NJP

EMEA - ServiceNow Security: What you need to know to secure your instances

Import · Aug 07, 2024 · video

Okay, good afternoon everybody and thank you for joining this ServiceNow security webinar on what you need to know to secure your instances. I'll start by introducing myself and my co-presenter for this webinar. My name's Dan Gley, I'm part of ServiceNow's Customer Security and Trust team. I've been with ServiceNow for about 11 months, so recently joined; prior to that a 20-year career in technology, more than half of which has been in security, both as a cloud provider and a cloud consumer as well. So I'm joined today by Sebastian. Sebastian, do you want to give yourself an intro?

Yes, thank you Dan. So same as Dan, also in ServiceNow since October 2022, so near two years now, and my career was more in security operations, since 20 years.

So this is going to be delivered in a traditional webinar format, so that means participants' microphones and video will be switched off. If you wish to ask us questions throughout the presentation you are free to do so; please use the Q&A function that should be available to you through Zoom. Seb will be managing the questions and responses through most of the presentation, so we should be able to answer as we go. I find my slides won't advance... there we go. Right, so for anyone who's attended a ServiceNow presentation or webinar before, you'll probably be familiar with our standard Safe Harbor notice. In summary, what it says is that we may make some forward-looking statements around features of the application that may be coming in future releases; where we do so, you should not use that as a basis for making a purchasing decision, as we can't guarantee that anything we speculate about in terms of future capability will come as promised.

So on to the actual presentation. There's three main learning outcomes that we're looking for you to take away from this webinar. Number one is knowing more about how to secure your ServiceNow instance, as the topic suggests. Number two is recognizing where you are in your security journey and how you move forward, and number three is understanding what tools and resources are available to you to help you in that journey.

Just to make sure that we're all speaking the same language, we're going to confirm what we mean by a ServiceNow instance, because it's something we're going to refer to multiple times throughout the presentation. ServiceNow operates using a single-tenant architecture, meaning that each customer gets their own copy, or multiple copies, of the Now Platform running in the cloud, and each one of these copies is known as an instance. Each instance can run multiple applications side by side, so a single instance could potentially be hosting your ITSM, your HR, your CSM tools. A common way that customers use multiple instances is to separate different environments for production and development and test purposes. So again, each one of these would be referred to as a single instance of the Now Platform.

Moving on to how ServiceNow delivers our services. We operate a paired data center hosting model in which all of your production instances are replicated across a primary and a secondary data center in your chosen region. In this model your production instances are kept in sync using asynchronous database replication. In the event of a disruption, ServiceNow initiates a failover process which redirects all traffic transparently to the secondary DC, and we refer to this as our Advanced High Availability architecture. Within each data center, customers share physical hardware without the use of virtualization, but you have a dedicated database and application services for your instance only. What this results in is a logical single-tenancy model whereby all customers' data is isolated from each other, and it's impossible for your information to co-mingle with that of any other customer.

In terms of physical security, our hardware is hosted within colocation data centers operated by top-tier providers like Equinix, Vantage and Digital Realty. These operators provide ServiceNow with a secure and reliable space to operate in, and the data centers are highly secure facilities with 24x7 security guards, CCTV, multiple levels of entry controls and very strict procedures for physically entering the facility. ServiceNow data centers are highly available facilities; we have redundant network, electrical and mechanical systems as you might expect, and they feature a hardened exterior perimeter with defense in depth provided by various access control boundaries like fences, bollards and mantraps. Within each of the data centers, all ServiceNow equipment is stored in one or more dedicated anonymous cage spaces or private suites where only ServiceNow personnel have access. The details of the individual data centers may vary slightly, but all facilities have very similar operating characteristics, and in all cases by contract the data center providers must be either ISO 27001 accredited and/or they must conduct regular SOC 2 Type 2 audits.

What you see here is a map of our hosting locations. We have 18 data center pairs around the globe to service our customers in different geographic regions and to help them meet their regulatory and sovereignty requirements. We rotate support operations from our offices around the world in a follow-the-sun model, meaning we can offer 24x7x365 truly global technical support. This, in combination with our Advanced High Availability architecture and our highly available infrastructure, means we've got an extremely high measured uptime, and we're able to offer a contractual uptime commitment of 99.8%. Over to Seb for the next couple of slides. You're on mute.

Yeah, okay, thank you Dan. So on this slide you can see how ServiceNow in fact architectures the platform regarding all the security capabilities. ServiceNow provides a comprehensive, broad set of security controls and configuration so you can keep your ServiceNow platform extremely secure and compliant with security regulation. On this page you can see, for example, basic security controls like login, authentication, ACLs and audit logs, a lot of basic features regarding authentication and authorization, and also audit and monitoring with the monitoring, logs and audit capabilities. For encryption and key management, ServiceNow provides out-of-the-box encryption but also provides options regarding secrets management, multi-level encryption at application level, and cloud encryption also as an option.

So the first question we have for you today is: what is your level of confidence in securing a new ServiceNow instance? Are you extremely confident, somewhat confident, not very confident, or "I have no idea where to begin"?

Somewhere in the middle so far. Oh, someone's extremely confident, great, I'll invite that person to carry on the rest of the presentation for us. So yeah, fairly good; nobody yet saying they've no idea where to begin, so that's kind of a positive indication. We'll leave that poll running just for a sec, but we'll carry on with the slides.

Each customer is on their own path with their ServiceNow security journey. It sounds a little bit clichéd, but security is not one-size-fits-all; that's why we use this phrase "security is a journey", and it's one that each customer takes at their own pace. To that end we've broken the recommendations in this webinar down into a logical progression from crawl through walk to run, beginning with basic resources and best practices in the crawl stage through to more advanced features and capabilities that you can explore in the run stage.

So let's get started with crawl, and here we're going to talk about security resources you have access to and how you follow our best practices to begin your security journey. Beginning with resources, we have a collection of different services targeted at potential customers wishing to do some initial due diligence, existing customers who need to keep abreast of patching and security matters as it relates to the platform and to us as a supplier, or partners looking to assist and onboard new customers. These are the Trust site on servicenow.com, the Trust Center on Now Support and the ServiceNow Partner Portal respectively. For this webinar I'm going to focus on the Trust Center, because this is a resource that both existing customers and prospects can access, and it gives you access to some really key information to help you stay informed about security matters that affect your instance, as well as providing you access to information about ServiceNow that can really help streamline your supply chain assurance process. It's that point specifically that we address using the CORE compliance portal. ServiceNow's CORE compliance portal enables customers to self-serve documentation to help support internal audit and assessment requirements, prepare for on-site audits and address regulatory requirements. CORE is a fantastic resource, and it's one that Seb and I probably refer to at least a few times daily. You will find that we are incredibly transparent about our processes and procedures, and we share that through CORE. CORE includes, to name a few things, our certifications and our attestations, our SOC 1 Type 2 and SOC 2 Type 2 reports, many of our internal policies and standard operating procedures, the certifications of our data center providers, and a number of pre-filled vendor risk questionnaires that should help you really get a jump start on your own vendor assurance process. CORE access is for customers and partners, and it's provisioned to the Now Support account holders by the customer's primary customer administrator who manages your ServiceNow instance, so you can provide access to CORE to people within your own organization at your discretion. Best news is CORE comes at no cost to you; it's completely free.

Moving on to another free resource. Created for customers, prospects, partners and ServiceNow support staff, the ServiceNow Security Best Practices Guide is an easy-to-follow guide to the main security features provided by the ServiceNow platform and how best to use them to secure your instance. The guide is specifically aimed at those who are tasked with the responsibility of keeping your ServiceNow instance secure. The guide covers many of the same topics that we're going to cover in this presentation, and it's in a similar crawl-walk-run format, beginning with a getting-started section on essential tools and guidance, and it's from that section I'm going to pick out a couple of items to talk through today in this webinar.

Firstly, a very important topic: patching. As with any software application, ServiceNow instances must undergo regular patching to maintain security and performance and address emerging vulnerabilities. The ServiceNow patching program helps you ensure your platform software is kept up to date, and you can take advantage of our automated patching service to assist you with this. Patching remediates known security vulnerabilities and it's an essential component of any vulnerability management process of course, but it also enables you to conform with the ServiceNow end-of-life policy. ServiceNow usually releases two major version updates per year, and we only support the current version and one prior release version, so N and N-1. Older versions are considered end of life; we no longer support them, and they must be upgraded by a specific deadline to ensure the security of both the customer instance, as in your customer instance, and those of all other customers as well. If after this date the customer instance has not been updated, it will be upgraded automatically to protect you and our other customers.

The second item from the best practice guide I'm going to mention is around maintenance of your security contacts. Your security contacts are who we will reach out to in your organization in the event that we need to communicate information in relation to security issues, security alerts or details about important software updates. These are also the first people we would contact in the event of a security incident affecting your instance, so it's really key that you keep these contacts up to date and ensure that the individuals named have the authority to act on the information they may be receiving from us. Our recommendations regarding the contacts are that you include at least two information security personnel who are authorized by your organization to discuss security matters or security-related information and events. If you have an email distribution list for your security team, we recommend that you add that as well. The named contacts should have the ability to quickly reach out to business owners and leadership as required, have a familiarity and understanding of the ServiceNow platform and how your organization is actually utilizing it, and of course they need to be aware of the types of data and the associated security concerns around that data that's hosted in your ServiceNow instance. Perhaps most importantly, these are people who are willing to accept security-related emails and phone calls from the ServiceNow security team, which could be in the middle of the night, so these are people who must be prepared for that. And please remember this is not a once-and-done activity; you should regularly review the contacts you've provided in case of staff joiners and leavers and changes over time.

So now we're moving on to the walk stage of the security journey. We're going to build on that previous stage by going a little deeper into some of the security concepts, features and tooling that's available to you. We'll start this section off by talking about the shared responsibility model. This is a concept I'm sure many of you will be familiar with if you're familiar with cloud services, as it's a common concept across all cloud service providers. When you buy a cloud service, depending on the nature of the service you buy, i.e. whether it's software, platform or infrastructure as a service, there are always security controls that are the responsibility of the cloud service provider, so in this case us, and some are the responsibility of the cloud service consumer, in this case you. The levels of responsibility shift between provider and consumer based on the nature of the service procured. What you see on the screen now is the ServiceNow shared responsibility model, which identifies which controls are the responsibility of the customer to manage, which are the responsibility of us at ServiceNow, which sit with our colocation data center operators, and also which are shared across one or more parties. Employee vetting, for example, is a shared responsibility in that all parties need to ensure their employees are trusted, as all play a part in the delivery and operation and ultimately the security of the service. It's really important that you take time to read and understand the shared security model so that you recognize where you as a customer are responsible for implementing the controls necessary to keep your instance secure, and you'll find that there's a link to the full document in the presentation which you'll be able to access later.

Just to follow on from that point a little, in this slide we cover the security capabilities that exist within the platform, and we've broken them down into three categories: firstly invisibles, the things that ServiceNow puts in place to keep the platform secure; configurables, the security capabilities available to you as the customer as part of the core platform capability; and then enhanceables, the additional capabilities that specific customers may choose to procure to meet their individual use cases. I'll hand over now to Seb for our next couple of slides.

Yes. So why we are discussing these items today with you is in fact we can mention three main purposes. First is of course to reduce common security risk. The second one is more how to understand roles in meeting compliance with industry standards and legal regulation, for example with GDPR, data privacy and so on, and of course all the privacy concerns. And the last one, one of the best things about this, is of course to keep your instance available in all circumstances. It's why we take time with you today to check all the security controls, so stability is for you and for us the most important thing.

So second question: what is your experience with ServiceNow Security Center? Never heard of it, heard of it but never used it, or use it regularly?

Apologies, I forgot to share the results from the first poll there, so I've just brutally put them up on the screen. Hopefully our next poll will be coming up shortly. Oh, there we go. Okay, so we've got a few people who have heard of it but never used it, one person using it regularly; I expect that's our expert from the first question as well. So we're kind of somewhere around the "heard of it but never used it", I think. Here we go, end that poll and share the results. There we go, right, so 33% never heard of it, 44% heard of it but never used it, 22% use it regularly. So a good time to start talking about it then.

For those of you who are not familiar with Security Center, it's actually a collection of different features. Security Center is a free tool, again; it's available from the Utah release onwards and it's automatically installed from Vancouver onwards. Security Center is intended for use by your ServiceNow platform and security admins rather than your wider security team. There are six tools included, and these include the security hardening feature, which provides guidance on how to reduce the attack surface of your instance by configuring it as securely as you can while still enabling the functionality that you need; the security scanner, which looks for potential misconfigurations and insecure behaviors to enable you to address these and reduce risk as a result; best practices, which combines both ServiceNow and wider industry best practices into a format that allows you to track and manage your application of these over time; critical updates, which highlights important upcoming updates for the platform, helps you prepare for these and helps you track them to completion; security metrics, which gives you near real-time monitoring of your instance activity for any insecure behaviors or potential security threats; and finally security learning, which brings together a whole host of published resources to assist your administrators in learning the features of the platform as well as making them aware of the external regulatory requirements that you might have to meet. Security Center is being continually developed, and we're seeing new features launch almost every few months at the moment, and there's some really big updates planned for the X and Y releases of the Now Platform, so I'd really encourage you to check it out if you haven't already, and also look for our dedicated webinars on Security Center, which go into the features in much more depth. Back to Seb for the next couple of slides.

So regarding logging and monitoring, if you can switch then to the... sorry, next, thank you. So regarding logging and monitoring, it's also an important part, and in fact it occurs at two layers in the environment: first on the customer side, and second on ServiceNow, managed by ServiceNow. On the left, the customer part: in the instance there is a lot of detailed transaction log, where our customer can check who accessed the instance, what is used, what page, what export, what data are exported for example, which form is consulted by a user. It's a very detailed log, available and stored in the database, so it's protected, not modifiable by user or administrator, and by default available to your administrator on the instance. Of course you also have the capability to connect the ServiceNow instance to your SIEM, or to export files to integrate and import in your monitoring system or logging system through syslog for example. So that was the first part. The second part is what we manage internally at ServiceNow. Of course we also have log monitoring on the infrastructure; it permits us to detect and take action in case of a security threat, for example. To give you an example, we have also our own SIEM, and all our security capability like IDS and firewalls and all these things of course forward the logs to our SIEM, so it's possible for us to monitor that and to detect, for example, a security attack.

The next topic is also a very important topic: it's all the identification, authentication and authorization part, and as Dan showed just before, this part is really the customer's responsibility in the shared responsibility matrix. The first step is of course to authenticate your users and your administrators on the platform. So two possibilities: the first is to use an external SSO, for example, and to connect the ServiceNow instance to your IdP or LDAP or another system, to in fact delegate and use an external system to authenticate your users. Of course it's also possible to use local database authentication on the ServiceNow platform, and of course it's possible to use external SSO for some users and local authentication for administrator users, for example admin users. Of course, in case the local database authentication is used, ServiceNow provides also MFA and security controls to secure the connections. So that's the first step, and the second part is authorization. Authorization is also very important, to give the user the proper role and access to the instances depending on which application they need, ITSM or another application. So it's possible of course to segregate all the users depending on their business and what they need, and for that RBAC is used, and also in the last release we have added capability around ABAC to have more security attributes, also to manage more precisely the user and the access. So IAM is very, very important and we recommend to start with this topic at the beginning.

Regarding email security, there are two possibilities. By default you can use ServiceNow email infrastructure and capabilities, and when you use ServiceNow infrastructure of course it's also possible to secure it, for example to restrict file types or restrict domains, to set up filters, and of course to activate and use SPF, DKIM and DMARC. The second possibility we offer is to use your email infrastructure, so it's very easy to change and to use, for inbound, or inbound and outbound, your email infrastructure and manage your security and so on directly on your email infrastructure.

Thank you Seb. So moving into the final stage of our security journey now, the run stage. Here we're going to review some of the capabilities you can leverage to meet those explicit security policy requirements that we typically find customers have in place in relation to cloud services. There are also controls which you may leverage to meet specific compliance or legislative requirements for your industry and gain more control over data access. Lastly, we'll cover the penetration test program in place to give you the assurance that your instance and the platform as a whole is configured securely.

First we're going to cover a couple of features that fall under the configurables category which we talked about a few slides back, meaning these are things that are available to you as part of the core platform. The first of these provides you with the ability to classify the personal data, or any sensitive data in fact, within your instance, which of course is a key part of being compliant with data protection regulations; among other things, you need to know exactly where that sensitive data exists and how much of it you have in order to be able to apply the necessary and appropriate controls to protect it. The data classification engine allows you to use, assign and create your own classifications in addition to the out-of-the-box ones that are provided as standard. Some fields are classified out of the box for you where it's obvious that they will be holding personal data, like names in customer records for example, and as you can see in the screenshot here, you've got the ability to visualize that classified data to give you that necessary intelligence of the volumes you have in your instance. The data classification also enables some of the enhanceable features related to data privacy, which we'll talk about in a bit, so it's really worth exploring, if you are processing personal data within your instance, the use of the classification tools.

On to another core capability now: column level encryption, or CLE, is an application-level encryption product that's available as part of the core platform capability. CLE is used to permit and deny access to encrypted data at the field level based on a user's role. The core version of CLE can be used to implement simple encryption use cases where there's no encryption of data used in automation or reporting, as encrypted fields are not supported for those kinds of use cases. CLE can be used to encrypt a limited number of field types and create up to five module access policies, which are used to determine which roles can access which data. Those encrypted fields are completely invisible to the users if they don't have the role that grants access to the data, so we find it's typically used to maintain confidentiality around sensitive data fields within tables which users would otherwise need to be able to access to do their job.

Now we're moving into features which fall within the enhanceable category that we referenced earlier. The most comprehensive of these comes in the form of the ServiceNow Vault bundle. Vault is a collection of different premium security features aimed at customers who require more stringent security controls in place, because they process very sensitive data in their instance or they need to meet tougher legislative, regulatory or internal policy requirements than the average ServiceNow customer would. We're not going to go into all of the features of Vault in detail in this webinar, as we normally offer our customers a dedicated session to discuss these, which you can request via your account team if you feel that it's something of interest. We're going to cover three of the more popular features in the next few slides, and these are all features that can be purchased as a standalone capability as well as part of the Vault bundle.

The first of these features is Platform Encryption, which is itself a bundle of two products: Cloud Encryption and Column Level Encryption Enterprise. Cloud Encryption provides transparent database volume-level encryption at rest with minimal impact on the Now Platform user experience. Cloud Encryption leverages the Now Platform's encryption key management framework, which roots the encryption keys in our FIPS 140-2 compliant HSM. Customers can choose to use either a ServiceNow-managed key or provide their own, and when using their own key, customers can also utilize the withdraw-and-resupply feature, which enables you to fully lock your instance by withdrawing your key; that effectively shuts out everyone, including ServiceNow, from being able to access the instance. Column Level Encryption Enterprise, as you may expect from the name, brings enhanced capability to the core CLE feature by increasing the number of supported fields, lifting the limit on the number of different module access policies that can be applied, and it reduces the impact on automation and orchestration because these things are supported with CLE Enterprise. It also supports the customer-managed key feature, as is the case with Cloud Encryption.

ServiceNow Data Privacy provides a tool to protect sensitive data like PII and PHI by combining three functions: data discovery, data classification and data anonymization. These ensure the privacy of confidential data and increase your regulatory compliance. Data discovery allows customers to use out-of-the-box or custom regular expressions to search your instance for sensitive data, which is then cataloged so that you can take action. Those actions could be to delete, update, even ignore, or more likely apply a classification to that data so that you can better manage it using the inbuilt classification engine that we discussed previously. Data anonymization works with that classified data, allowing you to obfuscate or remove sensitive data at the field level to meet use cases such as right-to-be-forgotten requests, or where you need to clone data into a sub-production environment without copying the sensitive information, while preserving the structure and the format of that data to facilitate testing and development activities.

Lastly, the Vault bundle also includes Zero Trust Access. Zero Trust Access brings additional capability to the Adaptive Authentication feature, which is available as part of the core platform tooling. Adaptive Authentication allows customers to establish policy criteria, shown here in white on the left side of the diagram, such as IP address filters. They are executed either pre or post user authentication to determine whether the user is allowed or denied access, or required to provide an additional factor of authentication. Zero Trust Access enhances this feature by adding the additional criteria shown on the left in red, and an additional outcome of the policy decision, which is to allow access to the instance but dynamically reduce the access, so remove some of the roles that the user has.

Moving on from Vault features, another important aspect of a comprehensive security strategy is conducting regular independent penetration tests to gain verification that your instance is secure. ServiceNow engages independent penetration testers to assess the security of the platform as a whole. Testing is carried out at the same cadence as our family release schedule, meaning that this takes place at least twice a year. In the interest of full transparency, we share the executive summary of every test we carry out with our customers; these test reports can be accessed via the CORE compliance portal. Customers are also permitted to carry out a penetration test of their own instance once a year. To ensure that you get the best value from that activity, you must ensure that you have followed our hardening guide and applied all of the latest patches prior to conducting the tests. Tests need to be requested in advance and scheduled so that we are prepared to manage the resulting alerts this may cause in our protective monitoring tools, and the scope of this testing includes unauthenticated scanning and assessments of our mobile app. More information is provided in the customer penetration testing policy, which again is available via the CORE compliance portal.

So that wraps up our discussion around the security journey, and we have another poll question for you now to see where our audience feel they currently are on that journey.

Okay, thank you for answering. We've got 67% feel they're in crawl and 33% in walk, none in run, so hopefully this is the right level of information that you need to progress your way through this journey. Over to you, Seb.

Yes, thank you. Here's a static example of what an instance hardening process might look like, using many topics we have discussed before. To do that we recommend that you use the Security Center to perform this. ServiceNow follows the best practices, in particular defense in depth; that means it's normal to find many recommendations for many topics in line with the best practices. In this example you can see the first step is, for example, to restrict access to the application; for that you can use IP range based authentication, Adaptive Authentication, Zero Trust Access, also strong authentication with MFA, and enable also the ServiceNow Access Control plugin if you would like to control and authorize ServiceNow to access your instance only in the case of an incident or if you need help. The second step can be to restrict access within the application, so an important part is ACLs, because by default ServiceNow provides one configuration, but each customer may need to manage and restrict, of course, the ACL configuration to adapt it to each business purpose and business need. The third part is operational security, using the Security Center but also using the logs and monitoring, for example using the logs and connecting to your SIEM and importing these logs into your system; so also the next topic, integration with existing tools. After that there can be a topic about data security, with encryption, data privacy, data discovery, data anonymization, and of course a lot of other integrations about security: security of the MID Server, security about certificates, about code signing to sign your configuration and verify that the signature is valid before using a configuration or running a script, for example. After that there is also client-side configuration regarding TLS cipher configuration, or other optional capabilities, for example what we provide in the Vault bundle. To do that, it's very easy with the Security Center: you have guided actions and steps, and there are of course different levels of maturity to help you start with the first level and increase your level of security on the instance.

So a new question after this presentation: what is the likelihood you will use the Security Center moving forward? Not likely, possibly, I need to understand more, or I can't wait to use the Security Center?

Well, we're definitely seeing a trend towards people being unable to wait to use the Security Center, which is great; it's exactly what we want to see. So 60%... nobody saying they don't want to use it, which is even better, so thank you for that.

So here's the call to action. If you're in the crawl stage we want you to understand where to find your security docs; if you're in the walk stage we want you to use those basic out-of-the-box security features; and if you're in the run stage we want you to be able to explore and determine whether you want to use any of those advanced security features. Leverage our resources, use those things that we make available to you for free, and follow those best practice security guides as best as you can.

One more poll question, going back to the question that we asked at the beginning of the presentation: now that you've seen this webinar, what's your level of confidence in securing a ServiceNow instance? Oh, even split there between extremely confident and somewhat confident. Oh no, we've moved up, so we're in the somewhat confident. I'll take that, I'll take that as an improvement. There we go, 67% somewhat confident, nobody in the not very confident or no idea where to begin, so that's good. So Seb, do we have any
unanswered questions um no I don't um have U more question at this time okay so just remains then for uh from SE to thank you for joining us today for giving up your time to listen to us talk
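The discovery, classification and anonymization flow described in the webinar (regex discovery of PII, a catalogue you can act on, and field-level obfuscation that keeps the data's structure so a sub-production clone still exercises the same code paths), as an added example that is not part of the webinar and not ServiceNow Data Privacy code. The patterns, records, field names and key below are all constructed for illustration.

```python
"""Data discovery, classification and format-preserving anonymization.

Added example for this transcript; it is not ServiceNow Data Privacy code.
It models the three functions the webinar describes on constructed,
in-memory records: regex discovery, a classification catalogue, and
anonymization that keeps the field format (digits stay digits, letters
stay letters, separators stay put) so a sub-production clone still looks
realistic to tests while carrying no real PII.
"""
import hashlib
import hmac
import re
import string
from dataclasses import dataclass

# Constructed discovery patterns, standing in for out-of-the-box or custom ones.
PATTERNS = {
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "US_SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "CARD": re.compile(r"\b(?:\d{4}[ -]){3}\d{4}\b"),
}

# Constructed sample records; sys_id is the record key, every other string field is scanned.
RECORDS = [
    {"sys_id": "rec1",
     "short_description": "Reset password for jane.doe@example.com",
     "notes": "Caller gave SSN 123-45-6789 over the phone"},
    {"sys_id": "rec2",
     "short_description": "Refund card 4111 1111 1111 1111",
     "notes": "No further details"},
]


@dataclass(frozen=True)
class Finding:
    record: str
    field: str
    classification: str
    value: str


def discover(records, patterns=PATTERNS):
    """Data discovery: scan every string field and catalogue each match."""
    catalogue = []
    for rec in records:
        for fname, value in rec.items():
            if fname == "sys_id" or not isinstance(value, str):
                continue
            for label, rx in patterns.items():
                for m in rx.finditer(value):
                    catalogue.append(Finding(rec["sys_id"], fname, label, m.group(0)))
    return catalogue


def classify(catalogue):
    """Data classification: map (record, field) to the set of labels found there."""
    tags = {}
    for f in catalogue:
        tags.setdefault((f.record, f.field), set()).add(f.classification)
    return tags


def _mask_char(ch, key, context, i):
    """Swap one character for another of the same class (digit / lower / upper).
    The replacement is derived with HMAC over (original value, position), so the
    mapping is deterministic for a given key (a clone gets consistent substitutions)
    and cannot be reproduced without that key. Separators are returned unchanged,
    which is what preserves the format. This is a masking aid, not encryption."""
    if ch.isdigit():
        alphabet = string.digits
    elif ch.isalpha():
        alphabet = string.ascii_lowercase if ch.islower() else string.ascii_uppercase
    else:
        return ch
    digest = hmac.new(key, f"{context}:{i}".encode(), hashlib.sha256).digest()
    return alphabet[digest[0] % len(alphabet)]


def anonymize_value(value, key):
    return "".join(_mask_char(c, key, value, i) for i, c in enumerate(value))


def anonymize(records, catalogue, key, mode="obfuscate"):
    """Data anonymization at field level: return a copy of the records with every
    catalogued value obfuscated (format kept) or, with mode="remove", deleted.
    The original records are left untouched."""
    clone = [dict(r) for r in records]
    by_id = {r["sys_id"]: r for r in clone}
    for f in catalogue:
        rec = by_id[f.record]
        replacement = "" if mode == "remove" else anonymize_value(f.value, key)
        rec[f.field] = rec[f.field].replace(f.value, replacement)
    return clone


if __name__ == "__main__":
    found = discover(RECORDS)
    for f in found:
        print(f"{f.record}.{f.field}: {f.classification} -> {f.value}")
    for rec in anonymize(RECORDS, found, b"constructed-demo-key"):
        print(rec)
```

Running discovery again over the anonymized clone finds the same classifications in the same fields, which is the practical test that the format survived; running it over the originals and the clone with different keys shows that the substitutions, not the structure, are what changed.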
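The policy model behind Adaptive Authentication and the Zero Trust Access outcome as the webinar describes it (criteria such as IP filters evaluated pre- or post-authentication; outcomes of allow, deny or require another factor; plus the zero-trust outcome of allowing the session with some roles removed), as an added example that is not part of the webinar and not ServiceNow's implementation. The policy names, address ranges, role names and the "managed device" criterion are constructed assumptions.

```python
"""Policy-driven access decisions in the style of Adaptive Authentication,
extended with a Zero Trust "allow but reduce roles" outcome.

Added example for this transcript; not ServiceNow's own implementation.
Criteria, ranges and role names are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, FrozenSet, List, Optional
import ipaddress


class Phase(Enum):
    PRE_AUTH = "pre"     # evaluated before credentials are checked
    POST_AUTH = "post"   # evaluated once the user and roles are known


class Outcome(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step_up"            # require an additional factor
    REDUCE_ROLES = "reduce_roles"  # zero-trust addition: allow with fewer roles


@dataclass
class Context:
    ip: str
    user: Optional[str] = None              # unknown pre-auth
    roles: FrozenSet[str] = frozenset()
    mfa_done: bool = False
    device_managed: bool = True             # constructed zero-trust criterion


@dataclass
class Policy:
    name: str
    phase: Phase
    matches: Callable[[Context], bool]
    outcome: Outcome
    strip_roles: FrozenSet[str] = frozenset()   # only used with REDUCE_ROLES


@dataclass
class Decision:
    outcome: Outcome
    effective_roles: FrozenSet[str]
    triggered: List[str] = field(default_factory=list)


def ip_in(ctx: Context, cidrs) -> bool:
    addr = ipaddress.ip_address(ctx.ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


# Constructed ranges: a corporate egress range and a range the admins chose to block.
CORPORATE = ("10.0.0.0/8", "192.0.2.0/24")
BLOCKED = ("198.51.100.0/24",)

POLICIES = [
    Policy("deny-blocked-ranges", Phase.PRE_AUTH,
           lambda c: ip_in(c, BLOCKED), Outcome.DENY),
    Policy("mfa-for-admins-offnet", Phase.POST_AUTH,
           lambda c: "admin" in c.roles and not ip_in(c, CORPORATE), Outcome.STEP_UP),
    Policy("zt-unmanaged-device", Phase.POST_AUTH,
           lambda c: not c.device_managed, Outcome.REDUCE_ROLES,
           strip_roles=frozenset({"admin", "security_admin"})),
]


def evaluate(policies, ctx: Context, phase: Phase) -> Decision:
    """Evaluate every policy of the given phase.

    Precedence: DENY ends evaluation at once; an unmet STEP_UP wins over
    everything but DENY (no roles are granted until the extra factor is
    presented); REDUCE_ROLES outcomes accumulate and the effective role set is
    the user's roles minus everything stripped; otherwise ALLOW.
    """
    triggered: List[str] = []
    need_factor = False
    stripped = set()
    for p in policies:
        if p.phase is not phase or not p.matches(ctx):
            continue
        triggered.append(p.name)
        if p.outcome is Outcome.DENY:
            return Decision(Outcome.DENY, frozenset(), triggered)
        if p.outcome is Outcome.STEP_UP and not ctx.mfa_done:
            need_factor = True
        elif p.outcome is Outcome.REDUCE_ROLES:
            stripped |= set(p.strip_roles)
    if need_factor:
        return Decision(Outcome.STEP_UP, frozenset(), triggered)
    effective = frozenset(ctx.roles) - stripped
    outcome = Outcome.REDUCE_ROLES if effective != frozenset(ctx.roles) else Outcome.ALLOW
    return Decision(outcome, effective, triggered)


def login(policies, ctx: Context) -> Decision:
    """Run the pre-auth phase, then (if it passed) the post-auth phase."""
    pre = evaluate(policies, ctx, Phase.PRE_AUTH)
    if pre.outcome is Outcome.DENY:
        return pre
    return evaluate(policies, ctx, Phase.POST_AUTH)
```

The precedence order is the design point: deny always wins, a pending second factor blocks role assignment entirely, and only once authentication is complete does the zero-trust rule trim the role set, so a session from an unmanaged device still gets in but never holds the privileged roles.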

View original source

https://www.youtube.com/watch?v=YPtx1zucfo0