Edge Encryption

Who:

Scripps Health
8925 Rehco Road
San Diego, CA 92121 

When:

January 2017 

What:

The client needed to ensure all data from its ServiceNow Platform was encrypted before leaving its data center.



The Challenge

Replace the on-premises Remedy solution with the ServiceNow Software as a Service (SaaS) solution while ensuring all sensitive information within ServiceNow is encrypted before the information leaves the Scripps Health network. Because encryption and tokenization change the nature of the data, the solution could affect instance processes. Therefore, before moving forward, the client had to carefully consider the impact on its instances by reviewing all aspects of the encryption involved.

The Solution

Implement ServiceNow's Edge Encryption, a network encryption system that resides on the client's network and encrypts and decrypts sensitive data as it travels between the client's data center and the ServiceNow cloud instance.

The Edge Encryption proxy servers were set up in a load-balanced configuration. Through encryption in motion, all identified fields with sensitive data were configured to be encrypted within the network before the data was sent over the Internet to the client's ServiceNow instance, where it remained encrypted at rest. When requested, the encrypted data was sent back to the Edge Encryption proxy server, which in turn decrypted the data before serving it to the web browser.

Specific individual fields were created and configured for encryption using AES 256-bit encryption keys and order-preserving encryption types. Encryption patterns were used as a supplement to match and tokenize strings with regular patterns, such as Social Security numbers and Medical Record Numbers (MRNs), found outside the identified encryption fields. All attachments were encrypted.

All of this ensured that the encrypted data could be viewed in clear text only by a user logged in to the instance through a proxy server on the network. Because the proxy server resided in the client network, the client owned and managed the encryption keys. As a result, sensitive data was never displayed in clear text to ServiceNow.
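The encryption patterns described above, sketched as an added Python example (not ServiceNow's code or the client's configuration): free text is scanned on the network side, matches are swapped for random tokens, and the token vault stays with the proxy. The regexes, the MRN format, the token layout, and the PatternTokenizer class are assumptions made for illustration.

```python
import re
import secrets

# Assumed formats: SSN as NNN-NN-NNNN; "MRN" + 8 digits is a constructed
# MRN layout, since the page does not specify one.
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "MRN": re.compile(r"\bMRN[- ]?\d{8}\b"),
}
# Hypothetical token layout used only by this example.
TOKEN_RE = re.compile(r"\bTOK_(?:SSN|MRN)_[0-9a-f]{16}\b")

# Constructed sample text, not real patient data.
SAMPLE_NOTE = "Patient called re: MRN 00451234, gave SSN 078-05-1120 to verify."


class PatternTokenizer:
    """Toy stand-in for the on-network proxy; the vault never leaves it."""

    def __init__(self):
        self._by_token = {}  # token -> clear text
        self._by_value = {}  # clear text -> token (same value, same token)

    def _token_for(self, kind, value):
        if value not in self._by_value:
            token = f"TOK_{kind}_{secrets.token_hex(8)}"
            self._by_value[value] = token
            self._by_token[token] = value
        return self._by_value[value]

    def outbound(self, text):
        """Replace every pattern match before the text leaves the network."""
        for kind, pattern in PATTERNS.items():
            text = pattern.sub(
                lambda m, k=kind: self._token_for(k, m.group(0)), text)
        return text

    def inbound(self, text):
        """Restore clear text for tokens this vault issued; keep the rest."""
        return TOKEN_RE.sub(
            lambda m: self._by_token.get(m.group(0), m.group(0)), text)


if __name__ == "__main__":
    proxy = PatternTokenizer()
    stored = proxy.outbound(SAMPLE_NOTE)   # what the cloud instance would hold
    print(stored)
    print(proxy.inbound(stored))           # what the on-network browser sees
```

A second PatternTokenizer instance, standing in for any party without the vault, returns the tokenized text unchanged from inbound().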


The Result

The Edge Encryption gateway between user browsers and the ServiceNow instance ensured that traffic from the browser passed through the gateway on its way to the ServiceNow instance. The gateway, configured to encrypt outbound data marked for encryption and to decrypt inbound traffic, allowed end users to see clear text in the browser. The advantage of this implementation from a security control perspective is that the encryption and key management are handled externally from ServiceNow. Ultimately, this allowed the client to move forward contractually while ensuring its customers' data was safe when leaving its data center.


About Scripps

Scripps is a private, nonprofit health system in San Diego, California that includes four hospitals on five campuses, dozens of outpatient clinics, thousands of affiliated physicians, home health and hospice care.  Scripps provides audiology, behavioral health, cardiology, cosmetic surgery, critical care, elbow surgery, foot care, hand therapy, heart failure treatment, x-rays and other medical services.