Overview of Field encryption in Cherwell 9.1
Download as PPTX, PDF1 like316 views
The document provides an overview of field encryption in Cherwell, highlighting the use of AES 256 encryption to secure key fields and ensuring only authorized users can access decrypted data. It outlines the procedure for creating encrypted fields, the importance of an audit trail, and key management practices, emphasizing the separation of encryption keys for different data types. The document also notes limitations regarding the use of encrypted fields and the necessity of careful planning and security settings.
Overview of Field encryption in Cherwell 9.1
- 1. Field Encryption An overview & demo Cherwell Rocky Mountain Users Group
- 2. • Chris’ Excellent training course on Video Learning Library • https://www.cherwell.com/video-learning-library/course/enabling- field-level-encryption-2/ • Also a great 3-minute video on Encryption in VLL by Jessica Adams • Also Useful links on Community Site • https://www.cherwell.com/community/f/administration/4572/how-to-encrypt- a-field-in-Cherwell • Links to documentation on Encrypted Fields: • https://www.cherwellsupport.com/WebHelp/en/9.1/content/suite_features/business_objects/fields.html First, a shout-out to Chris Wiggins @ Cherwell 2
- 3. A. Secure fields on Major Objects through AES 256 Encryption • “Data at Rest” encryption B. Field values can only be seen in decrypted form by authorized users in Cherwell Client User Interface • Everywhere else field value is either encrypted or not even visible C. Field values are encrypted/decrypted by the Application Server • Keys are stored securely on application server D. Cherwell maintains an audit trail of any activity related to encrypting/decrypting field values In a Nutshell 3
- 4. • Creating the “Key” • Check prerequisites of object • Create Encrypted Fields • Add to form • Set up security • Test/Use! • API view (time allowing) DEMO 4
- 5. Also: • Can’t encrypt attachments • Can’t use encrypted fields on portal, reports, widgets Limitations & Constraints 5
- 6. • Two forms of “Audit trail” for encrypted fields • Via Journals (“View Level Auditing”) • Via Splunk (“Compliance Level Auditing”) • Field Encryption Compliance • But often plays an important and necessary role Auditing and Impact on Compliance 6
- 7. • Create separate keys for separate set/types of encrypted fields • (e.g. Customer PII vs. Financial Info) • Important if different groups of people/users need access separate sets of encrypted (separation of roles) • Cherwell suggests One key per BO • Need CSM Admin and Access to Server Manager to set up • SaaS - Contact Cherwell Support to get set up • Optional: Set up key for "Compliance Level Auditing“ (via Splunk) • Export Keys and Back them up (offline and in safe storage) • Separate Keys from CZAR files/backups • Password to encryption Keys - DOES NOT CONFIRM - So test it out • Lose the Keys - YOU LOSE THE ABILITY TO DECRYPT! • SEPARATE SETS OF KEYS FOR DEV, TEST, and PROD Environments! (But this also means…) • Install Keys on Application Servers (if running multiple) Suggested practices for setting up Encryption Keys 7
- 8. Identify Business Object and Fields you want to encrypt • Recommended to Encrypt New Fields Only Understand the tradeoffs and constraints of encrypting Make sure it's a Major Business Object Business Object is using Journals (has relationship) Make sure Field Tracking is Turned on for the Business Object • History properties are enabled for all Views Plan out Security Group settings for each BO and field Abbreviated Checklist before encrypting field(s) 8
- 9. • Masking of field on screen/page is visual only • Invokes decryption; encryption only takes place on object save • Support for Multilingual configurations • Use of Windows DPAPI under the covers • Seems to use DataProtectionScope.LocalMachine • Not the same as “password storage” • Can be used in conjunction with file system (BitLocker) or DB level encryption (SQL Server TDE) Other tidbits 9T4S Proprietary & Confidential