Trust and assurance

FAQ

How does Tenable protect my data?

Tenable은 모든 고객 데이터의 기밀성, 무결성 및 가용성을 보호하기 위해 노력합니다. Tenable Vulnerability Management 데이터는 전송 중에 암호화되고 TLS 암호화를 사용하여 저장됩니다. 애플리케이션 인프라 계층에는 AES-256 암호화가 적용됩니다.

Tenable 클라우드 플랫폼은 격리된 프라이빗 네트워크에 구축되고 여러 네트워크 지점에서 컨테이너 격리, 인바운드/내부 트래픽 제한과 트래픽 속도, 소스 및 유형 모니터링과 같은 여러 네트워크 컨트롤을 사용합니다.

Tenable also implements multiple access controls to help customers control data access and performs frequent vulnerability, docker container and web application scans to conduct periodic security assessments.

For detailed descriptions of the applied security measures, review the Data Security and Privacy data sheet.

Which customer data does Tenable Vulnerability Management manage?

Tenable Vulnerability Management에서 관리하는 고객 데이터에는 궁극적으로 고객이 환경의 보안을 유지하기 위해 자산과 취약성을 관리할 때 탁월한 경험을 제공하는 하나의 목적이 있습니다. 이를 위해 Tenable Vulnerability Management는 3개 범주의 고객 데이터를 관리합니다:

1. 자산 및 취약성 데이터
2. 환경 성능 데이터
3. 고객 사용 데이터

Which customer asset and vulnerability data does Tenable Vulnerability Management manage?

Tenable Vulnerability Management는 고객의 네트워크에 자신을 인벤토리로 유지하며 IP 주소, MAC 주소, NetBIOS 이름, 운영 시스템 및 버전, 활성 포트 등을 포함할 수 있는 자산 특성을 관리합니다.

Tenable Vulnerability Management collects detailed current and historical vulnerability and configuration data, which may include criticality, exploitability and remediation status and network activity. Additionally, if customers enhance Tenable Vulnerability Management data with integrations to third-party products, such as asset management systems and patch management systems, Tenable Vulnerabilty Management may manage data from those products.

Tenable에서 고객 데이터를 분석하거나 사용합니까?

Tenable anonymizes and analyzes customer data for the purpose of determining trends in the industry, trends in vulnerability growth and mitigation, and trends in security events. For example, correlating the presence of a vulnerability with its exploitation has enormous benefits to Tenable customers. The data collected in our cloud does not include scan data that contains PII or personal data. Data that could potentially identify a customer is anonymized before being ingested into our analytics platform via a one-way salted hash using SHA-256. Additional benefits of Tenable’s data analysis include advanced analytics and improved correlation of customer data with industry and security events and trends. Collecting and analyzing such data also allows customers to baseline themselves against others in the industry or overall. Tenable provides a method for customers to opt out if desired.

고객은 상태 데이터 수집에서 옵트아웃할 수 있습니까?

Tenable Vulnerability Management 성능과 가용성을 유지하고 가능한 최고의 사용자 경험을 제공하기 위해 Tenable Vulnerability Management는 고객별 애플리케이션 상태 및 상태 정보를 수집합니다. 여기에는 스캐너가 플랫폼과 통신하는 빈도, 스캔된 자산 수 및 배포된 소프트웨어 버전 및 최대한 빨리 잠재적인 문제를 식별하고 해결하기 위한 기타 일반적인 원격 측정이 포함됩니다.

Tenable은 상태 데이터를 사용하여 잠재적인 문제를 적시에 탐지하고 해결하여 SLA 의무를 유지합니다. 따라서 고객은 이 데이터 수집에서 옵트아웃할 수 없습니다.

Which usage data does Tenable Vulnerability Management collect?

To evaluate and improve customer experience, Tenable collects anonymized user usage data. This data includes page access, clicks and other user activity that give the user a voice into streamlining and improving the user experience.

사용자는 사용 데이터 수집에서 옵트아웃할 수 있습니까?

Yes. A customer can request their container no longer be part of the collection process.

Where is customer data stored?

Tenable uses data centers and services from Amazon Web Services (AWS) to provide and deliver Tenable Vulnerability Management to customers. Collection and processing of customer scan data occurs inside the Tenable cloud platform within the geographic region where the customer’s account is hosted, unless the customer explicitly selects a different geographic region for the data to reside. 현재 위치는 다음과 같습니다.

• 미국 동부
• 미국 서부
• 미국 중부
• 런던
• 프랑크푸르트
• 시드니
• 싱가포르
• 캐나다
• 일본

Tenable will support additional countries in the future.

As all customer data is stored in secure, regional AWS services. The certifications for EU data protection that AWS maintains apply to the Tenable Cloud. More information is available at https://aws.amazon.com/compliance/eu-data-protection/.

고객이 데이터를 특정 위치/국가에 보관하도록 지정할 수 있습니까?

예. 데이터는 계정을 만들 때 선택한 국가에 저장됩니다.

어떻게 Tenable Vulnerability Management 내에서 고객 데이터를 보호합니까?

Tenable applies multiple security measures to deliver Tenable Vulnerability Management data security and privacy. For a detailed descriptions of the applied security measures, see the Data Security and Privacy data sheet.

Tenable은 어떻게 보안 개발을 수행합니까?

Comprehensive details can be found on the Data Security and Privacy data sheet.

Tenable has a dedicated cross-functional team that drives the Secure Software Development Lifecycle (SSDLC). To ship secure, high quality products at pace, Tenable leverages automated security testing to identify any potential vulnerabilities within source code, dependencies and underlying infrastructure before releasing to our customers. Tenable utilizes static application security testing (SAST), dependency and third-party library scanning, dynamic application security testing (DAST), and vulnerability testing on container images. Strict scoring criteria is adhered to and is enforced throughout the development process.

Which customer application security is available?

Tenable provides a number of mechanisms to help customers keep their data secure and control access, including:

• Data is encrypted in transit and in storage with AES-256 and TLS Encryption ciphers. Encryption keys are stored securely and access is limited. Encryption is applied to various application infrastructure layers and sharing of keys is prohibited.
• Tenable protects against brute-force attacks by locking accounts out after five (5) failed login attempts.
• Customers can configure two-factor authentication through services provided by Twillo.
• Customers can integrate Tenable Vulnerability Management with their SAML deployment. Tenable Vulnerability Management supports both IdP and SP initiated requests. Lastly, users can reset their password directly inside the application using their email address.
• Customers can build custom connections to Tenable Vulnerability Management using our documented APIs or SDKs. Access can be granted and controlled by the creation of specific APIs “keys.” 사용자 자격 증명을 공유하지 않아도 각기 다른 통합에 다른 키를 사용하는 것이 지원됩니다.
• The data collected in our cloud does not include any scan data containing PII or personal data. Data that could potentially identify a customer is anonymized via a one-way salted hash using SHA-256
• To protect from data interceptions, all communication to the platform is encrypted via SSL (TLS-1.2). Further, older insecure SSL negotiations are rejected to ensure the highest level of protection.

데이터는 어떻게 암호화됩니까?

All data in all states in the Tenable Vulnerability Management platform is encrypted with at least one level of encryption, using AES-256 and TLS encryption ciphers.

At Rest: Data is stored on encrypted media using at least one level of AES-256 encryption.

일부 데이터 클래스는 파일당 암호화의 두 번째 수준을 포함합니다.

In Transport: Data is encrypted in transport using TLS v1.2 with a 4096-bit key (this includes internal transports).

Tenable Vulnerability Management Sensor Communication: Traffic from sensors to the platform is always initiated by the sensor and is outbound-only over port 443. 트래픽은 4096비트 키의 TLS 1.2를 사용하여 SSL 통신을 통해 암호화합니다. 따라서 방화벽을 변경할 필요가 없으며 고객은 방화벽 규칙을 통해 연결을 제어할 수 있습니다.

• 스캐너-플랫폼 인증
• The platform generates a random key of 256 bit length for each scanner connected to the container and passes that key to the scanner during the linking process.
• Scanners use this key to authenticate back to the controller when requesting jobs, plugin updates and updates to the scanner binary.
• 스캐너-플랫폼 작업 통신
• Scanners contact the platform every 30 seconds.
• If there is a job, the platform generates a random key of 128-bits.
• The scanner requests the policy from the platform.
• The controller uses the key to encrypt the policy, which includes the credentials to be used during the scan.

In Backups/Replication: Volume snapshots and data replicas are stored with the same level of encryption as their source, no less than AES-256. All replication is done via the provider. Tenable does not back up any data to physical off-site media or physical systems.

In Indexes: Index data is stored on encrypted media using at least one level of AES-256 encryption.

Scan Credentials: Are stored inside of a policy that is encrypted within the container’s AES-256 global key. When scans are launched, the policy is encrypted with a one-use random 128-bit key and transported using TLS v1.2 with a 4096-bit key.

Key Management: Keys are stored centrally, encrypted with a role-based key, and access is limited. All the encrypted data stored can be rotated to a new key. The Datafile encryption keys are different on each regional site, as are disk-level keys. Sharing of keys is prohibited and key management procedures are reviewed on a yearly basis.

고객이 자체 키를 업로드할 수 있습니까?

Key management is not customer configurable. Tenable manages keys and key rotation.

Tenable은 프라이버시 실드 또는 CSA STAR와 같은 개인 정보 보호 인증이나 보안 인증을 취득했습니까?

Tenable has received the following certifications:

• Cloud Security Alliance (CSA) STAR
• Privacy Shield Framework
• ISO 27001
• National Information Assurance Program (NIAP)
• FedRAMP authorization for Tenable Vulnerability Management and Tenable Web App Scanning

How does Tenable protect Personally Identifiable Information (PII)?

The Tenable Vulnerability Management platform makes every effort not to collect PII data types in a format that would require additional certifications or security measures. The data collected in our cloud does not include any scan data that contains PII or personal data. Data that could potentially identify a customer is anonymized before being ingested into our analytics platform via a one-way salted hash using SHA-256. 여기에는 신용 카드 번호, 사회 보장 번호 및 기타 사용자 지정 검사가 포함됩니다. Tenable 플러그인이 중요한 정보나 개인 정보를 포함할 수 있는 문자열을 캡처하는 경우, 플랫폼은 자동으로 문자의 최소 50%를 난독 처리하여 민감할 수 있는 데이터를 보호합니다.

고객 데이터는 분리됩니까?

Each customer’s data is marked with a “container ID” that corresponds to a specific customer subscription. This container ID assures access to a customer’s data is limited to only that customer.

Which security controls protect Tenable Vulnerability Management?

Tenable leverages its own solutions to conduct daily, weekly or monthly scans of all corporate laptops, infrastructure and cloud environments. All findings are analyzed, ticketed and tracked in accordance with the Tenable Vulnerability Management policy. Tenable’s vulnerability management program encompases authenticed, agent, web application and database scanning. In addition, the following controls are in place:

• 방화벽 및 네트워크 세분화를 통해 액세스를 제어합니다.
• Automated tools and processes monitor the Tenable Vulnerability Management platform for uptime, performance and to detect anomalous behavior.
• 로그는 자동화를 통해 연중무휴 모니터링하며 Tenable 직원은 연중무휴로 이벤트에 응답할 수 있습니다.
• Third-party penetration tests of our applications, services and businesses as a whole.
• Tenable leverages a vulnerability report board to receive and respond to any weakness or vulnerabilities identified from the broad security researcher community. As identified reports are triaged and responded to, Tenable releases security advisories for the benefit of customers, prospects and the wider community.
• Tenable reviews every third-party vendor through a rigorous risk management program.

어떻게 Tenable Vulnerability Management 센서의 보안을 유지합니까?

플랫폼에 연결되는 센서는 고객의 보안, 취약성 및 자산 정보 수집에 중요한 역할을 합니다. Protecting this data and ensuring the communication paths are secure is a core function of Tenable Vulnerability Management. Tenable Vulnerability Management supports several sensors today: Nessus vulnerability scanners, passive scanners and Nessus Agents.

이런 sensors는 암호화로 인증하고 Tenable Vulnerability Management에 연결한 후에 Tenable Vulnerability Management 플랫폼에 연결됩니다. 연결되었으면 Tenable Vulnerability Management는 모든 업데이트(플러그인, 코드 등)를 관리하여 센서가 항상 최신인지 확인합니다.

센서에서 플랫폼으로 향하는 트래픽은 항상 센서에 의해 시작되며 포트 443을 통한 아웃바운드 전용입니다. 트래픽은 4096비트 키의 TLS 1.2를 사용하여 SSL 통신을 통해 암호화합니다. 따라서 방화벽을 변경할 필요가 없으며 고객은 방화벽 규칙을 통해 연결을 제어할 수 있습니다.

• 스캐너-플랫폼 인증
• The platform generates a random key of 256 bit length for each scanner connected to the container and passes that key to the scanner during the linking process.
• Scanners use this key to authenticate back to the controller when requesting jobs, plugin updates and updates to the scanner binary.
• 스캐너-플랫폼 작업 통신
• Scanners contact the platform every 30 seconds.
• If there is a job, the platform generates a random key of 128-bits.
• The scanner requests the policy from the platform.
• The controller uses the key to encrypt the policy, which includes the credentials to be used during the scan.

어떻게 Tenable Vulnerability Management의 가용성을 관리합니까?

The Tenable Vulnerability Management services strive to provide a 99.95% or better uptime, and have delivered 100% uptime on the majority of services. Tenable has published an SLA that describes our commitment to ensure the platform is available to all users and how we credit customers in the event of unplanned downtime.

“Up” status is determined simply by public availability tests hosted by a third party that regularly tests the availability of all services. The uptime for services (both current and historical) is available at https://status.tenable.com/.

Tenable Vulnerability Management makes extensive use of the AWS platform and other leading technologies to ensure our customers experience the best possible service and overall quality. Below is a partial list of the solutions deployed and benefits to customers:

• Elasticsearch Clusters: Elasticsearch clusters are highly available and can recover from the loss of master nodes, lb nodes and at least one (1) data node, without impacting service availability.
• Elastic Block Stores: Used to take daily snapshots and store eight (8) copies
• Kafka 에코시스템: Kafka 및 Zookeeper는 모두 클러스터 전반에서 데이터를 복제하여 노드에 재난적 장애 중에도 장애 복구를 제공합니다.
• Postgres Instances: Manage the back end microservice framework to keep 30 days of snapshots

데이터는 어디에 복제됩니까?

복제된 데이터는 동일한 리전 내에 저장합니다.

Which disaster recovery capabilities are in place?

재해란 하나 이상의 리전에서 복구할 수 없는 데이터 또는 장비의 손실이 발생하는 이벤트입니다.

Tenable Vulnerability Management 재난 복구 절차에는 여러 레벨이 있으며 5년에 한 번에서 50년에 한 번 발생할 수 있는 상황에 대응하도록 설계되었습니다. 재해의 범위에 따라, 복구 절차에 걸리는 시간은 60분에서 24시간까지 다릅니다.

누가 고객 데이터에 액세스할 수 있습니까?

고객은 직원에게 역할과 권한을 할당하고 Tenable 지원 팀 직원에게 임시로 액세스 권한을 부여하는 등 데이터에 대한 액세스 권한을 갖는 사용자를 제어할 수 있습니다.

사용자 역할 및 권한은 어떻게 관리합니까?

Tenable Vulnerability Management customer administrators can assign user roles (basic, scan operator, standard, scan manager, administrator and disabled) to manage permissions for major functions in Tenable Vulnerability Management such as access to scans, policies, scanners, agents and asset lists. Customers can also assign access groups to allow groups in their organization to view specific assets and related vulnerabilities in aggregated scan results and to run scans against specific targets and view individual scan results.

Tenable 직원은 고객 데이터에 액세스할 수 있습니까?

예. Tenable Technical Support restricts the Tenable Vulnerability Management impersonation privilege to a subset of authorized senior roles. With customer permission, authorized senior members of Tenable’s global support staff can impersonate user accounts, which allows them to perform operations in Tenable Vulnerability Management as another user without needing to obtain that user's password.

Tenable 지원 팀 직원 또는 고객은 이 기능을 활성화할 것을 요청할 수 있습니다. If Tenable Technical Support needs to impersonate a Tenable Vulnerability Management user, a ticket is opened and tracked until closure. Technical Support will send an email to the customer after identifying the business need to impersonate. The customer is required to confirm via email that Technical Support is approved to impersonate the user. Technical Support will not impersonate the user until approval is received from the customer. 지원 팀에 로그된 모든 문제에 대해 권한이 부여되어야 합니다. Approvals are tracked within the initial ticket. Tenable은 어떤 경우에도 모든 문제에 대한 "승인"에 따라 운영하지 않습니다.

Tenable에는 채용 및 고용 종료 프로세스가 규정되어 있습니다. 모든 직원은 채용의 일부분으로 기밀유지 계약에 서명해야 하며 고용 종료 시 모든 계정과 액세스 키가 즉시 철회됩니다.All Tenable Vulnerability Management operations staff are also required to pass a third-party background check.

누가 가장 기능을 사용할 수 있습니까?

Only the account administrator and authorized Tenable senior support staff members are allowed to use the impersonate function. All accounts with the ability to perform impersonations require two-factor authentication for security purposes. Tenable audits impersonations internally and each customer can also audit impersonations performed to their account. All impersonations are logged in audit logs, and all Tenable Vulnerability Management customers can audit impersonations through the API. Tenable documents how to pull the audit logs in the following public document, https://developer.tenable.com/reference#audit-log. Please note that there is an automated account, ([email protected]), that may show at times in these audit logs.

Tenable이 기술적인 문제를 해결할 때 데이터가 해당 국가 밖으로 나가게 됩니까?

Tenable is making every effort to ensure that customer data is protected and we ensure that their policies are being followed by working with customers to ensure data remains in the region required. However, user impersonation may result in data leaving the primary location. There are instances where cases need to use the Follow-the-Sun process when casework needs to continue beyond local business hours. There are also instances where customers could email a report to Tenable or otherwise break their own policy by emailing outside of their region.

For customers using a FedRamp authorized Tenable product, this data always stays within the U.S.

Tenable 지원 팀 직원은 고객의 내부 네트워크에 대한 액세스 권한을 갖게 됩니까?

No. All traffic is initiated by the scanner and is outbound only. The scanners are installed behind the customer’s firewall and customers can control access of the scanners via their firewall.

What is the Tenable Vulnerability Management Data Retention Policy?

The data retention policy for Tenable Vulnerability Management and other Tenable-hosted products is 12 months of retention for existing customers. For customers that terminate a product subscription, customer data will be retained for 30 days from the termination date. Tenable’s data retention policy with respect to PCI scans matches then-current requirements set forth by the PCI Security Standards Council.

액티브 스캔 데이터는 얼마 동안 유지됩니까?

The ability to measure progress over time is a core function of the Tenable Vulnerability Management platform. Tenable Vulnerability Management will automatically store customer data for 12 months to allow customers to report over a one (1) year period of time.

고객이 Tenable Vulnerability Management 서비스를 중단하는 경우 얼마나 오래 데이터를 유지합니까?

Should a customer's account expire or terminate, Tenable will retain the data, as it was at the time of expiration, for no more than 30 days. After that time, this data may be deleted and cannot be recovered.

PCI 관련 데이터는 얼마 동안 유지됩니까?

Data involved in a PCI compliance validation process is not deleted until at least three years after the date of the PCI attestation, as required by PCI regulations. Tenable retains this data for this time period, even if the customer chooses to delete their scans or account or terminates their Tenable Vulnerability Management service.

Tenable Vulnerability Management 사용 데이터를 얼마나 오래 유지합니까?

To ensure the best possible experience, Tenable collects this information as long as a customer container remains active. Once a customer discontinues the service, the data will be retained for no more than 30 days.

Tenable Vulnerability Management에는 Common Criteria 인증이 있습니까?

Common Criteria certification is generally not applied to a SaaS solution, as the frequency of updates does not lend itself to a certification process that takes six to nine (6-9) months to complete. Tenable has achieved Common Criteria certification for Tenable Security Center, Nessus Manager, Nessus Agents and Log Correlation Engine (LCE).