Understanding Edge Encryption

Edge Encryption is a network encryption system that resides in your network and encrypts and decrypts sensitive data as it travels between your data center and the ServiceNow cloud.

What is Edge Encryption

The Edge Encryption proxy server is a network encryption application that, through encryption in motion, encrypts data within your network before it is sent over the Internet to your instance, where it remains encrypted at rest. When requested, the encrypted data is sent back to the Edge Encryption proxy server, which in turn decrypts your data before serving it to your web browser.

Who uses Edge Encryption

Encrypted data can only be viewed in clear text by a user logged in to the instance through a proxy server in your network. Likewise, Edge Encryption can only be configured and administered by a security_admin user logged in to an instance through a proxy server in your network.

Because the proxy server resides in your network, you own and manage the encryption keys—they are never sent to the instance. As a result, sensitive data is never displayed in clear text to ServiceNow.

Edge Encryption can encrypt or tokenize your data

Edge Encryption supports both encryption and tokenization as a means of protecting your sensitive information.

Encryption configurations

You can encrypt individual fields using encryption configurations. Edge Encryption supports AES with 128-bit and 256-bit encryption keys. Standard, equality-preserving, and order-preserving encryption types are supported.

In addition to attachments, the following field types can be encrypted:

  • String
  • Journal
  • Journal Input
  • URL

If a Journal field marked for encryption is added to the activity stream, all user input to the field is encrypted in the activity stream.

Note: Multi-byte characters within supported field types can be encrypted.

Encryption patterns

You can use encryption patterns to tokenize strings that match regular patterns such as social security and credit card numbers. While encryption configurations should be the primary method of encryption, use encryption patterns as a supplement to secure sensitive information found outside of encrypted fields.

Note: The Edge Encryption proxy server requires a MySQL database in your network only if using order-preserving encryption or encryption patterns. Clear text values are stored in the proxy database in your network. For this reason, it is critical that you secure and regularly back up your proxy database. For recommendations, see Edge Encryption components.
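The following sketch is an added example, not ServiceNow code, that models pattern-based tokenization to show why the proxy database holds clear text and why losing it makes tokens irreversible. The `TokenVault` class, the `TOK_` token format, the SSN regular expression, and the use of in-memory SQLite in place of MySQL are all assumptions made for illustration.

```python
import re
import secrets
import sqlite3

# Hypothetical pattern for U.S. social security numbers (constructed for this example).
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Hypothetical token format used only by this sketch.
TOKEN_PATTERN = re.compile(r"TOK_[0-9a-f]{32}")


class TokenVault:
    """Stand-in for the proxy database: maps random tokens to clear text values."""

    def __init__(self, db):
        self.db = db
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS tokens (token TEXT PRIMARY KEY, clear TEXT UNIQUE)"
        )

    def tokenize(self, text):
        """Replace every pattern match with a token before the text leaves the network."""
        def swap(match):
            clear = match.group(0)
            row = self.db.execute(
                "SELECT token FROM tokens WHERE clear = ?", (clear,)
            ).fetchone()
            if row:  # design choice of this sketch: one token per distinct value
                return row[0]
            token = "TOK_" + secrets.token_hex(16)  # random, not derived from the value
            self.db.execute("INSERT INTO tokens VALUES (?, ?)", (token, clear))
            return token
        return SSN_PATTERN.sub(swap, text)

    def detokenize(self, text):
        """Restore clear text on the way back; tokens missing from the vault stay as-is."""
        def swap(match):
            row = self.db.execute(
                "SELECT clear FROM tokens WHERE token = ?", (match.group(0),)
            ).fetchone()
            return row[0] if row else match.group(0)
        return TOKEN_PATTERN.sub(swap, text)


if __name__ == "__main__":
    vault = TokenVault(sqlite3.connect(":memory:"))
    note = "Caller gave SSN 078-05-1120 to verify identity."  # constructed sample input
    stored = vault.tokenize(note)      # what would be held outside your network
    print(stored)
    print(vault.detokenize(stored))    # what a user behind the proxy sees
    lost = TokenVault(sqlite3.connect(":memory:"))  # vault lost with no backup
    print(lost.detokenize(stored))     # the token can no longer be reversed
```

Because the tokens are random rather than derived from the value, the mapping table is the only way back to clear text, which is why the note above calls for securing and backing up the proxy database.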
Flow of data using Edge Encryption.

Edge Encryption on the Now Platform

Edge Encryption acts as a gateway between your browser and your ServiceNow instance. Traffic from your browser passes through the gateway on its way to the ServiceNow instance. The gateway, in turn, is configured to encrypt outbound data that is marked for encryption. Inbound traffic is decrypted through the gateway, and the end user sees clear text in the browser. The advantage of this implementation from a security control perspective is that the encryption and key management are handled externally from ServiceNow.

Because encryption and tokenization change the nature of your data, Edge Encryption can affect other instance processes. Before using Edge Encryption, carefully consider the impact on your instance by reviewing Planning for Edge Encryption.

What to know before you begin

Because the proxy server is installed and maintained in your network, Edge Encryption requires network administration and management. Review the network requirements to ensure a smooth implementation.

Learn more

This podcast offers more information about Edge Encryption.