
How SecureCloud works
SecureCloud provides a data encryption layer inside the virtual machine image that decrypts customer data in real time once the instance's credentials have been validated, and encrypts the data in real time as it is written back to data storage.
When the virtual machine image boots, its Runtime Agent presents the instance's credentials to SecureCloud and requests the encryption/decryption key together with the information needed to connect to data storage. Along with the credentials, the request carries integrity information about the instance, for example the Trend Micro pattern file version and the location of the instance. SecureCloud uses the credential and integrity information to check that the instance meets the policy criteria the administrator has set before it is allowed to run certain applications.
SecureCloud generates and maintains your encryption keys. The virtual machine image itself stores no encryption or decryption keys, so the image on its own holds no key material. SecureCloud also provides management capabilities such as reporting and auditing.
How SecureCloud for Managed Service Providers functions
SecureCloud for Managed Service Providers is installed in a Windows environment. The application consists of three components: the Database Server, the Application Server, and the Web Server. All three can be installed on the same computer, or each can be installed on a separate computer.
SecureCloud for Managed Service Providers is an on-premises product: the Managed Service Provider (MSP) hosts the Database, Application, and Web Servers along with the Runtime Agent, and tenant customers subscribe to SecureCloud from the MSP's hosting environment. SecureCloud is multi-tenant, so one deployment can serve multiple organizations.
Tenant accounts are managed from the Trend Micro License Management Platform (TMLMP) Console. The default identity provider (IdP) is Trend Micro Single Sign-on (TMSSO); if you choose not to use TMSSO, SecureCloud lets you use a popular third-party (external) IdP, which is configured with the Trend Micro Configuration Tool.
The MSP sets up and manages SecureCloud from the Central Management Console. There the MSP specifies the settings that tenant customers need in order to use the core functions of SecureCloud (which they access through the Web Console), such as system settings for database security and authentication. SecureCloud enforces a clear separation of duties: the MSP cannot define the criteria under which instances receive encryption/decryption keys. Only the tenant customer can log in to the SecureCloud Web Console to manage their encryption keys, although a tenant may create a Web Console user account for the MSP. In the Web Console the tenant defines the key-release policies; criteria can include the location of the application, the host name, the latest operating system patch, and/or the latest Trend Micro engine and pattern file. The Web Console also provides report and audit information about the account. Tenant customers have no access to the Central Management Console.
How SecureCloud functions in the vCloud Environment
SecureCloud uses the vCloud API to determine the identity of a machine image in the vCloud environment, and the Configuration Tool uses the same API to discover which data storage devices in the vCloud environment are available for encryption.
The SecureCloud Runtime Agent uses the vCloud API to obtain the identity and integrity information of the vCloud machine image. It sends this information to the Management Server, where the user can grant or deny an encryption key to the requesting machine image based on its identity and integrity credentials.
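The key-release flow described above (the agent presents credentials and integrity claims at boot, the server validates them against tenant-defined policy and either grants or denies a key that the image never stores) can be modelled in a few dozen lines. The following is an added example written for this page, not SecureCloud's own code or protocol: the agent IDs, shared secrets, HMAC-based credential check, policy fields, version format, OS patch build numbers, sample instances and storage endpoint are all assumptions made to illustrate the control.

```python
# Added example (constructed): a toy model of policy-gated key release.
# Not SecureCloud's code; every identifier and the HMAC scheme are assumptions.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace

# Assumed: each Runtime Agent holds an ID and a shared secret; the key server
# keeps a copy and validates the request with it before consulting policy.
AGENT_SECRETS = {"agent-01": b"constructed-shared-secret-01"}


@dataclass(frozen=True)
class KeyRequest:
    """What the agent sends at boot: identity plus integrity claims."""
    agent_id: str
    instance_id: str
    hostname: str
    location: str          # e.g. the data centre / region the instance runs in
    pattern_version: str   # pattern file version as "major.minor.build"
    os_patch_level: int    # assumed: monotonically increasing OS build number
    mac: str = ""          # hex HMAC-SHA256 over the fields above


@dataclass
class Policy:
    """Criteria the tenant (not the MSP) sets for releasing a key."""
    allowed_locations: frozenset
    hostname_prefix: str
    min_pattern_version: tuple
    min_os_patch_level: int


def canonical(req: KeyRequest) -> bytes:
    """Canonical byte string covered by the HMAC (the mac field is excluded)."""
    fields = [req.agent_id, req.instance_id, req.hostname, req.location,
              req.pattern_version, str(req.os_patch_level)]
    return "|".join(fields).encode()


def sign_request(req: KeyRequest, secret: bytes) -> KeyRequest:
    """Agent side: attach an HMAC so the server can validate the credential."""
    mac = hmac.new(secret, canonical(req), hashlib.sha256).hexdigest()
    return replace(req, mac=mac)


def parse_version(v: str) -> tuple:
    """'10.2.15' -> (10, 2, 15); compare as integers, never as strings."""
    return tuple(int(p) for p in v.split("."))


class KeyServer:
    """Server side: holds keys and policy; the VM image never stores a key."""

    def __init__(self, policy: Policy, storage_endpoint: str):
        self.policy = policy
        self.storage_endpoint = storage_endpoint
        self._keys = {}      # instance_id -> 32-byte data key, server side only
        self.audit = []      # (instance_id, granted, reasons) for reporting

    def evaluate(self, req: KeyRequest) -> list:
        """Return the list of failures; an empty list means grant."""
        secret = AGENT_SECRETS.get(req.agent_id)
        if secret is None:
            return ["unknown agent credential"]
        expected = hmac.new(secret, canonical(req), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req.mac):
            return ["credential validation failed"]   # policy is never reached
        p, failures = self.policy, []
        if req.location not in p.allowed_locations:
            failures.append(f"location {req.location!r} not allowed")
        if not req.hostname.startswith(p.hostname_prefix):
            failures.append(f"hostname {req.hostname!r} outside naming policy")
        if parse_version(req.pattern_version) < p.min_pattern_version:
            failures.append(f"pattern file {req.pattern_version} below minimum")
        if req.os_patch_level < p.min_os_patch_level:
            failures.append(f"OS patch level {req.os_patch_level} below minimum")
        return failures

    def request_key(self, req: KeyRequest):
        """Grant (key plus storage info) or deny; every decision is audited."""
        failures = self.evaluate(req)
        self.audit.append((req.instance_id, not failures, failures))
        if failures:
            return None
        key = self._keys.setdefault(req.instance_id, secrets.token_bytes(32))
        return {"key": key, "storage": self.storage_endpoint}


# Constructed sample data: one tenant policy and three boot-time requests.
POLICY = Policy(allowed_locations=frozenset({"dc-east"}), hostname_prefix="app-",
                min_pattern_version=(10, 2, 0), min_os_patch_level=19045)
server = KeyServer(POLICY, storage_endpoint="iscsi://storage.example.invalid/vol0")

GOOD = sign_request(KeyRequest("agent-01", "vm-100", "app-web1", "dc-east", "10.2.15", 19045),
                    AGENT_SECRETS["agent-01"])
STALE = sign_request(KeyRequest("agent-01", "vm-101", "app-web2", "dc-east", "9.9.99", 19000),
                     AGENT_SECRETS["agent-01"])
# Same claims as GOOD but signed with a guessed secret: fails the credential check.
FORGED = sign_request(KeyRequest("agent-01", "vm-100", "app-web1", "dc-east", "10.2.15", 19045),
                      b"attacker-guess")


def demo():
    granted = server.request_key(GOOD)
    denied_stale = server.request_key(STALE)
    denied_forged = server.request_key(FORGED)
    again = server.request_key(GOOD)   # a reboot gets the same key back
    return granted, denied_stale, denied_forged, again
```

Two points the example makes explicit: the version check compares numeric tuples rather than strings (as strings, "10.2.15" would sort before "9.9.99"), and a request whose integrity claims would pass policy but whose credential does not verify is refused before policy is consulted at all. Each decision is appended to an audit list, which is the raw material for the reporting and auditing functions described above.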