Cloud Encryption logging
Summary of Cloud Encryption logging
Cloud Encryption logging in ServiceNow provides detailed tracking and auditing of encryption key lifecycle management and key operations. This logging enables administrators to monitor key states, transactions, and changes to encryption-related records to ensure transparency and control over key management processes.
Key Features
- Cloud Encryption Metadata [dare_key_metadata]: Captures key lifecycle metadata including state, version, origin, and activation dates. This table is updated after every key operation and is essential for understanding the current and historical status of encryption keys.
- Key Management Transactions [dare_key_request]: Logs detailed transaction steps for key operations, including errors and statuses. It records each request's progress and completion status, which helps in tracking operations such as key rotations.
- Sys Audits [sys_audit]: Tracks all inserts and updates to audited records, including changes to Cloud Encryption Metadata. It records who made the change, when, and details of the updated fields, providing an audit trail for compliance and troubleshooting.
Practical Use for ServiceNow Customers
- Monitoring Key Rotation: Use the dare_key_metadata table to track key lifecycle states during rotations, such as changes from active to rotated or retired. The dare_key_request table shows transaction details for each rotation step, and sys_audit logs reveal precise record updates and user actions.
- Tracking Key Withdrawal: Key withdrawal operations update lifecycle states from generated or active to destroyed and retired. These changes are logged in sys_audit, providing visibility into who initiated the withdrawal and when it occurred, along with detailed record change history.
- Audit and Compliance: Administrators can rely on the combined logging tables to maintain a comprehensive audit trail of encryption key management, facilitating compliance with security policies and simplifying forensic analysis.
Learn about logging options for Cloud Encryption.
Cloud Encryption logging tables
Use these tables to find logging information related to Cloud Encryption transactions on your instance.
| Table | Description |
|---|---|
| Cloud Encryption Metadata [dare_key_metadata] | Cloud Encryption Metadata captures key life-cycle management metadata. On this table you can find key life-cycle, state, and version information. This table is updated after each key operation. |
| Key Management Transactions [dare_key_request] | Key Management Transactions captures key management transaction information. On this table you can find logging for each step of a transaction. The table records any error information for a transaction in the error message field. |
| Sys Audits [sys_audit] | The Sys Audits table captures inserts and updates to all audited records on your instance. On this table you can find changes to records on your instance, when the changes were made, and which user account initiated the change. |
Monitor key rotation operations
Use the Cloud Encryption Key Metadata [dare_key_metadata] table to find information on the life-cycle of your key. In this table you can find information like the origin, activation date, state, and version of your keys.
Use the Key Management Transactions [dare_key_request] table to monitor transactions of key operations. In this table you can find all requests relating to your keys, including the state, status, and which step in the process the request is in. Completed requests are retained on this table with the Completed status.
This example shows a key rotation operation. During this operation, the old key life-cycle state updates from active to rotated, and the version state updates from active to retired.
Looking at the Sys Audits [sys_audit] table, admins can see changes made to records on the Cloud Encryption Key Metadata [dare_key_metadata] table. Admins can see which records were updated and when. The log entries also record the field that was changed, and the old and new values.
Admins can view the records on the Cloud Encryption Key Metadata [dare_key_metadata] table. In the audit records below, the request status was changed from processing to completed.
Logging for key withdrawal operations
Logging information on key withdrawal is stored in the Sys Audits [sys_audit] table. It records who initiated the key withdrawal and when the withdrawal took place.
This example shows a key withdrawal operation. During this operation, the key lifecycle state updates from generated, to active, to destroyed. The key version updates from unknown, to active, to retired.
Looking at the Sys Audits [sys_audit] table, admins can see the changes made to the Cloud Encryption Key Metadata [dare_key_metadata] table.
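The following is an added example, not code from the ServiceNow documentation, showing how the rotation and withdrawal transitions described in the two sections above can be reconstructed from exported Sys Audits [sys_audit] rows: it builds a per-key timeline of Cloud Encryption Metadata [dare_key_metadata] changes, flags any transition outside the documented life-cycle, and reports who performed each withdrawal and when. The sys_audit rows are constructed sample data, and the field names "state" and "version" are assumed column names on dare_key_metadata; on an instance the rows would come from a GlideRecord query on sys_audit filtered by tablename.

```javascript
// Constructed sample of Sys Audits [sys_audit] rows for two keys. tablename, documentkey,
// fieldname, oldvalue, newvalue, sys_created_on and user are real sys_audit columns; the
// fieldname values "state" and "version" are assumed dare_key_metadata column names.
const SAMPLE_AUDIT_ROWS = [
  { tablename: 'dare_key_metadata', documentkey: 'key-A', fieldname: 'version', oldvalue: 'unknown',    newvalue: 'active',    sys_created_on: '2024-01-02 10:00:05', user: 'system' },
  { tablename: 'dare_key_metadata', documentkey: 'key-A', fieldname: 'state',   oldvalue: 'generated',  newvalue: 'active',    sys_created_on: '2024-01-02 10:00:00', user: 'system' },
  { tablename: 'dare_key_request',  documentkey: 'req-1', fieldname: 'status',  oldvalue: 'processing', newvalue: 'completed', sys_created_on: '2024-03-01 09:30:00', user: 'system' },
  { tablename: 'dare_key_metadata', documentkey: 'key-A', fieldname: 'state',   oldvalue: 'active',     newvalue: 'rotated',   sys_created_on: '2024-03-01 09:29:00', user: 'system' },
  { tablename: 'dare_key_metadata', documentkey: 'key-A', fieldname: 'version', oldvalue: 'active',     newvalue: 'retired',   sys_created_on: '2024-03-01 09:29:01', user: 'system' },
  { tablename: 'dare_key_metadata', documentkey: 'key-B', fieldname: 'state',   oldvalue: 'generated',  newvalue: 'active',    sys_created_on: '2024-03-01 09:29:02', user: 'system' },
  { tablename: 'dare_key_metadata', documentkey: 'key-B', fieldname: 'state',   oldvalue: 'active',     newvalue: 'destroyed', sys_created_on: '2024-04-15 14:00:00', user: 'jdoe' },
  // A destroyed key going back to active is not a documented transition; it should be flagged.
  { tablename: 'dare_key_metadata', documentkey: 'key-B', fieldname: 'state',   oldvalue: 'destroyed',  newvalue: 'active',    sys_created_on: '2024-04-15 14:05:00', user: 'jdoe' },
];

// Life-cycle transitions the documentation describes for rotation and withdrawal.
const EXPECTED = {
  state:   { generated: ['active'], active: ['rotated', 'destroyed'] },
  version: { unknown: ['active'],   active: ['retired'] },
};

// Per-key, time-ordered list of field changes on dare_key_metadata (other tables ignored).
function keyTimeline(rows) {
  const timeline = {};
  rows
    .filter((r) => r.tablename === 'dare_key_metadata')
    .sort((a, b) => a.sys_created_on.localeCompare(b.sys_created_on))
    .forEach((r) => {
      if (!timeline[r.documentkey]) timeline[r.documentkey] = [];
      timeline[r.documentkey].push({
        at: r.sys_created_on, field: r.fieldname, from: r.oldvalue, to: r.newvalue, user: r.user,
      });
    });
  return timeline;
}

// Flag changes outside the documented life-cycle and record who performed each
// withdrawal (state -> destroyed) and when, which is what sys_audit is used for above.
function reviewTransitions(rows) {
  const findings = { unexpected: [], withdrawals: [] };
  for (const [key, changes] of Object.entries(keyTimeline(rows))) {
    for (const c of changes) {
      const allowed = (EXPECTED[c.field] || {})[c.from] || [];
      if (!allowed.includes(c.to)) findings.unexpected.push({ key, ...c });
      if (c.field === 'state' && c.to === 'destroyed') {
        findings.withdrawals.push({ key, user: c.user, at: c.at });
      }
    }
  }
  return findings;
}
```

Run against the sample, `reviewTransitions` reports one withdrawal of key-B by jdoe and one unexpected destroyed-to-active change for review.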