Edge-based Encryption and ServiceNow. White Paper

Transcription

1 Edge-based Encryption and ServiceNow

2 Executive Summary Edge-based encryption is a proxy-based technology that sits between a customer s browser and a ServiceNow instance. Users of cloud-based software are constantly looking for new and improved ways to secure their data within the cloud. One of the newest technologies to attempt to address this need is an edge-based encryption proxy like those offered by companies such as CipherCloud or SkyHigh. An edge-based proxy can be used against a ServiceNow instance, and it will properly encrypt data. However, there are significant pieces of application functionality that either do not work at all, or do not work as expected against encrypted data. Specifically, the following functions are impacted: Sorting Searching Import/Export Business Rules and Logic The functional impact of each varies and, in some cases, there are mitigation strategies that can be implemented. However, the fact remains that the use of these proxies does not result in a seamless user experience. Understanding the Technology Edge-based encryption is a proxy-based technology that sits between a customer s browser and a ServiceNow instance. Traffic from a customer s browser passes through the proxy on its way to the ServiceNow instance. The proxy, in turn, is configured to encrypt specific columns of data on its way through. The traffic in the other direction is decrypted, and the end user sees plaintext. Figure 1: Edge-based Proxy Deployment ServiceNow 2

3 Edge-based Encryption and ServiceNow Barring a vulnerability in the encryption protocol itself, there is no way any employee at ServiceNow can read the encrypted data. The advantage of this solution, from a security standpoint, is that all encryption is handled externally from the vendor (in this case ServiceNow), as is all key management. Barring a vulnerability in the encryption protocol itself, there is no way any employee at ServiceNow can read the encrypted data. Likewise, a series of infrastructure attacks, up to and including stealing instance backups or taking control of the hosts on which the instance runs, cannot reveal the secret data. The best way to understand what this means in practical terms is to use a side by side example of what a list of data looks like both from an end user s perspective and from the ServiceNow instance s perspective. In this example, assume that there is a list table of soldiers, each of whom has a name, rank, and serial number. Let s further assume that we have deployed an edge encryption device to encrypt the rank and serial number fields of the table. Abe Abel Captain Bob Baker Lieutenant Carl Casey Captain Don Draper Colonel Ed Earl Major Abe Abel $%$%! SDSD# Bob Baker ^SD^&% A%$SA$ Carl Casey $%$%! C^D#$% Don Draper 9ASD&(*A G%$^$ Ed Earl H7asdh78 H%#D# Figure 2: What the user sees Figure 3: What the ServiceNow instance sees From a security standpoint, the above is great; ServiceNow doesn t see anybody s rank or serial number, instead we see encrypted gobblygook. If we happened to know that Carl Casey was a captain, we could probably deduce that Abe Abel was also a captain since he had the same cypher text as Carl Casey; setting aside those sorts of known plaintext attacks the data is secure from us. A point worth making here is that, as far as the ServiceNow instance is concerned, there s no encryption going on at all, it just thinks that Abe Abel s rank is literally $%$%!. The same functional encryption could be implemented by the end user typing all of their ranks into an encryption device on their desktop, and then copying the output of that into the system. Naturally, that s not a reasonable work experience outside of the classified world, but it s functionally equivalent from the back end s perspective. That, in turn, leads to a series of challenges when the application tries to operate over this data. Sorting ServiceNow does all sorting on the back end server. As an application, ServiceNow deals with large data sets and generally returns the top N to the end user based on some form of sort. Asked for a list of users sorted by last name, for example, ServiceNow will ServiceNow 3

4 Edge-based Encryption and ServiceNow ServiceNow does all sorting on the back end server. sort all 100,000 users in the customer s database to find the first 100 and return those to the user. Depending on the presence or absence of an index, ServiceNow may, in fact, be able to avoid physically sorting that many rows. However, the point remains that the top N rows that match your sort are returned rather than, say, returning all possible rows and letting the user s browser do the sort. Since the application always sorts on the back end, and the application always sorts on the cypher text values, any user-initiated sort of encrypted data will produce results that appear wrong to the end user. Example: Sorting the list of soldiers by serial number. The end user expects to see Abe Abel atop the list of soldiers since his serial number, is the first serial number sequentially. In terms of cypher text though, the cypher value of his serial number, SDSD#, collates last in the list, leading to the end user thinking sorting is not working properly. Bob Baker Lieutenant Carl Casey Captain Don Draper Colonel Ed Earl Major Abe Abel Captain Bob Baker ^SD^&% A%$SA$ Carl Casey $%$%! C^D#$% Don Draper 9ASD&(*A G%$^$ Ed Earl H7asdh78 H%#D# Abe Abel $%$%! SDSD# Figure 4: User this is sorted incorrectly Figure 5: Back end this is sorted correctly In some edge-based encryption products, it is possible to use an order preserving hash instead of a classical encryption function. In doing so, all encrypted values are replaced with cypher text, but the cypher text values are chosen such that the collation values of each entry are retained. While this option sounds attractive, and does solve the sorting problem, it also introduces a cryptographic weakness into the system. Any user who can add data to the system and observe its collation order, or introduce somebody else to do so on their behalf, can quickly determine the plaintext value of any cypher text element via a binary search. Alternately, sorting can be disabled for any encrypted column by adding the: no_sort=true attribute to that column s dictionary entry. ServiceNow 4

5 Edge-based Encryption and ServiceNow ServiceNow executes all searches on the back end database, which means all searches will be executed against cypher text values, rather than plaintext values. Searching Like sorting, searching is limited for similar reasons. ServiceNow executes all searches on the back end database, which means all searches will be executed against cypher text values, rather than plaintext values. End users who enter searches (who only see plaintext) will perceive the product to be broken as regards to searching. For example, assume that users want to search all soldiers for those whose rank begins with C (presumptively they want both captains and colonels and potentially corporals). The back end will happily look at this table of users and look for those whose rank begins with C. Bob Baker ^SD^&% %$SA$ Carl Casey $%$%! ^D#$% Don Draper 9ASD&(*A G%$^$ Ed Earl H7asdh78 H%#D# Abe Abel $%$%! SDSD# Figure 6: There are no users whose rank begins with C The end user will be told that there are zero records matching the search, which will be, as far as they are concerned, wrong. Searches specifically for equality, or inequality, will still work since the search term for a particular plaintext will be turned into a search for a predictable cypher text as well. For example, searching for the soldier whose serial number is will be turned into a search for the soldier whose serial number is SDSD$, and will correctly return Abe Abel. None. Import/Export ServiceNow does all export and import activities on the back end servers. As such, any exported data, be it Excel, XML, CSV, or other, will export the cypher text values of any encrypted columns. Likewise, since ServiceNow physically cannot encrypt the data, any attempt to import data into an encrypted column will result in unencrypted (plaintext) values being written into the column. None. ServiceNow 5

6 The use of edge-based encryption with ServiceNow is an impactful decision that can lead to a degraded or surprising user experience for many common activities. Business Rules and Logic ServiceNow runs all business logic on the back end as well, so any business rule that wants to either read from or write to an encrypted column will run into problems. When reading values from an encrypted column, the business rule will read only cypher text. When writing values into an encrypted field, ServiceNow will overwrite the encrypted column with whatever plaintext value we stored. Example, a business rule which wants to test the value of the rank field on a soldier and send them an inviting them to the Officers Ball if they are a commissioned rank cannot do so. Likewise a business rule that wants to issue a field commission to anybody whose commanding general nominates them for one cannot do so since it cannot properly set the rank value. None. Summary The use of edge-based encryption with ServiceNow is an impactful decision that can lead to a degraded or surprising user experience for many common activities. Making parallel configuration changes between the encryption proxy and the ServiceNow instance can mitigate some of these issues, but for many others there is no mitigation strategy. As a vendor, ServiceNow neither recommends nor discourages the use of this technology as a whole, but we do want to ensure that ServiceNow customers understand the pros and cons of this approach. Using this class of technology will protect sensitive data, but due to the functional deficits associated with this approach, we recommend its use only for columns which: Have no back end workflow requirement Do not require import/export Are used in relatively well understood product areas where appropriate end user training can be implemented 2014 ServiceNow, Inc. All rights reserved. ServiceNow believes information in this publication is accurate as of its publication date. This publication could include technical inaccuracies or typographical errors. The information is subject to change without notice. Changes are periodically added to the information herein; these changes will be incorporated in new editions of the publication. ServiceNow may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time. Reproduction of this publication without prior written permission is forbidden. The information in this publication is provided as is. ServiceNow makes no representations or warranties of any kind, with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. ServiceNow is a trademark of ServiceNow, Inc. All other brands, products, service names, trademarks or registered trademarks are used to identify the products or services of their respective owners. SN-WP-EdgebasedEncryption