Securely store and reuse the credentials you need to run network vulnerability scans that require authentication.

Important
  • This is a "Pre-release" feature and is not considered an official release. Please review the Pre-release disclaimer before using the feature.
  • Use of the Credential Vault requires the Network Vulnerability Scanner service version 1.1.3 or later. Update the service in Service Gateway Management.
The Credential Vault provides a central location for you to create and manage credential profiles for use with vulnerability scans in Network Vulnerability Scanner. Credential profiles contain all the authentication information necessary to sign in to a target network device during a vulnerability scan. You need authentication information when scanning devices that cannot have an agent installed, like routers or switches, or when scanning endpoints you do not want to manage directly.
After you configure and store a credential profile in the Credential Vault, you can select the profile when you create a new vulnerability scan. You do not have to specify the same information again, and other users can create new scans without knowing the actual authentication information.
Important
User accounts must have the Access Credential Vault permission under Cyber Risk Exposure Management > Vulnerability Management to use credential profiles and the Manage Credential Vault permission to create, modify, or delete credential profiles.
To ensure your sensitive authentication information is protected, Trend Vision One secures both credential profiles and authentication information specified in scans in the following ways:
  • Access control: Once a credential profile is configured and stored, no user can view the authentication information in clear text in the Trend Vision One console. Only users with the Manage Credential Vault permission can modify information in a credential profile.
  • End-to-end encryption during transmission: Authentication information sent between the Trend Vision One back end and the Network Vulnerability Scanner service is encrypted end to end. End-to-end encryption ensures no other component, even within Trend Vision One, can access the information.
  • Clear-text duration minimization: The Network Vulnerability Scanner service only retrieves stored authentication information when an associated scan starts. The back-end database briefly decrypts the information and re-encrypts it using the current Network Vulnerability Scanner key before transferring it to the service. After the scan completes, all retrieved authentication information is deleted; it is never stored by the service or in the Service Gateway.
  • Regular key rotation: All cryptography keys used when handling authentication information are rotated on a regular basis.
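The hand-off described in the last two bullets (decrypt at scan start, re-encrypt under the scanner's current key, delete after the scan, rotate keys regularly) is a general pattern, and the following Go program is an added illustrative model of it. It is not Trend Micro's code and does not describe how Trend Vision One implements the vault internally. Two key rings, one for the vault back end and one for the scanner service, each hold versioned AES-256-GCM keys; every ciphertext records the key version that sealed it, so a rotation on either side does not break records sealed earlier; the profile or scan ID is bound to the ciphertext as associated data so an envelope issued for one scan cannot be replayed for another; and both sides zero their plaintext copy as soon as it is no longer needed. All names (KeyRing, Envelope, HandOff, RunScan), the IDs profile-1 and scan-42, and the sample community string are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is an AES-256-GCM ciphertext tagged with the key version that sealed it.
type Envelope struct {
	KeyVersion        int
	Nonce, Ciphertext []byte
}

// KeyRing holds one party's keys; version n is keys[n-1] and the newest version seals new envelopes.
type KeyRing struct{ keys [][]byte }

func NewKeyRing() *KeyRing { return new(KeyRing).Rotate() }

// Rotate adds a fresh 256-bit key as the current version; older versions stay only to open older envelopes.
func (kr *KeyRing) Rotate() *KeyRing {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err) // no usable randomness is fatal, not something to work around
	}
	kr.keys = append(kr.keys, k)
	return kr
}

// aead returns the GCM instance for a key version this party actually holds.
func (kr *KeyRing) aead(version int) (cipher.AEAD, error) {
	if version < 1 || version > len(kr.keys) {
		return nil, fmt.Errorf("key version %d is not held by this party", version)
	}
	block, _ := aes.NewCipher(kr.keys[version-1]) // cannot fail: every key in the ring is 32 bytes
	return cipher.NewGCM(block)
}

// Seal encrypts under the current key; aad (a profile or scan ID) is authenticated, not encrypted.
func (kr *KeyRing) Seal(plaintext, aad []byte) (Envelope, error) {
	g, err := kr.aead(len(kr.keys))
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{len(kr.keys), nonce, g.Seal(nil, nonce, plaintext, aad)}, nil
}

func (kr *KeyRing) Open(e Envelope, aad []byte) ([]byte, error) {
	g, err := kr.aead(e.KeyVersion)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, e.Nonce, e.Ciphertext, aad)
}

// Zero overwrites a plaintext buffer the moment it is no longer needed.
func Zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// HandOff models scan start: the back end opens the stored profile with the vault key,
// re-seals the secret under the scanner's current key, and zeroes its own plaintext copy.
func HandOff(vault, scanner *KeyRing, stored Envelope, profileID, scanID string) (Envelope, error) {
	pt, err := vault.Open(stored, []byte(profileID))
	if err != nil {
		return Envelope{}, err
	}
	defer Zero(pt)
	return scanner.Seal(pt, []byte(scanID))
}

// RunScan models the scanner: open the transfer envelope, hand the secret to the scan logic, zero it afterwards.
func RunScan(scanner *KeyRing, transfer Envelope, scanID string, use func(secret []byte) error) error {
	pt, err := scanner.Open(transfer, []byte(scanID))
	if err != nil {
		return err
	}
	defer Zero(pt)
	return use(pt)
}

func main() {
	vault, scanner := NewKeyRing(), NewKeyRing()
	stored, _ := vault.Seal([]byte("constructed-example-community"), []byte("profile-1")) // constructed sample secret
	scanner.Rotate() // a key rotation between profile creation and scan start
	transfer, _ := HandOff(vault, scanner, stored, "profile-1", "scan-42")
	err := RunScan(scanner, transfer, "scan-42", func(s []byte) error {
		fmt.Printf("scanner got a %d-byte secret sealed under key version %d\n", len(s), transfer.KeyVersion)
		return nil
	})
	fmt.Println("scan finished, error:", err)
}
```

Two design points carry over to any real deployment of this pattern: the key version travels with the ciphertext, so rotation never requires re-encrypting every stored record at once, and the vault key ring can never open the transfer envelope (and vice versa), so compromise of one component's keys does not expose the other's traffic.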
Credential Vault credential profiles support the following authentication methods:
  • Secure Shell (SSH) with private key or password
    • Private keys can consist of up to a maximum of 4,096 characters.
  • SNMPv2c with community string and port
  • SNMPv3 with one of the following security levels:
    • Authentication and encryption
    • Encryption only
Manage credential profiles directly in the Credential Vault. Use credential profiles when configuring the authentication credentials in a vulnerability scan. View the name of the credential profile used in a scan by drilling down from the scan ID in Scan reports.