Tenable Cloud Platform Data
Data Isolation
Data is logically isolated from other customers' data in the Tenable Cloud Platform. Data integrity is not affected by other platform users.
Data Encryption
All data in the Tenable Cloud Platform is encrypted with at least one level of AES-256 encryption.
At Rest — Data is stored on encrypted media using at least one level of AES-256 encryption. Some data classes include a second level of per-file encryption.
In Transport — Data is encrypted using TLS v1.2 with a 4096-bit key, including internal transports.
Sensor Communication — Traffic is always initiated by the sensor and is outbound only over port 443. Traffic is encrypted with TLS 1.2 and a 4096-bit key. This removes the need for firewall changes and lets you control connections through firewall rules.
- Scanner-to-platform authentication:
  - The platform generates a random 256-bit key for each scanner connected to the container and passes that key to the scanner during the linking process.
  - Scanners use this key to authenticate back to the controller when requesting jobs, plugin updates, and updates to the scanner binary.
- Scanner-to-platform job communication:
  - Unless congestion is observed, scanners contact the platform every 30 seconds.
  - If there's a job, the platform generates a random 128-bit key.
  - The scanner requests the policy from the platform.
  - The controller uses the key to encrypt the policy, which includes the credentials to be used during the scan.
In Backups and Replication — Volume snapshots and data replicas are stored with the same level of encryption as their source, no less than AES-256. All replication is done through the provider. Tenable doesn't back up any data to physical off-site media or physical systems.
In Indexes — Index data is stored on encrypted media using at least one level of AES-256 encryption.
Scan Credentials — Scan credentials are stored inside a policy that is encrypted within the container's AES-256 global key. When scans are launched, the policy is encrypted with a one-use random 128-bit key and transported using TLS v1.2 with a 4096-bit key.
Key Management — Keys are stored centrally, encrypted with a role-based key, and access is limited. All encrypted data can be rotated to a new key. Encryption keys for data files differ on each regional site, as do the disk-level keys. Sharing keys is prohibited, and key management procedures are reviewed annually.
For more information, see How Tenable Encrypts Data.
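The scanner exchange described under Sensor Communication and Scan Credentials (a per-scanner random 256-bit key issued at link time and used to authenticate later requests, then a one-use random 128-bit key under which the policy carrying the scan credentials is encrypted) as an added model in Go. This is example code written for this page, not Tenable's implementation: HMAC-SHA256 for the poll authentication tag, AES-128-GCM for the policy, the names Platform, Link, QueueJob, Poll, SignPoll and OpenPolicy, and the sample policy are all assumptions of this example, and the TLS channel the page describes is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Platform models the cloud side: the 256-bit linking key issued to each
// scanner and the policies queued for pickup (names are this model's own).
type Platform struct {
	linkKeys map[string][]byte // scanner ID -> 256-bit key issued at link time
	pending  map[string][]byte // scanner ID -> plaintext policy awaiting a poll
}

func NewPlatform() *Platform {
	return &Platform{linkKeys: map[string][]byte{}, pending: map[string][]byte{}}
}

// Link draws the random 256-bit key for a scanner and keeps a copy to verify later polls.
func (p *Platform) Link(scannerID string) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	p.linkKeys[scannerID] = key
	return key, nil
}

func (p *Platform) QueueJob(scannerID string, policy []byte) { p.pending[scannerID] = policy }

// Job is the reply to a poll with work queued: a one-use 128-bit key and the
// policy (which carries the scan credentials) sealed under it.
type Job struct{ Key, Nonce, Ciphertext []byte }

// SignPoll is the scanner's authentication tag on a poll, keyed by its linking key (HMAC-SHA256 assumed).
func SignPoll(linkKey []byte, scannerID string) []byte {
	mac := hmac.New(sha256.New, linkKey)
	mac.Write([]byte("poll:" + scannerID))
	return mac.Sum(nil)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Poll is the periodic check-in. A tag that doesn't verify is refused; with nothing
// queued it returns (nil, nil); otherwise a fresh 128-bit key is drawn and the policy
// is encrypted under it (AES-128-GCM is this model's choice).
func (p *Platform) Poll(scannerID string, tag []byte) (*Job, error) {
	linkKey, ok := p.linkKeys[scannerID]
	if !ok || !hmac.Equal(tag, SignPoll(linkKey, scannerID)) {
		return nil, fmt.Errorf("poll from %q refused: unknown scanner or bad tag", scannerID)
	}
	policy, ok := p.pending[scannerID]
	if !ok {
		return nil, nil
	}
	delete(p.pending, scannerID) // consumed: the key below serves this job only
	buf := make([]byte, 28)      // 16-byte key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	aead, err := gcmFor(buf[:16])
	if err != nil {
		return nil, err
	}
	return &Job{Key: buf[:16], Nonce: buf[16:], Ciphertext: aead.Seal(nil, buf[16:], policy, []byte(scannerID))}, nil
}

// OpenPolicy is the scanner side: recover the policy with the one-use key.
func OpenPolicy(scannerID string, job *Job) ([]byte, error) {
	aead, err := gcmFor(job.Key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, job.Nonce, job.Ciphertext, []byte(scannerID))
}

// RunExchange drives one link/poll/decrypt cycle with a constructed policy.
func RunExchange() (string, error) {
	p := NewPlatform()
	linkKey, err := p.Link("scanner-01")
	if err != nil {
		return "", err
	}
	// Constructed sample policy; the credential value is a placeholder.
	p.QueueJob("scanner-01", []byte(`{"targets":"10.0.0.0/24","ssh_user":"svc-scan","ssh_pass":"PLACEHOLDER"}`))
	job, err := p.Poll("scanner-01", SignPoll(linkKey, "scanner-01"))
	if err != nil {
		return "", err
	}
	plain, err := OpenPolicy("scanner-01", job)
	return string(plain), err
}
```

Two properties of the page's design show up directly in this model: a host that never went through linking holds no key that verifies, so it cannot obtain a job even if it can reach port 443, and the credentials inside the policy are sealed under a key that exists only for that one job, so they are never stored or sent in the clear on top of the transport encryption.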
Data Handling and Export
Data is kept in the region where your container is deployed. You can provision regional containers under a single license for multi-region requirements.
Data sent to the Tenable Cloud Platform is analyzed, indexed, and stored to provide functionality in the cloud. Data is ingested through Tenable Nessus scanners of all types, product-specific connectors, integrations, and APIs.
General Data Retention
- The default retention period for processed and indexed scan data is six months. Administrators can configure it for up to 15 months, though this isn't recommended. This setting is configured through the age-out time in the networks setting.
- Customer data is retained for up to 30 days after the expiration or termination of a product subscription.
- Raw data from individual scan results (ScanDB files) is retained for 45 days.
PCI Data Retention
Tenable's data retention policy for PCI scans matches the then-current requirements set forth by the PCI Security Standards Council. For more information, see the Tenable Master Agreement.