Tanium Cloud overview

Taniumâ„¢ Cloud is the full functionality of the Tanium platform delivered as a fully-managed, cloud-based service, with zero customer infrastructure required.

With Tanium Cloud, you can use Tanium without having to install software and maintain virtual or physical servers. The Tanium Core Platform and solutions are automatically configured and maintained, so that you can focus on using Tanium to manage endpoints. Tanium Cloud is governed by the Tanium Cloud Subscription Agreement.

Architecture

The Tanium Cloud architecture is provided in a single tenant. By isolating tenants, the data is secured for each Tanium platform instance.

With Tanium Cloud, the overall Tanium architecture is abstracted to a single service that you can connect to with a secure web browser. The underlying Tanium platform components (Module Server, Tanium Server, and so on) are managed by Tanium Cloud.

If a customer endpoint can reach two internet IP addresses on two TCP ports, either directly or indirectly as explained in Host and network security requirements, the endpoint can be managed with the full capabilities of the Tanium platform.

Tanium Cloud Architecture

Responsibilities

With Tanium Cloud, you can use the Tanium platform and solutions, without worrying about performing updates or securing the environment.

Responsibility Customer Tanium Cloud
Software component management / Application level controls Use Tanium platform and solutions on demand, for desired use cases. Configure Tanium product solutions, and endpoint tooling configurations, as needed. Maintain Tanium service updates to ensure availability, security, and stability, without impacting customer solution configurations. Activate access to solutions as requested.
Tanium Client and endpoint protection

Choose when and where to deploy Tanium Client to endpoints. Use controls to secure endpoints. Choose when to update Tanium Client and endpoint profiles and configurations.

Maintain security, stability, and reliability of Tanium Client and endpoint tooling. Provide controls for managing and securing endpoints.
Access and authorization Connect and manage identity and access provider, including the provisioning, deprovisioning, and protection of user accounts. Define the users, roles, and credentials that have access to the service. Provide controls for identity and access provider integration.
Data classification and accountability Identify, label, and classify data. Determine what data gets processed by Tanium Cloud, and how. Process Tanium Cloud data on the behalf of the customer.
Hosting environment management - Maintain service hosting environment, including management of the security, scalability, and performance of Tanium infrastructure.
Network controls Maintain any network controls not included in the Tanium Cloud infrastructure, including Tanium Client access to the service. Maintain network controls across Tanium Cloud infrastructure.
Security management - Manage security of instances through public key infrastructure (PKI) and data in transit and at rest encryption with unique keys for each tenant.
Physical security - Manage security of the physical cloud environment.

Data security

Data types

Tanium Cloud stores data about customer endpoints, such as endpoint metadata. Tanium Cloud does not store customer data files, such as PDF or Microsoft Word files, from endpoints, like online file storage services do. Customer data is data that is generated about how a customer uses the service, where customers retain control over platform and module functions that collect their endpoint metadata. For more information about data types that are allowed in Tanium Cloud, see the Tanium-as-a-Service (Tanium Cloud) Subscription Agreement.

Data residency

Customer data is stored only in the single specific data hosting region that the customer chooses from the following list. Customer data remains in this single specified region, unless requested or authorized to be moved by the customer. Tanium currently supports the following regions for hosting customer Tanium Cloud instances.

Region name Data host country
Americas United States
EMEA Germany
Asia Pacific Japan
Canada Canada
Northwest Europe England
Oceania Australia
South America Brazil

Subprocessors

Tanium uses subprocessors to host and help provide our services. For more information, see List of Sub-Processors.

Common questions

For answers to the following questions and more information, see Consensus Assessments Initiative Questionnaire (CAIQ).

How does Tanium secure my data?

Tanium individually isolates customer data for each tenant. Customer data in Tanium Cloud does not co-mingle with data from other customers. For customer data at rest, Tanium uses volume-level and file-level encryption. Customer data at rest is protected with keys that are unique to the tenant deployment, which are also stored within the specified region. For customer data in transit, traffic is encrypted by using multiple technologies, such as Transport Layer Security (TLS).

Does Tanium access my data?

Tanium automates most Tanium Cloud management operations while intentionally limiting our own access to customer data. A Tanium engineer might have limited and logged access to customer data for a limited amount of time, but only when necessary for normal service operations and troubleshooting, and only when approved by a senior member of Engineering at Tanium.

Does Tanium encrypt my data?

Yes. Data in transit and at rest is encrypted by using keys for each tenancy. Tanium Cloud is encrypted by using TLS 1.2, 256-bit encryption. SSL/TLS is required to access Tanium Cloud services and system API. Tanium provides open encryption methodologies and enables customers to encrypt and authenticate all traffic, and to enforce the latest standards and ciphers.

How does Tanium help ensure availability of the service?

Critical Tanium Cloud system components, including audit evidence and logging records, are replicated across multiple Availability Zones, which enables the goal of being available with 99.9+% uptime. Frequent backups are maintained and monitored, allowing for recoverability. Customers retain ownership of, and control classification of their data, where it is stored, used, and applicable retention policies.

How long does Tanium retain my data?

While the majority of customer data in Tanium is stored on the customer endpoints, and queried in real-time when needed, some data could be retained within the Tanium platform and solutions. Upon termination of the agreement, Tanium Cloud customers can make a request for transfer of their data from Tanium Cloud. Otherwise, customer data is irreversibly destroyed 30 days after termination.

What parts of the service are Internet exposed?

The following Tanium Cloud components are directly exposed to the public Internet:

  • Tanium Cloud Client Edge: necessary for Tanium Client communication from customer endpoints to the service
  • Cloud Management Portal: authenticated with customer identity provider, after identity provider setup

The Tanium Console and Tanium API have an upstream redirect to verify authentication before reaching these services. Therefore, no unauthenticated Internet traffic reaches the Tanium Console or Tanium API.

Tanium Cloud undergoes third-party security assessment and review. For a letter of attestation, Contact Tanium Support.

After a compliance audit, Tanium Cloud management processes achieved Cloud Security Alliance STAR Level 1 certification and is included in the Tanium annual ISO27001:2013 certification process. To compare how Tanium Cloud meets your own security standards, review the CAIQ.

Service level objectives

Tanium Cloud monitors all aspects of the Tanium platform, solutions, and operating environment to ensure availability, security and performance of the service. Through this monitoring, the service aims to achieve 99.9% uptime.

Custom content

Tanium reserves the Write Sensor privilege in Tanium Cloud for customers who have completed a Tanium Advanced Content Authoring class. Contact Tanium Support to gain access to this course.

After the Write Sensor privilege is granted, you can create custom content to extend Tanium solutions with Tanium Cloud. However, Tanium reserves the right to remove any custom content that is deemed unhealthy to the environment.

Network egress

Most Tanium solutions are configured to fully function by default in Tanium Cloud. However, with certain Tanium solutions, all possible destinations cannot be predicted. Approved external destinations are listed in the CMP Network Egress Allow List page. External destinations must allow traffic from the egress IPs listed on that page.

You can add your own rules to the network egress allow list directly in the CMP. See Configuring network egress allow list rules in the CMP.

Tanium reserves the right to restrict FQDNs from receiving proxy exceptions for security reasons. Some examples include but are not limited to the following FQDNs:

  • www.github.com
  • aws.amazon.com/s3 (AWS S3 bucket not tied to your own domain)
  • www.dropbox.com
  • drive.google.com

Tanium does not support sending data over TCP ports 25 (SMTP) or 22 (SSH) outbound. Use encrypted communication ports TCP 465 or TCP 587 instead. If you create a rule with external access for an SMTP email server destination (default TCP port 465 or TCP port 587), you can only associate the port with 1 FQDN.

Tanium platform and solutions

You can use Tanium solutions and platform with Tanium Cloud. Some configuration settings and functions are not available with Tanium Cloud by design, such as administrator roles, operational logs, and global server settings.

The user guides for the Tanium platform and solutions include a toggle so that you can view information specific to the Tanium Cloud environment:

User guide toggle