Using Fortanix Data Security Manager with ServiceNow

Introduction

The purpose of this article is to describe the methods to configure and integrate Fortanix Data Security Manager SaaS (DSM SaaS) solution with a ServiceNow instance for Customer managed encryption keys.

Prerequisites

• An account on Fortanix DSM SaaS.
• ServiceNow instance with Database Encryption and Customer-Controlled Switch feature (Refer: https://docs.servicenow.com/bundle/tokyo-platform-security/page/administer/encryption-database/concept/dbe-css.html)

Setting up the ServiceNow Instance

Please refer to ServiceNow documentation on how to set up your ServiceNow instance and enable external KMS functionality.

Fortanix DSM SaaS service is globally available in North America, European Union, United Kingdom, Asia Pacific, and Australia regions. 

Setting up Fortanix Data Security Manager

1. Sign up at https://smartkey.io/.
2. Log in to the Fortanix DSM UI.
3. Click the Integration tab in the left panel.
4. On the Integration page, click ADD INSTANCE on the ServiceNow wizard.  Figure 1: Integration tab
5. Enter the details as shown in the following screenshot. 
   Figure 2: ServiceNow details
   1. Instance Name: This is your active ServiceNow instance name. Please provide the exact instance name. Any error in the name may result in unsuccessful integration.
   2. Key expires after: Enter the period after which the key expires.
   3. API Gateway: Use Fortanix managed API gateway. Option to set up your own API Gateway is coming soon.
6. Click SAVE INSTANCE to complete creating the application.
7. You can view all the instances by clicking View All on the integration wizard.  Figure 3: View all integrations
8. To edit the Key Expiry Duration, click the Edit icon for a ServiceNow instance. Figure 4: Edit instance
   
                                             Figure 5: Edit instance
9. After the setup please contact ServiceNow support (support@servicenow.com) and provide your endpoint in the following format:
   https://servicenow.fortanix.com/kek/<instance name>/1

   The service now Support team will then enable the Customer Control Switch for your instance.

Disabling the Key (Kill switch)

In case the key is compromised, you can disable the key using the steps below:

1. In the Fortanix ServiceNow wizard, change the "Key expires after" field to 0.

2. After 15 mins, the ServiceNow database should crash and you will not be able to access it via ServiceNow UI. 

3. Raise a ticket with ServiceNow support team to inform the same. 

Enabling the Key (Kill switch)

1. Change the "Key expires after" field to a value greater than 0 (recommended value: 2 days).

2. Raise a ticket with ServiceNow support team to re-enable the database.