Exploring Column Level Encryption

  • Release version: Xanadu
  • Updated October 21, 2024
  • 2 minutes to read

    Column Level Encryption overview

    Column Level Encryption (FE) is a base system feature that permits encryption of data stored within an instance using AES-128 or AES-256.

    FE enables you to encrypt selected database fields and stored files through the use of encryption contexts. In these contexts you define what is encrypted, choose which algorithm to use, and supply the encryption key, which is stored within your instance.

    After the context is created, you can associate it with a user role. Users assigned to this role, either directly or through a group, are able to access the encrypted data.

    Because FE bases access to data on role assignment, it’s important to be familiar with administering roles on your instance. For more information, see Managing roles.

    Column Level Encryption benefits

    Feature, benefit, and required roles:

    • Role-based access to encrypted data
      Benefit: Configure access to your encrypted data based on assigned user roles.
      Required roles: security admin

    • AES encryption
      Benefit: Protect your data using the Advanced Encryption Standard (AES). You can choose to use either the AES-128 or AES-256 encryption algorithm.
      Required roles: security admin

    • Support for up to 5 modules and module access policies (MAPs)
      Benefit: Create up to 5 modules and module access policies (MAPs) using the standard version of FE. MAPs expand on role-based access to allow considerations for:
        • System users
        • Scripts
        • KMF Resource Exchange
      Column Level Encryption Enterprise supports additional MAPs.
      Required roles: security admin

    • Encryption for String text, Date and Date/Time fields, attachments, and URLs
      Benefit: Encrypt common field types using the standard version of Column Level Encryption. Column Level Encryption Enterprise supports additional field types.
      Required roles: security admin

    • Equality preserving encryption support
      Benefit: Choose between standard and equality preserving encryption. When enabled, equality preserving encryption ensures that the encrypted value of a field is the same when the field value remains the same. This type of encryption enables equality comparisons and group by operations on a field.
      Note: Non-deterministic encryption isn’t supported.
      Required roles: security admin

    • getDisplayValue() and setDisplayValue() APIs
      Benefit: Use getDisplayValue() and setDisplayValue() APIs to return cleartext values and insert encrypted data for encrypted fields.
      Required roles: security admin, developer

    Column Level Encryption Enterprise benefits

    Column Level Encryption Enterprise (FEE) builds on the existing Column Level Encryption framework and provides these additional features after you purchase a subscription.

    Feature, benefit, and required roles:

    • Support for additional field types:
        • HTML
        • Journal
        • Translated
      Benefit: Encrypt additional field types.
      Required roles: security admin

    • Support for additional modules and MAPs
      Benefit: FEE supports more than 5 modules and module access policies to provide more options for access to secured data.
      Required roles: security admin

    • Configurable automatic key rotation
      Benefit: Keys from a key vault can be rotated on an automated schedule you configure. Using automatic key rotation can improve security while reducing administrative overhead.
      Required roles: security admin

    • Customer supplied keys
      Benefit: Manage the full life cycle of your data encryption keys. Optionally, you can securely exchange data encryption keys generated within your environment.
      Required roles: security admin

    • Ephemeral cryptographic keys
      Benefit: Ephemeral keys are cryptographic keys that are generated for each execution of a cryptographic process. These keys are more secure because they’re generated for use in a single session.
      Required roles: security admin

    • Updated getDisplayValue() and setDisplayValue() APIs
      Benefit: Updated getDisplayValue() and setDisplayValue() APIs can insert encrypted data for encrypted fields.
      Required roles: security admin, developer