Cloud Storage Security Keeping You Up at Night?
Malicious files could be lurking in AWS S3 buckets - learn how to stay protected.
Do you lie awake worrying about your buckets? No, not the ones you use to wash your car.
We’re talking about your organization’s cloud storage buckets, where malicious files could be lurking if not properly protected.
Cloud storage buckets are similar to file folders storing your important data. However, rather than file folders on a local server, this data lives in a public cloud storage resource. Examples of cloud storage services would be Amazon Simple Storage Service (Amazon S3), Microsoft® Azure Blob storage, and Google Cloud Storage™.
All too often, we hear stories of cloud storage services left insecure or unencrypted. These instances leave terabytes of sensitive data open for the whole world to download, or exposed to infection with viruses and malware. As more organizations move their applications to the cloud, this form of storage introduces a new attack vector that is vulnerable to malicious files and requires its own security layer.
How to Keep Your Cloud Storage Data Protected
Securing cloud-native development, runtime environments, and applications introduces new challenges for security engineers and architects.
Trend Micro Cloud One™ – File Storage Security is built entirely using AWS resources (AWS Lambda, Amazon Simple Notification Service (Amazon SNS), and Amazon Simple Queue Service (Amazon SQS)). When a user uploads or adds an object/file to an Amazon S3 bucket that has been defined as a “scanning bucket”, a malware scan is initiated. Once the scan is complete, three tags will be generated on the object/file: Scan Date, Scan Results (clean or malicious), and Scanned (true or false).
Custom plugins or Lambda functions can be created to deal with objects/files that receive certain tags. For example, you can create a function to move objects/files tagged as “malicious” to a quarantine bucket so no one can open or access that object/file, or if the object/file is “clean”, move it to a promote bucket so it can be accessed. Support for Microsoft Azure Blob and Google Cloud Storage is coming soon.
5 Cloud Storage Security Components
There are multiple components to File Storage Security.
- Scanning Bucket: An Amazon S3 bucket that File Storage Security monitors for added objects/files and scans them.
- Storage Stack: Watches the scanning bucket for added objects/files and triggers the scanner stack to perform a scan.
- Scanner Stack: Scans objects/files and publishes the results (clean/malicious) to the SNS topic and the File Storage Security console. The scanner stack connects to the Trend Micro™ Smart Protection Network™.
- SNS Topic: Amazon SNS is part of the storage stack and publishes the scan results. You can subscribe your own Lambda function to this topic to be alerted of each new scan result.
- Console: File Storage Security web interface. Here, you can deploy the “stacks” and see scan results.
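The quarantine/promote workflow described above (a Lambda function subscribed to the SNS topic that reads the three scan tags and moves each object to a quarantine or promote bucket) is shown here as an added example; it is not Trend Micro's code. It assumes, as placeholders, that the SNS message carries the object's location under the JSON keys `bucket` and `key`, that the three tags are stored under the tag keys `scanned`, `scan-result` and `scan-date` (the article names the tags only as Scanned, Scan Results and Scan Date, so take the real key names from the product documentation), and that the destination bucket names come from the `QUARANTINE_BUCKET` and `PROMOTE_BUCKET` environment variables. `FakeS3` is a constructed in-memory stand-in so the handler can be exercised offline; inside AWS the handler uses a real boto3 client.

```python
import json
import os

# Assumed tag keys (placeholders, not from the article): the article only names
# the tags as Scanned (true/false), Scan Results (clean/malicious) and Scan Date.
TAG_SCANNED = "scanned"
TAG_RESULT = "scan-result"
TAG_DATE = "scan-date"

# Destination buckets; the defaults are constructed example names.
QUARANTINE_BUCKET = os.environ.get("QUARANTINE_BUCKET", "example-quarantine-bucket")
PROMOTE_BUCKET = os.environ.get("PROMOTE_BUCKET", "example-promote-bucket")


def decide_destination(tags):
    """Map an object's scan tags to 'quarantine', 'promote' or None (leave in place).

    Fail closed: an unscanned object, a missing tag or an unexpected result
    value never promotes the file; it stays in the scanning bucket.
    """
    if tags.get(TAG_SCANNED, "").lower() != "true":
        return None
    result = tags.get(TAG_RESULT, "").lower()
    if result == "malicious":
        return "quarantine"
    if result == "clean":
        return "promote"
    return None


def route_object(s3, bucket, key):
    """Read the object's tags and move it; returns the destination bucket or None.

    `s3` must offer get_object_tagging, copy_object and delete_object with the
    boto3 S3 client keyword signatures.
    """
    resp = s3.get_object_tagging(Bucket=bucket, Key=key)
    tags = {t["Key"]: t["Value"] for t in resp.get("TagSet", [])}
    action = decide_destination(tags)
    if action is None:
        return None
    dest = QUARANTINE_BUCKET if action == "quarantine" else PROMOTE_BUCKET
    # Copy first and delete only after the copy succeeded, so a failure never
    # loses the object; TaggingDirective="COPY" carries the scan tags along.
    s3.copy_object(Bucket=dest, Key=key,
                   CopySource={"Bucket": bucket, "Key": key},
                   TaggingDirective="COPY")
    s3.delete_object(Bucket=bucket, Key=key)
    return dest


def lambda_handler(event, context=None, s3=None):
    """SNS-triggered Lambda entry point; processes every record in the event."""
    if s3 is None:
        import boto3  # only needed when running inside AWS
        s3 = boto3.client("s3")
    results = []
    for record in event.get("Records", []):
        msg = json.loads(record["Sns"]["Message"])  # assumed message layout
        results.append(route_object(s3, msg["bucket"], msg["key"]))
    return results


class FakeS3:
    """Constructed in-memory stand-in for the S3 client (offline demonstration)."""

    def __init__(self):
        self.objects = {}  # (bucket, key) -> (body, tags)

    def put(self, bucket, key, body, tags):
        self.objects[(bucket, key)] = (body, tags)

    def get_object_tagging(self, Bucket, Key):
        _, tags = self.objects[(Bucket, Key)]
        return {"TagSet": [{"Key": k, "Value": v} for k, v in tags.items()]}

    def copy_object(self, Bucket, Key, CopySource, TaggingDirective="COPY"):
        self.objects[(Bucket, Key)] = self.objects[(CopySource["Bucket"], CopySource["Key"])]

    def delete_object(self, Bucket, Key):
        self.objects.pop((Bucket, Key), None)


def demo():
    """Constructed scenario: a clean, a malicious and a not-yet-scanned object.

    Returns a mapping of object key -> bucket it ends up in."""
    s3 = FakeS3()
    src = "example-scanning-bucket"
    s3.put(src, "invoice.pdf", b"...", {TAG_SCANNED: "true", TAG_RESULT: "clean",
                                        TAG_DATE: "2021-01-01T00:00:00Z"})
    s3.put(src, "setup.exe", b"...", {TAG_SCANNED: "true", TAG_RESULT: "malicious",
                                      TAG_DATE: "2021-01-01T00:00:00Z"})
    s3.put(src, "pending.zip", b"...", {})  # scan not finished yet: no tags
    event = {"Records": [{"Sns": {"Message": json.dumps({"bucket": src, "key": k})}}
                         for k in ("invoice.pdf", "setup.exe", "pending.zip")]}
    lambda_handler(event, s3=s3)
    return {key: bucket for (bucket, key) in s3.objects}


if __name__ == "__main__":
    print(demo())
```

The decision is deliberately fail-closed: only an object that is both tagged as scanned and tagged clean is promoted, so a Lambda that fires before the scanner has written its tags, or a tag value the code does not recognise, leaves the object in the scanning bucket rather than exposing it. Give the function's execution role only `s3:GetObjectTagging`, `s3:GetObject` and `s3:DeleteObject` on the scanning bucket and `s3:PutObject` on the two destination buckets.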
Recommendations for Implementing Cloud Storage Security
There are multiple ways to deploy File Storage Security, but we recommend and provide instructions for the all-in-one stack deployment scenario. This type of deployment provides everything needed to implement File Storage Security, by deploying both the Storage Stack and Scanner Stack at once.
Using CloudFormation templates, which can be deployed through the File Storage Security console or through our robust set of APIs, this deployment model deploys a Storage Stack, a Scanner Stack, and a Scanning Bucket.
File Storage Security monitors the Scanning Bucket, which is created within the Storage Stack, for incoming files and scans them for malware. The malware scanner is built as an AWS Lambda function that sends a hash of the file to the Smart Protection Network. The Smart Protection Server is then able to detect whether the file contains malware, such as viruses, trojans, and spyware. Additional Storage Stacks can be deployed later, and they share the central Scanner Stack to perform their scans.
Each Lambda invocation performs one scan. Depending on the region you are running in, AWS allows up to 500-3000 Lambda functions to run at one time. If there is an uptick in files that need to be scanned, the objects/files are queued in Amazon SQS, which allows scanning to scale with load. All file types can be scanned, including compressed files and Microsoft OLE objects.
Conclusion
With the world continuing to take advantage of the cloud, we must never forget that there are malicious attackers taking advantage of the new attack vectors it presents. File Storage Security is a much-needed anti-malware scanning service for your cloud storage containers to protect your buckets and allow you to sleep well at night. Now, go wash your car.