Tanium Cloud overview
Tanium™ Cloud is the full functionality of the Tanium platform delivered as a fully-managed, cloud-based service.
With Tanium Cloud, you can use Tanium without having to install software and maintain virtual or physical servers. The Tanium Core Platform and solutions are automatically configured and maintained, so that you can focus on using Tanium to manage endpoints. Tanium Cloud is governed by the Tanium Cloud Subscription Agreement.
For most customers, Tanium Cloud requires zero customer infrastructure. Some customers might need to add on-premises infrastructure to Tanium Cloud deployments, such as when customer endpoints are not allowed to communicate with an internet-hosted service such as Tanium Cloud.
Architecture
The Tanium Cloud architecture is provided in a single tenant. By isolating tenants, the data is secured for each Tanium platform instance.
With Tanium Cloud, the overall Tanium architecture is abstracted to a single service that you can connect to with a secure web browser. The underlying Tanium platform components (Module Server, Tanium Server, and so on) are managed by Tanium Cloud.
If a customer endpoint can reach two internet IP addresses on two TCP ports, either directly or indirectly as explained in Host and network security requirements, the endpoint can be managed with the full capabilities of the Tanium platform.
Responsibilities
With Tanium Cloud, you can use the Tanium platform and solutions, without worrying about performing updates or securing the environment.
| Responsibility | Customer | Tanium Cloud |
|---|---|---|
| Software component management / Application level controls | Use Tanium platform and solutions on demand, for desired use cases. Configure Tanium product solutions, and endpoint tooling configurations, as needed. | Maintain Tanium service updates to ensure availability, security, and stability, without impacting customer solution configurations. Activate access to solutions as requested. |
| Tanium Client and endpoint protection | Choose when and where to deploy Tanium Client to endpoints. Use controls to secure endpoints. Choose when to update Tanium Client and endpoint profiles and configurations. | Maintain security, stability, and reliability of Tanium Client and endpoint tooling. Provide controls for managing and securing endpoints. |
| Access and authorization | Connect and manage identity and access provider, including the provisioning, deprovisioning, and protection of user accounts. Define the users, roles, and credentials that have access to the service. | Provide controls for identity and access provider integration. |
| Data classification and accountability | Identify, label, and classify data. Determine what data gets processed by Tanium Cloud, and how. | Process Tanium Cloud data on the behalf of the customer. |
| Hosting environment management | - | Maintain service hosting environment, including management of the security, scalability, and performance of Tanium infrastructure. |
| Network controls | Maintain any network controls not included in the Tanium Cloud infrastructure, including Tanium Client access to the service. | Maintain network controls across Tanium Cloud infrastructure. |
| Security management | - | Manage security of instances through public key infrastructure (PKI) and data in transit and at rest encryption with unique keys for each tenant. |
| Physical security | - | Manage security of the physical cloud environment. |
Data security
Data types
Customer Data is data that is loaded into Tanium Cloud by the customer and stored by Tanium Cloud. Systems Information is generated by Tanium Cloud, such as metrics, usage information, and related metadata about how each customer uses Tanium Cloud. Tanium Cloud does not copy or store customer data files, such as PDF or Microsoft Word files, that reside on customer endpoints, like online file storage services do.
For more information about data types that are allowed in Tanium Cloud and what Systems Information is collected, see the Tanium-as-a-Service (Tanium Cloud) Subscription Agreement.
Data regions
Customer Data is stored only in the single specific data hosting region that the customer chooses from the following list. Customer Data remains in this single specified region. Tanium currently supports the following regions for hosting customer Tanium Cloud instances.
| Region name | Data host country |
|---|---|
| Americas | United States |
| EMEA | Germany |
| Asia Pacific | Japan |
| Canada | Canada |
| Northwest Europe | England |
| Oceania | Australia |
| South America | Brazil |
Subprocessors
Tanium uses subprocessors to host and help provide our services. For more information, see List of Sub-Processors.
Common questions
Tanium Cloud is regularly audited by external entities and performs internal assessments against globally recognized security standards and frameworks. See https://www.tanium.com/security for more details.
How does Tanium secure my data?
Tanium individually isolates customer data for each tenant. Customer data in Tanium Cloud does not co-mingle with data from other customers. For customer data at rest, Tanium uses volume-level and file-level encryption. Customer data at rest is protected with keys that are unique to the tenant deployment, which are also stored within the specified region. For customer data in transit, traffic is encrypted through multiple technologies, such as Transport Layer Security (TLS).
Does Tanium access my data?
Tanium automates most Tanium Cloud management operations while intentionally limiting our own access to customer data. A Tanium engineer might have limited and logged access to customer data for a limited amount of time, but only when necessary for normal service operations and troubleshooting, and only when approved by a senior member of Engineering at Tanium.
Does Tanium encrypt my data?
Yes. Data in transit and at rest is encrypted with keys for each tenancy. Tanium Cloud is encrypted with TLS 1.2, 256-bit encryption. SSL/TLS is required to access Tanium Cloud services and system API. Tanium provides open encryption methodologies and enables customers to encrypt and authenticate all traffic, and to enforce the latest standards and ciphers.
How does Tanium help ensure availability of the service?
Critical Tanium Cloud system components, including audit evidence and logging records, are replicated across multiple Availability Zones, which enables the goal of being available with 99.9+% uptime. Frequent backups are maintained and monitored, allowing for recoverability. Customers retain ownership of, and control classification of their data, where it is stored, used, and applicable retention policies.
How long does Tanium retain my data?
While the majority of customer data in Tanium is stored on the customer endpoints, and queried in real-time when needed, some data could be retained within the Tanium platform and solutions. Upon termination of the agreement, Tanium Cloud customers can request a transfer of their data from Tanium Cloud. Otherwise, customer data is irreversibly destroyed 30 days after termination.
Are customers able to pen test Tanium Cloud?
Customers who want to perform penetration testing must contact Tanium Cloud Security for written pre-authorization to run penetration tests for the requested scope, duration, and targets. Tanium reserves the right to refuse testing under the Tanium-as-a-Service (Tanium Cloud) acceptable use policy (AUP) if the testing impacts services to other customers, or to prevent any impact with sub-processors. Penetration testing is restricted to once per calendar year.
What parts of the service are Internet exposed?
The following Tanium Cloud components are directly exposed to the public Internet:
- Tanium Cloud Client Edge: necessary for Tanium Client communication from customer endpoints to the service
- Tanium Cloud Management Portal (CMP): authenticated with customer identity provider, after identity provider setup
The Tanium Console and Tanium API have an upstream redirect to verify authentication before reaching these services. Therefore, no unauthenticated Internet traffic reaches the Tanium Console or Tanium API.
Tanium Cloud undergoes third-party security assessment and review. For a letter of attestation, Contact Tanium Support.
After a compliance audit, Tanium Cloud management processes achieved Cloud Security Alliance STAR Level 1 certification and is included in the Tanium annual ISO27001:2013 certification process. To compare how Tanium Cloud meets your own security standards, review the CAIQ.
Service level objectives
Tanium Cloud monitors all aspects of the Tanium platform, solutions, and operating environment to ensure availability, security and performance of the service. Through this monitoring, the service aims to achieve 99.9% uptime.
Custom content
Tanium reserves the Write Sensor privilege in Tanium Cloud for customers who have completed a Tanium Advanced Content Authoring class. Contact Tanium Support to gain access to this course.
After the Write Sensor privilege is granted, you can create custom content to extend Tanium solutions with Tanium Cloud. However, Tanium reserves the right to remove any custom content that is deemed unhealthy to the environment.
Network egress
Most Tanium solutions are configured to fully function by default in Tanium Cloud. However, with certain Tanium solutions, all possible destinations cannot be predicted. Approved external destinations are listed in the CMP Network Egress Allow List page. External destinations must allow traffic from the egress IPs listed on that page.
You can add your own rules to the network egress allow list directly in the CMP. See Configuring network egress allow list rules in the CMP.
Tanium does not support sending data over TCP ports 22, 25, 111, 3128, 4000, 5000, 6000, 9100, 9301, 9901, and 9902. Use encrypted communication ports TCP 465 or TCP 587 instead. If you create a rule with external access for an SMTP email server destination (default TCP port 465 or TCP port 587), you can only associate the port with 1 FQDN.
Tanium platform and solutions
You can use Tanium solutions and platform with Tanium Cloud. Some configuration settings and functions are not available with Tanium Cloud by design, such as administrator roles, operational logs, and global server settings.
The user guides for the Tanium platform and solutions include a toggle so that you can view information specific to the Tanium Cloud environment:
Last updated: 6/1/2023 11:14 AM | Feedback