How to scan files in a public cloud

To prevent Azure Storage and Amazon S3 cloud services from becoming malware distribution vectors, scan files while they’re uploading.

Doing business today without big data would be unthinkable. Market specialists gathering information for analysis and forecasts, developers producing numerous versions of programs, and business processes at times requiring storage of gigantic amounts of files are just a few broad examples of how business rests on data — and storing such volumes of information on one’s own systems tends to be cumbersome. As a result, companies are increasingly turning to public cloud platforms such as Azure Storage or Amazon S3. Somewhere during migration to the cloud, however, a common question arises: How can you scan uploads to prevent cloud storage from becoming another source of cyberthreats?

Why scan uploads at all?

Not every file uploaded to the cloud comes from a trusted computer. Some may be files from clients, for example, and you can never be sure what kind of security solution, if any, they use. Some data may be transferred in automatically (e.g., files uploaded once a day from remote devices). And ultimately, you cannot rule out the possibility of attackers gaining access to the credentials of a company employee and uploading malicious files on purpose.

In other words, you cannot eliminate every trace of cyberrisk. Scanning incoming files is an obvious and critical safety process. That said, we have always advocated for multilayered approaches to security as part of a defense-in-depth strategy. In addition, incident investigations rely on knowing not only that a file contains a threat but also exactly when the threat arrived. Knowing whether the file became compromised on the client side or was replaced with malware in your cloud storage, for example, helps identify the source of the problem.

Moreover, some business processes require file access for partners, contractors, or even customers. In such cases, no one can guarantee the reliability of the security mechanisms they employ, so if an incident occurs, your cloud storage will be considered, fairly or not, the source of the threat. Hardly great from a reputational point of view.

How to stop cyberthreats from spreading through your file storage

We recommend using Kaspersky Scan Engine to scan all incoming files in any file storage. If your data is stored in Azure Storage or Amazon S3, there are two possible use scenarios.

Scenario 1: Running through Kubernetes

If you use Kubernetes, a container-orchestration system for applications, then integrating Kaspersky Scan Engine for file scanning is not difficult. We provide a solution in the form of a ready-made image. Customers need only mount the container and run it.

Scenario 2: Support through connectors

If you don’t use Kubernetes, then you’ll need native platform support. However, that situation is not much more complicated; we provide connectors for attaching Kaspersky Scan Engine to Azure Storage or Amazon S3. All of the tools you’ll need to configure and fine-tune our engine are right in the cloud control panel.

You’ll find more information about Kaspersky Scan Engine on the solution's page.
