Trend Micro Cloud One™ Trust Center

As a global leader in security, Trend Micro develops innovative security solutions that make the world safe for businesses and consumers to exchange digital information. With more than 30 years of security expertise, we are recognized as the market leader in server security, cloud security, and small business content security.

Trend Micro is committed to earning and preserving the trust of our customers. The following resources demonstrate our commitment to security, privacy, transparency, and compliance to industry-recognized standards.

PCI DSS

Coalfire, a Qualified PCI Auditor, has certified that Trend Micro Cloud One - Application Security, Trend Micro Cloud One - Network Security, and Trend Micro Cloud One - Workload Security completed the PCI Data Security Standards 3.2 assessment as a Level 1 Service Provider.

The Trend Micro Cloud One PCI Attestation of Compliance (AOC) is available on request. AWS is also PCI certified.

PCI DSS Level 1 service provider status, by Trend Micro Cloud One service:

  • Workload Security
  • Network Security
  • Application Security
  • Container Security
  • File Storage Security

ISO 27001

ISO 27001 is an internationally recognized security standard that outlines the requirements for information security management systems. You can view the ISO 27001 certificate for Trend Micro Cloud One on the Trend Micro product certifications site.

GDPR

Trend Micro Cloud One is ready for and has met all of our obligations under GDPR.

  • Where appropriate, we implement Technical and Organizational Measures (“TOMs”) to support our processing of data under GDPR.
  • As a data processor under GDPR, our processing of 'personal data' is limited in a number of cases. The details on the data processed by Trend Micro Cloud One and the controls available to you over that data are documented in the Data Collection Disclosure for each Trend Micro Cloud One service.

For more information, see the Trend Micro GDPR Compliance site, privacy whitepapers, and Privacy and personal data collection disclosure for each Trend Micro Cloud One service.

Protection of records

All communication between customers, software, and infrastructure is encrypted using industry-accepted ciphers and algorithms. These ciphers and algorithms are reviewed continuously to determine whether adjustments should be made, such as the deprecation of old or insecure ciphers and cipher suites. For more information on how we protect records that are gathered and stored, see the following documents:

FAQ

Trend Micro Cloud One
How are Trend Micro employees trained?

All Trend Micro employees undergo a security awareness training course upon being hired and on a yearly basis. All employees must adhere to Trend Micro Internet, Computer, Remote Access and Mobile device acceptable use policies. Failure to comply with these policies may result in disciplinary actions, which could include termination. All new employees and contractors are required to complete a criminal background check.

What are the Trend Micro password policies and standards?

Trend Micro adheres to the following password policies and standards:

  • All passwords must be changed at least on a quarterly basis.
  • Passwords must not be inserted into email messages or other forms of electronic communication.
  • Passwords must not be shared or revealed to anyone.
  • Passwords must be changed immediately if compromise is suspected.
  • Passwords must be encrypted during transmission and stored hashed with a salt.
  • Passwords must be at least eight alphanumeric characters long.
  • Passwords must contain both upper and lower case characters (for example, a-z, A-Z).
  • Password reuse prevention is enforced.
  • Passwords must not be based on personal information, names of family, and so on.

How is access to Trend Micro infrastructure controlled?

Remote access to Trend Micro infrastructure is strictly controlled and monitored. All authentication methods use industry best practices and standards, and include certificate-based authentication and multi-factor authentication. Where appropriate, single sign-on (SSO) that leverages Active Directory is used.

What change control practices does Trend Micro Cloud One follow?

Application upgrades within the Trend Micro Cloud One environment are completed after meeting our quality objectives. Trend Micro uses best practices for changes, including full backups and approval processes. Trend Micro Cloud One has multiple dedicated development and testing environments. Any changes requested are first reviewed by technical stakeholders to determine the urgency and potential impact of the changes. All changes require a documented back-out plan. These changes are tracked and recorded in a change control system.

How does Trend Micro handle physical security?

All access to Trend Micro offices and networks is strictly controlled to authorized or accompanied individuals only. Access is given through a key card system and approval is required before entry is granted into sensitive areas. The Trend Micro Cloud One infrastructure is hosted in AWS.

What is the Trend Micro incident response plan?

Trend Micro has a dedicated Information Security (InfoSec) team that is responsible for ensuring compliance with Trend Micro security policies. Trend Micro Cloud One engineers immediately contact the InfoSec team when a security incident is discovered. In addition, InfoSec independently monitors Trend Micro Cloud One environment logs. If a security incident is discovered, the incident is prioritized based on severity. A dedicated team of technical experts is assigned to investigate, advise on containment procedures, perform forensics, and manage communication. Following an incident, the team examines the root cause, and revises the response plan accordingly. In the event of a breach involving customer data, Trend Micro will follow its obligations under GDPR. For more information, see https://www.trendmicro.com/en_ca/business/capabilities/solutions-for/gdpr-compliance/our-journey.html.

Does the development team follow secure coding practices?

Trend Micro Cloud One software developers are trained in secure coding practices using an industry-standard curriculum based on SANS 25/OWASP Top 10/PCI 6.5. Education campaigns are conducted on an annual basis and when an employee joins the company. The Trend Micro Cloud One development teams employ specialized staff to handle product security. Security testing, secure code review, and threat modeling are part of the development lifecycle. For more information about our secure coding best practices, see https://www.trendmicro.com/en_ca/about/legal/product-certifications.html.

How are vulnerabilities and patches handled?

Vulnerabilities are continuously monitored and tracked. Each vulnerability is assigned a CVSS score. Patching requirements that specify time frames for addressing a vulnerability according to CVSS-based severity are included in the Secure Development Compliance Policy. The Trend Micro Cloud One software in the Trend Micro Cloud One environment is updated weekly to use the latest available code base, including vulnerability fixes. The Trend Micro Cloud One team is responsible for patching the Trend Micro Cloud One software and supporting AWS services. The client is responsible for updating the Deep Security Agents deployed on client workloads.

How is data backed up and protected?

All sensitive data elements are protected with database-agnostic, application-level encryption using AES 256 GCM. Automated tests are run weekly to validate the consistency of our backups. Backups are stored to mitigate the risk of issues within a single region. Backups are kept for 35 days before they are destroyed. A Disaster Recovery (DR) simulation is executed at least annually to verify the backup data and RTO/RPO claims under ISO 27001.

Is clock synchronization relevant to using Trend Micro Cloud One? How should customers synchronize local clocks with the cloud service clock?

Yes, clock synchronization is relevant. In the event of a cybersecurity investigation, it is necessary to have a synchronized time to understand the event timeline. Trend Micro Cloud One uses NTP with public time sources. Time settings on systems used with Trend Micro Cloud One should also be synchronized with public time sources to ensure alignment. For more information about NTP and public time sources, see http://www.ntp.org/.

How are security incidents handled?

If a security incident occurs, Trend Micro will follow its obligations under GDPR: www.trendmicro.com/en_ca/about/legal/privacy-whitepapers.html?modal=wp-deep-security-saas-gdprpdf and https://www.trendmicro.com/en_ca/business/capabilities/solutions-for/gdpr-compliance/our-journey.html, as well as the responsibilities outlined in the terms of service document: http://www.trendmicro.com/en_us/about/legal.html?modal=en-english-cloud-services-terms-of-servicepdf#t4.

How do I report a security incident? What if I have questions about a security incident?

Please contact us at https://success.trendmicro.com/technical-support.

Can I report a vulnerability? Do you have a vulnerability response program?

Yes, we do. For more information about our program, see https://success.trendmicro.com/vulnerability-response.

Does Trend Micro Cloud One conduct vulnerability and penetration testing?

Vulnerability scans of the Trend Micro Cloud One production environments are performed weekly by a PCI authorized scanning vendor (ASV), Tenable.io. A PCI ASV attestation is obtained quarterly. The same vendor is used for automated weekly internal scans of the Trend Micro Cloud One environments. Trend Micro Cloud One Security software and the Trend Micro Cloud One Storage Security production environments undergo yearly penetration tests conducted by third-party security experts to detect and rectify common security issues. The scope of the third-party penetration tests includes application security tests, internal and external network scans, and network segmentation tests. Trend Micro InfoSec conducts web application assessments of Trend Micro Cloud One for any major release and at least annually using leading dynamic analysis security tools. The Trend Micro Cloud One code base is scanned weekly using a leading static analysis security tool. The development team receives automated alerts if new issues are identified, and a clean scan is a requirement for each product release. Third-party components included with Trend Micro Cloud One are monitored continuously using a leading software composition analysis tool.

Workload Security
How does Workload Security monitor security logs?

Workload Security protection modules generate security events for the Workload Security production workloads. Security events collected from Workload Security are forwarded to a central SIEM. Security events are generated for all relevant protection modules: Anti-Malware, Firewall, Intrusion Prevention, Integrity Monitoring, Log Inspection. Additional AWS logs (CloudTrail, CloudWatch), system, and database logs are forwarded to the SIEM. Access to Workload Security event management console and SIEM is restricted based on roles.

Workload Security enables automated alerts and employs 24/7 on-call staff. Security logs are reviewed for all systems on a daily basis. If a security incident is suspected, it is immediately reported to the Trend Micro Security Operations Center (SOC). This potential incident is prioritized based on the severity of the suspected incident, and a team from the SOC, as well as technical experts, is assigned to investigate.

How does Workload Security handle sensitive information?

Each tenant's information is separated using a dedicated database schema. Access and storage of this information is strictly controlled and is used for diagnostic and support purposes only. Client contact details, such as their email address, are retained encrypted at rest for client management purposes. Data sent to Trend Micro and customer controls over that data can be found in our Workload Security Data Collection Disclosure.

How do you protect data in transit?

A minimum of TLS 1.2 is used for all internal network communication. A minimum of TLS 1.2 is used for communication between the Deep Security Agent and Workload Security: https://cloudone.trendmicro.com/docs/workload-security/crypto-tls-version/. Customers are responsible for ensuring that the Deep Security Agent is kept up to date to make use of the latest available cryptography and security fixes. Details on ciphers used by the Deep Security Agent and connections to Workload Security can be found here: https://cloudone.trendmicro.com/docs/workload-security/communication-manager-agent/.

How do you protect data at rest?

All sensitive data elements are protected with database-agnostic, application-level encryption using AES 256 GCM. Each tenant has an encryption key generated by Trend Micro. The tenant keys are in turn encrypted with a master key which is protected using the AWS Key Management Service (KMS). Only a limited number of Workload Security team members have access to the KMS.

Application Security
How does Application Security monitor security logs?

Security events from Application Security are identified using Amazon GuardDuty and Amazon CloudWatch. Access to alerting is restricted based on roles; automated alerts are enabled and a 24/7 on-call staff is employed. Security logs are reviewed for all systems on a daily basis. If a security incident is suspected, it is immediately reported to the Trend Micro Security Operations Center (SOC). This potential incident is prioritized based on the severity of the suspected incident, and a team from the SOC, as well as technical experts, is assigned to investigate.

How does Application Security handle sensitive information?

By design, Application Security does not handle personal data. Data sent to Trend Micro and customer controls over that data can be found in our Application Security Data Collection Disclosure.

Container Security
How does Container Security monitor security logs?

AWS logs (CloudTrail, CloudWatch), system, and security logs are monitored continuously. Container Security enables automated alerts and employs 24/7 on-call staff. If a security incident is suspected, it is immediately reported to the Trend Micro Security Operations Center (SOC). This potential incident is prioritized based on the severity of the suspected incident, and a team from the SOC, as well as technical experts, is assigned to investigate.

How does Container Security handle sensitive information?

Each customer's information is separated using a dedicated database partition. Access and storage of this information is strictly controlled and is used for diagnostic and support purposes only. Personally identifiable information (PII) is not collected by the Container Security service directly. Data sent to Trend Micro and customer controls over that data can be found in our Container Security Data Collection Disclosure.

Network Security
How does Network Security monitor security logs?

Security events from Network Security are identified using Amazon GuardDuty and Amazon CloudWatch. Access to alerting is restricted based on roles; automated alerts are enabled and a 24/7 on-call staff is employed. Security logs are reviewed for all systems on a daily basis. If a security incident is suspected, it is immediately reported to the Trend Micro Security Operations Center (SOC). This potential incident is prioritized based on the severity of the suspected incident, and a team from the SOC, as well as technical experts, is assigned to investigate.

How does Network Security handle sensitive information?

Application secrets are stored in an Amazon S3 bucket that is encrypted using a customer KMS key. The applications are allowed to decrypt the data using envelope encryption. Data sent to Trend Micro and customer controls over that data can be found in our Data Collection Disclosure.

File Storage Security
How does File Storage Security monitor security logs?

We have alerting systems in AWS (Amazon GuardDuty and Amazon CloudWatch) and also a Slack channel where possible security events are reported.

How does File Storage Security handle sensitive information?

By design, File Storage Security does not handle personal data. Data sent to Trend Micro and customer controls over that data can be found in our File Storage Security Data Collection Disclosure.