Freshservice Hardening Guide
ITSM security for API tokens, CMDB access, and change management controls
Overview
Freshservice is an IT service management (ITSM) platform handling IT tickets, asset management, and change management. REST API, OAuth apps, and Freshworks Marketplace integrations access IT infrastructure data. Compromised access exposes asset inventory, configuration data, and potentially privileged access workflows.
Intended Audience
- Security engineers managing ITSM platforms
- Freshservice administrators
- GRC professionals assessing IT service security
- Third-party risk managers evaluating ITSM integrations
Table of Contents
1. Authentication & Access Controls
1.1 Enforce SSO with MFA
Profile Level: L1 (Baseline) NIST 800-53: IA-2(1)
ClickOps Implementation
Step 1: Configure SAML SSO
- Navigate to: Admin → Security → Single sign-on
- Configure SAML IdP
- Enable: Login with SSO only
Step 2: Enable 2FA
- Navigate to: Admin → Security
- Enable: Two-factor authentication
- Require for all agents
1.2 Role-Based Access
Profile Level: L1 (Baseline) NIST 800-53: AC-3, AC-6
ClickOps Implementation
Step 1: Define Roles
| Role | Permissions |
|---|---|
| Admin | Full access |
| SD Agent | Service desk functions |
| Asset Manager | CMDB access |
| Change Manager | Change management |
| Requester | Submit tickets only |
Step 2: Configure Agent Roles
- Navigate to: Admin → Agent Roles
- Create custom roles
- Assign minimum permissions
2. API Security
2.1 Secure API Keys
Profile Level: L1 (Baseline) NIST 800-53: IA-5
Description
Manage Freshservice API keys securely.
Rationale
Attack Scenario: Compromised API key exports CMDB; asset inventory and configuration data enable targeted attacks on infrastructure.
ClickOps Implementation
Step 1: Audit API Keys
- Navigate to: Profile → API Key
- Each agent has unique key
- Limit who needs API access
Step 2: Key Management
- Regenerate keys when agents leave
- Use dedicated integration accounts
- Monitor API usage
2.2 OAuth App Security
Profile Level: L1 (Baseline) NIST 800-53: CM-7
ClickOps Implementation
Step 1: Review Connected Apps
- Navigate to: Admin → Apps → Installed Apps
- Review all apps
- Remove unused integrations
3. Data Security
3.1 Protect Asset Data
Profile Level: L1 (Baseline) NIST 800-53: SC-28
ClickOps Implementation
Step 1: Configure CMDB Access
- Navigate to: Admin → Asset Management
- Limit CMDB visibility
- Restrict sensitive asset types
Step 2: Ticket Security
- Configure ticket visibility
- Limit agent group access
- Protect sensitive tickets
3.2 Change Management Security
Profile Level: L2 (Hardened) NIST 800-53: CM-3
ClickOps Implementation
Step 1: Approval Workflows
- Navigate to: Admin → Workflow Automator
- Require CAB approval
- Configure emergency change process
4. Monitoring & Detection
4.1 Audit Logs
Profile Level: L1 (Baseline) NIST 800-53: AU-2, AU-3
ClickOps Implementation
Step 1: Access Audit Logs
- Navigate to: Admin → Audit Logs
- Review agent activities
- Monitor configuration changes
Detection Focus
-- Detect bulk asset exports
SELECT agent_email, export_type, record_count
FROM freshservice_audit
WHERE action = 'export'
AND module = 'asset'
AND record_count > 100;
-- Detect unusual API activity
SELECT api_key, endpoint, COUNT(*) as calls
FROM api_log
WHERE timestamp > NOW() - INTERVAL '1 hour'
GROUP BY api_key, endpoint
HAVING COUNT(*) > 500;
Appendix A: Edition Compatibility
| Control | Starter | Growth | Pro | Enterprise |
|---|---|---|---|---|
| SAML SSO | ❌ | ✅ | ✅ | ✅ |
| Custom Roles | ❌ | ❌ | ✅ | ✅ |
| Audit Logs | ❌ | ❌ | ✅ | ✅ |
| IP Restrictions | ❌ | ❌ | ❌ | ✅ |
Changelog
| Date | Version | Maturity | Changes | Author |
|---|---|---|---|---|
| 2025-12-14 | 0.1.0 | draft | Initial Freshservice hardening guide | Claude Code (Opus 4.5) |