Tanium Security Recommendations
Tanium provides various resources, including hardened appliances and documentation, to help customers implement a secure architecture and configuration of the Tanium Core Platform. This document provides an overview of these resources and recommendations.
There are two primary infrastructure options for deploying the Tanium Core Platform:
- Hardened physical or virtual Tanium appliance.
- Windows installation on customer-provided hardware.
Tanium recommends that you deploy a physical or virtual appliance when possible. Updates for the appliances are provided by Tanium. If an appliance is not practical, Tanium Core Platform software can be installed on customer-provided hardware or on cloud infrastructure with Windows virtual machines. Deployments on cloud infrastructure or customer-provided hardware require that the customer maintain and update the selected infrastructure.
Regardless of how Tanium is deployed, Tanium recommends the following security best practices.
Tanium recommends that you limit network access to the Tanium Console to specific management networks and specific devices. In addition, user access should require multi-factor authentication (MFA). Tanium supports multi-factor authentication via RADIUS, TACACS+, X.509-based certificate authentication with Common Access Cards (CAC), and SAML.
- Tanium Core Platform Deployment Reference Guide: Smart card authentication
- Tanium Core Platform User Guide: Using SAML
User connections to the Tanium Console are encrypted using Transport Layer Security (TLS). A self-signed certificate is generated during the installation process. However, Tanium recommends that customers obtain and install a valid TLS certificate.
- Tanium Core Platform Deployment Reference Guide: SSL certificates
- Tanium Support KB: Tanium SSL/TLS Certificates and Keys (login required)
Tanium recommends that you use a Hardware Security Module (HSM) to provide a higher level of protection for key material. When you use an HSM, keys are stored on the HSM, rather than on the Tanium Server, and cannot be retrieved from the HSM. The Tanium Server interacts with the HSM, which signs valid Tanium requests.
- Tanium Console User Guide: Managing Tanium keys
- Tanium Support KB: Using an HSM to store cryptographic keys (login required)
Tanium recommends that you enable and use the action approval feature when possible. When action approval is enabled, any action deployed by a user must first be approved by a second employee. Action approval significantly mitigates the risk of an operator mistakenly issuing a potentially harmful action.
Tanium recommends that you enable audit logs and forward the logs to a centralized log management solution. Tanium supports logging of all actions performed by Tanium users, including user changes related to API tokens, computer groups, content sets, dashboards, keys, global settings, packages, plugin schedules, privileges, saved questions, scheduled actions, roles, sensors, users, and user groups.
- Tanium Support KB: Tanium User Audit Logs (login required)
Tanium supports fine-grained role-based access controls to allow your organization to implement the principle of least privilege. Tanium provides a number of granular roles with each product and supports creation of additional roles with custom privileges. In addition to role-based access controls, you can use computer groups to scope permissions to a limited set of endpoints. Tanium recommends leveraging these features to ensure that the appropriate roles are granted to existing users and new users to limit functionality according to the specific job requirements for a given user.
In addition to the general recommendations, Tanium recommends the following security considerations that are specific to each type of infrastructure.
Tanium recommends that you secure the virtual host to limit access to the guest Tanium virtual appliance. This includes applying appropriate hardening guides and, where possible, requiring MFA to access the host.
Tanium recommends that you subject cloud environments that host Tanium Core Platform servers to strict access controls to ensure that only a well-known and limited group of users may access and alter the cloud resources used by the Tanium deployment. Tanium recommends that you leverage the cloud provider’s access controls functionality to isolate the Tanium Core Platform servers from other internal or production systems:
- In Amazon Web Services (AWS) infrastructure, use Organizations and deploy in a Tanium-specific AWS account.
- In a Google Cloud Platform (GCP) infrastructure, deploy Tanium in a Tanium-specific Project.
- In Microsoft Azure infrastructure, deploy Tanium in a Tanium-specific Resource Group.
In addition, follow the security best practices available from your cloud provider and from industry standards, including, but not limited to, limiting network communications to and from the Tanium virtual network, ensuring that MFA is enabled for cloud users, and monitoring cloud API activity.
When installing Tanium on a Windows Server, Tanium recommends that customers follow the Tanium hardening guide. The guide was developed in cooperation with the Defense Information Systems Agency (DISA) and provides recommendations on how to secure the Tanium Server in a Windows environment.
Tanium also recommends that customers implement strict access controls to mitigate the risk of a domain credential compromise impacting the security of a Tanium Windows installation. At a minimum, this should include:
- Restricting inbound access to Windows management protocols using a hardware- or software-based firewall, especially protocols that are not protected by MFA. Access can also be limited by removing the Windows Server from the domain.
- Limiting the number of service accounts, and the permissions granted to service accounts, to only the accounts and permissions that are required.
Last updated: 7/14/2020 10:00 AM