Security Best Practices
This document provides actionable security recommendations for deploying and operating Squid. Following these practices will help ensure your data integration remains secure.
Initial Setup
1. Enable ACL Override
The most critical configuration decision:
System Property: x_a46gh_squidx.allowAclOverride
Value: true
Why: ACLs cause silent data loss. Squid's built-in security mechanisms provide equivalent protection with predictable behavior.
arc46 cannot provide support unless this property is set to true.
2. Review Predefined Configurations
Before granting access to predefined configurations:
- Review which columns each view exposes
- Understand what relations are available
- Verify no sensitive data is unexpectedly included
3. Plan Your Role Strategy
Design your role structure before deployment:
Role Planning Matrix

| System/User | Configurations | Roles Needed |
|---|---|---|
| Monitoring | All CMDB | rest + defaultAccess |
| Asset Mgmt | alm_* configs | rest + alm_access |
| Network Team | cmdb_ci_network* | rest + network_access |
| Reporting | All (read-only) | rest + defaultAccess |
Service Account Security
Creating Service Accounts
Do:
- Create dedicated accounts per integration
- Use descriptive names: `squid_[purpose]_[system]`
- Assign minimal necessary roles
- Document the purpose and owner
Don't:
- Share accounts between integrations
- Use personal accounts for integrations
- Assign the `admin` role to service accounts
Service Account Template
Account: squid_cmdb_export_monitoring
Purpose: Export CMDB data to monitoring system
Owner: Infrastructure Team
Contact: infra@company.com
Roles:
- x_a46gh_squidx.rest # API access
- monitoring_cmdb_access # Custom role for specific configs
Configurations Accessed:
- cmdb_ci_server
- cmdb_ci_network_adapter
Review Schedule: Quarterly
Credential Management
- Store credentials securely - Use a secrets manager
- Rotate regularly - At least annually, or after personnel changes
- Use OAuth when possible - Tokens can be revoked
- Monitor for exposure - Check for credentials in logs/code
Configuration Security
Principle of Least Privilege
Configure each integration with minimal access:
# Bad: Overly permissive
Configuration: cmdb_ci
Roles: [] (empty = anyone with rest role)
Relations Restricted: false
# Good: Appropriately restricted
Configuration: cmdb_ci_server_monitoring
Roles: [monitoring_access]
Relations Restricted: true
Allowed Relations: [ci_to_ip_address, ci_to_network_adapter]
View Filter: base_install_status=1
Custom Configuration Checklist
When creating custom configurations:
- Define appropriate view (only needed columns)
- Set role requirements
- Enable `Relations Restricted` if not all relations should be allowed
- Set `Restrict Encoded Query` to true unless operators are needed
- Set appropriate `Limit` for inline configurations
- Add a descriptive `Description`
- Document the configuration's purpose and users
View Design Security
When designing database views:
View Design Checklist:
- [ ] Include only columns actually needed
- [ ] Exclude sensitive fields:
  - comments / work_notes
  - u_sensitive_* custom fields
  - credentials / passwords
  - internal cost / financial data
- [ ] Consider View Fields for additional restriction
- [ ] Document the view's purpose
Query Security
For API Consumers
Educate API consumers on secure query practices:
# Efficient and secure
encodedQuery: base_sys_id=abc123def456...
encodedQuery: base_nameSTARTSWITHwebserver
encodedQuery: base_install_status=1
# Avoid when possible (if enabled)
encodedQuery: base_nameLIKE%server% # Performance impact
encodedQuery: base_nameENDSWITHprod # Performance impact
For Administrators
- Keep Restrict Encoded Query enabled - Disable only when necessary
- Use View Filters for complex queries - They're not restricted
- Monitor query patterns - Watch for abuse
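As an added example (not code from the Squid project), the operator rules above written as a server-side JavaScript validator: `^NQ` is always rejected, and with Restrict Encoded Query on only an allowlist of operators passes. The allowlist and the expensive-operator list are assumptions, since this page does not state the exact sets Squid enforces; the same check covers the Query Validation Tests listed under Security Testing.

```javascript
// Added example, not Squid's own code: parses a ServiceNow encoded query and
// applies the rules from this page. `^NQ` is always rejected; with Restrict
// Encoded Query on, only an allowlist of operators passes. The allowlist and
// the "expensive operator" set are assumptions, not Squid's documented sets.

// Field name (assumed lowercase/underscore/dotted), operator, value. The field
// part is lazy so the first recognised operator wins, which keeps values such
// as "wINdows" from being split on the operator inside them.
const CONDITION = /^([a-z0-9_.]+?)(ISNOTEMPTY|ISEMPTY|STARTSWITH|ENDSWITH|NOT LIKE|LIKE|NOT IN|IN|!=|>=|<=|=|>|<)(.*)$/;

const DEFAULT_POLICY = {
  restrictEncodedQuery: true,
  allowedOperators: ['=', '!=', 'STARTSWITH', 'IN', 'ISEMPTY', 'ISNOTEMPTY'], // assumed
  slowOperators: ['LIKE', 'NOT LIKE', 'ENDSWITH'],   // warned about, per the page
};

// Splits "a=1^ORb=2^NQc=3^EQ" into conditions tagged with their conjunction.
function parseEncodedQuery(query) {
  const conditions = [];
  const errors = [];
  for (const raw of query.split('^')) {
    let text = raw;
    let conjunction = 'AND';
    if (text === '' || text === 'EQ') continue;               // terminator / empty
    if (text.startsWith('OR')) { conjunction = 'OR'; text = text.slice(2); }
    else if (text.startsWith('NQ')) { conjunction = 'NQ'; text = text.slice(2); }
    const m = CONDITION.exec(text);
    if (!m) { errors.push(`unparseable condition: ${raw}`); continue; }
    conditions.push({ conjunction, field: m[1], operator: m[2], value: m[3] });
  }
  return { conditions, errors };
}

// Returns { allowed, violations, warnings }; anything in violations blocks the request.
function validateEncodedQuery(query, policy = DEFAULT_POLICY) {
  const { conditions, errors } = parseEncodedQuery(query);
  const violations = errors.slice();
  const warnings = [];
  for (const c of conditions) {
    if (c.conjunction === 'NQ') violations.push(`^NQ is never allowed (before ${c.field})`);
    if (policy.restrictEncodedQuery && !policy.allowedOperators.includes(c.operator)) {
      violations.push(`operator ${c.operator} not permitted on ${c.field}`);
    } else if (policy.slowOperators.includes(c.operator)) {
      warnings.push(`operator ${c.operator} on ${c.field} is expensive`);
    }
  }
  return { allowed: violations.length === 0, violations, warnings };
}
```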
Network Security
TLS/HTTPS
All Squid communication should use HTTPS (ServiceNow default):
- Verify certificate validity
- Use TLS 1.2 or higher
- Disable insecure cipher suites (ServiceNow configuration)
IP Restrictions
Consider restricting API access by source IP:
- Identify IP ranges of legitimate clients
- Configure ServiceNow IP access rules
- Monitor for access from unexpected IPs
API Gateway
For additional control, consider fronting Squid with an API gateway:
Client → API Gateway → ServiceNow (Squid)

The gateway layer provides:
- Rate limiting
- IP filtering
- Logging
Monitoring and Alerting
Critical Alerts
Configure alerts for:
| Event | Threshold | Priority |
|---|---|---|
| Authentication failures | 5 in 5 minutes | High |
| Forbidden operator detected | Any | High |
| Unusual data volume | 2x baseline | Medium |
| After-hours access | Any (configurable) | Low |
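As an added example (not part of Squid), the alert thresholds from the table above evaluated over constructed access-log records; the record fields and the 08:00 to 18:00 UTC business-hours window are assumptions.

```javascript
// Added example, not Squid's own code: applies the thresholds from the table
// above to constructed access-log records. The record shape ({ time, account,
// event, rows, detail }) and the business-hours window are assumptions.
const DEFAULT_OPTIONS = {
  authFailureThreshold: 5, authFailureWindowMs: 5 * 60 * 1000, volumeMultiplier: 2,
  businessHoursUtc: { start: 8, end: 18 },   // after-hours = outside [start, end)
};
// Returns [{ priority, rule, account, detail }] for every rule that fires.
function evaluateAlerts(records, baselineRowsByAccount, options = DEFAULT_OPTIONS) {
  const alerts = [];
  const failures = new Map();                 // account -> [timestamp ms]
  const alert = (priority, rule, account, detail) => alerts.push({ priority, rule, account, detail });
  for (const r of records) {
    const ts = Date.parse(r.time);
    if (r.event === 'auth_failure') {
      failures.set(r.account, [...(failures.get(r.account) || []), ts]);
    } else if (r.event === 'forbidden_operator') {
      alert('High', 'Forbidden operator detected', r.account, r.detail);
    } else if (r.event === 'query') {
      const baseline = baselineRowsByAccount[r.account];
      if (baseline !== undefined && r.rows > options.volumeMultiplier * baseline) {
        alert('Medium', 'Unusual data volume', r.account, `${r.rows} rows vs baseline ${baseline}`);
      }
      const hour = new Date(ts).getUTCHours();
      if (hour < options.businessHoursUtc.start || hour >= options.businessHoursUtc.end) {
        alert('Low', 'After-hours access', r.account, r.time);
      }
    }
  }
  // Sliding window: any run of N failures whose first and last lie within the window.
  const n = options.authFailureThreshold;
  for (const [account, times] of failures) {
    times.sort((a, b) => a - b);
    if (times.some((t, i) => i + n <= times.length && times[i + n - 1] - t <= options.authFailureWindowMs)) {
      alert('High', 'Authentication failures', account, `${n} failures within ${options.authFailureWindowMs / 60000} minutes`);
    }
  }
  return alerts;
}
// Constructed sample: five failures in four minutes, one forbidden operator, and
// one oversized after-hours export, all against a 5000-row baseline.
const SAMPLE_RECORDS = [
  ...['10:00', '10:01', '10:02', '10:03', '10:04'].map((t) =>
    ({ time: `2024-05-06T${t}:00Z`, account: 'squid_cmdb_export_monitoring', event: 'auth_failure' })),
  { time: '2024-05-06T10:30:00Z', account: 'squid_cmdb_export_monitoring', event: 'forbidden_operator', detail: '^NQ' },
  { time: '2024-05-07T03:15:00Z', account: 'squid_cmdb_export_monitoring', event: 'query', rows: 12000 },
];
const SAMPLE_BASELINE = { squid_cmdb_export_monitoring: 5000 };
function sampleAlerts() { return evaluateAlerts(SAMPLE_RECORDS, SAMPLE_BASELINE); }
```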
Regular Reviews
| Review | Frequency | Focus |
|---|---|---|
| Access logs | Daily | Anomalies, failures |
| Service account usage | Weekly | Unexpected patterns |
| Configuration changes | Weekly | Unauthorized modifications |
| Role assignments | Monthly | Appropriate access |
| Service account audit | Quarterly | Still needed, proper owner |
Incident Response
Suspected Unauthorized Access
- Contain: Disable affected service account
- Investigate: Review logs for scope
- Remediate: Rotate credentials, patch vulnerability
- Document: Record incident and response
Data Exposure
- Assess: What data was potentially accessed?
- Contain: Restrict access immediately
- Investigate: How was access obtained?
- Notify: Inform stakeholders per policy
- Remediate: Fix vulnerability
Compliance Considerations
Data Classification
Map configurations to data sensitivity:
High Sensitivity:
- Configurations accessing PII
- Financial data exports
- Credentials or security data
Protections:
- Strict role requirements
- Enhanced logging
- Regular access reviews
Medium Sensitivity:
- General CMDB data
- Asset information
Protections:
- Standard role requirements
- Normal logging
Low Sensitivity:
- Reference data
- Non-identifying metadata
Protections:
- Basic access control
Audit Trail Requirements
For regulated environments:
- Enable INFO-level logging
- Retain logs per compliance requirements
- Ensure logs capture:
- Who accessed what
- When access occurred
- What query was used
- How much data was returned
Access Certification
Implement periodic access reviews:
Access Certification Process:
1. Export list of service accounts with Squid roles
2. Send to account owners for certification
3. Owner confirms: Still needed? Access appropriate?
4. Remediate: Remove unnecessary access
5. Document: Record certification results

Frequency: Quarterly or per compliance requirements
Security Testing
Regular Testing
| Test | Frequency | Method |
|---|---|---|
| Authentication enforcement | Monthly | Attempt access without role |
| Authorization enforcement | Monthly | Attempt access to restricted config |
| Query validation | Monthly | Attempt forbidden operators |
| View restriction | Quarterly | Verify only expected columns returned |
Testing Checklist
Authentication Tests:
- [ ] Access denied without rest role
- [ ] Access denied with expired session
- [ ] Admin override works correctly
Authorization Tests:
- [ ] Config access denied without required role
- [ ] Config access granted with required role
- [ ] Relations blocked when restricted
Query Validation Tests:
- [ ] ^NQ operator blocked
- [ ] LIKE operator blocked (if restricted)
- [ ] Valid operators work correctly
Data Access Tests:
- [ ] Only view columns returned
- [ ] View filter enforced
- [ ] User filter applied correctly
Summary Checklist
Before Production Deployment
- `allowAclOverride` set to `true`
- Service accounts created (not personal accounts)
- Roles assigned appropriately
- Configurations reviewed for sensitive data
- View filters configured where needed
- Relations restrictions set where needed
- Logging enabled at appropriate level
- Monitoring and alerting configured
- Documentation completed
Ongoing Operations
- Regular access reviews conducted
- Logs monitored for anomalies
- Credentials rotated on schedule
- Security testing performed
- Configurations audited for changes
- Incident response plan tested
Related Topics
- Security Overview - Security architecture summary
- Authentication - Service account setup
- Authorization - Role configuration
- Auditing - Monitoring setup