Tenable Cloud Platform Data

Data Isolation

Data is logically isolated from other customer data in the Tenable Cloud Platform. Data integrity is not affected by other platform users.

Data Encryption

All data in all states in the Tenable Cloud Platform is encrypted with at least one level of encryption, using no less than AES-256.

At Rest – Data is stored on encrypted media using at least one level of AES-256 encryption.

Some data classes include a second level of per-file encryption.

In Transport – Data is encrypted in transport using TLS v1.2 with a 4096-bit key (this includes internal transports).

Tenable Vulnerability Management Sensor Communication – Traffic from the sensors to the platform is always initiated by the sensor and is outbound only over port 443. Traffic is encrypted via SSL communication using TLS 1.2 with a 4096-bit key. This removes the need for firewall changes and allows customers to control the connections via firewall rules.

  • Scanner-to-platform authentication

    • The platform generates a random key of 256-bit length for each scanner connected to the container and passes that key to the scanner during the linking process

    • Scanners uses this key to authenticate back to the controller when requesting jobs, plugin updates, and updates to the scanner binary

  • Scanner-to-platform job communication

    • Unless congestion is observed, scanners contact the platform every 30 seconds.

    • If there is a job, the platform generates a random key of 128-bits

    • The scanner requests the policy from the platform

    • The controller uses the key to encrypt the policy, which includes the credentials to be used during the scan

In Backups / Replication – Volume snapshots and data replicas are stored with the same level of encryption as their source, no less than AES-256. All replication is done via the provider. Tenable does not back up any data to physical off-site media or physical systems.

In Indexes – Index data is stored on encrypted media using at least one level of AES-256 encryption.

Scan Credentials – Are stored inside of a policy which is encrypted within the container's AES-256 global key. When scans are launched, the policy is encrypted with a one-use random 128-bit key and transported using TLS v1.2 with a 4096-bit key.

Key Management – Keys are stored centrally, encrypted with a role-based key, and access is limited. All the encrypted data stored can be rotated to a new key. The datafile encryption keys are different on each regional site, as are the disk-level keys. Sharing of keys is prohibited, and key management procedures are reviewed on a yearly basis.

For more information, see How Tenable Encrypts Data.

Data Handling and Export

Data is kept in the region your container is deployed in. Customers may provision regional containers under a single license for multi-region requirements.

Data sent to the Tenable platform is analyzed, indexed and stored to provide functionality in the cloud. Data is ingested via Nessus Scanners of all types, product-specific connectors, integrations, and APIs. Additional details on current storage management and retention are below.

General Data Retention

  • The default retention period for processed and indexed scan data is six months. Although not recommended, administrators can configure it for up to 15 months. This is configured via age-out time in the networks setting.

  • Upon expiration or termination of a product subscription, customer data will be deleted. Currently, this data is retained for up to 30 days from the termination date.

  • Raw data from individual scan results (ScanDB files) is retained for 45 days.

PCI Data Retention

Tenable’s data retention policy concerning PCI scans will match then-current requirements set forth by the PCI Security Standards Council. Customers can also refer to the Tenable Master Agreement. (see Tenable Master Agreement).