Zero Trust overview

With Zero Trust, support your zero trust architecture by sending trust data for managed endpoints to your Identity and Access Management (IAM) provider.

Use Zero Trust to:

  • Strengthen your security capabilities through a zero trust architecture.
  • Identify potentially risky endpoints in your environment.
  • Receive alerts when events occur that result in data sent to your IAM provider.
  • Audit zero trust events through the Tanium Console.

Zero Trust supports Microsoft Entra ID. With Entra ID, you can enable conditional access to Microsoft products through extension attributes.

Zero Trust provides data regarding risky or misconfigured endpoints that can be used to limit access to support other authentication and authorization flows. Zero Trust is intended to be used as a defense-in-depth measure and should not be used as a primary access control.

Rules

In Zero Trust, a rule defines a set of targeted endpoints for which to send trust data from Tanium to your IAM provider.

Zero Trust continuously monitors endpoints that are targeted by rules. A rule triggers when an event occurs that causes an endpoint to match the rule, such as if an endpoint has not restarted within the last 7 days, if an endpoint is missing a critical patch, or if an endpoint has a known vulnerability. When a rule triggers, Tanium applies or removes trust data to send to your IAM provider.

Targeted endpoints

For each rule, you can select one or more sensors that targeted endpoints must match to be subject to the rule.

After you create a rule, Zero Trust immediately begins to monitor endpoints for the rule conditions. Rules are subject to the computer management group permissions of the user who owns the rule. The initial owner of a rule is the user who creates the rule. A rule can target different endpoints depending on who created the rule. If you want a rule to target different endpoints, you can change the owner of the rule to a user with the desired computer management group permissions.

Sensor data is sourced through Tanium Data Service.

ClosedAbout Tanium Data Service

Tanium Data Service stores sensor results for endpoints when you issue a question. After you register sensors for collection, the service queries all managed endpoints to collect the results of those sensors and stores the data. To keep the results current, Tanium Data Service periodically reissues questions that contain the registered sensors.

Modes

Rules run in either enforcement mode or audit mode.

  • Enforcement mode: When an event triggers the rule, Zero Trust logs the event and sends data to the IAM provider. Rules in enforcement mode are sometimes referred to as enforce rules.
  • Audit mode: When an event triggers a rule, Zero Trust logs the event but does not send data to the IAM provider. Rules in audit mode are sometimes referred to as audit rules. Use this mode to test rules.

Prioritization

An event might cause an endpoint to match more than one rule. An event can match multiple rules, but only one rule can trigger for each extension attribute for each endpoint.

For example, consider an event that matches three rules: Rule 1, Rule 2, and Rule 3. Rule 1 assigns a string to extension attribute 1, Rule 2 assigns a string to extension attribute 3, and Rule 3 removes a string from extension attribute 3. The rules are prioritized in order: Rule 1 is priority 1, Rule 2 is priority 2, and Rule 3 is priority 3. When the event occurs, Rule 1 always triggers for the endpoint, because that rule has no conflicts with other rules (and it is also the highest priority rule). However, Rule 2 and Rule 3 affect the same extension attribute, and thus only Rule 2 triggers due to the order of priority.

You can prioritize rules to determine which rule triggers when an event occurs. See Prioritize rules.

Events

An event occurs when an endpoint matches a rule, or when a user manually updates an extension attribute for an endpoint. Zero Trust triggers the rule and applies or removes the trust data that is specified in the rule. Zero Trust maintains a log of events that you can view in the user interface.

When an event occurs that matches a rule in audit mode, Zero Trust checks for an existing audit log entry that matches the same rule, endpoint, and trust data. If a match is found with a rule that is in audit mode, Zero Trust replaces the older entry with the new event entry. By upserting entries for audit rules, Zero Trust minimizes the size of the logs while maintaining the latest data.

Zero Trust does not upsert entries for rules in enforcement mode.

For more information, see Auditing events.

Supported IAM providers

Zero Trust supports conditional access for endpoints through Microsoft Entra ID.

Microsoft Entra ID was previously known as Microsoft Azure Active Directory or Microsoft Azure AD.

Microsoft Entra ID

You can configure Zero Trust to send trust data for your endpoints through extension attributes to Entra ID. Extension attributes are properties that you can set for each endpoint. An extension attribute string is the value that you assign to an extension attribute. Through Entra ID, you can manage 15 extension attributes for each endpoint. When an endpoint matches a configured rule, Zero Trust either applies an extension attribute string to an extension attribute for the endpoint, or Zero Trust removes the extension attribute string from an extension attribute. If the mode for the rule is set to Enforcement, Zero Trust sends the updated extension attribute to Entra ID.

To use Zero Trust to monitor endpoints in Entra ID, endpoints must be managed by Tanium and registered in Entra ID with device IDs.

For additional information about extension attributes and device IDs, see the following:

Interoperability with other Tanium products

Connect

Configure a Taniumâ„¢ Connect destination to export audit entries outside of Tanium. For more information, see Send logs through Connect.