Database Encryption with Customer-Controlled Switch (DBE-CCS) is a solution that encrypts all database data at rest, that is, data that is not in use.

Overview

Database Encryption with Customer-Controlled Switch uses industry-standard AES encryption, with no impact on functionality. The database encrypts data as it is written to disk and decrypts it as it is read from disk. Applications always receive the data in an unencrypted state, so they can perform the necessary logic and functions.

DBE-CCS utilizes technology native to the database, often called Tablespace Encryption or Transparent Data Encryption. For more details on the technology, refer to the MariaDB website under "Tablespace Encryption."

DBE-CCS requires you to set up an HTTPS REST service endpoint that periodically provides the secret key to the ServiceNow instance. The CCS endpoint then returns the customer secret key encrypted with the public key of the database instance.
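
The key wrapping described above, shown as an added illustration with OpenSSL; it is not ServiceNow code and not the KB0789788 specification. The RSA-2048 key pairs, RSA-OAEP with SHA-256, the 256-bit secret key, and all file and function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added illustration of key wrapping, not ServiceNow or KB0789788 code.
# Assumptions: RSA-2048 instance key, RSA-OAEP/SHA-256 wrapping, 256-bit
# customer key, and every file and function name below.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for a database instance key pair: $1 = name prefix.
make_keypair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$1_priv.pem" 2>/dev/null
  openssl pkey -in "$WORK/$1_priv.pem" -pubout -out "$WORK/$1_pub.pem"
}

# Customer side: wrap secret key file $2 under public key $1, write to $3.
wrap_key() {
  openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" -out "$3" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
}

# Instance side: unwrap $2 with private key $1 into $3; non-zero on failure.
unwrap_key() {
  openssl pkeyutl -decrypt -inkey "$1" -in "$2" -out "$3" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 2>/dev/null
}

make_keypair instance                      # the intended recipient
make_keypair other                         # any other party
openssl rand -out "$WORK/customer.key" 32  # constructed 256-bit secret key

wrap_key "$WORK/instance_pub.pem" "$WORK/customer.key" "$WORK/wrapped1.bin"
wrap_key "$WORK/instance_pub.pem" "$WORK/customer.key" "$WORK/wrapped2.bin"

# Only the holder of the instance private key recovers the secret key.
unwrap_key "$WORK/instance_priv.pem" "$WORK/wrapped1.bin" "$WORK/out.key"
cmp -s "$WORK/customer.key" "$WORK/out.key" && echo "instance: key recovered"

if unwrap_key "$WORK/other_priv.pem" "$WORK/wrapped1.bin" "$WORK/bad.key"; then
  echo "other party: unexpectedly unwrapped"
else
  echo "other party: unwrap failed"
fi

# OAEP is randomized: two responses for the same key differ on the wire.
cmp -s "$WORK/wrapped1.bin" "$WORK/wrapped2.bin" || echo "responses differ"
```

Because the wrapped value can only be opened with the instance private key, the endpoint's response body stays confidential even to a party that can read the HTTPS traffic after TLS termination.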

Customer endpoint

Important: Your organization is solely responsible for setting up and maintaining your CCS endpoint. The customer endpoint specification is provided in KB0789788.

A ServiceNow technology partner, Fortanix, is available to implement your customer endpoint for you. Contact the technology partner directly about the integration. For details, see Using Fortanix Data Security Manager with ServiceNow.

Multiple ServiceNow version support

Important: Database Encryption is a paid infrastructure offering that is release agnostic. It can be applied to any supported release and to new or existing instances.

Other references

See the following references for additional information about DBE with CCS:

Reference    Description
KB0993681    Architecture of Database Encryption Customer Controlled Switch
KB0789788    Implementation guide for DBE with CCS
Note: To access KB articles, you must first authenticate into Now Support.