What is Edge Encryption

The Edge Encryption proxy server is a network encryption application that, through encryption in motion, encrypts data within your network before it is sent over the Internet to your instance, where it remains encrypted at rest. When requested, the encrypted data is sent back to the Edge Encryption proxy server, which in turn decrypts your data before serving it to your web browser.

Who uses Edge Encryption

Only a user logged into the instance through a proxy server on your network can view encrypted data in clear text. Likewise, only a security_admin user logged in to an instance through a proxy server in your network can configure and administer Edge Encryption.

Because the proxy server resides in your network, you own and manage the encryption keys, and they are never sent to the instance. As a result, ServiceNow never shows sensitive data in clear text.

Encryption and tokenization

Edge Encryption supports both encryption (through encryption configurations) and tokenization (through encryption patterns) as a means of protecting your sensitive information.

Encryption configurations

You can encrypt individual fields using encryption configurations. Edge Encryption supports AES 128-bit and AES 256-bit encryption keys. Edge Encryption supports standard, equality-preserving, and order-preserving encryption types.

In addition to attachments, you can encrypt the following field types:

• String
• Date
• Date/Time
• Journal
• Journal Input
• URL

If a Journal field marked for encryption is added to the activity stream, all user input to the field is encrypted in the activity stream.

Note: Multi-byte characters within supported field types can be encrypted.

Encryption patterns

You can use encryption patterns to tokenize strings that match regular patterns such as social security and credit card numbers. While encryption configurations should be the primary method of encryption, use encryption patterns as a supplement to secure sensitive information found outside of encrypted fields.

Edge Encryption on the Now Platform

Edge Encryption acts as a gateway between your browser and your ServiceNow instance. Traffic from your browser passes through the gateway on its way to the ServiceNow instance. The gateway, in turn, is configured to encrypt outbound data that is marked for encryption. Inbound traffic is decrypted through the gateway, and the end user sees clear text in the browser. The advantage of this implementation from a security control perspective is that the encryption and key management are handled externally from ServiceNow.

What to know before you begin

Because encryption and tokenization change the nature of your data, Edge Encryption can affect other instance processes. Before using Edge Encryption, carefully consider the impact on your instance.

Because the proxy server is installed and maintained in your network, Edge Encryption requires network administration and management. Review the network requirements to ensure a smooth implementation.

Review the following topics to understand the impact of Edge Encryption on your instance:

• Planning for Edge Encryption
• Edge Encryption system requirements
• Sizing your Edge Encryption environment
• Calculate the order-preserving and tokenization database size
• Edge Encryption limitations
• Key management for Edge Encryption