Multi-tenant settings

Multi-tenancy is only available for Deep Security from AWS Marketplace with the Bring your own License (BYOL) payment option.

The Tenants tab appears only if you have enabled multi-tenant mode.

  • Multi-Tenant License Mode: The multi-tenant license mode can be changed after multi-tenant mode is set up; however, switching from inherited to per-tenant will cause existing tenants to no longer have any licensed module.
  • Allow Tenants to use the "Backup" Scheduled Task: Determines whether the Backup Scheduled Task should be available to tenants. In most cases backups should be managed by the database administrator and this option should be selected.
  • Allow Tenants to use the "Run Script" Scheduled Task: Scripts present a potentially dangerous level of access to the system; however, the risk can be mitigated because scripts have to be installed on the Manager using file-system access.
  • Allow Tenants to run "Computer Discovery" (directly and as a Scheduled Task): Determines whether discovery is exposed. This may not be desirable in service provider environments where network discovery has been prohibited.
  • Allow Tenants to run "Port Scan" (directly and as a Scheduled Task): Determines whether port scans can be executed. This may not be desirable in service provider environments where network scanning has been prohibited.
  • Allow Tenants to add VMware vCenters: Determines, for each tenant, whether vCenter connectivity should be exposed. If the deployment is offered through a public service (the internet), this option should most likely be disabled, since there will not be a secured route to the vCenter from a hosted service.
  • Allow Tenants to add Cloud Accounts: Determines whether tenants can set up cloud sync. This is generally applicable to any deployment.
  • Allow Tenants to synchronize with LDAP Directories: Determines whether tenants can set up both User and Computer sync with Directories (LDAP or Active Directory for Computers, Active Directory only for Users). If the deployment is offered through a public service (the internet), this option should most likely be disabled, since there will not be a secure route to the directory from a hosted service.
  • Allow Tenants to configure SNMP settings: Allows tenants to forward System Events to a remote computer (via SNMP).
  • Show What's New to Tenants (Recommended only if all "add" and "synchronize" options are enabled): Automatically displays the introductory slide show to tenants when they first sign in. (The slide show can be accessed by clicking the Support link at the top right of the Deep Security Manager window and selecting Introduction.)
  • Show "Forgot Password?" option: Displays a link on the sign in screen which Users can access to reset their password. (Note that SMTP settings must be properly configured on the Administration > System Settings > SMTP tab for this option to work.)
  • Show "Remember Account Name and Username" option: Deep Security will remember the User's Account Name and Username and populate these fields when the sign in screen loads.
  • Allow Tenants to control access from Primary Tenant: By default, the primary tenant can sign in to a tenant's account by using the Sign In As Tenant option on the Administration > Tenants page. When the Allow Tenants to control access from Primary Tenant option is selected, tenants are given the option (under Administration > System Settings > Advanced in their own environment) to allow or prevent access by the primary tenant to their Deep Security environment. (When this option is enabled, the default setting in the tenant's environment is to prevent access by the primary tenant.)
    Whenever the primary tenant accesses a tenant's account, the access is recorded in the tenant's System Events.
  • Allow Tenants to use the Relays in my "Default Relay Group": Gives tenants automatic access to relays set up in the primary tenant. This saves tenants from having to set up dedicated Relays for Security Updates.
    Tenants can reject the usage of "shared" relays by going to the Updates tab on the Administration > System Settings page and deselecting the Use the Primary Tenant Relay Group as my Default Relay Group (for unassigned Relays) option. If tenants deselect this setting, they must set up dedicated Relays for themselves.
    When relays are shared, it is the responsibility of the primary tenant to keep the relays up to date. This usually involves creating Download Security Update Scheduled Tasks for all relays at regular intervals.
  • New Tenants automatically download the latest Security Updates: As soon as you create a new tenant account, it will check for and download the latest available security updates.
  • Lock and hide the following (all Tenants will use the options configured for the primary Tenant):
    • Data Privacy options on the "Agents" Tab: Allows the primary tenant to configure data privacy settings. (This setting only applies to "Allow Packet Data Capture on Encrypted Traffic (SSL)" on the Administration > System Settings > Agents tab.)
    • All options on the "SIEM" Tab (All Tenants use the settings located on the SIEM tab for ALL event types and syslog is relayed via the Manager): Allows the primary tenant to configure syslog for all tenants at once. All tenants will inherit the primary tenant's syslog settings. In CEF format the tenant name is included as TrendMicroDsTenant.
    • All options on the "SMTP" Tab: Locks all settings on the SMTP tab.
    • All options on the "Storage" Tab: Locks all settings on the Storage tab.
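When the SIEM tab is locked as described above, every tenant's events reach the collector through the Manager, so the collector cannot tell tenants apart by source address and must key on the TrendMicroDsTenant CEF extension instead. The following script is an added example, not Trend Micro code: it parses CEF lines (handling the escaped `\|` and `\=` forms the CEF format uses), groups events by that key, and places lines that lack the key in a separate bucket so a SIEM rule can flag them rather than misattribute them. The sample lines are constructed; only the TrendMicroDsTenant key name comes from this page, and the event names, signature IDs, severities and other extension keys are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample syslog payloads. Only the TrendMicroDsTenant key is taken
# from the documentation; every other field value is illustrative.
SAMPLE_SYSLOG = [
    r"CEF:0|Trend Micro|Deep Security Manager|20.0|600|User Signed In|3|src=10.0.0.5 suser=admin TrendMicroDsTenant=Primary",
    r"CEF:0|Trend Micro|Deep Security Manager|20.0|1000|Intrusion Prevention Event|6|src=203.0.113.7 dst=10.10.1.9 TrendMicroDsTenant=Tenant A",
    r"CEF:0|Trend Micro|Deep Security Manager|20.0|601|Primary Tenant Signed In As Tenant|3|suser=admin TrendMicroDsTenant=Tenant B",
    r"CEF:0|Trend Micro|Deep Security Manager|20.0|1000|Intrusion Prevention Event|8|src=198.51.100.2 TrendMicroDsTenant=Tenant A",
    r"CEF:0|Trend Micro|Deep Security Manager|20.0|700|Policy A\|B Updated|2|msg=key\=value changed TrendMicroDsTenant=Tenant B",
    r"CEF:0|Trend Micro|Deep Security Manager|20.0|700|Policy Updated|2|msg=no tenant field on this line",
]

HEADER_FIELDS = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
_PIPE = re.compile(r"(?<!\\)\|")               # header separator, unless escaped as \|
_KEY = re.compile(r"(?:^| )([A-Za-z0-9_]+)=")  # start of an extension key=value pair
UNATTRIBUTED = "<no TrendMicroDsTenant>"


def _unescape_header(value):
    return value.replace(r"\|", "|").replace(r"\\", "\\")


def _unescape_extension(value):
    return (value.replace(r"\=", "=").replace(r"\n", "\n")
                 .replace(r"\r", "\r").replace(r"\\", "\\"))


def parse_cef(line):
    """Return (header dict, extension dict) for one CEF line; raise ValueError if malformed."""
    parts = _PIPE.split(line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line[:40])
    header = {k: _unescape_header(v) for k, v in zip(HEADER_FIELDS, parts[:7])}
    ext_text = parts[7]
    # Extension values may contain spaces, so slice between successive key positions.
    keys = list(_KEY.finditer(ext_text))
    extension = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_text)
        extension[m.group(1)] = _unescape_extension(ext_text[m.end():end])
    return header, extension


def severity_value(text):
    """CEF severity is 0-10 or a word; map the words so tenants can be compared numerically."""
    words = {"low": 3, "medium": 6, "high": 8, "very-high": 10}
    try:
        return int(text)
    except ValueError:
        return words.get(text.lower(), 0)


def events_by_tenant(lines):
    """Group relayed events by tenant name.

    Lines without the TrendMicroDsTenant key land under UNATTRIBUTED so they can
    be alerted on instead of being silently folded into another tenant's count.
    """
    summary = defaultdict(lambda: {"events": 0, "max_severity": 0, "names": set()})
    for line in lines:
        header, ext = parse_cef(line)
        entry = summary[ext.get("TrendMicroDsTenant", UNATTRIBUTED)]
        entry["events"] += 1
        entry["max_severity"] = max(entry["max_severity"], severity_value(header["severity"]))
        entry["names"].add(header["name"])
    return dict(summary)


if __name__ == "__main__":
    for tenant, entry in sorted(events_by_tenant(SAMPLE_SYSLOG).items()):
        print("%-24s events=%d max_severity=%d %s"
              % (tenant, entry["events"], entry["max_severity"], sorted(entry["names"])))
```

Feed the script a real syslog capture in place of the constructed list to confirm that every relayed line carries the tenant key; any line that lands in the unattributed bucket deserves a look before per-tenant reporting is trusted.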

Database servers

By default, all tenants will be created on the same database server that Deep Security Manager was installed with. To provide additional scalability, Deep Security Manager supports adding more database servers. For details, see Set up a multi-tenant environment.

New tenant template

The tenant template feature provides a convenient way of creating a customized "out-of-the-box" experience for new tenants.

The process is as follows:

  1. Create a new tenant.
  2. Log in as that tenant.
  3. Customize the example policies (adding, removing, or modifying) and the security update version (applying newer versions).
  4. Return to the primary tenant and run the tenant template wizard.
  5. Select the tenant to snapshot.

The following items are INCLUDED in the new template:

  • Latest Security Update rules (the updates that had been applied to the template tenant when the snapshot was created; this includes intrusion prevention rules provided by Trend Micro, change monitoring rules, and security log monitoring rules)
  • Policy Firewall rules
  • IP list
  • MAC list
  • Directory listing
  • File list
  • File extension list
  • Port list
  • Contexts
  • Schedule
  • Firewall Stateful Configuration
  • Malware scan settings

The following items are EXCLUDED from the new template:

  • Custom Intrusion Prevention rules
  • Custom Application Types
  • Custom Integrity Monitoring rules
  • Custom Log Inspection rules
  • Custom Log Inspection Decoders
  • Dashboard
  • Alert settings
  • System settings
  • Scheduled tasks
  • Event-based tasks
  • Users
  • Roles
  • Contact information

This feature may be useful in service provider environments where some of the examples are not applicable, or special examples need to be created.

As always the examples are meant to be a starting point. Tenants are encouraged to create policies based on their unique needs.

Creating a new template will not affect existing tenants.

Protection usage monitoring

Deep Security collects information about protected computers. This information is visible on the dashboard in the Tenants widget and the Tenant Protection Activity widget. The information is also provided in the Tenant report and is available via the REST API.

In the most basic case, the monitoring can help determine each tenant's percentage usage of Deep Security Manager, measured in hours of protection, through the report or the API. Commonly called viewback or chargeback, this information can be used in a variety of ways. In more advanced cases, it can be used for custom billing based on characteristics such as the tenant computers' operating systems.
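The viewback and chargeback cases above reduce to the same computation: sum protection hours per tenant, express each tenant's total as a share of the whole, and optionally price the hours by a computer characteristic such as operating system. The script below is an added example and is not part of Deep Security or its REST API; the page does not reproduce the API's response schema, so the input is a constructed list of per-computer records whose field names (tenant, host, os, protection_hours) and per-OS rates are assumptions. It also includes the plausibility check a practitioner would want before billing: a computer cannot accrue more protection hours than the reporting period contains.

```python
from collections import defaultdict

# Constructed sample: one record per protected computer for a 30-day (720 h) period.
# Field names are assumptions, not the REST API's schema. The "ghost" record is
# deliberately impossible (800 h in a 720 h period) to exercise the validation.
SAMPLE_USAGE = [
    {"tenant": "Tenant A", "host": "web-01", "os": "Linux", "protection_hours": 720},
    {"tenant": "Tenant A", "host": "web-02", "os": "Linux", "protection_hours": 360},
    {"tenant": "Tenant B", "host": "dc-01", "os": "Windows", "protection_hours": 720},
    {"tenant": "Tenant B", "host": "app-01", "os": "Windows", "protection_hours": 120},
    {"tenant": "Tenant C", "host": "legacy", "os": "Solaris", "protection_hours": 80},
    {"tenant": "Tenant C", "host": "ghost", "os": "Linux", "protection_hours": 800},
]

# Constructed hourly rates for the per-operating-system billing case.
RATES_PER_HOUR = {"Linux": 0.010, "Windows": 0.015}
DEFAULT_RATE = 0.020  # applied to any OS without an explicit rate


def split_valid(records, period_hours=720):
    """Separate plausible records from ones that cannot be right for the period.

    Negative hours, or more hours than the period contains, indicate a data
    error; such records are returned separately so they are investigated rather
    than silently billed.
    """
    valid, anomalies = [], []
    for record in records:
        hours = record["protection_hours"]
        (anomalies if hours < 0 or hours > period_hours else valid).append(record)
    return valid, anomalies


def hours_by_tenant(records):
    totals = defaultdict(float)
    for record in records:
        totals[record["tenant"]] += record["protection_hours"]
    return dict(totals)


def usage_share(records):
    """Viewback: each tenant's percentage of all protection hours, to two decimals."""
    totals = hours_by_tenant(records)
    grand_total = sum(totals.values())
    if grand_total == 0:
        return {}
    return {tenant: round(100.0 * hours / grand_total, 2) for tenant, hours in totals.items()}


def chargeback(records, rates=RATES_PER_HOUR, default_rate=DEFAULT_RATE):
    """Chargeback: per-tenant hours, hours broken down by OS, and cost priced per OS."""
    bill = defaultdict(lambda: {"hours": 0.0, "cost": 0.0, "by_os": {}})
    for record in records:
        hours = record["protection_hours"]
        os_name = record["os"]
        entry = bill[record["tenant"]]
        entry["hours"] += hours
        entry["cost"] += hours * rates.get(os_name, default_rate)
        entry["by_os"][os_name] = entry["by_os"].get(os_name, 0.0) + hours
    for entry in bill.values():
        entry["cost"] = round(entry["cost"], 2)
    return dict(bill)


if __name__ == "__main__":
    valid, anomalies = split_valid(SAMPLE_USAGE)
    for record in anomalies:
        print("REJECTED %(tenant)s/%(host)s: %(protection_hours)s h in a 720 h period" % record)
    for tenant, share in sorted(usage_share(valid).items()):
        print("%-10s %6.2f%% of protection hours" % (tenant, share))
    for tenant, entry in sorted(chargeback(valid).items()):
        print("%-10s %7.1f h  cost=%.2f  %s" % (tenant, entry["hours"], entry["cost"], entry["by_os"]))
```

Replace the constructed list with records pulled from the Tenant report or the REST API, mapping the real field names onto the ones used here, and run the validation step first: a rejected record is a signal to check the tenant's computers and the collection interval, not something to round away.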

Use these options to determine which additional tenant computer details are recorded.