ServiceNow Zero Trust Policy Based Session Access & Adaptive Authentication

Zero Trust is a cybersecurity strategy that operates on the principle of “never trust, always verify.” Unlike traditional security models that assume everything inside the network is safe, Zero Trust assumes that threats can come from both inside and outside the network. Here are the key principles of zero trust:

  1. Verify Explicitly: Always authenticate and authorize based on all available data points, including user identity, location, device health, and more.
  2. Use Least Privilege Access: Limit user access with Just-In-Time (JIT) and Just-Enough-Access (JEA) policies, minimizing the risk of excessive permissions.
  3. Assume Breach: Design systems with the assumption that a breach has already occurred. This involves minimizing the impacted area and segmenting access to prevent lateral movement within the network

ServiceNow implements zero trust through a feature called Policy Based Session Access and Adaptive Authentication. This approach dynamically adjusts user privileges through a web session based on multiple factors and works in conjunction with your Identify Provider’s (IDP) conditional access policies. Below are some factors that can influence user privilege adjustments:

Contextual Factors

  • IP Address and Location: Access can be restricted based on the user’s IP address or geographic location. For example, users accessing from an unfamiliar location might face additional verification steps.
  • Authentication Method: The type of authentication used (e.g. password, MFA) influences access decisions. Multifactor Authentication (MFA) provides an extra layer of security, ensuring that even if a password is compromised, unauthorized access is prevented.
  • User Role and Group Membership: Access is tailored based on the user’s role within the organization and their group memberships. This ensures that users only have access to the resources necessary for their job functions.

Dynamic Privilege Reduction

  • Suspicious Activity: If unusual behavior is detected, such as accessing sensitive data at odd hours, the system can reduce the user’s access privileges or require re-authentication.
  • Session Attributes: Changes in session attributes, like switching to a different device, can trigger a reassessment of access permissions.

Integration with Identity Providers (IDP)

  • Attribute-Based Access Control (ABAC): Attributes provided by the IDP, such as user roles, department, security clearance, or risk score, are used to make fine-grained access control decisions.
  • Continuous Verification: The system continuously verifies user attributes throughout the session, ensuring that access remains appropriate as conditions change.

Benefits of Policy Based Session Access

  • Enhanced Security: By continuously verifying user trust and dynamically adjusting access, ServiceNow minimizes the risk of unauthorized access and potential breaches.
  • Flexibility and Scalability: The system can adapt to various organizational needs and scale as the organization grows, ensuring consistent security policies across all users and devices.
  • Compliance: Helps organizations meet regulatory requirements by enforcing strict access controls and maintaining detailed logs of access decisions.

A demo of ServiceNow Zero Trust Access can be viewed below from the ServiceNow Community YouTube Channel

An Enterprise Architecture Perspective

Zero Trust Architecture is the gold standard for cyber security and uses the zero trust principles mentioned at the beginning of this article. National Institute of Standards and Technology (NIST) published the zero trust article NIST Special Publication 800-207 Zero Trust Architecture. For more than a decade, Federal agencies have been urged to move to Zero Trust Architecture. In 2021, there was a  Federal Government mandate through the Executive Order on Improving the Nation’s Cybersecurity to adopt Zero Trust Architecture.

Zero Trust Architecture is not just about securing the ServiceNow platform. It impacts every cloud service, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). It also impacts on-premise infrastructure, network services, and mobile services as well.

ServiceNow’s Zero Trust Policy Based Session Access and Adaptive Authentication adds an extra security layer, enhancing control and flexibility. Typically, organizations use a mix of IDP’s conditional access policies, network policies, and architecture standards to implement zero trust. When applying the zero trust framework to a PaaS like ServiceNow, access becomes very restrictive in high-risk scenarios due to the number of applications and data that can be accessed. For example, an employee is using an up-to-date corporate owned device on a public Wi-Fi connection. In a zero-trust architecture, often, the employee would be denied access in this scenario due to the public Wi-Fi use. Based on human behavior, the employee would find a workaround either by using email, phone call, or other methods which could introduce more risk or create disruption in business operations.

ServiceNow’s Policy Based Session Access and Adaptive Authentication solves this challenge. It can allow limited access for users based on the previously mentioned factors. This means in the mentioned scenario; the employee could still have access to ServiceNow but potentially would be temporarily reduced to a non-role user while on public Wi-Fi. This would still allow the employee to submit a request or incident if, for example, they’re using public Wi-Fi because the corporate virtual private network (VPN) client isn’t connecting. 

One of the biggest challenges with implementing a Zero Trust Architecture is winning over the business. They may see zero trust as too restrictive for employees or requires a significant investment up front. Though zero trust can be broken down into smaller foundational initiatives for budget approval, it’s still difficult to overcome the “too restrictive” mindset. ServiceNow’s Policy Based Session Access would be a great example to show how zero trust policies can be enforced and still allow employees to perform actions even if certain factors would normally prevent them from accessing the platform all together.

Sources
Platform Privacy & Security Academy: Introduction to ServiceNow Zero Trust Access – YouTube

NIST Special Publication 800-207 Zero Trust Architecture

White House Briefing Room Executive Order on Improving the Nation’s Cybersecurity

What is Zero Trust? | Microsoft

Zero Trust Access – ServiceNow

What Is Zero Trust? | IBM

What Is a Zero-Trust Network? Definition, Pro & Cons – Forbes Advisor

 

While the above technical tip has been provided with care and consideration, it’s important to acknowledge that individual circumstances may vary. Always ensure compatibility and feasibility within your specific ServiceNow environment before implementing any suggestions. Additionally, back up your data and proceed with caution when making any changes to your instance or workflows. 

 

As with any change in ServiceNow, make sure you test any changes prior to moving to production.

 

Subscribe to Our Newsletter

info@pathwayscg.com

|

917-952-5004

Facebook-f Linkedin-in Instagram Youtube X-twitter

© 2024 Pathways Consulting. All rights reserved.

Website developed by beMarketing.