Deep Security Trust Center
As a global leader in security, Trend Micro develops innovative security solutions that make the world safe for businesses and consumers to exchange digital information. With more than 30 years of security expertise, we're recognized as the market leader in server security, cloud security, and small business content security.
Trend Micro Deep Security as a Service provides world-class security to cloud workloads. This offering is hosted through Amazon Web Services (AWS) and offers workload protection through the installation of Deep Security Agents.
Deep Security as a Service is committed to earning and preserving the trust of our customers. The following resources demonstrate our commitment to security, privacy, transparency, and compliance to industry-recognized standards.
Deep Security as a Service is certified as a PCI DSS level 1 service provider.
Coalfire, a Qualified PCI Auditor, has certified Deep Security as a Service according to version 3.2 of the PCI Data Security Standard. The Attestation of Compliance is available on request. AWS is also PCI certified.
For more information, see Meet PCI DSS requirements with Deep Security.
ISO 27001 is an internationally recognized security standard that outlines the requirements for information security management systems. Deep Security as a Service has been added to the Trend Micro ISO 27001 certification, as of December 2018. You can view the ISO 27001 certificate on the Trend Micro product certifications site.
Trend Micro and Deep Security as a Service were ready for, and have met, all of our obligations under GDPR for May 25th 2018. One key item to note for Deep Security as a Service is that, as a data processor under GDPR, our processing of 'personal data' is limited.
- Where appropriate, we implement Technical and Organization Measures (“TOMs”) to support our processing of data under GDPR.
- Details on the data processed by Deep Security as a Service, and the controls available to you over that data, are documented in the Deep Security as a Service Data Collection Notice.
Deep Security protection modules generate security events for the Deep Security as a Service production workloads. Security events collected from Deep Security as a Service are forwarded to a central SIEM. Security events are generated for all relevant protection modules: Anti-Malware, Firewall, Intrusion Prevention, Integrity Monitoring, and Log Inspection. Additional AWS logs (CloudTrail, CloudWatch), system logs, and database logs are forwarded to the SIEM. Access to the Deep Security event management console and the SIEM is restricted based on roles.
Deep Security as a Service enables automated alerts and employs 24/7 on-call staff. Security logs are reviewed for all systems on a daily basis. If a security incident is suspected, it is immediately reported to the Trend Micro Security Operations Center (SOC). This potential incident is prioritized based on the severity of the suspected incident, and a team from the SOC, as well as technical experts, is assigned to investigate.
All Trend Micro employees undergo a security awareness training course upon being hired and on a yearly basis. All employees must adhere to Trend Micro's Internet, Computer, Remote Access and Mobile device acceptable use policies. Failure to comply with these policies may result in disciplinary actions which could include termination.
All new employees and contractors are required to complete a criminal background check.
Trend Micro adheres to the following password policies and standards:
- All passwords must be changed at least on a quarterly basis.
- Passwords must not be inserted into email messages or other forms of electronic communication.
- Passwords must not be shared or revealed to anyone.
- Passwords must be changed immediately if compromise is suspected.
- Passwords must be encrypted during transmission and stored hashed with a salt.
- Passwords must be at least eight alphanumeric characters long.
- Passwords must contain both upper and lower case characters (for example, a-z, A-Z).
- Password reuse prevention is enforced.
- Passwords must not be based on personal information, names of family, and so on.
Remote access to Trend Micro’s infrastructure is strictly controlled and monitored. All authentication methods follow industry best practices and standards, including certificate-based authentication and multi-factor authentication. Where appropriate, single sign-on (SSO) that leverages Trend Micro's Active Directory is used.
In relation to the Deep Security as a Service environment, Trend Micro primarily handles data that is collected through the protection policy and security events. Each tenant's information is separated using a dedicated database schema. Access and storage of this information is strictly controlled and is used for diagnostic and support purposes only. Client contact details, such as their email address, are retained encrypted at rest for client management purposes.
Application upgrades within the Deep Security as a Service environment are completed after meeting our quality objectives. Trend Micro uses best practices for changes, including full backups and approval processes. Deep Security as a Service has multiple dedicated development and testing environments.
Any changes requested are first reviewed by technical stakeholders to determine the urgency and potential impact of the changes. All changes require a documented back-out plan. These changes are tracked and recorded in a change control system.
All communication between customers, software, and infrastructure is encrypted using industry-accepted ciphers and algorithms. These ciphers and algorithms are reviewed continuously to determine whether adjustments should be made, such as the deprecation of old or insecure ciphers and cipher suites. To take advantage of these improvements, customers must ensure that their agents are updated regularly.
Encryption keys are stored in AWS KMS. Only a limited number of Deep Security as a Service team members have access to the KMS.
All access to Trend Micro offices and networks is strictly controlled to authorized or accompanied individuals only. Access is given through a key card system and approval is required before entry is granted into sensitive areas. The Deep Security as a Service infrastructure is hosted in AWS.
Trend Micro has a dedicated Information Security (InfoSec) team that is responsible for ensuring compliance with Trend Micro security policies. Deep Security as a Service engineers immediately contact the InfoSec team when a security incident is discovered. In addition, InfoSec independently monitors the Deep Security as a Service environment logs.
If a security incident is discovered, the incident is prioritized based on severity. A dedicated team of technical experts is assigned to investigate, advise on containment procedures, perform forensics, and manage communication.
Following an incident, the team examines the root cause, and revises the response plan accordingly.
In the event of a breach involving customer data, Trend Micro will follow its obligations under GDPR. For more information, see https://www.trendmicro.com/en_ca/business/capabilities/solutions-for/gdpr-compliance/our-journey.html.
Vulnerability scans of the Deep Security as a Service production environment are performed weekly by a PCI authorized scanning vendor (ASV), Tenable.io. A PCI ASV attestation is obtained quarterly. The same vendor is used for automated weekly internal scans of the Deep Security as a Service Virtual Private Cloud (VPC).
Deep Security software and the Deep Security as a Service production environment undergo yearly penetration tests conducted by third-party security experts to detect and rectify common security issues. The scope of the third-party penetration tests includes application security tests, internal and external network scans, and network segmentation tests.
Trend Micro InfoSec conducts web application assessments of the Deep Security Manager application for any major release and at least annually using leading dynamic analysis security tools.
The Deep Security code base is scanned weekly using a leading static analysis security tool. The development team receives automated alerts if new issues are identified, and a clean scan is a requirement for each product release.
Third-party components included with Deep Security are monitored continuously using a leading software composition analysis tool. Scans are executed as part of nightly builds to automatically detect newly introduced third-party software.
Deep Security software developers are trained in secure coding practices using an industry-standard curriculum based on SANS 25/OWASP Top 10/PCI 6.5. Education campaigns are conducted on an annual basis and when an employee joins the company.
The Deep Security development team employs specialized staff to handle product security.
Security testing, secure code review, and threat modeling are part of the development lifecycle.
Vulnerabilities are continuously monitored and tracked. Each vulnerability is assigned a CVSS score. Patching requirements that specify time frames for addressing a vulnerability according to CVSS-based severity are included in the Secure Development Compliance Policy. The Deep Security software in the Deep Security as a Service environment is updated weekly to use the latest available code base, including vulnerability fixes.
The Deep Security as a Service team is responsible for patching the Deep Security software and supporting AWS services. The client is responsible for updating the Deep Security Agents deployed on client workloads.