Tanium - Enterprise-Ready
The Tanium Team has more than 10 years of experience working with large Fortune 500 companies and understands what it takes to deploy solutions in large environments.
Security
Tanium utilizes Kerberos authentication through the enterprise Active Directory infrastructure to ensure that console operators who log into the Tanium console are authorized. When a console operator first opens the Tanium console, they are prompted to supply their domain credentials. Tanium's Server then checks with Active Directory to ensure that the username/password is valid. Tanium's Server is able to perform that validation without needing any elevated Active Directory privileges.
Since Tanium uses Active Directory credentials to authorize the user, there is no need to enforce enterprise password policies on Tanium separately, including complexity or rotation - they are already enforced on the domain. Furthermore, users need only remember the credentials that they already use on an ongoing basis, simplifying the user experience.
Tanium relies on a fully automated, extremely strong digital signature verification process to validate messages that flow throughout the system.
When the Tanium Server is first installed, it automatically generates a Public Key/Private Key pair using a 512-bit elliptic-curve cryptography algorithm. The Private Key is kept exclusively on the Tanium Server. When each client is installed, a copy of the Public Key is installed with it.
Whenever a message is generated by the Tanium Server for distribution to the Clients (i.e. to communicate a new Action, Client Setting, Download, or Sensor), the Server automatically uses the Private Key to sign the message, and the signature is attached to the message. That signature travels along with the message throughout its communication. Whenever a Client receives the message, either directly from the server or from one of its peers, it validates the signature using the Public Key. Only if the signature is validated does the Client accept and process the message. Signature validation occurs before the client ever examines the contents of the message, substantially reducing the possibility of overflow or other data-level attacks.
Key rotation can be enabled to automatically rotate the key pair if desired.
By utilizing FIPS 140-2 certified cryptography, Tanium can ensure the validity of content that reaches Tanium Clients, regardless of whether the data was received from the Server or from another Client in the Tanium network.
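The sign-on-the-server, verify-before-parse flow described above, as an added Go example that is not Tanium's code: the envelope layout, the function names NewServerKey, Sign and VerifyAndParse, and the use of ECDSA over P-521 are assumptions (the page gives only a key size, not a curve or algorithm).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
)

// Action stands in for a server-issued message (constructed example payload).
type Action struct{ Name, Args string }
// NewServerKey plays the role of the key pair generated when the server is
// installed. P-521 is an assumption; the page does not name the curve.
func NewServerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
}
// Sign is the server side: the envelope is [2-byte sig length][DER sig][payload].
func Sign(priv *ecdsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	env := make([]byte, 2, 2+len(sig)+len(payload))
	binary.BigEndian.PutUint16(env, uint16(len(sig)))
	return append(append(env, sig...), payload...), nil
}

// VerifyAndParse is the client side: the signature is checked over the raw bytes
// first, and the payload is decoded only after that check passes.
func VerifyAndParse(pub *ecdsa.PublicKey, env []byte) (*Action, error) {
	if len(env) < 2 || len(env) < 2+int(binary.BigEndian.Uint16(env)) {
		return nil, errors.New("malformed envelope")
	}
	n := 2 + int(binary.BigEndian.Uint16(env))
	sig, payload := env[2:n], env[n:]
	digest := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return nil, errors.New("bad signature: payload not parsed")
	}
	var a Action
	if err := json.Unmarshal(payload, &a); err != nil {
		return nil, err
	}
	return &a, nil
}
```

A client that forwards a message to a peer passes the envelope along unchanged, so the peer performs the same check against the same public key.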
If desired, deploying enterprises can elect to encrypt the data stream between all components in the system using IPSec encryption at the network level, authenticated with either a shared key or Kerberos. The encryption can be enabled through Tanium, or may be enabled using Group Policy Objects.
Scalability
The peer-to-peer nature of the Tanium communications architecture allows our solution to be extremely scalable. A single server can be used to manage hundreds of thousands of machines with the same near-instant response time for both questions and actions.
Our architecture also allows hundreds of Tanium Console users to ask questions and deploy actions concurrently.
Tanium is being used in production at some of the largest enterprises in the world. For more details on the necessary infrastructure to run Tanium, take a look at our system requirements page.
Management Rights
The Tanium Console allows you to limit Console users in numerous ways. For instance, you can restrict a user from:
- Asking questions
- Executing existing actions
- Authoring new actions
- Authoring new sensors
- Creating users
- Assigning management rights to other users
Tanium's natural language parser is also used in creating Groups. This provides an easy mechanism for limiting what machines users have access to. For instance, you could have a user only have access to:
machines where operating system contains "server"
This will effectively limit access for this user to servers only. You could also do this by locale, Active Directory properties, or any other property you can retrieve using a script!