New Credential Security Model

The New Credential Security Model must be enabled for your subscription. Contact Qualys Support or your Technical Account Manager if you’re interested in this feature.

The New Credential Security Model (NCSM) improves the security of scan authentication credentials with end-to-end encryption of your credentials. The sensitive parts of scan authentication credentials (e.g. passwords, private keys, passphrases) will remain encrypted from the time you enter them into your authentication/vault records to when they are used by scanner appliances.

Start using NCSM

When enabled for your subscription, the Manager Primary Contact can opt in to the New Credential Security Model by going to Scans > Setup > New Credential Security Model.

You’ll see the number of records to be migrated. This includes only the records with sensitive login credentials like passwords, private keys and passphrases. Records that don’t have sensitive credentials will not be migrated.

Click Start to activate the new security model and migrate your existing records to NCSM. Click Yes when the confirmation window appears.

New Credential Security Model setup page - Start button

When migration is complete you’ll see a green success message. All of your migrated records will now be protected using the New Credential Security Model. Authentication records created after this time will also use NCSM.

Click Done to close the window.

New Credential Security Model setup page - Done button

What if some records aren't migrated?

You'll see a message informing you that one or more records are pending migration. Click Resume to continue the one-time migration.

New Credential Security Model setup page - Resume button

Go to your authentication records list (Scans > Authentication) and your authentication vaults list (Scans > Authentication > New > Authentication Vaults). You’ll see a warning icon next to the records that were not migrated, indicating that NCSM migration failed. All records must be migrated to use the New Credential Security Model.

Authentication records list with indicator that some records are pending migration

Will new authentication records use NCSM?

Yes, new authentication/vault records with sensitive login credentials created after you’ve activated NCSM will be protected using this new security model automatically.

Activate NCSM for other users

The New Credential Security Model is activated for the Manager Primary Contact. We’ll need to activate NCSM for each user who has permission to access authentication records. We'll activate NCSM the next time each user logs in to the Qualys UI after the migration is complete (all records have been migrated). Users will be blocked from making any record changes until migration is complete and their account is activated.

User Passwords Can Only be Reset by Managers

Once the New Credential Security Model is enabled, the Manager Primary Contact and other Manager users in the subscription have permission to reset user passwords. Unit Managers do not have this permission. This means that if a user has forgotten their account login password and follows the password reset workflow, the user must reach out to a Manager to get the password reset.