Tanium Cloud Trust Center
Security is mission-critical for Tanium customers, and it’s top of mind at Tanium. Tanium is proud to have created an industry-leading security program to facilitate the development of secure code and to protect customers' data.
Secure service design and operation is the foundation of any cloud service offering. Tanium has built Tanium Cloud services from the ground up with the highest standards of security, resiliency and operational efficacy in mind. This section provides details about how Tanium operates its cloud services aligned with internationally recognized standards.
Tanium Cloud artifacts
Trust begins with being open with our customers. Besides the security and compliance information provided in this document, Tanium makes additional confidential documents related to security, compliance, and finance available to customers as Tanium Cloud artifacts directly within Tanium Cloud Management Portal (CMP). Among the available artifacts are third-party penetration test reports, security policy overviews, insurance certificates, and compliance certificates. CMP administrators can access these artifacts.
To access Tanium Cloud artifacts:
- Sign in to CMP as an administrator.
- From the CMP menu, go to Artifacts.
- To download one of the available documents, click Download beside that document.
Compliance
Tanium routinely engages external professional audit entities to perform audits against the Tanium Cloud Information Security Management System (ISMS), to help ensure our security and operational practices follow globally recognized standards.
Links are provided to publicly available compliance information in the following table. Prospects without an NDA in place can freely download and review any of the artifacts here. Confidential compliance artifacts, such as summary assessment reports, can be found in the Artifacts section of your Tanium Cloud Management Portal, as noted in the following table.
In addition to Tanium Cloud security and compliance certifications, Tanium maintains compliance with additional controls. For more information, see Security at Tanium.
Compliance Offering | Description |
---|---|
Cloud Security Alliance (CSA) STAR Level 1 | The ability of Tanium to secure customer data in the cloud is further defined by its Cloud Security Alliance (CSA) Security, Trust, Assurance, and Risk (STAR) Registry Level 1 Attestation, certified since July 2020. You can find the Consensus Assessments Initiative Questionnaire (CAIQ) spreadsheet that maps Tanium Cloud security controls to multiple security control frameworks in the CSA STAR Registry. To learn more about CSA STAR, see Cloud Security Alliance: Security, Trust, Assurance and Risk (STAR). |
ISO 27001:2013 | Tanium and Tanium Cloud have been ISO 27001:2013 certified since 2017 and 2020 respectively, demonstrating our expertise in securely managing information technology systems. The Tanium ISO certification can be verified in the BSI certificate directory (BSI is the third-party assessor) by searching for Tanium Inc as the organization. |
PCI-DSS SAQ D* | The Payment Card Industry (PCI) Data Security Standard (DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. Tanium has completed a PCI-DSS self-assessment questionnaire (SAQ D), which is available for review. |
Canada Protected B | The Canadian Government's security guidance for cloud environments, known as the Security Control Profile for Cloud-based GC Services, outlines security controls and profiles from the IT Security Risk Management: A Lifecycle Approach (ITSG-33) publication. The ITSG-33 publication has made Protected B Medium Integrity Medium Availability (PBMM) a key compliance measure for the Canadian Government and Crown Corporations. Tanium Cloud has been compliant with Protected B since 2023. |
StateRAMP | StateRAMP is a cybersecurity program established in 2021 to address the needs of procurement and security officials in state and local governments in the United States. Tanium Cloud for U.S. Government has been StateRAMP Authorized since 2023. |
FIPS Validated 140-2 | Tanium platform software uses Federal Information Processing Standard (FIPS) 140-2 compliant cryptographic modules. To learn more about FIPS, see NIST Computer Security Resource Center: FIPS 140-2. |

* Compliance artifacts are available in the Artifacts section of your Tanium Cloud Management Portal.
Privacy
Data privacy and Tanium
For more information on Tanium’s role in processing customer personal data, including its role as a data processor under the GDPR, see the Tanium Data Processing Addendum (DPA). Additionally, the Tanium Privacy Policy details privacy practices at Tanium when processing personal data as a data controller.
Security
Data types
Customer Data is data that is loaded into Tanium Cloud by a customer and stored in that customer’s Tanium Cloud tenant. Customer Data might include summaries and analyses of information or files that reside on a customer’s endpoints, but Tanium Cloud does not copy or store the raw files themselves like an online file storage service might do. As the data owner and controller, the customer determines what types of endpoint metadata reaches the Tanium Cloud service, the data classification, and the data retention. For more detail on these data roles and responsibilities, see the Tanium Data Processing Addendum (DPA).
Systems Information is usage information generated by a customer’s interactions with Tanium Cloud. Systems Information might include the following items: usage and analytics information; metadata relating to the customer’s network, software, and applications; and device identifiers, network telemetry, endpoint telemetry, and system configuration. Because each customer’s endpoint environment is unique in configurations and naming conventions, the Systems Information could potentially include Personal Data.
For more information about Customer Data and Systems Information and how they may be used, see the Tanium Cloud Subscription Agreement.
Data regions
Tanium Cloud enables customers to choose the region in which their Tanium Cloud tenant is hosted. Customers make a region choice prior to onboarding their Tanium Cloud instance. Once onboarded, the customer's Tanium Cloud tenant cannot be moved to another Tanium Cloud region.
Tanium commits to hosting Customer Data only within this single, customer-chosen region, thereby helping customers to meet any data residency requirements that customers might have. Customer Data, including redundant architectures and backups, remains in this single specified region. Tanium currently supports the following regions for hosting Tanium Cloud and Tanium Cloud for U.S. Government tenants.
Region name | Tanium Cloud Data host country | Tanium Cloud for U.S. Government Data host country |
---|---|---|
Americas | United States | United States |
EMEA | Germany | N/A |
Asia Pacific | Japan | N/A |
Canada | Canada | N/A |
United Kingdom | England | N/A |
Oceania | Australia | N/A |
South America | Brazil | N/A |
Sub-processors
Tanium uses sub-processors to host and help provide our services. For more information, see Tanium: List of Sub-Processors.
Security policies
Tanium operates both of its cloud services in conformance with NIST 800-53 controls. The Tanium Cloud Information Security Management System (ISMS) includes, among others, the following control set families. The Tanium Cloud security policies are available for review as Tanium Cloud artifacts within your Tanium Cloud Management Portal.
- AC – Access Control Policy
- AT – Awareness and Training Policy
- AU – Audit and Accountability Policy
- CA – Security Assessment and Authorization Policy
- CM – Configuration Management Policy
- CP – Contingency Planning Policy
- GP – Governance Policy
- IA – Identification and Authentication Policy
- IR – Incident Response Policy
- MA – Maintenance Policy
- MP – Media Protection Policy
- PE – Physical and Environmental Policy
- PL – Planning Policy
- PS – Personnel Security Policy
- RA – Risk Assessment Policy
- SA – System and Services Acquisition Policy
- SC – System and Communications Protection Policy
- SI – System and Information Integrity Policy
- SR – Supply Chain Risk Management Policy
Security measures
- Logical access controls: Tanium employs the principles of least privilege and need-to-know to control access to Confidential Information and Customer Personal Data. User access privileges are restricted based on business need and job responsibilities, allowing only the minimum necessary access for users to accomplish their job functions. User access is revoked upon termination of employment or termination of relevant job duties, and owners of critical applications or systems are required to perform periodic privileged access reviews to ensure access is still required to perform current job duties. In addition, Tanium protects against unauthorized access by ensuring unique user IDs and passwords are in use. Tanium appropriately manages passwords, including enforcing password complexity, by (a) requiring a password length of no less than 14 characters, (b) utilizing expiring first-time log-in temporary passwords, (c) requiring passwords to expire every 90 days, (d) limiting failed attempts before account lockout, (e) not allowing clear text on password entry, and (f) prohibiting password resets that are not subject to confirming credentials. Customer Confidential Information is retained in accordance with Tanium’s Record Retention and Destruction Policy, and the period of retention depends on the nature of the information. Customer Personal Data is retained in accordance with the terms of the Customer’s License Agreement.
- Information system access control: Access is strictly controlled by a formal provisioning cycle. Information systems are password-protected and have an owner responsible for managing and controlling access. Tanium controls access to the service through authentication that requires a unique user ID and password, and access is logged and audited. In addition, access to the service requires customers to provide their own unique user IDs and passwords with multi-factor authentication, which the customer is responsible for managing.
- Physical access control: Tanium and its sub-processors secure their physical facilities with appropriate environmental and physical controls and restrict access to only authorized personnel. Tanium and its sub-processors maintain visitor access logs, appropriately credential and authenticate employees and visitors, and limit access to physical areas of facilities on a need-to-have basis. Tanium and its sub-processors store Customer Personal Data on secure servers maintained and protected in locked data cabinets within a secure facility.

  Tanium relies on sub-processor data centers that incorporate physical protection against environmental risks. This physical protection has been validated by an independent auditor engaged by each sub-processor and has been certified as being in alignment with ISO 27001 best practices. Tanium hosts Customer Personal Data in one of the regions offered by Tanium and selected by the Customer.
- Encryption: Customer Personal Data used within the service is encrypted in transit and at rest using industry-accepted encryption standards. The service encrypts using, at a minimum, Transport Layer Security (TLS) 1.2 with 256-bit encryption, which is required when accessing the service and the API using HTTPS and for all client-to-client and client-to-server communications that use the Tanium-proprietary protocol. Tanium uses modern encryption standards and ciphers to encrypt all network traffic and requires all requests to its service to be authenticated. Furthermore, the Tanium-proprietary protocol digitally signs messages for authenticity, transmits hashed message responses for integrity, and uses mutual Transport Layer Security (mTLS) to authenticate all communications.

  For all infrastructure that Tanium manages on behalf of customers as part of the Service, Tanium manages the security of tenants using public key infrastructure (PKI) and data at rest encryption (DARE). Tanium leverages a sub-processor Key Management Service (KMS) to generate, manage, use, and annually rotate encryption keys following industry best practices, including using modern standards, ciphers, and strengths. Encryption keys for DARE are used by the KMS of the sub-processor data services to perform storage-level encryption, which covers operating system disks and data backups, using, at a minimum, Advanced Encryption Standard (AES) 256-bit encryption. Tanium recommends that customers use secure protocols that offer authentication and confidentiality, such as TLS, to reduce the risk of data tampering or loss when exporting data from the Service.
- Availability control: Tanium has adopted and maintains a Business Continuity and Disaster Recovery Plan to help ensure continuation of its business and its ability to support its customers in fulfillment of its contractual obligations in the event of a disaster. Tanium conducts annual assessments to test the adequacy and operability of its plans, taking measures to update the plan whenever deficiencies are discovered. In addition, the Service is architected for high availability across multiple availability zones within a region. Lastly, Tanium has a documented process to restore customer environments in case of a prolonged outage that exceeds established or expected downtimes.
Data access
Tanium Cloud Customer Data resides within the Tanium Cloud boundary. By design and technical enforcement, data is not permitted to leave this boundary. Within the Tanium Cloud boundary, customer data is logically separated using techniques such as labeling, namespacing and unique encryption keys per tenant, helping to ensure that a cloud customer can see the data only from that customer's specific tenant.
Tanium automates most management operations while intentionally limiting its own access to the Tanium Cloud tenants. On rare occasions, a Tanium engineer may need limited and logged access to a tenant environment, including its data, for a brief duration, and only when necessary for normal service operations and troubleshooting, and only when approved by a senior member of the Engineering Team at Tanium.
Tanium requires each Tanium Cloud customer to bring its own SAML2-compliant Identity Provider. This gives the customer complete control over access, authentication, password policies, and procedures for access to Tanium Cloud service.
Network ingress
The following Tanium Cloud components are directly exposed to the public Internet:
- Tanium Cloud Client Edge: necessary for Tanium Client communication from endpoints to the service. This traffic is always and only initiated by the Tanium Client, outbound to the Tanium Cloud service.
- Cloud Management Portal: authenticated with the organization-provided identity provider, once that identity provider has been set up.
For more detailed information on Tanium Cloud network requirements, see Host and network security requirements.
In Tanium Cloud, the Tanium Console and Tanium API sit behind an upstream redirect that verifies authentication against the organization-provided identity service before requests reach these services. Therefore, no unauthenticated internet traffic reaches the Tanium Console or Tanium API.
Network egress
Most Tanium solutions are configured to fully function by default in Tanium Cloud. However, with certain Tanium solutions, such as Tanium Connect, all possible destinations cannot be predicted. Approved external destinations are listed in the CMP Network Egress Allow List page. Destinations on your network or otherwise external to Tanium Cloud must allow traffic from the egress IPs listed on that page.
You can add your own rules to the network egress allow list directly in the CMP. See Configuring network egress allow list rules in CMP.
Tanium does not support sending data over TCP ports 22, 25, 111, 3128, 3129, 3130, 4000, 5000, 6000, 9100, 9301, 9302, 9901, and 9902. Use encrypted communication ports TCP 465 or TCP 587 instead. If you create a rule with external access for an SMTP email server destination (default TCP port 465 or TCP port 587), you can associate the port with only one FQDN.
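The port and FQDN constraints above can be checked before a rule set is entered into the CMP. The following validator is an added example, not Tanium's code, and the rule format (a list of dicts with `fqdn` and `port`) is a constructed stand-in for however the CMP stores rules; only the constraints themselves come from the page.

```python
"""Pre-flight validator for a Tanium Cloud network egress allow-list rule set.

Added example, not Tanium's own code. The rule format is a constructed stand-in;
the constraints are the ones stated on the page: the listed TCP ports are not
supported for sending data, TCP 465/587 should be used for mail instead, and an
SMTP port (465 or 587) may be associated with only one FQDN.
"""
from collections import defaultdict

UNSUPPORTED_TCP_PORTS = frozenset({22, 25, 111, 3128, 3129, 3130, 4000, 5000,
                                   6000, 9100, 9301, 9302, 9901, 9902})
SMTP_PORTS = frozenset({465, 587})


def validate_egress_rules(rules):
    """Return a list of findings; an empty list means the rule set is acceptable."""
    findings = []
    fqdns_per_smtp_port = defaultdict(set)
    for i, rule in enumerate(rules):
        fqdn = str(rule.get("fqdn", "")).strip().lower()
        port = rule.get("port")
        if not fqdn:
            findings.append(f"rule {i}: missing FQDN")
            continue
        if not isinstance(port, int) or not 1 <= port <= 65535:
            findings.append(f"rule {i} ({fqdn}): invalid TCP port {port!r}")
            continue
        if port in UNSUPPORTED_TCP_PORTS:
            hint = " (use TCP 465 or TCP 587 for mail)" if port == 25 else ""
            findings.append(f"rule {i} ({fqdn}): TCP port {port} is not supported"
                            f" for Tanium Cloud egress{hint}")
        if port in SMTP_PORTS:
            # Track every distinct FQDN bound to each SMTP port across the whole set.
            fqdns_per_smtp_port[port].add(fqdn)
    for port, fqdns in sorted(fqdns_per_smtp_port.items()):
        if len(fqdns) > 1:
            findings.append(f"SMTP port {port} is associated with {len(fqdns)} FQDNs"
                            f" ({', '.join(sorted(fqdns))}); only one FQDN is allowed per SMTP port")
    return findings


# Constructed sample rule set: one syslog destination, one unsupported port,
# one SMTP port shared by two hosts, and one rule with no FQDN.
SAMPLE_RULES = [
    {"fqdn": "siem.example.com", "port": 6514},
    {"fqdn": "mail.example.com", "port": 25},
    {"fqdn": "mail.example.com", "port": 587},
    {"fqdn": "relay.example.net", "port": 587},
    {"fqdn": "", "port": 443},
]

if __name__ == "__main__":
    for finding in validate_egress_rules(SAMPLE_RULES):
        print(finding)
```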
Data retention
While most of an organization’s data remains on the endpoints themselves and is queried by the Tanium user in real time when needed, some data may be retained within the Tanium Cloud tenant. During normal operations of Tanium Cloud, Tanium customers manage the Customer Data that goes into the service, the data classification, and the data retention period within the service. Upon termination or expiration of the Tanium Cloud agreement, Customer Data will be destroyed 30 days after termination of the agreement, subject to any archived backups that will be retained until the backup system deletes such data, or where data is retained as required by law.
Service availability
Tanium Cloud monitors all aspects of the Tanium Core Platform, solutions, and operating environment to ensure availability, security and performance of the service. Through this monitoring, and automated alerting and scaling, the service aims to achieve 99.9% uptime (RTO).
Tanium Cloud designs its services to operate across multiple availability zones within the customer-specified data hosting region. We use a combination of high availability replication with automatic fail-over, alongside regular data snapshots, to ensure recoverability of the service, in the rare event of an outage or a data loss event. These snapshots occur up to every 4 hours and are stored for up to 30 days, depending on the criticality of the service component (RPO).
Last updated: 9/20/2023 1:42 PM