Strengthening Your ServiceNow Platform Security Posture

The relentless rise in high-profile breaches involving sensitive PII highlights just how important platform security has become. As ServiceNow continues to enhance its capabilities and, consequently, store more organisational and customer data, it’s vital to make sure your instance is implemented and managed with the right level of protection.

As ServiceNow partners, we see it as our responsibility to help customers understand and make the most of the platform’s built-in security capabilities, ensuring that their setup aligns with both current and future needs.

Security Features at your Fingertips

ServiceNow comes equipped with several features to help strengthen your security baseline, including:

  • Security Centre
  • Secure Authentication including Adaptive Authentication (SSO, MFA, etc.)
  • Cross-Scope Privileges
  • IP Access Controls
  • Column Level Encryption (excluding Enterprise)
  • Log protection and SIEM integration

For those needing an extra layer of protection, advanced controls are available too, such as:

  • ServiceNow Vault
  • ServiceNow Protected Platform (AU), FedRAMP (US)
  • Encryption options like Full Disk Encryption, Platform Encryption, and Edge Encryption

However, not every organisation has the experience to fully understand or implement these features effectively. So, let’s look at some of the key ones and how they fit together.

Security Centre – your first checkpoint

Security Centre is the best place to start when hardening your instance. It provides best-practice recommendations and calculates a Security Score based on how many of them you have implemented. It also runs security checks through Security Scanner, to which you can add your own checks if required. Security Metrics let you monitor for pre-configured security events and trigger email notifications when they occur.

Security Centre is a simple but powerful way to provide a basic level of secure configuration for your platform.

Secure Authentication

ServiceNow supports local logins with MFA; however, most organisations prefer Single Sign-On (SSO) for its security and convenience, with benefits including:

Centralised Authentication – minimises the number of passwords/passphrases that a user needs to keep track of, reducing the risk of weak or re-used passwords. It also makes it easier to enforce password/passphrase standards and reduces effort for on-boarding and off-boarding users.

Auditability and Compliance – particularly in high-governance environments, this will enhance an organisation’s ability to audit access to systems.

Reduced Attack Surface – by locking out local sign-on capabilities, the potential entry points for attack are minimised, therefore reducing the risk of unauthorised access, credential theft and other threats associated with managing local accounts.

Adaptive Authentication takes this further by allowing or denying access based on factors such as user role, device type, or login location. For example, you might enforce MFA for admins but not for standard users already challenged by your identity provider (IdP).

Regardless of your setup, it is important to maintain strong password policies, regularly review inactive or departed users, and have processes in place to ensure that access to sensitive data is always minimised. If you are using local accounts, you can configure a password exclusion list in ServiceNow to prevent users from choosing known bad passwords. Better still, ServiceNow supports Passkeys, which avoid passwords altogether and make local accounts a little more secure.

If you’re subscribed to ServiceNow Vault, you can enable Zero Trust Access which allows for additional conditions and actions. For example, if your IdP performs a security posture assessment of the user’s device, those attributes can be passed across to ServiceNow. You can also leverage Continuous Authentication to enforce step-up authentication or re-authentication based on what data the user is accessing or what tasks they are performing.
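The two paragraphs above describe a decision model: attributes about the user, device and request (role, device type, location, IdP posture assertions, the sensitivity of what is being accessed) feed a policy that allows, denies or demands step-up authentication. The following is an added illustrative model of that logic, written for this article; it is not ServiceNow's Adaptive Authentication or Zero Trust Access code, and the attribute names (`roles`, `country`, `resource_sensitivity`, `idp_mfa`, `device_managed`) and the allowed-country list are constructed assumptions standing in for whatever your IdP and platform actually supply. The point it shows is deny-overrides evaluation and failing closed when a posture attribute never arrives.

```python
"""Illustrative access-decision model for the adaptive / zero-trust controls
described above.  Added example: not ServiceNow's Adaptive Authentication or
Zero Trust Access implementation.  Attribute names and the allowed-country
list are constructed assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # require MFA or re-authentication before continuing
    DENY = "deny"


# Most restrictive outcome wins; a later rule can never weaken an earlier one.
_RANK = {Decision.ALLOW: 0, Decision.STEP_UP: 1, Decision.DENY: 2}

ALLOWED_COUNTRIES = frozenset({"AU", "NZ"})  # constructed example policy


@dataclass(frozen=True)
class AccessContext:
    user: str
    roles: FrozenSet[str]
    country: str                    # asserted by the IdP or derived from source IP
    resource_sensitivity: str       # "public" | "internal" | "restricted"
    idp_mfa: bool                   # IdP already challenged this session with MFA
    device_managed: Optional[bool]  # None = IdP sent no posture attribute at all


def evaluate(ctx: AccessContext) -> Decision:
    """Return the access decision for one request.

    Every matching rule contributes an outcome and the strongest is returned
    (deny-overrides).  Missing device posture fails closed to a step-up
    instead of being read as 'compliant'."""
    outcomes = [Decision.ALLOW]

    # 1. Sign-in from outside the approved geographies is refused outright.
    if ctx.country not in ALLOWED_COUNTRIES:
        outcomes.append(Decision.DENY)

    # 2. A device the IdP reports as unmanaged may not reach restricted data.
    if ctx.device_managed is False and ctx.resource_sensitivity == "restricted":
        outcomes.append(Decision.DENY)

    # 3. Admins are always challenged with MFA, whatever the IdP asserted.
    if "admin" in ctx.roles:
        outcomes.append(Decision.STEP_UP)

    # 4. Standard users reaching restricted data need MFA unless the IdP
    #    already performed it in this session.
    if ctx.resource_sensitivity == "restricted" and not ctx.idp_mfa:
        outcomes.append(Decision.STEP_UP)

    # 5. No posture attribute arrived: don't assume the device is healthy
    #    for anything beyond public data.
    if ctx.device_managed is None and ctx.resource_sensitivity != "public":
        outcomes.append(Decision.STEP_UP)

    return max(outcomes, key=_RANK.__getitem__)


def decide(user, roles, country, sensitivity, idp_mfa, device_managed) -> Decision:
    """Convenience wrapper so callers don't build the dataclass by hand."""
    return evaluate(AccessContext(user, frozenset(roles), country,
                                  sensitivity, idp_mfa, device_managed))


if __name__ == "__main__":
    sample = [  # constructed requests
        ("alice", {"itil"}, "AU", "internal", True, True),
        ("bob", {"admin"}, "AU", "internal", True, True),
        ("carol", {"itil"}, "AU", "restricted", True, False),
        ("dave", {"itil"}, "US", "public", True, True),
        ("erin", {"itil"}, "AU", "internal", True, None),
    ]
    for row in sample:
        print(f"{row[0]:6} -> {decide(*row).value}")
```

Rule 5 is the one most often missed in real deployments: if the IdP is configured to pass a device-posture claim but a particular session arrives without it, treating the absence as "compliant" silently disables the control.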

Encryption – Protecting Data at Rest and In Use

ServiceNow has several forms of encryption, but the only one included with your standard platform subscription is Column Level Encryption (Standard). The exception to this is with ServiceNow Protected Platform (for AU), where the instance is hosted in a secure Azure data centre and includes Full-Disk encryption.

Column Level Encryption provides the ability to encrypt data in individual columns (for some data types), requiring users to be granted access to the encryption key via roles. This provides application layer protection for your most sensitive data.

Cloud Encryption is applied at the host level on the database server, which means that the operating system and everything in the database is encrypted at rest. This is great for satisfying some regulatory requirements; however, it does not provide protection for the data at the application layer, as Column Level Encryption does.

Platform Encryption (additional subscription) includes Column Level Encryption (Enterprise) and Cloud Encryption. The Enterprise version of Column Level Encryption adds support for more field types and allows more encryption contexts. With the two combined, you get the peace of mind that everything in the instance is encrypted at rest, with the additional benefit of being able to apply encryption at the application layer as well.

Full-Disk Encryption is encryption at the storage layer. While the performance overhead is minimal, Full-Disk Encryption requires dedicated hardware which can add complexity to your solution and may slow down some instance maintenance activities.

Edge Encryption leverages a proxy to encrypt data as it leaves the network. This means that data is encrypted in transit as well as in the ServiceNow data centres. It is only decrypted when it hits the proxy on the way back into the network. This provides the assurance that the data cannot be compromised outside of your network but also limits the ability to run any server-side processing that uses the encrypted data.

Log Monitoring and Protection

Log Protection is an often-overlooked feature. It prevents any kind of log tampering, ensuring that you can accurately report on activity within your instance, which can be important from a compliance point of view. Following the Utah release, Log Protection is available by default; however, it still needs to be enabled, which is strongly recommended to ensure the auditability of your instance activity.

ServiceNow’s system logs can feed into your SIEM via ServiceNow APIs, so you need not rely solely on email notifications from Security Centre. For ServiceNow Vault customers, the Log Export Service streamlines this data flow further. If your organisation also uses ServiceNow Security Incident Response, security incidents from the SIEM can feed back into ServiceNow, with the potential to automate response and remediation.
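As an added example of the API-based feed described above (not code from the article or from ServiceNow), the script below polls login events from the instance's `sysevent` table through the REST Table API and normalises them into CEF lines for a SIEM. The instance URL and credentials are placeholders, the sample records are constructed, and the CEF vendor/product strings and severity mapping are assumptions to tune for your SIEM. The detail worth studying is the watermark handling: `sys_created_on` has one-second resolution, so the query uses `>=` and de-duplicates by `sys_id` rather than using a strict `>` that would lose events sharing the watermark second.

```python
"""Added example of a SIEM feed from ServiceNow: read login events via the
REST Table API and normalise them to CEF.  Not ServiceNow's or the page's
code.  INSTANCE and credentials are placeholders; SAMPLE_RECORDS, the CEF
vendor/product strings and SEVERITY are constructed assumptions."""
import base64
import json
import urllib.parse
import urllib.request
from typing import Dict, List, Set, Tuple

INSTANCE = "https://<your-instance>.service-now.com"   # placeholder
TABLE = "sysevent"        # event queue; 'login' / 'login.failed' events are recorded here
FIELDS = "sys_id,name,parm1,parm2,sys_created_on"
EVENT_NAMES = ("login", "login.failed")
SEVERITY = {"login": 1, "login.failed": 5}   # CEF 0-10; constructed mapping

Event = Dict[str, str]


def build_query(watermark: str) -> str:
    """Encoded query for sysparm_query: wanted event names, created at or after
    the watermark, oldest first so the watermark advances monotonically.
    '>=' is deliberate (one-second resolution); duplicates are removed by sys_id."""
    return (f"nameIN{','.join(EVENT_NAMES)}"
            f"^sys_created_on>={watermark}^ORDERBYsys_created_on")


def fetch_page(watermark: str, user: str, password: str,
               limit: int = 500, offset: int = 0) -> List[Event]:
    """One page from GET /api/now/table/<TABLE>.  Needs a live instance, so it
    is not exercised offline.  Basic auth keeps the example short; an OAuth
    client is the better choice for an unattended collector."""
    params = urllib.parse.urlencode({
        "sysparm_query": build_query(watermark), "sysparm_fields": FIELDS,
        "sysparm_limit": limit, "sysparm_offset": offset})
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{INSTANCE}/api/now/table/{TABLE}?{params}",
        headers={"Accept": "application/json", "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["result"]


def _hdr(s: str) -> str:   # CEF header fields: escape backslash and pipe
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _ext(s: str) -> str:   # CEF extension values: escape backslash and '='
    return s.replace("\\", "\\\\").replace("=", "\\=").replace("\n", " ")


def to_cef(ev: Event) -> str:
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension"""
    name = ev["name"]
    outcome = "failure" if name == "login.failed" else "success"
    header = "|".join(_hdr(x) for x in (
        "CEF:0", "ServiceNow", "Platform", "1.0", name,
        f"Authentication {outcome}", str(SEVERITY.get(name, 3))))
    ext = " ".join(f"{k}={_ext(v)}" for k, v in (
        ("suser", ev.get("parm1", "")), ("outcome", outcome),
        ("msg", ev.get("parm2", "")), ("rt", ev["sys_created_on"]),
        ("externalId", ev["sys_id"])))
    return f"{header}|{ext}"


def process_batch(records: List[Event], watermark: str,
                  seen_at_watermark: Set[str]) -> Tuple[List[str], str, Set[str]]:
    """Convert a page (oldest first) to CEF and advance the watermark.
    seen_at_watermark: sys_ids already forwarded whose sys_created_on equals
    the watermark; '>=' re-reads them, so they are skipped here.
    Returns (lines, new_watermark, new_seen_at_watermark)."""
    lines: List[str] = []
    new_wm, new_seen = watermark, set(seen_at_watermark)
    for ev in records:
        if ev["sys_created_on"] == watermark and ev["sys_id"] in seen_at_watermark:
            continue
        lines.append(to_cef(ev))
        if ev["sys_created_on"] > new_wm:     # "YYYY-MM-DD HH:MM:SS" sorts lexically
            new_wm, new_seen = ev["sys_created_on"], {ev["sys_id"]}
        else:
            new_seen.add(ev["sys_id"])
    return lines, new_wm, new_seen


# Constructed sample mirroring the shape of Table API 'result' entries.
SAMPLE_RECORDS: List[Event] = [
    {"sys_id": "a1", "name": "login.failed", "parm1": "jdoe",
     "parm2": "Invalid username/password, ip=203.0.113.7", "sys_created_on": "2024-05-01 09:15:00"},
    {"sys_id": "a2", "name": "login.failed", "parm1": "jdoe",
     "parm2": "Invalid username/password, ip=203.0.113.7", "sys_created_on": "2024-05-01 09:15:00"},
    {"sys_id": "a3", "name": "login", "parm1": "jdoe",
     "parm2": "ip=203.0.113.7", "sys_created_on": "2024-05-01 09:15:03"},
]

if __name__ == "__main__":
    # a1 was already forwarded by the previous poll in the same second.
    lines, wm, seen = process_batch(SAMPLE_RECORDS, "2024-05-01 09:15:00", {"a1"})
    print("\n".join(lines))
    print("next watermark:", wm, "seen at watermark:", sorted(seen))
```

Persist `new_watermark` and `new_seen_at_watermark` together between polls; storing only the timestamp reintroduces the duplicate, and storing only the ids reintroduces the gap.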

ServiceNow Vault

Vault is a relatively new subscription that bundles multiple ServiceNow security tools, including:

  • Platform Encryption
  • Data Anonymisation
  • Zero Trust Access
  • Secrets Management
  • Log Export Service
  • Code Signing

The combined features of these tools help strengthen both platform and operational security. For instance, Data Anonymisation can automatically identify and mask sensitive information like credit card and account numbers, while Secrets Management restricts credential use to authorised functions. Code Signing ensures only verified scripts can run on MID Servers, reducing the risk of malicious code execution.
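The Data Anonymisation capability mentioned above identifies and masks values such as card and account numbers. As an added, illustrative example of how that kind of detection works in practice (not ServiceNow's implementation and not code from the article), the following masks card numbers found in free text only when they pass the Luhn mod-10 check, and masks plain account numbers only when a keyword names them as such, since those carry no checksum. The sample text and the `account no.` keyword pattern are constructed.

```python
"""Added example: detecting and masking payment-card and account numbers in
free text, in the spirit of the Data Anonymisation capability described
above.  Illustrative code, not ServiceNow's implementation; the sample text
and the account-number keyword pattern are constructed."""
import re
from typing import Tuple

# 13-19 digits, optionally separated by single spaces or hyphens, not glued
# to other digits.  Deliberately loose: the Luhn check does the filtering.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Keyword-anchored pattern for plain account numbers, which have no checksum.
_ACCOUNT = re.compile(r"(?i)\b(account(?:\s*(?:no\.?|number|#))?\s*[:#]?\s*)(\d{6,12})\b")


def luhn_ok(digits: str) -> bool:
    """Mod-10 checksum used by card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str, keep: int = 4) -> str:
    """Replace all but the last `keep` digits; separators are dropped."""
    return "*" * (len(digits) - keep) + digits[-keep:]


def anonymise(text: str) -> Tuple[str, int]:
    """Return (masked_text, number_of_replacements).

    Card candidates that fail Luhn (ticket numbers, phone numbers, serials)
    are left untouched, which is what keeps false positives tolerable on
    ITSM data; account numbers are masked only when a keyword labels them."""
    count = 0

    def pan_repl(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
            return m.group(0)
        count += 1
        return mask(digits)

    def acct_repl(m: re.Match) -> str:
        nonlocal count
        count += 1
        return m.group(1) + mask(m.group(2))

    text = _PAN_CANDIDATE.sub(pan_repl, text)
    text = _ACCOUNT.sub(acct_repl, text)
    return text, count


if __name__ == "__main__":
    sample = ("Customer quoted card 4111 1111 1111 1111 on ticket INC0012345; "
              "direct debit from account no. 12345678; callback 0412 345 678.")
    masked, n = anonymise(sample)
    print(n, "replacements")
    print(masked)
```

In a real deployment the same two strategies apply: checksum-validated patterns for data that has a checksum, keyword- or field-anchored patterns for data that does not, and a review of what the rules matched before they are allowed to rewrite records.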

ServiceNow Protected Platform

ServiceNow’s Protected Platform is an option for Australian Government customers where data sovereignty is critical. It has been assessed by the Information Security Registered Assessors Program (IRAP) to Protected level. Hosted in Azure, and segregated from the ServiceNow Commercial Cloud, Protected Platform has a different support model in place to ensure that all data – and ServiceNow support activities – remain onshore. Full-Disk Encryption is also a part of the standard offering.

Whether you’re using out-of-the-box features or advanced options like Vault and Protected Platform, ServiceNow offers an impressive range of tools to secure your environment. The key is understanding how to configure them effectively for your organisation’s unique risk profile.

With deep ServiceNow expertise and a strong focus on security best practice, AC3’s team can help you take control of your platform’s risk posture. Whether you’re looking to implement advanced controls, get more value from the features you already have, or design a roadmap for continuous improvement, we can guide you towards a more secure and resilient ServiceNow environment.