Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, our cybersecurity platform protects hundreds of thousands of organizations and millions of individuals across clouds, networks, devices, and endpoints. As a leader in cloud and enterprise cybersecurity, our platform delivers a powerful range of advanced threat defense techniques optimized for environments like AWS, Microsoft, and Google, and central visibility for better, faster detection and response.
Trend Micro is committed to the security and privacy of our customers and their data. The following Trend Vision One resources are representative of our commitment to security, privacy, transparency, and compliance with industry-recognized standards. For more information, see the Trend Micro Trust Center.
The latest information on the security, privacy, and compliance details for Trend Vision One is provided below.
Data privacy
For general information on how Trend Micro protects your data, see the Trend Micro Global Privacy Notice.
Depending on the nature of the protected environment and the object that is the target of the security event (for example, files, memory, network traffic), there is a risk that personal information may be collected within a security event. Security policy configuration and module selection are provided to meet the requirements of your target environment and minimize this risk.
For more information on the data sent to Trend Micro and customer controls over that data, please read the Trend Vision One Data Collection Notice.
GDPR
Trend Micro complies with applicable laws, including GDPR. For more information, see the Trend Micro GDPR Compliance site.
- Where appropriate, we implement Technical and Organizational Measures (TOMs) to support our processing of data under GDPR.
- As a data processor under GDPR, our processing of personal data is limited in a number of cases. The details on the data processed by Trend Vision One and the controls available to you over that data are documented in the Trend Vision One Data Collection Notice.
Trend Vision One Data Collection Notice
Certain features available in Trend Vision One collect and send feedback regarding product usage and detection information to Trend Micro. For more information, see the Trend Vision One Data Collection Notice.
Data security
Trend Micro adheres to industry standards for data security and provides an outline of general security practices. In addition, Trend Vision One uses industry-accepted best practices to secure your data. This includes segregating individual customer data as well as encrypting data at rest and data in transit. Backup of customer data follows industry-defined best practices, and our various certifications such as ISO 27001 (for access control and cryptography) and ISO 27017 (for monitoring of cloud services and segregation of environments) help define our processes for backup and data recovery.
Customers can choose an available Trend Vision One region to provision the Trend Vision One console, and store and process all data lake services and data.
Customers can assign roles to users which limit access rights to Trend Vision One, including but not limited to, granting support access, initiating response actions, collecting files from endpoints, and limiting users to read-only access.
Data at rest is protected by the native encryption technologies of the cloud on which it resides.
Customer data is tagged with a “Customer ID” during ingestion as part of the data schema. The internal data access layer of Trend Micro applications requires this “Customer ID” parameter to access the data, and a query may only access the single “Customer ID” that the caller is authenticated to; this protects customer data from being accessed by any other party. Customers do not supply the “Customer ID” directly when interacting with the service; the application binds it from the authenticated identity, so a malicious actor cannot pass a different customer ID to reach another customer's data set.
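The isolation property described above (the tenant key is bound by the application from the authenticated identity, never read from the request) is easiest to see next to the anti-pattern it rules out. The following is an added example written for this page, not Trend Micro code; the table schema, sample rows, and session object are constructed for illustration and say nothing about how Trend Vision One's data access layer is actually built.

```python
"""Tenant isolation by Customer ID: the tenant key comes from the authenticated
session, never from a request parameter. Added example; not Trend Micro code.
The schema and sample rows below are constructed for illustration."""
import sqlite3
from dataclasses import dataclass


def seed() -> sqlite3.Connection:
    """In-memory store with rows belonging to two constructed tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (customer_id TEXT NOT NULL, kind TEXT, detail TEXT)"
    )
    conn.executemany(
        "INSERT INTO events VALUES (?, ?, ?)",
        [
            ("cust-A", "malware", "eicar.com on host-a1"),   # constructed sample data
            ("cust-A", "network", "C2 beacon from host-a2"),
            ("cust-B", "malware", "ransom.exe on host-b1"),
        ],
    )
    return conn


@dataclass(frozen=True)
class Session:
    """Result of authentication; customer_id is fixed by the identity layer."""
    user: str
    customer_id: str


# --- Anti-pattern: tenant key taken from the request --------------------------
def events_insecure(conn: sqlite3.Connection, customer_id_from_request: str, kind: str):
    """Any caller able to alter the parameter can read another tenant's rows
    (classic broken access control / IDOR)."""
    return conn.execute(
        "SELECT detail FROM events WHERE customer_id = ? AND kind = ?",
        (customer_id_from_request, kind),
    ).fetchall()


# --- Hardened: every query is built inside a tenant-scoped access layer --------
class TenantScopedStore:
    def __init__(self, conn: sqlite3.Connection, session: Session):
        self._conn = conn
        self._customer_id = session.customer_id  # bound once, from the session

    def _query(self, where: str, params: tuple) -> list:
        # `where` is internal to this class (never user input); the tenant
        # predicate is prepended here, so no public method exposes a parameter
        # that could carry a different Customer ID. User values are bound.
        sql = f"SELECT detail FROM events WHERE customer_id = ? AND ({where})"
        rows = self._conn.execute(sql, (self._customer_id, *params))
        return [row[0] for row in rows]

    def events(self) -> list:
        return self._query("1 = 1", ())

    def events_by_kind(self, kind: str) -> list:
        return self._query("kind = ?", (kind,))


if __name__ == "__main__":
    conn = seed()
    alice = Session(user="alice@example.test", customer_id="cust-A")
    store = TenantScopedStore(conn, alice)
    print(store.events_by_kind("malware"))             # only cust-A rows
    print(events_insecure(conn, "cust-B", "malware"))  # tampered id leaks cust-B
```

The point of the hardened version is structural: there is no code path in which a caller-supplied value can become the `customer_id` predicate, and an injection attempt in the remaining user-controlled parameter is neutralised by parameter binding rather than by the tenant filter alone.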
Trend Vision One uses TLS 1.2 wherever possible for data transmission.
Supported Ciphers:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_256_CBC_SHA256
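The list above mixes two properties a client operator should care about: only the ECDHE suites give forward secrecy (the TLS_RSA_* suites use static RSA key transport, which TLS 1.3 dropped entirely), and only the GCM suites are AEAD (the CBC suites use MAC-then-encrypt). A client that talks to the service can pin itself to the two suites that have both. The following is an added example written for this page, not Trend Micro code; it classifies the page's own suite list, converts the IANA names to the OpenSSL names Python's `ssl` module expects, and builds a client context restricted to the preferred suites. Nothing here connects to any host.

```python
"""Audit the TLS 1.2 cipher suites listed on the page and build a client
context restricted to the ones with forward secrecy and AEAD protection.
Added example; not Trend Micro code. Suite list copied from the page."""
import re
import ssl
from dataclasses import dataclass

# Suites exactly as listed on the page (IANA names).
PAGE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
]

# Covers the AES suite families seen in practice; anything else is rejected.
_SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE_RSA|ECDHE_ECDSA|DHE_RSA|RSA)_WITH_"
    r"AES_(?P<bits>128|256)_(?P<mode>GCM|CBC)_(?P<hash>SHA256|SHA384|SHA)$"
)


@dataclass(frozen=True)
class SuiteInfo:
    iana: str
    openssl: str
    forward_secrecy: bool   # ephemeral (EC)DHE key exchange
    aead: bool              # GCM; CBC suites rely on MAC-then-encrypt


def classify(iana_name: str) -> SuiteInfo:
    m = _SUITE_RE.match(iana_name)
    if not m:
        raise ValueError(f"unsupported or malformed suite name: {iana_name}")
    kx, bits, mode, h = m.group("kx", "bits", "mode", "hash")
    # OpenSSL naming: static-RSA suites drop the key-exchange prefix and
    # CBC is implicit, e.g. TLS_RSA_WITH_AES_128_CBC_SHA256 -> AES128-SHA256.
    parts = [] if kx == "RSA" else [kx.replace("_", "-")]
    parts.append(f"AES{bits}")
    if mode == "GCM":
        parts.append("GCM")
    parts.append(h)
    return SuiteInfo(
        iana=iana_name,
        openssl="-".join(parts),
        forward_secrecy=kx != "RSA",
        aead=mode == "GCM",
    )


def preferred(suites) -> list:
    """Suites a client should pin to: forward secrecy and AEAD."""
    return [s for s in map(classify, suites) if s.forward_secrecy and s.aead]


def weak(suites) -> list:
    """Suites to flag: static RSA key exchange (no forward secrecy) or CBC mode."""
    return [s for s in map(classify, suites) if not (s.forward_secrecy and s.aead)]


def restricted_client_context(suites) -> ssl.SSLContext:
    """Client context offering only the preferred TLS 1.2 suites. TLS 1.3
    suites, if the local OpenSSL has them, are configured separately and stay on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(s.openssl for s in preferred(suites)))
    return ctx


if __name__ == "__main__":
    for s in map(classify, PAGE_SUITES):
        print(f"{s.iana:40} {s.openssl:30} FS={s.forward_secrecy!s:5} AEAD={s.aead}")
```

Run stand-alone, it prints a row per suite; the two rows with both flags true are the ones `restricted_client_context` keeps. The same classifier can be pointed at the suite list from any other vendor's trust page.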
Data segregation
All customer information is segregated to ensure that customers have access to only their own data.
Customer contact details, such as their email address, are encrypted at rest to ensure confidentiality. Data collected by Trend Vision One is listed in the Trend Vision One Data Collection Notice.
Data encryption
Information processed by Trend Vision One is encrypted both in transit and at rest, and is sent to a Trend Vision One node in the region the customer selects during initial setup.
At rest: Data at rest is protected by the native encryption technologies of the cloud on which it resides. For Azure SQL, the database is encrypted with Transparent Data Encryption (TDE). Trend Micro's proprietary architecture within AWS uses native AES-256 encryption for the data lake contents at rest.
In transit: Trend Vision One uses TLS 1.2 wherever possible for data transmission. Trend Micro manages the management console and client-server communication encryption for the customer using cloud-native key management infrastructure.
Data access
All access to Trend Micro offices and networks is strictly controlled to authorized or accompanied individuals only. Access is given through a key card system and approval is required before entry is granted into sensitive areas. The Trend Vision One platform and data lake infrastructure reside within Microsoft Azure and AWS.
Trend Vision One is hosted in a highly restricted subnet with no direct internet access. Only a limited set of administrators have access to Trend Vision One for maintenance tasks. Operator access is done over secure encrypted connections and secured with multiple layers of network and access controls.
Access to information in Trend Vision One is restricted to Trend Micro Site Reliability Engineers (SREs), the threat research and analytics teams, and, when explicitly enabled in the console, the customer support teams. Access is allowed for the purposes of troubleshooting, solving issues, and improving the effectiveness of security protections. All access is recorded and audited. Access privileges are managed and approved by the product leadership team. Information in Trend Vision One may be accessed or viewed by the above Trend Micro teams from physical locations outside of the customer's deployed region.
Access is restricted to certain allowed IP addresses and is monitored in a SIEM. Alerts are generated for any suspicious access. Investigation of alerts is done according to incident management procedures.
Sub-contractors are not used in the development or operation of Trend Vision One.
Security logs
Trend Vision One uses the Trend Cloud One agent to monitor: Anti-Malware, Firewall, Intrusion Prevention, Integrity Monitoring, and Log Inspection. All access to the infrastructure is monitored and recorded through native security services offered by the cloud service provider.
Trend Vision One enables automated alerts and employs 24/7 on-call staff. Security alerts are reviewed for all systems on a daily basis. If a security incident is suspected, it is immediately reported to the Trend Micro Security Operations Center (SOC). Potential incidents are prioritized based on the severity of the suspected incident, and a team from the SOC, as well as technical experts, is assigned to investigate.
These logs remain in the region that is hosting the Trend Vision One account, and customers do not have access to these logs. For more information on what regions are covered by Trend Vision One, see Trend Vision One Data Center Locations.
Audit logs are generated and stored for all user access and actions in Trend Vision One systems. Trend Vision One retains the audit logs for 180 days. Customers can view customer access logs in their console, and can export them if needed.
Data retention
With regard to log retention, Trend Vision One applies retention policies that purge data once it is no longer needed for the purpose for which it was collected. Trend Vision One retains the collected raw information for 30 days by default, unless the customer purchases an extended storage option (up to a maximum of 365 days). Trend Vision One also generates and retains alert workbenches for 180 days to give customers time for investigation and reporting. If a customer license expires, all data is deleted after a 30-day grace period.
Data backup
Trend Vision One backups are conducted daily. Automated tests are run weekly to validate the consistency of our backups, and backups are stored so as to mitigate the risk of issues within a single region. Backups are kept for 35 days before they are destroyed.
Disaster recovery and business continuity (DR)
Trend Vision One has a disaster recovery (DR) and business continuity plan (BCP). A DR simulation is executed at least annually to verify the backup data and the RTO/RPO claims made under ISO 27001. Backups are stored so as to mitigate the risk of issues within a single region.
The Trend Vision One platform and data lake reside within Microsoft Azure and AWS. The Trend Vision One platform utilizes service-to-service connections to facilitate the operations of an advanced detection and response system. For more information, please refer to the Trend Micro Vision One Security and Privacy Overview.
Data deletion
To submit a request for data deletion, please visit:
ISO 27001 contains provisions for data destruction. Trend Vision One, Microsoft Azure, and AWS are ISO 27001 compliant. Customers may start a data deletion request by sending an email to Trend Micro at gdpr@trendmicro.com.
Employee training
Trend Vision One software developers are trained in secure coding practices using an industry-standard curriculum based on the SANS Top 25 and OWASP Top 10. Education campaigns are conducted on an annual basis and when an employee joins the company. All employees must adhere to Trend Micro internet, computer, remote access, and mobile device acceptable use policies. Failure to comply with these policies may result in disciplinary actions, which could include termination. The Trend Vision One development teams employ specialized staff to handle product security. Security testing, secure code review, and threat modeling are part of the development life-cycle.
For more information about our secure coding best practices, see the Trend Micro Trust Center for Compliance.
Trend Micro adheres to the following password policies and standards:
- All passwords must be changed at least on a quarterly basis.
- Passwords must not be inserted into email messages or other forms of electronic communication.
- Passwords must not be shared or revealed to anyone.
- Passwords must be changed immediately if compromise is suspected.
- Passwords must be encrypted during transmission and stored hashed with a salt.
- Passwords must be at least eight alphanumeric characters long.
- Passwords must contain both upper and lower case characters (for example, a-z, A-Z).
- Password reuse prevention is enforced.
- Passwords must not be based on personal information, names of family members, and so on.
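Three of the rules above are technical controls rather than user obligations: salted hashing at rest, reuse prevention, and the composition check. The following is an added example written for this page, not Trend Micro code, showing one way a service implements those three together. The choice of PBKDF2-HMAC-SHA256, the 600,000-iteration count, the five-entry reuse history, and the storage format are assumptions of the example and are not stated on the page. Note also that NIST SP 800-63B now discourages mandatory periodic rotation and composition rules; the code implements the page's rules as written and leaves the rotation schedule to the identity provider.

```python
"""Password handling per the listed policy: length and case checks, no personal
terms, salted hashing, and reuse prevention against previous hashes.
Added example; not Trend Micro code. Algorithm, iteration count, history
depth and storage format are assumptions, not taken from the page."""
import hashlib
import hmac
import os

MIN_LENGTH = 8               # page: at least eight characters
PBKDF2_ITERATIONS = 600_000  # assumption: current OWASP floor for PBKDF2-HMAC-SHA256
HISTORY_DEPTH = 5            # assumption: how many previous hashes count as reuse


def policy_violations(password: str, personal_terms=()) -> list:
    """Return the rules the candidate breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password) or not any(c.islower() for c in password):
        problems.append("must contain both upper and lower case characters")
    if not any(c.isalnum() for c in password):
        problems.append("must contain alphanumeric characters")
    lowered = password.lower()
    for term in personal_terms:  # e.g. user name, family names from the profile
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"based on personal information ({term})")
    return problems


def hash_password(password: str) -> str:
    """Per-password random salt; stored as algorithm$iterations$salt$hash (hex)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    alg, iters, salt_hex, digest_hex = stored.split("$")
    if alg != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time compare


def is_reused(password: str, history: list) -> bool:
    """Reuse prevention: candidate matches one of the last HISTORY_DEPTH hashes.
    Each entry has its own salt, so every comparison is a full PBKDF2 run."""
    return any(verify_password(password, h) for h in history[-HISTORY_DEPTH:])


def change_password(new_password: str, history: list, personal_terms=()):
    """Full check at password change: policy, then reuse, then append the new hash."""
    problems = policy_violations(new_password, personal_terms)
    if is_reused(new_password, history):
        problems.append("reuses one of the previous passwords")
    if problems:
        return False, problems
    history.append(hash_password(new_password))
    return True, []


if __name__ == "__main__":
    history = []
    print(change_password("CorrectHorse9", history))      # (True, [])
    print(change_password("CorrectHorse9", history))      # rejected: reuse
    print(change_password("smith2024", history, ["Smith"]))  # rejected: case + personal
```

Because each stored entry carries its own salt, reuse checking cannot be done by comparing hashes; the candidate must be re-derived against every retained entry, which is why the history depth is bounded.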
Change control
Ensuring that our customers continue to receive the latest security capabilities in a safe, reliable way is a key priority for our team. In addition to the development practices around code review, functional testing, and scale testing, as well as our vulnerability scanning and penetration testing, we take a number of steps to ensure that any service updates are introduced in a safe and controlled way. All service updates are introduced in small, incremental updates that are rolled out first to a staging environment and then to production. Each change is closely monitored and multiple procedures are in place, both automated and manual, to handle situations that may arise. All updates to the service are introduced transparently to customers, and can be rolled back transparently, should any unforeseen issues arise.
Application upgrades within the Trend Vision One environment are completed after meeting our quality objectives. Trend Micro uses best practices for changes, including full backups and approval processes. Trend Vision One has multiple dedicated development and testing environments. Any changes requested are first reviewed by technical stakeholders to determine the urgency and potential impact of the changes. All changes require a documented back-out plan. These changes are tracked and recorded in a change control system.
Vulnerability management
Vulnerabilities are continuously monitored and tracked. Each vulnerability is assigned a CVSS score. Patching requirements that specify time frames for addressing a vulnerability according to CVSS-based severity are included in the Secure Development Compliance Policy. The Trend Vision One software in the Trend Vision One environment is updated once every two weeks to use the latest available code base, including vulnerability fixes. The Trend Vision One team is responsible for patching the Trend Vision One software and the supporting AWS and Microsoft Azure services.
Code analysis
Trend Micro source code is scanned using static code analysis with industry-standard tools like Fortify, BlackDuck, and more, which are deployed at every development stage or phase. Third-party vulnerabilities are scanned monthly by industry-leading software. Security testing, secure code review, and threat modeling are also part of the development lifecycle of all Trend Micro products.
Trend Vision One goes through strict quality checks from the development phase up to the GM release. After release, teams perform vulnerability scans weekly, in an automated fashion. The severity of vulnerabilities is rated using the CVSS score. Third-party penetration tests are conducted annually on the SaaS environment and cover application, external and internal network, and segmentation tests. Critical vulnerabilities are required to be fixed within one month or addressed through mitigation or workaround.
Penetration testing
The Trend Vision One platform undergoes regular security assessments, both automated and manual, including external third-party assessments.
The Trend Vision One platform undergoes yearly penetration tests conducted by third-party security experts to detect and rectify common security issues. The scope of the third-party penetration tests includes application security tests, internal and external network scans, and network segmentation tests. Trend Micro can provide the penetration test certificate upon request. Trend Micro InfoSec conducts web application assessments of Trend Vision One for any major release and at least annually using leading dynamic analysis security tools.
For more information about our vulnerability response program, see the Trend Micro Vulnerability Response site.
Incident response
Trend Micro has a dedicated Information Security (InfoSec) team that is responsible for ensuring compliance with Trend Micro security policies. Trend Vision One engineers immediately contact the InfoSec team when a security incident is discovered. In addition, InfoSec independently monitors Trend Vision One environment logs. If a security incident is discovered, the incident is prioritized based on severity. A dedicated team of technical experts is assigned to investigate, advise on containment procedures, perform forensics, and manage communication. Following an incident, the team examines the root cause and revises the response plan accordingly. In the event of a breach involving customer data, Trend Micro will follow its obligations under GDPR. For more information, see the Trend Micro GDPR Compliance site.
If you suspect a security incident, please contact us at the Trend Micro Technical Support site.
Certifications
ISO 27001, ISO 27014, ISO 27034-1, ISO 27017 and SOC2/3
Trend Micro and Trend Micro Cloud Services undergo yearly audits by trusted external auditors to ensure we're adhering to industry best practices. ISO 27001 is a global standard and is used to define the overall Information Security Management System for Trend Micro. ISO 27001 covers items such as human resource security, access control, operations security, and information security incident management. SOC 2 Type II certification is used to validate the security controls over our IT systems and includes Trend Micro internal systems as well as its SaaS offerings. SOC 2 Type II controls include items such as security (firewalls, IPS, and more), availability (disaster recovery and incident handling), confidentiality (encryption and access control), privacy, and processing integrity (quality assurance).
Trend Vision One is certified for ISO 27001, 27014, 27034-1, and 27017. You can find the compliance certificates on the Trend Micro Trust Center for Compliance.
Trend Vision One has completed a SOC 2 Type II evaluation, and you can find the SOC 3 report and the request form for the SOC 2 report on the Trend Micro Trust Center for Compliance.