Cloud Native
Maintain File Security during Compliance Scanning
Learn how to integrate security into the build process to protect downstream workflows from risk.
File security is important, and organizations need applications that can protect a wide range of file types and vast amounts and formats of data they are receiving at an increasing rate.
Their files might range from videos (such as .mp4 and .avi files) to images (such as .jpg and .tif files) to documents and scripts (such as HTML files for the web, word processor files, and plain text files). They might also have geospatial files and files for quantitative data (for example, .csv files for delimited text and .xsl files for data in XML format). Security and compliance of all this data and the infrastructure that houses it are vital.
So how can businesses scan and validate their data without compromising security and compliance? In this article we look at how developers can quickly and easily integrate Trend Micro Cloud One – File Storage Security into their build processes to meet the organization’s need for scanning cloud storage services and protecting downstream workflows from risk.
Background on Major Platforms with File Compliance Scan Requirements
Many applications born in cloud infrastructure such as Amazon Web Services (AWS) are built to ingest, secure, and process files in large quantities. Organizations spend a lot of time securing and verifying compliance requirements of these applications. A common compliance workflow involves moving data from Amazon Simple Storage Service (Amazon S3) buckets for compliance scanning.
Developers are now tasked with meeting shifting business needs by ensuring that their applications will keep files and data safe while meeting compliance. To mitigate any issues of files gone awry, File Storage Security can scan and remediate malicious files at the source in near real time. This keeps data in the appropriate AWS account, as File Storage Security scans files alongside your application. You can also quarantine those files within another location in that account but away from your application. All in all, using File Storage Security helps to automate compliance scanning and maintain data sovereignty with security designed for your Amazon S3 buckets. Think of it as two birds, one stone (but less gruesome).
Demo of File Compliance Scan Requirements and Security
For this demo, we will be using the free trial of File Storage Security. To start, create a free trial account. After creating your account, you’ll see the Trend Micro Cloud One dashboard, offering several solutions. File Storage Security is just one of seven solutions that make up Trend Micro Cloud One, a SaaS-based platform that simplifies your security strategy by providing enhanced cloud security across your entire infrastructure.
Once you click on File Storage Security, you’ll see the console with a Stack Management dashboard.
Let’s create a new stack by clicking “Deploy.” We get the choice between “Scanner Stack” and “Scanner Stack and Storage Stack.” We'll pick the latter here to create an all-in-one stack.
Note: You can also create a Scanner Stack only, but you will have to add a Storage Stack to it later since you need one Storage Stack per Amazon S3 bucket to scan. A Scanner Stack can also have multiple Storage Stacks associated with it. The role of the Storage Stack is to monitor its associated Amazon S3 bucket for uploaded files and to send them to the Scanner Stack. The Scanner Stack executes the scan and publishes the results to Amazon Simple Notification Service (Amazon SNS) so they can be handled by, for example, AWS Lambda functions. More information can be found in the Architecture and flow documentation.
Now we’re presented with an interface that guides us through deploying the stack.
Start by signing into AWS in another browser tab. The Storage Stack must be in the same region as the Amazon S3 bucket to scan, so pick the appropriate region in the dropdown and click “Launch Stack.” A new tab will open with a partially filled-in form to create the stack on AWS CloudFormation. Under “Parameters” fill in the name of the Amazon S3 bucket to scan.
The other parameters are optional. When you’re done, tick the checkboxes at the bottom and click “Create Stack.”
This will redirect you to a new AWS CloudFormation stack. You can always find the stack again later using Services >AWS CloudFormation. It may take a little while for the creation of the stack to finish. Once it’s done, head to the “Outputs” tab.
Steps 3 and 4 of the Cloud One interface ask for the values of ScannerStackManagementRoleARN and StorageStackManagementRoleARN. Copy them from the “Outputs” tab, paste them into the text boxes, and click “Submit.” Note: An ARN, or Amazon Resource Name, is a unique identifier for an AWS resource. Here, it refers to the identify and access management (IAM) role that has the permissions to manage the stacks.
The Stack Management dashboard will now show your newly created stack. The left pane shows all your Scanner Stacks. When you select a Scanner Stack, its associated Storage Stacks will show up on the right pane. For more details about creating new stacks, refer to the Add stacks documentation.
Scanning Files
Deploying the stack creates a new topic on Amazon SNS. You can create a subscription for this topic to get notified of the result of a scan. Amazon SNS offers several ways to notify you, such as by requesting an HTTP(S) endpoint, sending an email, or calling an Lambda function. APIs are available for just about all your File Storage Security needs, including viewing scan results in Amazon CloudWatch.
Deploying the stack automatically deploys a couple of Lambda functions and automatically adds an Amazon SNS subscription. The subscription endpoint has “PostScanActionTagLambda” in its name, which you can find by going to Services > Lambda > Functions. When an Amazon S3 object's security scan completes, the “PostScanActionTagLambda” function adds tags to that object containing the results of the scan. Try uploading the Eicar anti-malware test file, then check the properties of the new object:
In case you’d like to add another subscription, you can go to the relevant Amazon SNS topic (Services > Simple Notification Service > Topics), then click “create subscription” and fill out the subscription form.
Let's try out “Email.” You’ll be asked to enter an email address, and upon creating the subscription, you’ll receive a confirmation email there. Confirm the subscription and try uploading a file to your Amazon S3 bucket. The screenshots below show the email for a clean file and for a malicious file.
While you can review particular scan results in an email, you may prefer text message, or defining your own notification in Amazon SNS to a third party service. This example just shows what kind of information is sent out by Amazon SNS.
Here’s an example more practical in the real world: You could set up a subscription to use the Promote or Quarantine function to promote clean files to one bucket and quarantine malicious files into another. This requires creating a new Lambda and then adding a subscription, similar to the process above. All steps are described on the linked page.
Next Steps
Ensuring your applications can help organization meet its data compliance issues is key to meeting business requirements. By making sure that scanning and storage of files remains with your applications, the data is kept together and compliant. File Storage Security helps meet compliance needs and protects downstream workflows from upstream risks with malware scanning of the files uploaded in specificized Amazon S3 buckets.
Sign up for a free 30 day Trend Micro Cloud One trial to gain access to File Storage Security and many other services in the Trend Micro Cloud One platform.
