Securing Success ServiceNow Security Solutions for Real World Business Challenges
Okay, so before we begin we'll also hit Safe Harbor and do a little housekeeping. This presentation may contain forward-looking statements that reflect the current beliefs of ServiceNow and are based on current information that is available. These forward-looking statements should not be relied upon in making purchasing decisions. The majority of this isn't, but in the event that we get into a Q&A or get into some conversations we might run into that, and we'll try to highlight that as part of it.

All right, so when we think about security, it is a partnership between the provider as well as the customer, and both of us have specific responsibilities. ServiceNow provides customers with a secure cloud environment and the tools within the Now application to secure your instances and your workflows. Now, ServiceNow provides its customers with extensive capabilities to configure these instances to meet your own security policies and requirements; however, overall security responsibilities, again, are shared between us, you guys the customers, as well as our colocation data center providers. Now, the table that you see on the right-hand side of this slide shows a list of those key responsibilities within the ServiceNow shared responsibility model. I'll also point out, and you'll get a copy of this presentation, on the left-hand side there is a link to get the full document here. I highly recommend you take an opportunity to go ahead and click on that link. It will provide this material but also the ability to dig in at another level, and it does a really good job of listing out some more details regarding what is ServiceNow's responsibility as well as what is the customer's responsibility, especially in those areas where you see that we both have responsibilities for a particular line item. Right, so a lot of good context there; definitely hit that. But when we think of the shared responsibility model, this is obviously a good representation of how to do that, but sometimes we like to talk about this in a different way, right? And so with that being said, I'm going to hand this over to Will and he's going to take this through, again, a different way to look at it.

Thanks, Jimmy. Yeah, so when you look at the platform that you get from ServiceNow, there's a couple of different perspectives that we want to look at. So one, right, we provide a secure instance to our customers, or the ability to secure your instance, in a couple of different capabilities. So when you look at the left of this slide, you'll see that in that dotted-line box this is what all customers get no matter what products or solutions they've purchased on the platform, as part of the core platform. So on the left side of that you see the Invisibles. That's something that, basically, from a service provider perspective, in the way that ServiceNow goes to market with our platform as a service, these are things that are managed by ServiceNow on the back end. We have a core compliance portal via our support site that allows you to access a plethora of very detailed documentation, operating processes, etc., to validate and understand ServiceNow's processes, right, and how we help secure the platform on the back end from an infrastructure perspective. Outside of that, right, you have the aspect that, because of the shared responsibility matrix, there are a number of areas of the platform that require configuration, especially for those of you that are new customers onboarding into ServiceNow. It's really important to understand from a best practices perspective: you're dealing with a platform, right, there's a lot of aspects to the platform, but it's also another enterprise application within your environment, and there's a certain set of security controls that need to be applied on top of that. And additionally, what we've called out on the right side of this slide is the concept of enhanceables, and what we really mean by that is the idea that if some of the basic security controls and capabilities that we provide on the platform (and by the way, we're going to spend our time on the left side) don't cover your needs, right, there are some additional capabilities that can be purchased. Next slide. And so again, as I mentioned, most of our talk track today is going to really focus in on the configurables aspect of the platform.

Excellent. So today we have about 18 different scenarios that we're going to bring to you, and all those 18 different scenarios really fit within these six buckets, right? So we're going to focus a little bit on restricting access to the Now application itself, restricting access within the application, we'll talk a little bit about data security and data privacy, logging and monitoring (obviously a very important one), instance hardening (again, very critical), and then one of our favorite topics, which is encryption. And so to get started we're really going to almost combine the first two, because it's all about access controls, right, and access management. So we're going to start off with talking a little bit about single sign-on; most organizations are going to want to integrate with single sign-on, and we'll talk about that concept we call adaptive authentication, as well as SCIM if you're aware of that, multi-factor authentication, access controls and dynamic data access filters, right? So let's dig in. And before I walk through the scenario, I just want to let you know that this is the format that all these slides are going to look like; they're all going to follow the same components. On the top part, up on the right-hand side, we're calling out what's the persona, right, that we're really talking to. It's not all-inclusive, it's just that persona, but we try to identify who's the individual or the persona that we're
really trying to focus on as part of this. On the left-hand side we're going to talk about the user scenario and a recommendation, and then we've got some visuals and some information in the middle. So with that being said, first scenario, number one, Will: my company needs to comply with our security policies, which state we must utilize single sign-on and limit local logins to individual systems. So how do you respond to that, Will?

Yeah, thanks for that use case, Jimmy. So this is a real key one, right, especially as new customers, new platform in your environment. ServiceNow is really built to follow in line with your enterprise authentication strategy, right? So ServiceNow has a plethora of support for different single sign-on services. We strongly encourage customers to use this as your key authentication, right; it keeps in concert and consistent with your enterprise policies around authentication that you already have in place. So using what we call the multi-provider single sign-on capability, once you enable that, that does also then bring into play a little bit of our onboard policy engine that we're going to talk a little bit more about with adaptive authentication. In leveraging, in concert with enabling SSO, the other thing we do is we turn on the capability called account recovery, right, and what account recovery is used for is really for you guys to be able to support the SSO connection and to have that local capability of logging on. So defining local accounts that are local to the ServiceNow database but limiting their access and capabilities, right, so that you don't have a significant amount of exposure from local accounts, and this will also then remove the ability for your other accounts to log in, right? So keeping that in mind that you don't have local usage; it's all done through your single sign-on. So this is just a really good best practice; it's called out as well in our best practice guide, but one of the key scenarios we wanted to bring up right away, out of the box, for new customers.

Thank you, Will. And just to clarify, that account recovery capability, that's really a break-glass kind of scenario, right? It can be utilized if your integration with your single sign-on provider goes south; it's the ability for somebody to be able to get in and actually fix that, right, and get you back up and running.

Yeah, it is, and it's leveraging a key component of the policy engine that we're going to go into in a bit more detail. So definitely a good call-out, Jimmy.

All right, thank you, sir. All right, the next scenario: my company needs to allow contractors and employees access to the Now Platform only from trusted network IP ranges.

Yeah, so we're going to talk about this concept too. So when we look at authentication with ServiceNow, you have your single sign-on, your identity provider solutions, right? I know we have a mix of ServiceNow admins and security personnel on the call today, so, you know, if we're integrating with your single sign-on, your identity provider internally, we're taking advantage already of policy evaluation that you've made internally, right? So things like where's this login coming from, right, what's the risk of this session. Those are really important aspects when you look at the next layer. The next layer is ServiceNow as the application: how do I take some of that context, or continue to apply context, down at the application level, right? So a couple of key things we're going to talk about with these initial use cases: really the idea of pre-authentication or post-authentication capabilities. And basically the concept here, right, is if you want to build a true trusted model with ServiceNow and you just don't have a use case that extends to allow a significant type of users externally into the platform, you can just completely, from a pre-authentication perspective, restrict your IP addresses, right? So you can basically do what we call global IP address access lists. Now outside of that, right, if you have use cases that go beyond that, there is the ability to do that at a post-authentication element as well. But just keep in mind the key differences, and to understand that is, again, if your use cases are very limited, the people that are touching the platform are coming from a trusted set of space, you know, maybe you're forcing your users to VPN to access ServiceNow, no problem, you can reduce the attack surface on the ServiceNow interface by leveraging this IP whitelisting.

Fantastic, Will. All right, well, let's bring a little complexity to this in our next scenario, which is very similar, which is: my company needs to allow access via the Now Mobile applications, because I want to take advantage of that, but I also want to utilize IP whitelisting. So those are kind of in conflict; how do we deal with that?

So I look at this like an onion, right? So we're starting to peel back the layers, and so the first layer is, if I can put pre-authentication filters in place and I can limit the exposure of who's going to connect, great. Not always does that work, right, and that's okay, right? So the platform does a lot of things, so depending on how you're using it, that will kind of dictate that. So the next tier is, if I've chosen to put that pre-authentication capability in place and I've blocked access, but then I determine, oh darn, I need mobile use cases, right, I've got mobile devices that are coming from who knows where, right, maybe I'm not using MDM, mobile device management, proxies or things like that, I don't want to deal with that. So the benefit to this trusted mobile component is I can have all that blocking that we talked about at our pre-authentication and still register mobile devices and store them in the
user profile associated with the user, so you still have control to deactivate them, but still allowing them to come in with a different set of attributes that allows them to be more flexible on a cell network somewhere that you don't control the IP space.

Fantastic, fantastic, great capabilities. All right, so let's get a little more granular: my company wants to enable different step-up authentication requirements for various types of high-risk users. And then there was a question in the Q&A that came up, I did respond quickly, but this one I think we'll dig into a little bit as well. So, Will, how would you respond to this one?

Yeah, so this is where again we're kind of pulling the onion back, so now we're looking at more post-authentication type flexibility, right? So now once a user has done the initial authentication, which ideally, right, is coming from your SSO anyway, then at that point, right, I can apply various types of policies to whether or not that user should have access to the system, right? Maybe that type of user, because of the role that they're in on ServiceNow, like they're an administrator, right, perfect example based on the question, I might say, hey, because it's an administrative user I want to have an additional level of MFA. And it's not that your MFA wasn't good the first time; it's just because now we're talking about the application level, right, so we want to do an additional level of validation. So this allows you to have different types of policies within the adaptive authentication capability to look at each different type of user based on where they're coming from, look at maybe groups that they're in. Like, for example, another good use case would be if I'm using the platform for business use cases that might involve sensitive data, right, I might have a user that has a role to an HR app or a financial services app or something where that's going to give them greater access. I can do things like adding multi-factor authentication, or maybe I want to restrict access conditions if they have a role that's sensitive data, right? I might have a requirement that says if you're going to access ServiceNow and you're going to access HR data, I want you to be on the corporate VPN, right? And so I can have a very specific policy that says, because that user is in a role that has access to HR, if I'm going to give them access they have to meet that condition. So there's a lot of flexibility with this tool, built into the platform, provided out of the box.

Absolutely, thank you, Will. And yeah, there's a couple of things to this, right? I think we all recognize that some of the IdPs out there also do some of these things, especially in the pre-auth component or perspective, and that's fine; if that's where you want to have some of these security controls, that's perfect. But there are situations, there can be situations, where it needs to be down at the application level, and especially when you start digging into roles and privileged users and maybe not providing them privileged access into the platform after they log in, based off of certain conditions. So there are certain things that we can do there. And also we talked a little bit previously about, you know, we've got the configurables, which is all the free out-of-the-box capabilities, and we have the concept of enhanceables. This is also one of those where there's a list of enhanceables, so again for more advanced use cases and things of that nature there's more offerings available to this one, but we're not going to dig into those details.

All right, so next scenario: I want to leverage Azure AD as the authoritative source for user IDs within our Now instance.

So this is a great example, Jimmy, of capability. So we support SCIM, right, which is an industry-standard capability for syncing identity management elements, right? And so what we believe in, right, is that customers ideally, right, if you do have a great access governance, user governance product or solution in-house, that you should be able to be consistent with ServiceNow, right? And so what SCIM allows you to do is be able to, right away when you're establishing your framework for access control, be able to say, hey, I want to set up, in this case, right, Azure AD as my authoritative source for groups and roles and things that kind of define what users in my environment should have access to what things. And so you can map that down into ServiceNow and bring those attributes with, again also understanding that ServiceNow can also be a provider of that information back as well, so it is a two-way street. And we think it's super important, but not to dismiss this at all, because the key piece here is having this capability following your corporate identity governance strategy and giving both your security team and your platform admin team the comfort that these things are being done in an automated fashion.

Very nice, very nice, thank you, Will. All right, let's dig into, we've talked a lot about what I kind of look at as initial configuration, right, core configuration: get me set up in my access control and access management environments, be able to take certain capabilities or whatever so that you can get started. But now let's dig into certain components within the application. So in this scenario: I need to restrict access to specific data to any user, including admins, unless they are part of a specific group based on unique conditions.

Yeah, this is a great question. So one of the things we get asked a lot from customers is, you know, I have a specific set of data or I have a record condition, right, thinking that high-priority type event. You know, we had a lot of customers that use our security operations solutions or other types of sensitive data solutions where, in a certain scenario, I might have a case that's related to a sensitive anonymous
employee report, or I might have a sensitive data type scenario on the security incident, or even an IT incident that becomes sensitive because of the content that it's related to. We have this capability that we embed out of the box called data filtering, and what data filtering allows you to do is be able to do exactly what I just described: so define the condition that defines what is making this record sensitive, right (so understanding it's not so much data-centric right now, it's really more focused on the record itself, right, what the record contains), and then defining who is allowed explicit access to that record. So this runs outside of the ACL evaluation, and it runs before that. So this gives you the power and control to be able to make this type of a configuration. To give you a quick example, it would be something like, we've seen it before with our IRM solution, right, and audit data. You have audit elements where you're running audit processing through ServiceNow and you might be collecting evidence, and it should be very specific that nobody necessarily has access to that evidence other than privileged people. And so you could define a data filter on top of the already good controls that you have in place; a data filter can be an extra layer to ensure and even block admin access, right, to that data. So this is explicit, and that's the key I want to make sure is really clear to the team as they leave here: this is a really great tool that changes the access to an explicit definition when it matches this filter, right, meaning that whatever you specify access to, that data, that record, is the only thing, only user, only role, right, that can access that data.

Awesome. And, Will, as a follow-up, I mean this is a capability that can extend really to any of the ServiceNow modules, right, or capabilities, right, because it's a core platform-centric configuration, right?

You can use it on any table, any field within a table in ServiceNow. System tables are a little bit of an exception; there are some ways to get on that again, but at the end of the day it's primarily focused on data-related tables, functional application tables.

Awesome, good job, Will. All right, the next scenario: I need to ensure the right users and groups have the proper access while preventing unintended access to sensitive data. Now obviously this is a really good capability that's been top of mind, and so, yeah, let's dig into it.

Yeah, so this is a great tool that our teams determined they needed to develop, something to help both our admins and our security professionals, right, from an auditing or validation perspective. But basically this tool is, again, as with everything we're discussing today, provided for you on the platform. It's called Access Analyzer. The benefit of running this tool is it really gives you that fine-grained GUI, quick, easy capability to identify what a user might have access to, or when you're trying to troubleshoot access or validate access. And then some new capabilities were added to this as well to allow you to compare roles too. So I can look at it and say, hey, you know, what does Chris have access to? She should have this access in my business, and I want to make sure that Jimmy is set up similar to Chris, and I want to compare those users' access, right, because they're in similar roles. This tool will also now let you compare that side by side as well. So some really great capability for troubleshooting as well as visibility into what a user has and what's applying the access: is it coming from a business rule, is it coming from an ACL, what's actually enforcing the access?

Yeah, I love it. You know, access management in really any system is never a completely easy task, and I love the fact that our teams are building out these capabilities just to provide better tooling, better visibility, in different ways to analyze these components. So well said, well done. All right, so that wraps up the first two components, and again, when we talk about restricting access to apps and restricting access within the app, we covered single sign-on, we covered adaptive authentication, SCIM as a standard in the capabilities there, multi-factor authentication as part of adaptive authentication, access control lists, and then dynamic data access filters.

All right, so let's dig into the next topic, which is data security and privacy. We're going to get into cloning security, data classification, as well as sensitive data handling. All right, so cloning obviously is a big thing, and cloning is something that you're going to be doing on a regular basis, taking your production data, bringing it down to your sub-production data for, you know, development, testing purposes, things of that nature. But one of the common scenarios that comes up with that is, well, when I perform these clones I need to exclude certain company data or certain sensitive data, and in this example, this scenario, it's company table data from production when I clone down to development. So, Will, what are the capabilities that we have listed on that one?

Yeah, so we're going to talk a little bit about this. I will give you a disclaimer going into this section: there's a little bit more capability offered in our paid solutions in this area, just because there's a lot of intelligence around identifying sensitive data, you know, and being able to drive automation and remediation. So just kind of note that as a side item; again, not something we're going to talk about today, but along the way there are a lot of capabilities. We'll step through some of the data privacy pieces where you can use the tools that are out of the box to do what you need to do. So the big one for customers, right, is this scenario of: I want to be able to clone down a production environment to a sub-production environment and I want to minimize the risk, right?
And so again, I can get a little bit more granular (caveat: with the paid solutions, because I can get more specific into the data), however with these tools right out of the box I am able to do things like exclude different tables, fields within the table, or even set up different scripts to exclude certain data if I want to get to that granularity. So there is power and capability built into these capabilities around clone scripts and clone profiles, so you definitely can meet your needs there. And then also using things like cleanup scripts, which we mentioned here as well, to really help you, post-clone, be able to go through and run any formal tasks to remediate, minimize any data risk.

Absolutely, perfect, Will, thank you very much. All right, we will go to the next scenario, and that scenario is: I need the ability to classify PII data, or really any type of sensitive data, within my instance. All right, what are the capabilities there, Will?

Yeah, so out of the box we include what we call data classification, and this is really kind of foundational. So this is important because you can go through here and use this tool to help you identify any fields that, you know, sensitive data should be within, right? So keep in mind this tool is much more of a static tool, where I'm defining the data that I know should be coming in: I have an application or a table, or I'm creating fields where I want sensitive data to be, and it really helps you track and manage where that is. This is not meant for the structured discovery of data, not with what's included here; again, another side note, that is really part of the paid solution that can do that. But this tool is foundational for where my sensitive data is within the platform, right, and building your classifications.

Awesome, awesome, thank you. And then the next one, which is: I would like to mask sensitive data within chat interfaces, because chat interfaces, you know, they're getting pretty popular these days. So what do we do with that?

Yeah, I love this one, because, you know, one of the big things about chat is it's really hard to control what an end user is going to put in. It's a little easier when you're in a structured interface or you can run rules against it and stuff. So chat has built into it, out of the box, a sensitive data handler capability that can be enabled, and the benefit of this is that it kind of does two things. One is there's a built-in, out-of-the-box profanity filter for things like that that you probably just don't want in writing in your organization. Or on the flip side, maybe you make people mad when you work with them and then you don't want them to say bad words to you, but anyway. The other side of it is really this regex capability, where there's an out-of-the-box rule set that all comes with sensitive data handler, and then some additional regexes; you obviously can create your own, you can customize and tweak them, so that it can identify if there's like a Social Security number pattern or some special, you know, PII-related element that you want to make sure doesn't get into the system, right? It gives you the ability to manage that on the chat side.

Awesome. So, you know, I like when I'm working within chat and I'm interacting with somebody and they need my credit card information and I put that in there. So you're telling me that it can, you know, help protect people like me?

It can, and it also helps protect people like me, because Jimmy does sometimes use bad words, so it helps kind of keep that profanity to a minimum too.

I appreciate that. All right, well, thank you. So those are the three scenarios that we went over with data security and data privacy, which is, again, we talked a little bit about cloning security, and as Will stated, that is kind of the baseline capability; there's additional capabilities that we have in that space, data classification as well as sensitive data handler.

All right, logging and monitoring. We know this is always an important one, and we have a lot of conversations about this. And so the areas that we're going to focus on are around Security Center and some metrics within Security Center, a very important capability, so we're definitely going to highlight that. And then we'll talk through a couple of different ways that you can either see log events on platform, as well as the ability to follow some of the best practices and export those logs right into your own security environment, your SIEM. All right, so with that being said, the scenario is: how can I monitor critical security metrics to capture potential security threats within the application?

Thanks, Jimmy, this is a good one. And so since everybody on the call now knows that I like onions, we're going to start with another onion here. So logging is that same thing. So just keep in mind, when we look back at the shared responsibility matrix, ServiceNow manages the logs related to the infrastructure, the management of the platform, as a service provider, right? So keeping that in mind, right, when it comes to the application and anything that goes within the application, access, data, etc., right, that is not something that ServiceNow monitors; that's not something that we manage on behalf of customers. So what's really important is to understand, right, that this is an application just like any other application in your environment, any other enterprise application: there's logs, there's data, there's elements of monitoring access control and making sure that from a security perspective, right, this solution is meeting your requirements, and of course, right, you're monitoring it in the same way you'd monitor other applications. So when I talk about the onion, I'm going to start with the fact that we provide a tool on platform, right? So Jimmy talks kind of so nicely about this, but the reality is Security
Center is an amazing tool that we've built on platform that has a ton of metrics; I think the number's up to 160-plus metrics that we provide out of the box for dashboards. You can customize the dashboards, you can work with that. We've got some, so under the Safe Harbor comment, we've got some notification framework coming out here shortly in a release, I believe next month, but basically giving you full capability to manage and monitor the platform from within the platform. The roles for Security Center can also be delegated, right; if you've got security partners in your business that want to help you, right, that's also something that can be done. So that's a good start. Let's go to the next part of the onion, Jimmy.

Yeah, let's do it. So this scenario is: I need to browse various log events to identify potential malicious activity.

All right, so pulling back a layer here. This is where, from an admin perspective, even potentially from a security perspective, it's a little bit more raw and heavy, but all of the logs can be looked at on platform and can be searched. And so essentially if you're troubleshooting or trying to look for certain values or data points based on a period of time, the log file browser does give you full access to all the logs sitting within the system in a raw format that allows you some general filtering.

Fantastic. All right, and then the next one is, so, you know, we recognize that there's a lot of logs, there's a lot of really good information within those logs within the application, but we also recognize that your security teams have invested a lot of money into a lot of capabilities, right? And so instead of having just the ServiceNow application as a one-off, right, where we've got to go over here to go look at different types of alerts, different types of events, we want to provide those capabilities, and what we talked about previously, and again Security Center is definitely important, but from a best practice perspective we want to provide you the ability to export your application logs, bring them into your own security ecosystem, so your security teams can do what they do best and set up their monitoring, their alerting and all the capabilities they have in there, and it's all, you know, again, within their ecosystem. So the biggest question is how do I do that? Well, so in this particular scenario: I need to export my instance logs to my on-prem SIEM.

Yeah, so this is the first part of the let's-get-logs-out-of-the-system, right? So there's basically two ways we're going to cover; this is the first one. This is the, I would call it, the tried and true; it's been around forever. ServiceNow pretty much has supported this model for a while, a lot of flexibility, right, in how you decide to export logs, but in the end, right, it's leveraging what we call the MID Server, which is the on-prem component that you can install in your environment for ServiceNow, to essentially take and pull down the logs, right, in a sense, right, and again depending on how you want to send and what logs you're trying to bring down, pull them down in a syslog format to allow your SIEM or your existing enterprise security tools to go ahead and grab that log file data from a MID Server in your environment. So again, this has been around for a long time; there's no additional cost associated with this solution. It does have, you know, it's syslog, so syslog is what it is, and that's why we'll talk about the next solution that we've made available as well.

Absolutely. All right, so to follow on to that part of the onion: I want to export instance logs to my SIEM utilizing Kafka streaming services, or, you know, I'm from Dallas, Kafka, Kafka, I don't know how you say it, but, Will, how would you respond to this?

I still don't, I'm from the Midwest too, so calling it Kafka, you know, I don't have an answer for that either. But so this is a newer capability that we released on platform
uh so all of our customers if they choose to can have take advantage of what we call it's a starter skew which is a no zero uh order but if you if you work with your account teams right they can make sure that you have this uh it's called log export service is the name of it um and there is again a starter skew what I mean by that is that the only thing it limits you on is not capability it limits you on capacity because what happens here in this model is this leverages the Hermes messaging bus and it stores data on a Hermes server right so we create each individual stream gets its own unique server node storage right and and on that node you get 500 gigabytes per month of storage for included in that starter skew now again some some you know average customers probably just fine you won't need to worry about that you can monitor it through your subscription uh through your instance in the subscription monitoring area um so you know if you're at near that capacity or going over you can also then purchase multiple uh chunks of storage right above beyond that so that's kind of the caveat the purchasing caveat the benefit to this though ultimately in the end is it's a streaming service that leverages a lot of filtering capability so I can kind of get more granular with how I want to send logs it also does not put the same stress on the instance because of the way that CFA works it's smoother for the instance to be able to once you configure these rules to send this data without putting overhead on a highly used system um and then again storing those data that that that log data on that CFA endpoint right allows you to either set up a consumer or a push model uh with your other SIM type Services right so thinking of things like elastic or Splunk or other things you might be using in-house and it's a much more consistent stream so it's a little bit more near real time um so ultimately at the end of the day right this is the direction we'd love to see customers move to 
the only reason we license right really is a capacity it's a cost of storage right so it's not a a functional reason it's it's more of a a capacity thing yeah absolutely and and uh yeah and again from a security perspective I I I can't emphasize enough when you when you think of it being near real time streaming capabilities versus you know the mids server U syis probe capabilities there think about in that scenario You' got to download it into your local environment maybe do some massaging or whatever and then and then you know shift it off via sis log to your Sim in this scenario again near real time you know streaming capabilities straight into your sim which means Securities monitoring near real time alerting capabilities because we know in the world of security uh time definitely matters right all right abolutely so that was logging and monitoring again security Center we touched on we're going to touch on it again because it is that important um but we also talked about how to look at log events within the application itself we talked about the CIS log probe export capabilities as well as the log export service again to to be able to consume those logs within your own security ecosystem into your sim and let your security teams do the great things that they do all right let's move to instance hardening again we talked about the shared responsibility model right and there are components right that again are the customer responsibility so we want to be able to provide some visibility into those things so we're going to dig into security Center again this very critical application that if you aren't aware of it and if you never utilized it please after the session if you don't do anything else please install it get your hands on it and and start uh you know getting value out of it all right so the first scenario I need the ability to scan my instance to detect potential insecure settings yeah this is a this is a good start here and just so the folks on the phone 
know as a Vancouver uh security Center should be in installed by default so um if you're on pretty much at this point should probably be on one of those releases you probably will have security Center already within your instance just FYI um but security scan is really valuable because it does allow you to be able to go out and establish a foundation for scanning the instance to identify configurations that you want to address maybe above and beyond some of the stuff we're going to talk about in the next slide that's by default um this is a very comp comprehensive tool we've released actually some uh knowledge based articles on how customers can create their own checks and run scans against their own checks so if there are certain configurations that are critical to your business your security team from a monitoring auditing validation perspective uh this is a very flexible capability in security Center Again by default it really allows you to be able to go in our huge library of checks set up the checks that you really care about that that are interesting to you schedule them set them to run um and then be able to do some trending and and Analysis on where are we at with this stuff right where are we at with these security risks that we're coming back with and again keeping in mind that any of these findings that you come back with when you're running these checks allow you a full workflow to help you work through the check and remediate that particular finding from that scan fantastic all right and the next one is I need to keep my instances secure by following service now best practice recommendations yeah again this is another one it's related to what we just talked about with the checks rather this one's a little bit more specific because in the base hardening dashboard and and scoring that we look at we've made sure that the service now checks that we think are the most important and critical roll up into that now understanding kind of Jimmy made a point 
right around I think I'm sorry maybe you didn't make this point Jimmy but baselining for this um will be somewhere in that you know 85 to 90% if you can get higher than that that's great the reason why is because there's some checks we really don't want you to be able to suppress and at the end of the day like it can kind of boat against your store a little bit but if it's not relative to you it allows you to put comments on there and kind of track that um but we kind of keep the scoring consistent so that we don't have customers deviating significantly from the outof the boox library that we want you to measure to so again this is a great tool to really out of the box help you look at some of the and critical components of configuration that we really want you to focus on for Best Practices yeah and well you you you read my mind because it was definitely something that I want to bring up which is that compliance score you know and Will's Point look everyone this this is not grade school we're not trying to hit a 100 right we're not going to get a 100 if you if you configure your instance to get to a 100 you're probably not going to have anybody accessing it I mean it's just the way it is the goal of this is to go through and look at all do a scan where are you aligned where do you have gaps with you know the documented best practices right I and analyze those those gaps right and we we give criticality we have them all in different you know domains different types of buckets right but go through and and analyze each one of those and start to determine which one of these makes sense for us and which one of these may not make sense for us because at the end of the day every customer is unique every customer has different business requirements and H and that's going to translate to how you're going to utilize the platform and so some of those configurations you just won't be able to align yourself with right but the goal is to go through that analysis get that 
Baseline compliance score and then over time continue to monitor that yeah every once in a while we're going to bring out more checks right which is a good thing and that's going to cause it to deviate a little bit but anytime it deviates go check it out analyze it understand why it deviated understand are there new things that we need to go analyze and figure out right and and and see what makes sense going forward so that's really the intent awesome thanks for that Jimmy yeah absolutely and so again security Center use it use it use it uh we went through the security uh Center scan and we talked about the security Center compliance score as well all right so last section of the day you doing all right will you gonna be able to handle it oh I got it I got it I'm excited for this section yeah this is your favorite so we're going to talk about some encryption capabilities and again these are the aox capabilities right as part of the configurables there's multiple Advanced capabilities we've have in the paid for stuff but that's not today's session what we're talking about is free so we're going to talk about you know how do I encrypt certain data within an application right and then attachments that's we get that often and so let's dig into that um I need the ability to to encrypt sensitive pii data within my HR application I want that additional level of crypto control above and beyond ACLS how would we do that yeah and this is uh this is one we get all the time right from customers when they start looking at different workflows or bringing maybe a a tidbits of sensitive data on the platform so I think that definitely um the key piece here to understand is this is the encryption that we provide out of the box it's part of the contract it does require you guys to enable it so when you want to achieve the data at rest right this does need to be set up on fields that are critical to you to be able to have that data at rest encryption um what it also is is as Jimmy 
alluded to right is this is Access Control based encryption so this is a pretty robust set of encryption it's not just a like check in the box right we encrypted things at some data at rest standpoint um this is truly Access Control level encryption meaning that you're going to define the different user roles and requirements to who's going to get access to that data when these uh these field configurations are set up um so for example right if you have a again we'll use HR right as the example where if you have the HR application installed we have really good security with the scoped application and separation we talked about tools like data filtering and how we can look at it from an ACL or a data access perspective but let's say you have a requirement that says hey this data just needs to be encrypted and and from the workflow right you're bringing data in I would then use column level encryption but not only does it encrypt the data at rest it encrypts at the application Level and provides that access control that additional access Access Control level requirement as well so if somebody for some reason gets access to run a report on some data gets some sort of access maybe that they didn't necessarily you didn't intend for them to have they're not going to see that data because they don't have access to the crypto policy to decrypt it right so this think of this as your extra insurance level data protection and again can meet your encryption as Jimmy mentioned in part of our Advanced security offerings we do have a couple other offerings and we do have an expansion of this offering in our Enterprise version um happy to go through that in separately reach out to your account teams if that's something you want to engage on but at this point right this is what's provided for customers to use out of the box absolutely thank you will and last user scenario of the day we're doing really good on time which is great I need the ability to encrypt attachments within my 
incident tickets yes this one uh is a good one right because a lot of customers are concerned about files that get put in the platform that maybe you don't have as much control you know you can do some file type controls and things like that but this allows you to set up a uh what we call the module policy right or granular Access Control encryption policy on those attachments so by default you can encrypt all attachments and and by default I believe on the new installations uh attachment encryption is enabled by default but this allows you a little bit of granularity so I can say hey you know what for attachments on the HR table I want to use a different access policy than ENC attachments on the incident table in maybe it service management so just kind of keeping in mind right this is really around a a granularity because we use a a uh you know an industry standard uh Key Management framework to help manage the overarching policies and and the cryptography behind this right so you can truly get into a role-based separation as well with this capability again this all is the same these last two slides same capability called column level encryption um again leveraging our key management framework and fully supporting delegated roles and responsibility around who can manage the crypto who can manage the policies those types of things so awesome thank you will so to wrap up that was encryption we did the two main use cases that we talked about that are you know covered within the free capabilities out of the box so encrypting uh sensitive data within a particular application so we did pii with HR as well as encrypting attachments right um call to action oh yeah here we go good good animation call to action uh again get in and start using security Center um can't say it enough uh it's going to bring a lot of visibility a lot of information to you and it's going to bring a lot of value and we're going to continue to innovate and we're going to continue to bring more 
value uh to you as part of that solution so definitely get in get used to it get comfortable with it build it into your normal processes please uh familiarized yourself with that shared responsibility Matrix and again on that first presentation we had where we got the little link you can click on that it'll take you to a website and you can dig into the details um or more details as part of that uh Matrix and and make sure that we've got Clarity on the roles right and what what are the areas where you have responsibilities what are the areas that that you know service now has responsibilities so that we're all in an alignment right and together making sure that uh your service now uh instance is secure of course review the security best practices guide I think we put that in the chat um within here which is good y i put both links in the chat as well as they're hyperlink in this doc when you get a hold of the doc fantastic thank you will and then of course for additional questions you know will and I uh we're part of a larger Global team that's called the office of the ceso um please work with your uh account teams uh that can either you know get technical questions done within support uh or they can reach out to us if we want to talk about you know security requirements that you have and are there capabilities that you can utilize to you know ensure that you're meeting those security requirements uh your account teams can reach out to us Office of the ceso we're more than happy to jump in and have those types of conversations with you yeah and I I will just say you know I really want to thank everybody um for the the participation too um please you know if you can give us some valuable feedback we'd love to know uh so Jimmy and I spent quite a bit of time trying to create this presentation really for personas like you guys right as new customers even existing customers arguably right the some of the stuff we you know we we deal with every day right the asks and 
the questions but I think what what helps us build a really great partnership Foundation from the start is understanding you know roles and responsibilities any questions you have around that and kind of what what what am I responsible for how do I deal with that right and and again we can help you navigate you know again we have a mix of Security Professionals as well on the but we can help you navigate and align your security teams with your service now teams uh and help understand and do some of the translation because you know understanding that you know a lot of times the security folks in your organization their Charter isn't to be a service now expert and so you know it's it's a lot of times falls on the now platform Architects the now admins to help articulate now capabilities and so again um my team and and Jimmy is as he mentioned right are is happy to help support that initiative um as well as please digging into these documentation we my team spends a lot of time um updating this documentation and trying to keep it relevant and keeping it updated so that uh it can provide more valuable to your team so again really appreciate any feedback again I can't say enough how important this feedback is to us we take it uh absolutely internally and try to work with it to try to drive uh delivery of better more valuable uh assets to you as the customer fantastic yeah absolutely we've got the Q&A is still open we'll give uh everybody another minute if you would like to either provide information back on the polling question again um be extremely valuable for us and uh if there's any additional questions we'll do that if not we'll uh we'll shut things down give you some time back going once going twice all right I think we're good again thank you everybody so much
https://www.youtube.com/watch?v=xTGudWS6vAs