Encryption configurations and patterns

  • Release version: Xanadu
  • Updated August 1, 2024

    With Edge Encryption, you can encrypt fields and tokenize strings.

    Encryption configurations

    You can encrypt individual fields using encryption configurations. Edge Encryption supports AES 128-bit encryption keys. If the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files are installed, Edge Encryption supports AES 256-bit encryption keys for each encryption type. Edge Encryption supports the following types of encryption configurations.

    Standard encryption
    The encrypted value of a field is different each time the field is encrypted, even when the field value remains the same. Standard encryption is the most robust form of encryption. Fields using standard encryption cannot be sorted, grouped by, or filtered on.
    Equality-preserving encryption
    The encrypted value of a field is the same when the field value remains the same. Supports equality comparisons and group by operations on a field.
    Note:
    When equality-preserving encryption is selected for a field that already contains data, performing a group by action on the field may not group fields with the same value if one is encrypted and the other is not.
    Order-preserving encryption
    Uses tokens and encryption to secure data in your proxy database. Supports equality comparisons, group by operations, and the ability to sort data. The order preserving encryption type is only supported if there is a MySQL database configured for the Edge Encryption proxy server.
    Note:
    When using order-preserving encryption and the proxy database is down, updates can be made to fields using order-preserving encryption. However, the sort order will not be correct when trying to sort data based on those fields. Groups also will not work as expected. When the proxy database is again operational, schedule an order token repair job to repair missing tokens.
    Table 1. Encryption types
    The following encryption types are listed in decreasing security quality.

    Encryption type              Description
    Standard AES 256             Fields cannot be filtered, sorted, or compared.
    Standard AES 128             Fields cannot be filtered, sorted, or compared.
    Equality preserving AES 256  Fields can be filtered using equality comparisons.
    Equality preserving AES 128  Fields can be filtered using equality comparisons.
    Order preserving AES 256     Fields can be sorted and equality comparison filtering can be used. Requires the use of a MySQL database in your network.
    Order preserving AES 128     Fields can be sorted and equality comparison filtering can be used. Requires the use of a MySQL database in your network.
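    The following is an added illustration, not ServiceNow code and not the product's actual cipher construction: a stdlib SHA-256 counter-mode keystream stands in for AES, a random IV models standard encryption, and a plaintext-derived (synthetic) IV models equality-preserving encryption. It shows why the instance can group rows only under the equality-preserving type, and reproduces the note above about a field that still holds one clear-text row after the switch. KEY, demo() and the department values are constructed for the example.

```python
import hashlib
import hmac
import secrets
from collections import Counter

KEY = secrets.token_bytes(32)  # constructed demo key (stands in for the AES-128/256 key)

def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # Stdlib stand-in for a block cipher in counter mode: SHA-256(key || iv || counter).
    out = b""
    for ctr in range(0, n, 32):
        out += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
    return out[:n]

def _encrypt(key: bytes, plaintext: str, iv: bytes) -> bytes:
    data = plaintext.encode()
    return iv + bytes(a ^ b for a, b in zip(data, _keystream(key, iv, len(data))))

def standard_encrypt(key: bytes, plaintext: str) -> bytes:
    # Standard: a fresh random IV per call, so the same value encrypts differently each time.
    return _encrypt(key, plaintext, secrets.token_bytes(16))

def equality_preserving_encrypt(key: bytes, plaintext: str) -> bytes:
    # Equality-preserving: the IV is derived from the plaintext (synthetic-IV style),
    # so equal values give equal ciphertexts and the instance can compare and group them.
    iv = hmac.new(key, plaintext.encode(), hashlib.sha256).digest()[:16]
    return _encrypt(key, plaintext, iv)

def decrypt(key: bytes, ciphertext: bytes) -> str:
    iv, body = ciphertext[:16], ciphertext[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, iv, len(body)))).decode()

def group_by(column):
    # All the instance can do with stored values: bucket rows whose stored value is identical.
    return dict(Counter(column))

def demo() -> dict:
    rows = ["Finance", "Finance", "HR"]  # constructed department values
    standard = [standard_encrypt(KEY, r) for r in rows]
    equality = [equality_preserving_encrypt(KEY, r) for r in rows]
    # Field switched to equality-preserving while one legacy row is still clear text:
    mixed = [equality[0], "Finance", equality[2]]
    return {
        "standard_groups": len(group_by(standard)),   # 3: no two ciphertexts match
        "equality_groups": len(group_by(equality)),   # 2: the two "Finance" rows collapse
        "mixed_groups": len(group_by(mixed)),         # 3: clear "Finance" != encrypted one
        "roundtrip": all(decrypt(KEY, c) == r for c, r in zip(standard + equality, rows + rows)),
    }
```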

    Encryption Patterns

    You can secure sensitive data found in strings using encryption patterns. Once an encryption pattern is stored and activated, the Edge Encryption proxy server identifies strings that match the pattern in requests. Once located, the clear text string is stored in the proxy database and replaced on the instance with a token. Use encryption patterns to tokenize strings that match regular patterns such as social security and credit card numbers. While we recommend that encryption configurations be the primary method of encryption, use encryption patterns as a supplement to locate and secure sensitive information found outside of encrypted fields.

    Note:
    The Edge Encryption proxy server requires a MySQL database in your network only if using order preserving encryption or encryption patterns. Clear text values are stored in the proxy database in your network. For this reason, it is critical that you secure and regularly back up your proxy database. For recommendations, see Edge Encryption components.
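    The following is an added example of the pattern-tokenization flow described above; it is not ServiceNow code, and the regexes, the EE_TOKEN_ format and the ProxyTokenStore class are constructed stand-ins for the proxy's pattern rules and its MySQL database. It shows the proxy swapping matches for tokens on the way out, restoring them on the way back from the only copy of the clear text, and what this demo does when that database is unreachable (it refuses the request rather than forwarding clear text; the product's own behaviour is not described on this page).

```python
import re
import secrets

# Constructed patterns for the two examples the page names: SSNs and credit card numbers.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b\d{4}(?:[ -]?\d{4}){3}\b"),
}
TOKEN_RE = re.compile(r"EE_TOKEN_[0-9a-f]{16}")  # hypothetical token format

class ProxyTokenStore:
    """Hypothetical stand-in for the proxy's MySQL database: token -> clear text."""
    def __init__(self):
        self._rows = {}
        self.available = True  # set False to simulate the proxy database being down

    def put(self, clear_text: str) -> str:
        if not self.available:
            raise ConnectionError("proxy database unavailable")
        token = "EE_TOKEN_" + secrets.token_hex(8)
        self._rows[token] = clear_text  # the only copy of the clear text: back this DB up
        return token

    def get(self, token: str) -> str:
        return self._rows[token]

def tokenize(request_text: str, store: ProxyTokenStore) -> str:
    # Outbound request through the proxy: every match is stored in the proxy database and
    # replaced by a token, so the instance never receives the clear text.
    for pattern in PATTERNS.values():
        request_text = pattern.sub(lambda m: store.put(m.group(0)), request_text)
    return request_text

def detokenize(response_text: str, store: ProxyTokenStore) -> str:
    # Inbound response: tokens are swapped back for the clear text held by the proxy.
    return TOKEN_RE.sub(lambda m: store.get(m.group(0)), response_text)

def roundtrip(text: str) -> bool:
    store = ProxyTokenStore()
    return detokenize(tokenize(text, store), store) == text

def tokenize_fails_closed() -> bool:
    # This demo refuses to forward a request it cannot tokenize rather than leaking clear text.
    store = ProxyTokenStore()
    store.available = False
    try:
        tokenize("customer SSN 987-65-4321", store)
        return False
    except ConnectionError:
        return True
```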