Migrate On-Premises Data to AWS and Secure it from Malware Using Trend Micro Cloud One – File Storage Security
By Harshil Shah, Partner Solutions Architect – AWS
By Justin Perkins, Solutions Architect, AWS Alliances – Trend Micro
A lot of companies need to migrate their on-premises data to the cloud and choose Amazon Web Services (AWS) to identify a simple, easy-to-deploy, and cost-effective solution to move and secure their data.
Customer use cases for AWS can include:
- Migration: Some customers have large datasets that are in a constant state of flux. There is no natural break or stopping point they can use to affect a one-time transfer.
- Upload and process: Other customers regularly generate massive datasets on premises for processing in the cloud. This includes customers in media and entertainment, oil and gas, and life sciences industries.
- Security: While the data is processed in the cloud, customers also want to ensure uploaded data is free of malware and ransomware, and that it’s safe to be used by downstream workflows.
- Backup and disaster recovery: Some customers copy their precious on-premises data to the cloud for safekeeping and to ensure business continuity.
One-time or periodic transfers of tens or hundreds of terabytes are routine. At this scale, making effective use of network bandwidth and achieving high throughput is essential, with reliability, security, and ease of use being equally important.
In addition, customers also find moving this data to Amazon Simple Storage Service (Amazon S3) helps them build different workflows based on S3’s highly durable storage and bring this data to use.
Organizations use Amazon S3 to build data lakes, run cloud-native applications, backup and restore critical data, and archive data at low cost. This functionality has made S3 the foundation of many cloud computing workloads, but it‘s become equally critical for customers to validate their workloads are not consuming infected data in any form and are free of malware or ransomware to avoid potential risk to their organizational footprint.
In this post, we will discuss how you can securely migrate your data from an on-premises network file system (NFS) to Amazon S3 using AWS DataSync. We’ll also provide guidance on how Trend Micro Cloud One – File Storage Security can be implemented to perform malware scanning, as well as address compliance, needs such as PCI-DSS and HIPAA.
Trend Micro is an AWS Security Competency Partner and global leader in cybersecurity, helping make the world safe for exchanging digital information. Trend Micro Cloud One can be found in AWS Marketplace.
What is Malware and Ransomware?
Malware is malicious software or files which, if able to run, can cause harm in many ways, including:
- Causing a system to become locked or unusable.
- Stealing, deleting, or encrypting data.
- Taking control of your devices to attack other organizations.
- Obtaining credentials which allow access to your organization’s systems or services that you use.
- Mining cryptocurrency.
- Using services that may cost you money, such as replicating the same large file to multiple regions/spinning up new AWS resources.
Ransomware is a type of malware that prevents you from accessing your storage (or the data that’s stored on it). The storage itself may become locked, or the data on it may be stolen, deleted, or encrypted. Some ransomwares will try to spread to other services in the infrastructure.
For these reasons, it’s necessary for organizations to build solutions where they can modernize their workflows from the get-go when they are designing their migration plan. They can take advantage of existing independent software vendor (ISV) offerings like Trend Micro Cloud One – File Storage Security that helps to ensure none of your files that are uploaded to the cloud are infectious before they are consumed by other services within AWS.
Leveraging the AWS MAP Program
Amazon Web Services (AWS) offers the Migration Acceleration Program (MAP) as a collection of tools and AWS migration experiences that help customers reduce costs, automate workloads, and accelerate execution with knowledge from AWS professional services and the global partner ecosystem.
MAP uses a three-phase migration process designed to assist organizations on how to best approach migrating data, applications, and other processes into the AWS Cloud:
- Assess: Assess your organization’s current readiness for operating in the cloud. Organizations need to identify their business outcomes and use cases for migration.
- Mobilize: Define a migration plan and identify the gaps in readiness discovered from the initial assess phase.
- Migrate and modernize: Design, migrate, and validate migration.
Figure 1 – Phases of AWS MAP program.
Assessing Business Challenge
Imagine a company that owns and operates a data center but has decided to scale down its storage footprint and free up resources. Within the data center is an NFS server that’s been identified to migrate its data to AWS.
In addition, some of the data on the NFS server has not been interacted with for a long time but still needs to be retained and will require validation to ensure it’s not infected with any kind of malware that can impact downstream workflows. The company must adhere to PCI-DSS compliance, so validating data in cloud storage is a must.
Trend Micro Cloud One – File Storage Security (FSS) enables users to detect different malware types including viruses, trojans, spyware, ransomware, and more. When a user, resource, or program uploads a file to a designated cloud storage container, FSS performs a scan without the file ever leaving the environment. This also helps meet any specific data residency requirements.
Figure 2 – Components of proposed architecture to migrate and secure files in AWS.
By using an event-based scanning approach, once an object is sent to an Amazon S3 bucket, the function will execute the scan and tag the file as malicious or clean, depending on the scan result. It’s also possible to connect plugins to perform additional actions; for example, as soon as the file is tagged as malicious, the plugin moves the tagged file to a designated quarantine bucket.
For more information, see the Trend Micro Cloud One – File Storage Security Data Collection Notice.
Figure 3 – File Storage Security workflow diagram.
Before you Begin
In this post, we assume you have the following:
- Source NFS file system that you can transfer files from.
- For this migration workflow, two S3 buckets will be required:
- The first bucket is for files being transferred or uploaded. This is the bucket FSS will monitor and scan.
- The second is a quarantine bucket for objects determined to be malicious to be moved into, with the Files Storage Security plugin.
Figure 4 – Amazon S3 console view for the two buckets created per the solution overview.
Migrate and Modernize
Step 1: Deploy File Storage Security
File Storage Security deployment is simplified by using AWS CloudFormation templates to deploy the following:
- Storage stack: This is responsible for accepting the notification for the S3 bucket, as well as sending newly-uploaded files to the scanner stack for the security scan. After the scan is complete, an Amazon Simple Notification Service (SNS) message is published, and the file is tagged as “malicious” or “clean.”
- Scanner stack: This is responsible for executing the scan and publishing the results to the SNS “Scan Result” topic. When the scanner stack receives the request from the storage stack, it processes it and uses an AWS Lambda function to execute the scan. Like many Trend Micro technologies, FSS can utilize Trend Micro Smart Protection Network for the latest threat information.
Figure 5 – Under the hood architecture of AWS services used inside of File Storage Security.
The stack requires at least one piece of information, which is the name of the S3 bucket you intend to monitor and scan. Once the solution has been deployed successfully, you can view the protected bucket in the security console.
Figure 6 – File Storage Security console view in Trend Micro Cloud One.
To enhance the operations of File Storage Security, the post-scan action quarantine plugin can be deployed. The CloudFormation template can be deployed from the AWS Serverless Application Repository. This additional functionality will require the following parameters:
- Optional: PromoteBucketName
- Optional: QuarantineBucketName
Figure 7 – AWS Lambda console view where you define values for post scan action.
Step 2: Configure AWS DataSync
AWS DataSync is a data transfer service that simplifies the automation of moving data between on-premises storage systems and the cloud. DataSync automatically handles many of the tasks related to data transfers that can slow down migrations or burden your IT operations, including running your own instances, handling encryption, managing scripts, network optimization, and data integrity validation.
Deploy the DataSync Agent
For DataSync to access managed storage, an agent must be associated with your AWS account. The agent image can be downloaded and deployed to your on-premises VMware ESXi, Linux Kernel-based Virtual Machine (KVM), or Microsoft Hyper-V hypervisor.
Figure 8 – AWS DataSync console view to monitor the status of running agents.
Create the Source (NFS) and Destination (S3) Locations
For a DataSync task to run, two locations must be configured. The source location defines the storage system or service you want to read data from; in this case, the NFS server is the source. The destination location defines the storage system or service you want to write data to; S3 will be the destination location.
Figure 9 – AWS DataSync console view listing your source and destination locations.
Create and Run the Transfer Task
With the agent created and configured, and both source and destination locations defined, you can now configure the settings for a new task. A task is a set of two locations (source and destination) and a set of options you use to control the behavior of the task.
Run the task after creation to start the transfer. One thing to note is the AWS Lambda service has a default setting of 1,000 total allowable concurrent executions, and File Storage Security’s ScannerLambda function follows this configuration. For more information on how many files can be scanned concurrently, see the FSS documentation.
Figure 10 – AWS DataSync console view to manage and review the details of your migration task.
Step 3: Validate Migration
You can easily monitor and validate all of the files that have been scanned with FSS under the File Storage Security console. In this console view, you can filter based on a specific time period in minutes, hours, or even specify a date range to identify which files where tagged as malicious and any files scans that resulted in an error with a color-coded graphical view.
Figure 11 – File Storage Security console view on the events captured from the scan results.
Understanding how to move data eloquently and securely to AWS with minimal overhead can seem intimidating at first, but it can easily be done with leveraging the AWS Migration Acceleration Program (MAP) to cover the costs of a proof of concept (PoC) for the solution discussed in the above section. This program helps organizations achieve business goals and can be used either for migrating application data, archiving data, or even building a data lake on AWS.
Compliance needs and data security during migration to the AWS Cloud can easily be achieved using Trend Micro Cloud One – File Storage Security for malware scanning.
For a more detailed step-by-step, please refer to this workshop which helps you test this solution in your own AWS environments.
Trend Micro – AWS Partner Spotlight
Trend Micro is an AWS Security Competency Partner and global leader in cybersecurity, helping make the world safe for exchanging digital information.