Cloud Encryption logging

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read

    Learn about logging options for Cloud Encryption.

    Cloud Encryption logging tables

    Use these tables to find logging information related to Cloud Encryption transactions on your instance.

    Table: Description
    • Cloud Encryption Metadata [dare_key_metadata]: Captures key life-cycle management metadata. On this table you can find key life-cycle, state, and version information. This table is updated after each key operation.
    • Key Management Transactions [dare_key_request]: Captures key management transaction information. On this table you can find logging for each step of a transaction. The table records any error information for a transaction in the error message field.
    • Sys Audits [sys_audit]: Captures inserts and updates to all audited records on your instance. On this table you can find changes to records on your instance, when the changes were made, and which user account initiated the change.

    Monitor key rotation operations

    Use the Cloud Encryption Key Metadata [dare_key_metadata] table to find information on the life-cycle of your key. In this table you can find information like the origin, activation date, state, and version of your keys.

    Use the Key Management Transactions [dare_key_request] table to monitor transactions of key operations. In this table you can find all requests relating to your keys, including the state, status, and which step in the process the request is in. Completed requests are retained on this table with the Completed status.

    This example shows a key rotation operation. During this operation, the old key's life-cycle state updates from active to rotated, and the version state updates from active to retired.

    Figure 1. Key definition for a rotated key

    Looking at the Sys Audits [sys_audit] table, admins can see changes made to records on the Cloud Encryption Key Metadata [dare_key_metadata] table. Admins can see which records were updated and when. The log entries also record the field that was changed, and the old and new values.

    Figure 2. Audit logs for a withdrawn key

    Admins can view the records on the Cloud Encryption Key Metadata [dare_key_metadata] table. In the audit records below, the request status was changed from processing to completed.

    Figure 3. Audit logs for a withdrawn key

    Logging for key withdrawal operations

    Logging information on key withdrawal is stored in the Sys Audits [sys_audit] table. These audit records show who initiated the key withdrawal and when the withdrawal took place.

    This example shows a key withdrawal operation. During this operation, the key life-cycle state updates from generated to active to destroyed. The key version state updates from unknown to active to retired.

    Figure 4. Key definition for a withdrawn key

    Looking at the Sys Audits [sys_audit] table, admins can see the changes made to the Cloud Encryption Key Metadata [dare_key_metadata] table records.

    Figure 5. Audit logs for a withdrawn key
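    The rotation and withdrawal sequences described above can be checked against exported audit rows. The script below is an added example, not ServiceNow code: it reads sys_audit rows (tablename, documentkey, fieldname, oldvalue, newvalue, user, sys_created_on are real sys_audit columns), rebuilds each key's state changes in time order, reports who destroyed a key and when, and flags any transition that does not match the life-cycle and version sequences this page documents. The dare_key_metadata column names lifecycle_state and version_state are assumptions, since the page names the states but not the columns, and the audit rows are constructed sample data.

```javascript
// Added example, not ServiceNow's own code. Assumed dare_key_metadata column
// names: "lifecycle_state" and "version_state". Audit rows below are constructed.

// Transitions the page documents: rotation (active -> rotated, active -> retired)
// and withdrawal (generated -> active -> destroyed, unknown -> active -> retired).
const EXPECTED = {
  lifecycle_state: { generated: ["active"], active: ["rotated", "destroyed"] },
  version_state:   { unknown: ["active"],   active: ["retired"] },
};

// Constructed export of sys_audit rows (key-C jumps straight to destroyed).
const SAMPLE_AUDIT = [
  { tablename: "dare_key_metadata", documentkey: "key-A", fieldname: "lifecycle_state", oldvalue: "active",    newvalue: "rotated",   user: "kms.admin", sys_created_on: "2025-01-10 09:00:00" },
  { tablename: "dare_key_metadata", documentkey: "key-A", fieldname: "version_state",   oldvalue: "active",    newvalue: "retired",   user: "kms.admin", sys_created_on: "2025-01-10 09:00:01" },
  { tablename: "dare_key_metadata", documentkey: "key-B", fieldname: "lifecycle_state", oldvalue: "generated", newvalue: "active",    user: "system",    sys_created_on: "2025-01-11 08:00:00" },
  { tablename: "dare_key_metadata", documentkey: "key-B", fieldname: "lifecycle_state", oldvalue: "active",    newvalue: "destroyed", user: "j.doe",     sys_created_on: "2025-01-12 17:30:00" },
  { tablename: "dare_key_metadata", documentkey: "key-C", fieldname: "lifecycle_state", oldvalue: "generated", newvalue: "destroyed", user: "j.doe",     sys_created_on: "2025-01-12 17:31:00" },
  { tablename: "dare_key_request",  documentkey: "req-1", fieldname: "status",          oldvalue: "processing", newvalue: "completed", user: "system",   sys_created_on: "2025-01-12 17:32:00" },
];

// Returns { withdrawals: [...], unexpected: [...] } built from the audit rows.
function analyzeKeyAudit(rows) {
  const findings = { withdrawals: [], unexpected: [] };
  const keyRows = rows
    .filter(r => r.tablename === "dare_key_metadata" && EXPECTED[r.fieldname])
    // sys_created_on is "YYYY-MM-DD HH:MM:SS", so string order is time order.
    .sort((a, b) => a.sys_created_on.localeCompare(b.sys_created_on));
  for (const r of keyRows) {
    const allowed = EXPECTED[r.fieldname][r.oldvalue] || [];
    if (!allowed.includes(r.newvalue)) {
      // A change outside the documented sequence deserves a closer look.
      findings.unexpected.push({ key: r.documentkey, field: r.fieldname, from: r.oldvalue, to: r.newvalue, user: r.user, at: r.sys_created_on });
    }
    if (r.fieldname === "lifecycle_state" && r.newvalue === "destroyed") {
      // Withdrawal: the audit row tells us who destroyed the key and when.
      findings.withdrawals.push({ key: r.documentkey, user: r.user, at: r.sys_created_on });
    }
  }
  return findings;
}

console.log(JSON.stringify(analyzeKeyAudit(SAMPLE_AUDIT), null, 2));
```

    Rows from other tables, such as the dare_key_request status change, are ignored so the report stays focused on key metadata.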