encrypted, even when the field value remains the same. Standard encryption is the most robust form of encryption. Fields using standard encryption cannot be sorted, grouped by, or filtered on.
- Equality-preserving encryption
- The encrypted value of a field is the same when the field value remains the same. Supports equality comparisons and group by operations on a field. Note: When equality-preserving encryption is selected for a field that already contains data, performing a group by action on the field may not group fields with the same value if one is encrypted and the other is not.
- Order-preserving encryption
- Uses tokens and encryption to secure data in your proxy database. Supports equality comparisons, group by operations, and the ability to sort data. The order-preserving encryption type is only supported if there is a MySQL database configured for the Edge Encryption proxy server. Note: When using order-preserving encryption and the proxy database is down, updates can be made to fields using order-preserving encryption. However, the sort order will not be correct when trying to sort data based on those fields. Groups also will not work as expected. When the proxy database is again operational, schedule an order token repair job to repair missing tokens.
| Encryption type | Description |
|---|---|
| Standard AES 256 | Fields cannot be filtered, sorted, or compared. |
| Standard AES 128 | Fields cannot be filtered, sorted, or compared. |
| Equality preserving AES 256 | Fields can be filtered using equality comparisons. |
| Equality preserving AES 128 | Fields can be filtered using equality comparisons. |
| Order preserving AES 256 | Fields can be sorted and equality comparison filtering can be used. Requires the use of a MySQL database in your network. |
| Order preserving AES 128 | Fields can be sorted and equality comparison filtering can be used. Requires the use of a MySQL database in your network. |
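The difference between standard and equality-preserving encryption in the table above comes down to whether the ciphertext is randomized or deterministic. The following Go program is an added illustration of that trade-off and is not ServiceNow's or the Edge Encryption proxy's code: it uses AES-256-GCM with a fresh random nonce for the "standard" case and a nonce derived from the plaintext with HMAC for the "equality-preserving" case, then runs an equality filter over the stored ciphertexts without decrypting them. The keys, the sample field values and the function names are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Demo-only keys (constructed here, not real key material). A 32-byte key
// selects AES-256; a 16-byte key would select AES-128.
var fieldKey = sha256.Sum256([]byte("demo-only-field-key"))
var nonceKey = sha256.Sum256([]byte("demo-only-nonce-key"))

func newGCM() cipher.AEAD {
	block, err := aes.NewCipher(fieldKey[:])
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// EncryptStandard models "standard" encryption: a random nonce per call, so
// encrypting the same value twice gives two different ciphertexts. The nonce
// is prepended to the ciphertext so it can be decrypted later.
func EncryptStandard(plaintext string) string {
	gcm := newGCM()
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return hex.EncodeToString(gcm.Seal(nonce, nonce, []byte(plaintext), nil))
}

// EncryptEqualityPreserving models "equality-preserving" encryption: the
// nonce is HMAC(nonceKey, plaintext), so equal inputs give equal ciphertexts.
// That is exactly what makes equality filters and group-by work, and also
// what reveals to anyone holding the ciphertexts which rows share a value.
func EncryptEqualityPreserving(plaintext string) string {
	gcm := newGCM()
	mac := hmac.New(sha256.New, nonceKey[:])
	mac.Write([]byte(plaintext))
	nonce := mac.Sum(nil)[:gcm.NonceSize()]
	return hex.EncodeToString(gcm.Seal(nonce, nonce, []byte(plaintext), nil))
}

// Decrypt handles both variants, since the nonce is always the prefix.
func Decrypt(encoded string) (string, error) {
	gcm := newGCM()
	ct, err := hex.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(ct) < ns {
		return "", fmt.Errorf("ciphertext too short")
	}
	pt, err := gcm.Open(nil, ct[:ns], ct[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// CountEqual models an equality filter evaluated on stored ciphertexts
// without decryption: the probe is encrypted and compared byte-for-byte.
func CountEqual(stored []string, probe string) int {
	n := 0
	for _, s := range stored {
		if s == probe {
			n++
		}
	}
	return n
}

func main() {
	values := []string{"123-45-6789", "123-45-6789", "987-65-4321"} // constructed sample rows
	var std, eq []string
	for _, v := range values {
		std = append(std, EncryptStandard(v))
		eq = append(eq, EncryptEqualityPreserving(v))
	}
	fmt.Println("standard, rows matched:", CountEqual(std, EncryptStandard("123-45-6789")))
	fmt.Println("equality-preserving, rows matched:", CountEqual(eq, EncryptEqualityPreserving("123-45-6789")))
}
```

Running it shows the standard variant matching zero rows (every ciphertext differs, so filtering must decrypt everything, which is why such fields cannot be filtered or sorted) while the equality-preserving variant matches the two identical rows. Order-preserving encryption is not modelled here because, as the page states, it relies on tokens kept in the proxy's MySQL database rather than on the ciphertext alone.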
Encryption Patterns
You can secure sensitive data found in strings using encryption patterns. Once an encryption pattern is stored and activated, the Edge Encryption proxy server identifies strings that match the pattern in requests. Once located, the clear text string is stored in the proxy database and replaced on the instance with a token. Use encryption patterns to tokenize strings that match regular patterns such as social security and credit card numbers. While we recommend that encryption configurations be the primary method of encryption, use encryption patterns as a supplement to locate and secure sensitive information found outside of encrypted fields.
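To make the request/response flow of an encryption pattern concrete, here is an added Go model of a tokenizing proxy; it is not ServiceNow's code and the `PatternProxy` type, the in-memory map standing in for the proxy database, the `tok_` token format and the sample request text are all constructed for the illustration. A regular expression for SSN-shaped strings locates matches in an outbound request, each match is replaced with an opaque token and the clear text is kept only on the proxy side; on the way back, tokens in the response are swapped for the stored clear text. The last step of `main` also shows what happens when the proxy-side store is lost: the tokens stay as tokens, which is why the page stresses protecting that database.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"regexp"
)

// Constructed SSN-like pattern: three digits, two digits, four digits with
// word boundaries so that e.g. a ticket number "123-4567" is left alone.
var ssnPattern = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)

// Tokens emitted by this demo are "tok_" followed by 16 hex characters.
var tokenPattern = regexp.MustCompile(`tok_[0-9a-f]{16}`)

// PatternProxy is a toy stand-in for the proxy: it holds the pattern and a
// token -> clear text map that plays the role of the proxy database.
type PatternProxy struct {
	pattern *regexp.Regexp
	store   map[string]string
}

func NewPatternProxy(p *regexp.Regexp) *PatternProxy {
	return &PatternProxy{pattern: p, store: map[string]string{}}
}

// newToken returns an unpredictable token that carries no information
// about the value it replaces.
func (p *PatternProxy) newToken() string {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return "tok_" + hex.EncodeToString(b)
}

// Tokenize replaces every pattern match in an outbound request with a fresh
// token and records the clear text in the proxy-side store.
func (p *PatternProxy) Tokenize(request string) string {
	return p.pattern.ReplaceAllStringFunc(request, func(match string) string {
		tok := p.newToken()
		p.store[tok] = match
		return tok
	})
}

// Detokenize restores clear text for tokens found in a response. Tokens
// with no entry in the store are left in place: that is the visible effect
// of losing the proxy database.
func (p *PatternProxy) Detokenize(response string) string {
	return tokenPattern.ReplaceAllStringFunc(response, func(tok string) string {
		if clear, ok := p.store[tok]; ok {
			return clear
		}
		return tok
	})
}

// ContainsClearText reports whether any pattern match survives in text,
// i.e. whether sensitive data would reach the instance unprotected.
func (p *PatternProxy) ContainsClearText(text string) bool {
	return p.pattern.MatchString(text)
}

func main() {
	proxy := NewPatternProxy(ssnPattern)
	// Constructed request body containing two SSN-shaped values and one
	// ticket number that must not match.
	req := "Caller SSN 123-45-6789 reported; spouse 987-65-4321. Ticket 123-4567."
	stored := proxy.Tokenize(req)
	fmt.Println("sent to instance:", stored)
	fmt.Println("returned to user:", proxy.Detokenize(stored))
	proxy.store = map[string]string{} // simulate loss of the proxy database
	fmt.Println("after store loss:", proxy.Detokenize(stored))
}
```

Because each occurrence gets its own random token, the instance cannot tell whether two tokens hide the same value; the clear text exists only in the proxy store, so that store and its backups are the part that needs the same protection as the data itself.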