SaaS is fast becoming the new enterprise operating system. Given the pervasiveness of SaaS app usage and the high degree of customizability within each SaaS app, there are bound to be customer-side SaaS app misconfigurations. These misconfigurations can include over-permissioned end-user roles and data exposed to the public internet.

In this regard, a recent article titled “Data Exposure and ServiceNow: The Elephant in the ITSM Room” discusses the risk of misconfigured ACLs that may lead to open or anonymous access to data in a ServiceNow instance. The article points out how data exfiltration can occur due to potential misconfigurations performed by customers in their ServiceNow deployments. There are no zero-day risks in the potential misconfigurations mentioned in the article.

While this research was published independently, many organizations have made inquiries to AppOmni on other detection and mitigation measures they can take to ensure their deployments are secured.

ServiceNow has issued the following guidance to their customers:

“ServiceNow works with customers on the ongoing safety of their security configurations, including Access Control Lists (ACLs), to ensure they are properly structured and aligned to their intended purpose. These protocols are built to be extensible so customers can configure them based on their unique security needs — from companies with public portals providing broad access to information to enterprise-specific use cases where access is restricted to select users.

ServiceNow recommends the following steps to address this potential issue:

1. Review Access Control Lists and widgets that are intended for public use cases to determine whether they align with specific business and security needs and if the underlying data should be publicly accessible. Please ensure that intended functionality supporting unauthenticated users was not impacted by this maintenance.
2. If the customer identifies any functionality intended to be public that was impacted by this change, please do one of the following:
   • Update the ACL(s) associated with the Table and Field to include the “public” role and remove the script that was added by the Maintenance; or
   • Create a new ACL for the associated Table and Field to include the “public” role
3. After updating the ACLs or creating a new ACL as explained above, please consider taking the following steps for any table that requires public access:
   • Reduce the number of rows to which the public table-level ACL grants access by adding a condition and/or script to the ACL, thereby filtering out rows available publicly.
   • Only apply the public role to specific fields that need unauthenticated access. All other fields that are not intended to be public should use a non-public role, which would require an authenticated session.
   • Reduce the number of fields that are available for public access by configuring only required field-level ACLs with the “public” role. For the rest of the fields, add another role (which would enforce an authenticated session) on a wildcard field level ACL.
   • In addition, the following script can be used in an ACL to require the user to be logged in: gs.isLoggedIn()
4. Review public widgets and consider setting the “Public” flag to false if they do not align with their use cases. If the customer determine that external user access or mobile access to the instance is not needed, apply IP Address Access Control within the instance to limit access to only known, trusted IP Addresses.”

ServiceNow has also issued guidance through an updated knowledge base (KB1553688) article that provides recommendations to address the potential misconfiguration.

As the leading SSPM solution, AppOmni detects unintended data exposures in ServiceNow and many other SaaS platforms arising due to customer-side misconfigurations. AppOmni Insights are derived from analyzing toxic combinations of misconfigurations, improper permissions, incorrect ACLs and IP restrictions, or exposed APIs and can help customers identify if they are impacted by this issue.

The potential misconfigurations mentioned in the article along with many similar SaaS access risks are detected by the AppOmni platform on a continuous basis. These SaaS access risks are displayed in the AppOmni console, enabling customers to analyze and triage each Insight. This enables timely, proactive SaaS threat detection, prevention and guided steps for remediation.

In addition, AppOmni has provided the following summary guidelines previously to address ServiceNow misconfigurations.

AppOmni Recommended Remediation Steps

Administrators should perform the following checks on a regular basis to ensure that access to sensitive information is not being provisioned to external unauthenticated users.

• Review ACLs that are absent of conditional and script based access evaluation, which have either no role, or the public role, assigned to them.
• Review User Criteria (UC) and the resources to which those criteria are granting access. In particular, focus on any UC in which the ‘Guest’ user is assigned to or contains the ‘public’ role. This includes the ‘Any User’ and ‘Guest’ built-in UCs.
• Review resources that can be directly assigned the ‘public’ role to grant access, or indirectly made accessible to the public through another mechanism (such as publishing a report).
• Review System Properties that may dictate access to records through a provided role or list of roles.

Addressing SaaS cyber risks requires adopting a SaaS Security Posture Management (SSPM) solution that importantly provides SaaS risk visibility across the SaaS estate, as well as guided steps to remediate and address this risk as it manifests. The AppOmni Platform’s SaaS cyber risk visibility, SaaS-to-SaaS app security management, threat detection, as well as the recently released Identity Fabric capabilities, enable customers to proactively fix these and any other SaaS access risks.

AppOmni has created a ServiceNow ACL misconfiguration assessment to detect potential misconfigurations in ServiceNow instances. Trusted by over 20% of the Fortune 100, AppOmni is best placed to help you analyze your ServiceNow deployment and provide guided remediation to address any SaaS access risk.

Click here to sign up for a risk assessment of potential ServiceNow misconfigurations.