Understanding Edge Encryption

Edge Encryption is a network encryption system that resides in your network and encrypts and decrypts sensitive data as it travels between your data center and the ServiceNow cloud.

What is Edge Encryption

The Edge Encryption proxy server is a network encryption application that protects data in motion: it encrypts data within your network before the data is sent over the Internet to your instance, where it remains encrypted at rest. When requested, the encrypted data is sent back to the Edge Encryption proxy server, which decrypts it before serving it to your web browser.

Who uses Edge Encryption

Encrypted data can only be viewed in clear text by a user logged in to the instance through a proxy server in your network. Likewise, Edge Encryption can only be configured and administered by a security_admin user logged in to an instance through a proxy server in your network. Because the proxy server resides in your network, you own and manage the encryption keys; they are never sent to the instance. As a result, sensitive data is never displayed in clear text to ServiceNow.

Edge Encryption can encrypt or tokenize your data

Edge Encryption supports both encryption and tokenization as a means of protecting your sensitive information.

Encryption configurations

You can encrypt individual fields using encryption configurations. Edge Encryption supports AES with 128-bit and 256-bit encryption keys. Standard, equality-preserving, and order-preserving encryption types are supported. In addition to attachments, the following field types can be encrypted:

- String
- Journal
- Journal Input
- URL

If a Journal field marked for encryption is added to the activity stream, all user input to the field is encrypted in the activity stream.

Note: Multi-byte characters within supported field types can be encrypted.
Encryption patterns

You can use encryption patterns to tokenize strings that match regular patterns such as social security and credit card numbers. Encryption configurations should be the primary method of encryption; use encryption patterns as a supplement to secure sensitive information found outside of encrypted fields.

Note: The Edge Encryption proxy server requires a MySQL database in your network only if you use order-preserving encryption or encryption patterns. Clear text values are stored in the proxy database in your network. For this reason, it is critical that you secure and regularly back up your proxy database. For recommendations, see Edge Encryption components.

Edge Encryption on the Now Platform

Edge Encryption acts as a gateway between your browser and your ServiceNow instance. Traffic from your browser passes through the gateway on its way to the ServiceNow instance. The gateway, in turn, is configured to encrypt outbound data that is marked for encryption. Inbound traffic is decrypted by the gateway, and the end user sees clear text in the browser. The advantage of this implementation from a security control perspective is that encryption and key management are handled outside ServiceNow.

Because encryption and tokenization change the nature of your data, Edge Encryption can affect other instance processes. Before using Edge Encryption, carefully consider the impact on your instance by reviewing Planning for Edge Encryption.

What to know before you begin

Because the proxy server is installed and maintained in your network, Edge Encryption requires network administration and management. Review the network requirements to ensure a smooth implementation:

- Edge Encryption system requirements
- Sizing your Edge Encryption environment
- Edge Encryption limitations
- Key management

Learn more

This podcast offers more information about Edge Encryption.
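The encryption-pattern flow described above (regular expressions that pick out strings such as social security and credit card numbers in free text, the clear value kept in the proxy database, a token sent to the instance in its place) can be modelled as follows. The Go program is an added example written for this page, not code from ServiceNow; the two expressions, the `tok:` token format, the in-memory vault standing in for the MySQL proxy database, and the Luhn false-positive filter are all assumptions made for illustration, and the ticket text is constructed sample input.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Pattern is a hypothetical stand-in for one encryption pattern: a name plus the regular
// expression that identifies values to tokenize. Both expressions below are constructed for this example.
type Pattern struct {
	Name string
	Re   *regexp.Regexp
}

// Card runs first so that the hyphen-free hex of a card token can never be re-matched as an SSN.
var patterns = []Pattern{
	{"card", regexp.MustCompile(`\b(?:\d{4}[ -]?){3}\d{4}\b`)},
	{"ssn", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)},
}

// tokenRe recognises the tokens this vault issues when text comes back from the instance.
var tokenRe = regexp.MustCompile(`tok:[a-z]+:[0-9a-f]{16}`)

// TokenVault models the proxy database the page describes (token -> clear text). It is the only
// place the clear value of a tokenized string exists, which is why that database must be secured and backed up.
type TokenVault map[string]string

// tokenFor issues a random, non-reversible token for value; the mapping lives only in the vault.
func (v TokenVault) tokenFor(name, value string) (string, error) {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	t := "tok:" + name + ":" + hex.EncodeToString(b)
	v[t] = value
	return t, nil
}

// luhnValid is an added false-positive filter: a 16-digit run that fails the Luhn check is not a card number.
func luhnValid(s string) bool {
	digits := strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1
	}, s)
	sum := 0
	for i := range digits {
		d := int(digits[len(digits)-1-i] - '0') // walk from the right
		if i%2 == 1 {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
	}
	return len(digits) > 0 && sum%10 == 0
}

// Tokenize replaces every pattern match in free text with a token before the text leaves the network.
func (v TokenVault) Tokenize(text string) (string, error) {
	var firstErr error
	for _, p := range patterns {
		text = p.Re.ReplaceAllStringFunc(text, func(m string) string {
			if p.Name == "card" && !luhnValid(m) {
				return m
			}
			t, err := v.tokenFor(p.Name, m)
			if err != nil {
				firstErr = err
				return m
			}
			return t
		})
	}
	return text, firstErr
}

// Detokenize restores clear text for the browser; tokens the vault does not know are left as they are.
func (v TokenVault) Detokenize(text string) string {
	return tokenRe.ReplaceAllStringFunc(text, func(t string) string {
		if val, ok := v[t]; ok {
			return val
		}
		return t
	})
}

func main() {
	// Constructed comment text, for demonstration only.
	v := TokenVault{}
	out, _ := v.Tokenize("Caller gave SSN 123-45-6789 and card 4111 1111 1111 1111; ticket ref 1234 5678 9012 3456")
	fmt.Println("sent to instance:", out)
	fmt.Println("shown in browser:", v.Detokenize(out))
}
```

Two things in this model carry over to the real deployment. A token is random, so nothing on the instance can be worked back to the clear value; the vault is the only copy, and losing it makes every token already stored on the instance permanently undecodable, which is the operational reason behind the note about securing and backing up the proxy database. And a pattern is only as good as its expression: the digit run in the ticket reference looks like a card number but is left alone because it fails the Luhn check, whereas a pattern without such a filter would tokenize it and quietly break searches on that field.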
Edge Encryption components

Edge Encryption is comprised of the Edge Encryption proxy server, which runs on a server in your network, and the Edge Encryption plugin, which must be installed on your ServiceNow instance. If you use order-preserving encryption types or encryption patterns, a proxy database must also be installed in your network.

Key management

You are responsible for providing and managing the encryption keys used by Edge Encryption.

Encryption configurations and patterns

With Edge Encryption, you can encrypt fields and tokenize strings.

Installed with Edge Encryption

Edge Encryption installs tables to store encryption-related data, system properties to configure default behavior, and the edge_encryption role to administer Edge Encryption.