Tanium as a Service overview

Tanium™ as a Service (TaaS) is the full functionality of the Tanium platform delivered as a fully managed, cloud-based service, with zero customer infrastructure required.

With TaaS, you can use Tanium without having to install software and maintain virtual or physical servers. The Tanium Core Platform and solutions are automatically configured and maintained, so that you can focus on using Tanium to manage endpoints. TaaS is governed by the TaaS Subscription Agreement.

Architecture

Each TaaS deployment is provided as a single, dedicated tenant. By isolating tenants from one another, the data of each Tanium platform instance is secured.

With TaaS, the overall Tanium architecture is abstracted to a single service that you can connect to with a secure web browser. The underlying Tanium platform components (Module Server, Tanium Server, and so on) are managed by TaaS.

If a customer endpoint can reach two internet IP addresses on two TCP ports, the endpoint can be managed with the full capabilities of the Tanium platform.

Tanium as a Service Architecture

Responsibilities

With TaaS, you can use the Tanium platform and solutions, without worrying about performing updates or securing the environment.

Software component management / Application level controls
  Customer: Use Tanium platform and solutions on demand, for desired use cases. Configure Tanium product solutions, and endpoint tooling configurations, as needed.
  Tanium as a Service: Maintain Tanium service updates to ensure availability, security, and stability, without impacting customer solution configurations. Activate access to solutions as requested.

Tanium Client and endpoint protection
  Customer: Choose when and where to deploy Tanium Client to endpoints. Use controls to secure endpoints. Choose when to update endpoint tool configurations.
  Tanium as a Service: Maintain security, stability, and reliability of Tanium Client and endpoint tooling. Provide controls for managing and securing endpoints.

Access and authorization
  Customer: Connect and manage the identity and access provider, including the provisioning, deprovisioning, and protection of user accounts. Define the users, roles, and credentials that have access to the service.
  Tanium as a Service: Provide controls for identity and access provider integration.

Data classification and accountability
  Customer: Identify, label, and classify data. Determine what data gets processed by TaaS, and how.
  Tanium as a Service: Process TaaS data on behalf of the customer.

Hosting environment management
  Customer: -
  Tanium as a Service: Maintain the service hosting environment, including management of the security, scalability, and performance of Tanium infrastructure.

Network controls
  Customer: Maintain any network controls not included in the TaaS infrastructure, including Tanium Client access to the service.
  Tanium as a Service: Maintain network controls across TaaS infrastructure.

Security management
  Customer: -
  Tanium as a Service: Manage security of instances through public key infrastructure (PKI) and encryption of data in transit and at rest, with unique keys for each tenant.

Physical security
  Customer: -
  Tanium as a Service: Manage security of the physical cloud environment.

Data security

Data types

TaaS stores data about customer endpoints, such as endpoint metadata. TaaS does not store customer data files, such as PDF or Microsoft Word files, from endpoints, like online file storage services do. Customer data is data that is generated about how a customer uses the service, where customers retain control over platform and module functions that collect their endpoint metadata. For more information about data types that are allowed in TaaS, see the Tanium-as-a-Service (TaaS) Subscription Agreement.

Data residency

Customer data is stored only in the specific region that the customer chooses. Customer data remains in the specified region, unless requested or authorized by the customer. Tanium currently supports the following regions.

Region name         Data host country
Americas            United States
EMEA                Germany
Asia Pacific        Japan
Canada              Canada
Northwest Europe    England
Oceania             Australia
South America       Brazil

Subprocessors

Tanium uses subprocessors to host and help provide our services. For more information, see List of Sub-Processors.

Common questions

For answers to the following questions and more information, see Consensus Assessments Initiative Questionnaire (CAIQ).

How does Tanium secure my data?

Tanium individually isolates customer data for each tenant. Customer data in TaaS does not co-mingle with data from other customers. For customer data at rest, Tanium uses volume-level and file-level encryption. Customer data at rest is protected with keys that are unique to the tenant deployment, which are also stored within the specified region. For customer data in transit, traffic is encrypted by using multiple technologies, such as Transport Layer Security (TLS).

Does Tanium access my data?

Tanium automates most TaaS management operations while intentionally limiting our own access to customer data. A Tanium engineer might have limited and logged access to customer data for a limited amount of time, but only when necessary for normal service operations and troubleshooting, and only when approved by a senior member of Engineering at Tanium.

Does Tanium encrypt my data?

Yes. Data in transit and at rest is encrypted by using keys that are unique to each tenancy. TaaS traffic is encrypted by using TLS 1.2 with 256-bit encryption. SSL/TLS is required to access TaaS services and the system API. Tanium provides open encryption methodologies and enables customers to encrypt and authenticate all traffic, and to enforce the latest standards and ciphers.

How does Tanium help ensure availability of the service?

Critical TaaS system components, including audit evidence and logging records, are replicated across multiple Availability Zones, which supports the goal of 99.9+% uptime. Frequent backups are maintained and monitored, allowing for recoverability. Customers retain ownership of their data and control its classification, where it is stored and used, and the applicable retention policies.

How long does Tanium retain my data?

While the majority of customer data in Tanium is stored on the customer endpoints, and queried in real-time when needed, some data could be retained within the Tanium platform and solutions. Upon termination of the agreement, TaaS customers can make a request for transfer of their data from TaaS. Otherwise, customer data is irreversibly destroyed 30 days after termination.

What parts of the service are Internet exposed?

The following TaaS components are directly exposed to the public Internet:

  • TaaS Client Edge: necessary for Tanium Client communication from customer endpoints to the service
  • Cloud Management Portal: authenticated with customer identity provider, after identity provider setup

The Tanium Console and Tanium API have an upstream redirect to verify authentication before reaching these services. Therefore, no unauthenticated Internet traffic reaches the Tanium Console or Tanium API.

TaaS undergoes third-party security assessment and review. For a letter of attestation, Contact Tanium Support.

After a compliance audit, TaaS management processes achieved Cloud Security Alliance STAR Level 1 certification and are included in the Tanium annual ISO27001:2013 certification process. To compare how TaaS meets your own security standards, review the CAIQ.

Service level objectives

TaaS monitors all aspects of the Tanium platform, solutions, and operating environment to ensure availability, security and performance of the service. Through this monitoring, the service aims to achieve 99.9% uptime.

Custom content

Tanium reserves the Write Sensor privilege in TaaS for customers who have completed a Tanium Advanced Content Authoring class. Contact Tanium Support to gain access to this course.

After the Write Sensor privilege is granted, you can create custom content to extend Tanium solutions with TaaS. However, Tanium reserves the right to remove any custom content that is deemed unhealthy to the environment.

Proxy access

Most Tanium solutions are configured to fully function by default in TaaS. However, with certain Tanium solutions, not all possible destinations can be predicted. If you need to add external destination access from a TaaS component, Contact Tanium Support to submit a request. Specify the destination URL or IP address and the service port (for example: TCP443 to customer-abc.cloud.myservice.com).

Tanium platform and solutions

You can use Tanium solutions and platform with TaaS. Some configuration settings and functions are not available with TaaS by design, such as administrator roles, operational logs, and global server settings.

The user guides for the Tanium platform and solutions include a toggle so that you can view information specific to the TaaS environment:

User guide toggle