Many applications and processes today are based on files uploaded by external users. Users upload financial documents for loans, resumes for job applications, images for insurance claims, and more. However, PDF, Microsoft Word, Microsoft Excel, image, and video files, along with other file types, can all harbor malware or other malicious content.
It’s critical to detect infected files without disrupting your workflow. This article will explore how you can approach this issue while maintaining balance between protecting systems and running operations.
A Scenario: Customer Files on Amazon Web Service (AWS)
For example, let’s take a web application that allows customers to upload files via a portal. In many cases, the application will place a file in temporary cloud storage such as a Amazon Simple Storage Service (Amazon S3) bucket (similar to a file folder) hosted by AWS. An automated system might then pick up the file and forward it to an additional storage bucket or possibly an employee for processing.
Cloud storage can be created quite easily. Development teams need scalable low-latency storage and retrieval of data between corporate public web pages and internal systems. In some cases, it may seem to a user that their file storage is safe and protected internally by compliance checks on the storage unit, allowing the files to move freely without concern. However, malware landing in the storage unit can mean a file is travelling to other systems untouched and spreading across the company’s enterprise environment.
A single file could have a real impact on the security of the business as well as its workflow. What if a file is identified as a risk—will the sender or recipient be made aware of this potential issue? For example, if a customer’s uploaded insurance claim file is flagged as suspicious but neither the customer nor the intended recipient is notified. The customer may have no idea that their insurance company didn’t receive their claim documents. Meanwhile, the company representatives have no idea these documents were intended to be filed on time. Although the systems are safe from malicious files, the user experience fails. A proper security setup must ensure protection against threats without introducing potential problems for users.
Secure Your Infrastructure
The solution to this problem starts with securing and correctly configuring your file infrastructure, including your storage buckets. Your first line of defense is to implement best practices across your application infrastructure and ensure your systems are hardened. Both Trend Micro and AWS take security seriously. Trend Micro provides compliance and misconfiguration checks on your infrastructure with Trend Micro Cloud One™ – Conformity. AWS provides exceptional guardrails that combines its built-in protection with monitoring and notifications, along with Amazon Well Architected Framework best practices, to protect your systems from human-introduced risks.
You can lock down your AWS security manually using reference guides, but services like Conformity help you automate the process. Conformity also enables you to monitor these resources after initial setup to ensure any configuration changes or drift don’t introduce vulnerabilities later on.
Scan Your Files
Picture a file being uploaded through a web application: the person uploading the file is unaware that the file came from a template with malware embedded, or possibly the user has malicious intent and is fully aware that the file containers malware. In either case, scanning the file when it lands in the storage bucket protects the downstream path which the file will take as other applications and services direct it onwards. The system should quickly perform a scan and let the user know whether the upload was successful, along with any issues detected. This helps keep front-line storage safer and gives users an opportunity to immediately resolve potential problems by uploading alternate files.
Trend Micro Cloud One™ – File Storage Security is a cloud-based service that delivers cloud-native designed scanning of your AWS S3 buckets for malware and vulnerabilities. With simple guided deployment, and APIs, this lightweight, flexible serverless service enables file scanning as well as customizable post-scan actions.
Don’t Forget Your Process
With all this scanning it’s important to remember that the objective is to protect your downstream workflows.
Inevitably, not every file that enters your storage stack will be free from malware. So, you’ll also need to ensure there is a process for quarantined malicious files. File Storage Security can send files to various buckets as needed and helps create your post-scan actions. You can configure the AWS Simple Notification Service (SNS) to notify you when a scan occurs. The notification can be an email, text message, or another type of notification that you define in Amazon SNS. Letting someone know there is a problem helps move the process forward. When a customer’s file does not reach its intended recipient, the customer must be notified promptly so they can upload a different file or send the information another way. Otherwise, they are left thinking that step is complete. Staff members may also need to be notified, so they can reach out to customers or investigate potential issues.
For end-to-end compliance, it is best to ensure that internal systems are scanned, and processes are followed. You need a system that doesn’t leave any gaps, preventing potential threats or any loose ends to cause user friction. Together, proper planning and automation achieve both of these goals and is part of the shared responsibility model for cloud security.
How File Storage Security Enables Innovation
This solution leverages cloud-native application architectures to secure your services. Protect your downstream workflows and decrease potential threats to your organization with reliable malware scanning on all file types and sizes. File Storage Security uses anti-malware signatures to protect against known threats like viruses and spyware. It also looks for obfuscated or polymorphic malware variants using fragments of previously seen malware and detection algorithms.
The serverless architecture makes File Storage Security fast and flexible to deploy. Automate file scanning with a secure, custom workflow that is tailored to your organization’s structure and needs. You can deploy a multi-bucket promotional model, which scans files and then automatically moves them to either a quarantine bucket or a clean bucket. Or, you can select an efficient single-bucket architecture. Plus, take advantage of cloud-deployment templates designed specifically for AWS and its Amazon S3 buckets.
File Storage Security enables you to maintain efficient processes and ensure a smooth user experience.
Next Steps
Accepting digital documents and file objects through applications and event-driven requests is growing exponentially as businesses expand customer and service application development and processes. Ensuring your infrastructure is compliant and secure, as well as scanning files for malware, is a critical strategy to keep your systems safe and avoid workflow disruptions.
Viruses and malware have become standard threats on the internet. While no business or its cybersecurity teams want to overlook these risks, manual intervention is unfeasible given the daily volumes of data businesses ingest. You need layered security approaches like File Storage Security, which adds a critical line of defense for the growing number of applications orchestrating data transfer and downstream processes.
Trend Micro integrates compliance and security into your cloud-based systems, ensuring a safe environment throughout your processes. To begin boosting your cloud safety in just a few minutes, start your 30-day free trial of File Storage Security.