Cloud Encryption with Key Management

  • Release version: Xanadu
  • Updated August 16, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Cloud Encryption with Key Management

    ServiceNow® Cloud Encryption provides encrypted database storage using block encryption combined with advanced key management capabilities. It is included with the ServiceNow® Platform Encryption subscription bundle and supports both production and non-production instances using MariaDB and RaptorDB databases. The solution is available in ServiceNow Commercial Cloud, Government Customer Cloud (GCC) pod 101, and ServiceNow Protected Platform – Australia (SPP-AU).

    Show full answer Show less

    Cloud Encryption enhances data security by offering segregation of duties, rotation of ServiceNow-managed keys, and an option for customer-managed keys. The customer-managed key option is ideal for organizations needing to use their own cryptographic keys generated via enterprise key management systems or hardware security modules (HSMs).

    Key Features

    • Key Management Operations: View and manage encryption keys, perform key rotations, and request key withdrawals when using customer-managed keys.
    • Key Management Transactions: Review all transactions related to encryption keys within the ServiceNow instance for audit and compliance.
    • Customer-Managed Keys: Allows use of your own encryption keys. Key withdrawal functionality can be enabled with an optional add-on license and requires activation by ServiceNow support.
    • Quorum Control Policy: Configures the minimum approvals required for customer-managed key withdrawal, enhancing governance controls.
    • Tamper Detection: Improves security by detecting unauthorized changes to quorum control policy settings.
    • Cloud Encryption UI: Accessible by users with the securityadmin role and snkmf.admin role, providing a centralized interface to manage encryption keys and monitor encryption status.

    Enabling and Licensing

    Cloud Encryption requires the Platform Encryption subscription bundle. New licensed instances are provisioned with Cloud Encryption by default. For existing instances, customers with admin roles can request activation through ServiceNow’s Service Catalog, which requires a one-hour maintenance window.

    Practical Benefits for ServiceNow Customers

    • Ensures data confidentiality through robust encryption and key management.
    • Supports compliance requirements by segregating duties and providing audit trails of key usage and transactions.
    • Offers flexibility to use ServiceNow-managed keys or integrate your own enterprise key management tools.
    • Provides governance controls through quorum policies and tamper detection to safeguard encryption key operations.
    • Enables secure key rotation and withdrawal to maintain encryption integrity over time.

    ServiceNow® Cloud Encryption offers encrypted storage for the database using block encryption, along with enhanced key management. Cloud Encryption is available with the ServiceNow® Platform Encryption subscription bundle.

    Cloud Encryption offers:
    • Segregation of duties.
    • Rotation of ServiceNow Managed keys.
    • Customer-Managed keys option.
      Note:
      Consider this option if your organization requires you to use key material generated by your own cryptographic tools or libraries, an enterprise key management system, or a hardware security module (HSM). See Key management operations for details.

    The following diagram shows how Cloud Encryption works.

    Figure 1. Cloud Encryption Overview
    Cloud Encryption overview diagram.
    The Cloud Encryption Key Management module consists of the following submodules:
    • Key management operations:
      • Access the list of keys.
      • Perform key rotation operations.
      • Withdraw customer-managed key.
    • Key management transactions:

      Reference all transactions that have occurred for the keys that have been used.

      Use your own customer-managed key for encryption.

    In certain circumstances, you may opt for a key withdrawal request when using a customer-managed key. To do so, you must license the Cloud Encryption Withdraw and Resupply optional add-on SKU and then request the key withdrawal functionality be activated by a Customer Service and Support team member.

    The Quorum Control Policy Settings option becomes available when the withdrawal feature is activated, otherwise the module isn’t visible on the menu. This feature can be activated only when using customer-managed keys. This policy enables settings to be configured regarding quorum when the withdrawal feature is activated. For more details on this feature, see Quorum Control Policy.

    Cloud Encryption supports production and non-production instances for MariaDB and RaptorDB databases. Cloud Encryption is supported in the ServiceNow Commercial Cloud, Government Customer Cloud (GCC) pod 101, and ServiceNow Protected Platform – Australia (SPP-AU).

    Licensing and enabling Cloud Encryption

    For information about licensing Cloud Encryption, see Encryption and Key Management subscription bundle.

    For licensed customers with new instances, the new instance provisioning will include Cloud Encryption.

    For licensed customers with existing instances, to request an instance be moved to Cloud Encryption, follow the instructions in KB1117369. You must have the customer admin or partner admin role to request the Service Catalog item to Enable Cloud Encryption on your instance. Enabling this feature requires a one-hour maintenance window.

    Cloud Encryption UI

    When Cloud Encryption is enabled, the Cloud Encryption user interface (UI) is visible to the security_admin user when this user has the sn_kmf.admin role.

    To access the Cloud Encryption UI by searching for Cloud Encryption Key Management in the navigation bar. Navigate to the Key Management Operations section to see information about encryption keys, such as details of the active key, and whether Cloud Encryption is enabled for the instance.