Changes to Trend Micro Cloud One accounts

On August 4, 2021, Trend Micro Cloud One launched a new sign-in and accounts system. The new system separates the creation of users from accounts, allowing a single user to be a member of multiple Trend Micro Cloud One accounts. This allows you to more easily create and manage multiple Trend Micro Cloud One accounts for use across your organization, teams, and global regions.

Customers with new Trend Micro Cloud One accounts can more easily manage users and API keys through the Trend Micro Cloud One platform, instead of managing those features from the Workload Security console.

Any customers signing up for Trend Micro Cloud One on or after August 4, 2021 will use a new Cloud One account. Customers who created their accounts prior to the release will continue to use the legacy account and sign-in, and will be transitioned at a later date.

For more information, see the frequently asked questions below.

How do I know which sign-in method to use?

Trend Micro Cloud One detects which sign-in method you used previously and provides you the correct sign-in page. Both sign-ins are accessible from the Trend Micro Cloud One sign in page. If you are unsure, or if we are unable to detect which sign-in method you used previously, there are a few ways to know which sign-in method to use:

  1. Which fields did you use to sign in previously?

    • Customers with the new method enter an email, password, and optional MFA token.

    • Customers with the legacy method enter an account, username, password, and optional MFA token.

  2. Check the Trend Micro Cloud One banner at the top of the sign in page:

    • Customers with the legacy method see this version of the Trend Micro Cloud One banner after signing in, and should use the sign in page with the same banner:

      [Image: older banner]

      If you previously signed in to Deep Security as a Service via app.deepsecurity.trendmicro.com you must also use this sign in page.

    • Customers with the new method see a new version of the Trend Micro Cloud One banner after signing in, and should use the sign in page with the same banner:

      [Image: new banner]

What's the difference between a new account and a legacy account?

With legacy accounts, a user belongs only to the account where it was created. When signing in with a set of credentials, you must specify the account you belong to because your user ID only exists in that one account. You can create another identical user in a different account, but they are treated as two independent users belonging to two independent accounts. Because users belong to a single account, this means users also only exist in a single region.

In the new accounts, a user is not tied to a single account. A user can be granted access to an account by invitation, but the user still exists outside of the account if the account is deleted or if the user's access to it is revoked. When signing in, you are not authenticating into a Trend Micro Cloud One account; you authenticate as a user. Your user may have been granted access to multiple Trend Micro Cloud One accounts and once you've signed in, you can freely access those accounts. A user's unique identifier is its email address, and a given email address can only have a single user globally, across all Trend Micro Cloud One regions and all Trend Micro Cloud One accounts.

What's the difference between a user and an account in the new system?

An account is a container for your Trend Micro Cloud One services. Within each Trend Micro Cloud One account, you can create and manage the resources, deployment, configuration, and security policy for the Trend Micro Cloud One services. Each Trend Micro Cloud One account is locked to a single region, and is managed separately in terms of account administration, billing, and licensing. This ensures that security data stays in the region for the Trend Micro Cloud One security and protection resources deployed. However, you can still deploy and manage resources globally from any account.

A user is a unique identity that can be granted access to a Trend Micro Cloud One account. Each user authenticates with a set of unique credentials. Once authenticated, a user can see and make changes to one or more Trend Micro Cloud One accounts and their resources, based on the role assigned to the user.

Can I use the new sign-in with legacy credentials, or vice-versa?

No. The credentials are specific to each sign-in system.

What is the impact to users signing in through SAML single sign-on?

SAML SSO is not yet available for Trend Micro Cloud One; however, customers can continue to use this option to sign in directly to Deep Security as a Service (app.deepsecurity.trendmicro.com). Users authenticating through single sign-on do not have access to the other Trend Micro Cloud One services. The only way to access Trend Micro Cloud One is to sign in with credentials in Trend Micro Cloud One. There is no impact to users signing in through SAML as part of these changes.

List of differences between legacy accounts and new accounts

Activity Legacy account New account
Managing users (UI)

Legacy account:

Users are managed from the Workload Security console, and a given user exists only in a single account.

  • When an administrator adds a user, they must send the credentials to the user so they can sign in.
  • A user can be locked out of an account by an administrator or if they have attempted to sign in too many times with incorrect credentials. This is not available in new accounts.

User authentication requirements:

New account:

Users are managed from the Account Management pages in the Trend Micro Cloud One console.

A user can be invited to join an account by another user with sufficient privileges. An account administrator can invite or remove users from the account but cannot delete another user or modify properties other than their role.

Each individual user creates and manages their own user properties and credentials. As a user, this means you only need to authenticate once with a single set of credentials to access all the Trend Micro Cloud One accounts you've joined, rather than needing a separate login for each individual account.

User authentication requirements:

  • Password rules are set by default for all Trend Micro Cloud One users and cannot be individually configured. Passwords must be at least 8 characters, and include uppercase, lowercase, numeric, and special characters.
  • An account administrator can require MFA to be enabled for a user before they can access the account.
  • Maximum session duration is set to 30 minutes for all users.

Managing users (API)

Legacy account:

Users can be managed programmatically from the Workload Security Administrators APIs.

New account:

Users must be managed using the Trend Micro Cloud One Accounts APIs and Invitations APIs.

Managing roles (UI)

Legacy account:

Roles are managed and assigned to users from the Workload Security console. The structure and permissions of these roles across the other Trend Micro Cloud One services is described in Define roles for users.

New account:

Roles are managed from the Account Management pages in the Trend Micro Cloud One console. Roles are assigned when inviting a user to an account or creating an API key, and can be modified later by an administrator with sufficient privileges. A role contains a set of permissions for each of the Trend Micro Cloud One services, as well as different administrative functions for the account.

Managing roles (API)

Legacy account:

Roles can be managed programmatically from the Workload Security Administrator Roles APIs.

New account:

Roles must be managed using the Trend Micro Cloud One Roles APIs.
Managing API keys (UI)

Legacy account:

API keys are created and managed from the individual Trend Micro Cloud One security service consoles, and only grant permissions for that service.

Container Security and File Storage Security share the same API keys as Workload Security.

API keys can be expired and locked out. In new accounts, API keys cannot be expired, but can be enabled or disabled by an administrator with sufficient privileges.

New account:

API keys are managed from the Account Management pages in the Trend Micro Cloud One console. When you create an API key, it is assigned a role and a single API key can be used to manage all of the Trend Micro Cloud One services as well as the account's administrative functions.

Unlike users, API keys are locked to a single account and cannot be granted access to multiple Trend Micro Cloud One accounts.

Managing API keys (API)

Legacy account:

API keys can be managed programmatically from the Workload Security API Keys APIs.

New account:

API keys must be managed using the Trend Micro Cloud One API Keys APIs.

Managing accounts (UI)

Legacy account:

Accounts were previously created at https://cloudone.trendmicro.com/trial. Legacy accounts can no longer be created, and all new sign-ups will be for new users and accounts.

Legacy accounts have 2 unique account identifiers:

  • The Account field, which users enter when signing in, must be globally unique and cannot be changed after it's created. This field is named Company/Account on the registration form and Company on the support form.
  • The globally unique 12-digit Account ID visible from the Subscription Management page.

New account:

Account properties are managed from the Account Management pages in the Trend Micro Cloud One console.

A Trend Micro Cloud One user can create a new account in Trend Micro Cloud One using the Create New Account button in the console header. Each user can create a maximum of 2 Trend Micro Cloud One accounts. If you require more accounts, please contact Trend Micro support.

Deleting an account does not free up another account. It's still counted in the 2-account limit.

Accounts have a single unique account identifier, which is a globally unique 12-digit Account ID visible from any of the Account Management pages and in the console header. When creating an account, the creator must also provide an Account Alias, which is a friendly name for the account. The alias does not need to be unique and can be changed at any time.

Managing accounts (API) Legacy Account Accounts can be managed programmatically using the Trend Micro Cloud One Accounts APIs
Free trials

Legacy account:

Any new account created receives a 30-day free trial for all Trend Micro Cloud One services.

After the trial expires, users only have access to Workload Security with a 5 computer maximum, as explained here.

New account:

All new accounts receive a 30-day free trial for all available Trend Micro Cloud One services.

After the trial expires, users cannot access the Trend Micro Cloud One services but can continue to access administrative functions for a period of time.

Annual subscription/price list

Legacy account:

For Workload Security, customers receive an Activation Code that must be entered in the Workload Security console, on the Account Details page.

For all other Cloud One services, the customer's subscription is added directly to their account by the Cloud One product or support team after purchasing.

New account:

For Workload Security, customers receive an Activation Code that must be entered in the Workload Security console, on the Account Details page.

For all other Cloud One services, the customer's subscription is added directly to their account by the Cloud One product or support team after purchasing.

AWS Marketplace subscription

Legacy account:

AWS Marketplace subscriptions are managed from the Workload Security console as described in Sign up with AWS - Pay as you Go billing.

New account:

AWS Marketplace subscriptions are managed from the Subscription Management page, which is accessible from the main page in the Trend Micro Cloud One console.

If you subscribe to the AWS listing during the free trial period, or create your account directly from AWS Marketplace, you are granted a 30-day free trial and are not charged for any usage during that period.

Azure Marketplace subscription

Legacy account:

Azure Marketplace subscriptions are managed from the Workload Security console as described in Sign up with Azure - Pay as You Go billing.

As of April 2021, Azure Marketplace Pay as You Go billing is no longer offered to new customers.

New account:

This is not supported. As of April 2021, Azure Marketplace Pay as You Go billing is no longer offered to new customers.

System events (user authentication)

Legacy account:

The following events are logged in the Workload Security system events for authentication and session creation across Trend Micro Cloud One.

  • 600 - User Signed In
  • 601 - User Signed Out
  • 602 - User Timed Out
  • 605 - User Session
  • 608 - User Session Validation Failed
  • 610 - User Session Validated
  • 650 - User Created
  • 651 - User Deleted
  • 652 - User Updated
  • 656 - API Key Created
  • 657 - API Key Deleted
  • 658 - API Key Updated
  • 675 - API Key Session Validation Failed
  • 676 - API Key Made Invalid Request

New account:

In Workload Security, events 600 (User Signed In), 601 (User Signed Out), and 652 (User Updated) will no longer appear. The other system events will continue to be logged in Workload Security for actions and sessions made to Workload Security. When viewing the events in the Workload Security console for users and API Keys, these will now reference the URN for the user (visible from the User Management page in Trend Micro Cloud One) and the ID for the API Keys (visible from the API Keys page in Cloud One).

All other actions related to user, role, and API Key management in Cloud One are logged on the Audit Log page in Cloud One. Event forwarding is currently not supported for the audit log.
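
The following Python sketch is an added example, not Trend Micro code. It shows how a detection team might use the event IDs above: flagging bursts of validation failures per user URN or API key ID, and auditing existing alert rules that depend on events 600, 601, or 652. The record fields (`time`, `id`, `principal`), the rule names, the thresholds, and the placeholder principals are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Failure events from the list above: 608, 675, 676.
FAILURE_IDS = {608, 675, 676}
# Events that no longer appear in Workload Security for new accounts.
RETIRED_IDS = {600, 601, 652}

# Constructed sample records; principals are placeholders, not real URNs or key IDs.
SAMPLE_EVENTS = [
    {"time": "2021-08-05T10:00:00", "id": 675, "principal": "APIKEY_ID_PLACEHOLDER_1"},
    {"time": "2021-08-05T10:01:00", "id": 675, "principal": "APIKEY_ID_PLACEHOLDER_1"},
    {"time": "2021-08-05T10:02:30", "id": 676, "principal": "APIKEY_ID_PLACEHOLDER_1"},
    {"time": "2021-08-05T10:03:00", "id": 610, "principal": "USER_URN_PLACEHOLDER_1"},
    {"time": "2021-08-05T10:04:00", "id": 608, "principal": "USER_URN_PLACEHOLDER_1"},
    {"time": "2021-08-05T11:30:00", "id": 608, "principal": "USER_URN_PLACEHOLDER_1"},
]
# Constructed alert rules: rule name -> event IDs the rule matches on.
SAMPLE_RULES = {"signin-outside-hours": [600], "user-modified": [652],
                "key-created": [656], "signin-or-timeout": [600, 602]}

def failure_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return {principal: peak count} where failures reach threshold inside a sliding window."""
    by_principal = defaultdict(list)
    for e in events:
        if e["id"] in FAILURE_IDS:
            by_principal[e["principal"]].append(datetime.fromisoformat(e["time"]))
    alerts = {}
    for principal, times in by_principal.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop failures older than the window
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[principal] = max(alerts.get(principal, 0), count)
    return alerts

def audit_rules(rules):
    """Map rule name -> 'blind' (matches only retired IDs) or 'degraded' (matches some)."""
    out = {}
    for name, ids in rules.items():
        retired = set(ids) & RETIRED_IDS
        if retired:
            out[name] = "blind" if retired == set(ids) else "degraded"
    return out
```

Rules reported as blind can never fire against Workload Security system events from a new account. Their coverage would have to come from the Cloud One Audit Log page, which does not currently support event forwarding.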

If I have a legacy account, what happens to my account? How do I use or access the new account features?

For existing customers with a legacy account, there are no changes or impacts to your account resulting from the release of the new Trend Micro Cloud One accounts and their features. However, you will no longer have the option of creating legacy accounts, and all newly created Trend Micro Cloud One accounts will be new accounts.

Existing accounts will be transitioned to new accounts at a future date. Currently, the only way to access the new accounts and their features is to create a brand new account at https://cloudone.trendmicro.com/trial.

What does 'region' mean for an account?

When you create a new Trend Micro Cloud One account, you must select the region where the data for your account will be hosted. All your security data stays in the region where your account was created, and the region of an account cannot be changed later.

While accounts are restricted to a single region, you can still manage assets globally from an account in any region. All Trend Micro Cloud One regions can be used and accessed globally by any customer, and can be used to protect assets globally.

All legacy accounts exist in the US-1 region, located in the United States, and existing accounts cannot be moved to another region; however, you can still manage assets globally from your account.

For a list of currently available Trend Micro Cloud One regions and the services available in each region, see Trend Micro Cloud One regions.