Thank you for your feedback.
Form temporarily unavailable. Please try again or contact to submit your comments.

Understanding Edge Encryption

Log in to subscribe to topics and get notified when content changes.

Understanding Edge Encryption

Edge Encryption is a network encryption system that resides on your network and that encrypts and decrypts sensitive data as it travels between your data center and the ServiceNow cloud.

What is Edge Encryption

The Edge Encryption proxy server is a network encryption application that, through encryption in motion, encrypts data within your network before it is sent over the Internet to your instance, where it remains encrypted at rest. When requested, the encrypted data is sent back to the Edge Encryption proxy server, which in turn decrypts your data before serving it to your web browser.

Who uses Edge Encryption

Only a user logged into the instance through a proxy server on your network can view encrypted data in clear text. Likewise, only a security_admin user logged in to an instance through a proxy server in your network can configure and administer Edge Encryption.

Because the proxy server resides in your network, you own and manage the encryption keys, and they are never sent to the instance. As a result, ServiceNow never shows sensitive data in clear text.

Encryption and tokenization

Edge Encryption supports both encryption (through encryption configurations) and tokenization (through encryption patterns) as a means of protecting your sensitive information.

Encryption configurations
You can encrypt individual fields using encryption configurations. Edge Encryption supports AES 128-bit and AES 256-bit encryption keys. Edge Encryption supports standard, equality-preserving, and order-preserving encryption types.
In addition to attachments, you can encrypt the following field types:
  • String
  • Date
  • Date/Time
  • Journal
  • Journal Input
  • URL
If a Journal field marked for encryption is added to the activity stream, all user input to the field is encrypted in the activity stream.
Note: Multi-byte characters within supported field types can be encrypted.
Encryption patterns
You can use encryption patterns to tokenize strings that match regular patterns such as social security and credit card numbers. While encryption configurations should be the primary method of encryption, use encryption patterns as a supplement to secure sensitive information found outside of encrypted fields.
Note: The Edge Encryption proxy server requires a MySQL database in your network only if using order preserving encryption or encryption patterns. Clear text values are stored in the proxy database in your network. For this reason, it is critical that you secure and regularly back up your proxy database. For recommendations, see Edge Encryption components.
Flow of data using Edge Encryption.

Edge Encryption on the Now Platform

Edge Encryption acts as a gateway between your browser and your ServiceNow instance. Traffic from your browser passes through the gateway on its way to the ServiceNow instance. The gateway, in turn, is configured to encrypt outbound data that is marked for encryption. Inbound traffic is decrypted through the gateway, and the end user sees clear text in the browser. The advantage of this implementation from a security control perspective is that the encryption and key management are handled externally from ServiceNow.

What to know before you begin

Because encryption and tokenization change the nature of your data, Edge Encryption can affect other instance processes. Before using Edge Encryption, carefully consider the impact on your instance.

Because the proxy server is installed and maintained in your network, Edge Encryption requires network administration and management. Review the network requirements to ensure a smooth implementation.

Review the following topics to understand the impact of Edge Encryption on your instance: