29 October 2019
Why traditional antivirus solutions are not suitable for public clouds and how to solve security issues?

More and more clients are moving their entire IT infrastructure to public clouds. However, without adequate antivirus control, serious cyber risks arise in the customer's infrastructure: practice has shown that up to 80% of existing malware can operate in a virtual environment and damage your software and data. In this post we talk about how to protect IT resources in the public cloud and why traditional antiviruses are not quite suitable for the purpose.

Let's begin by explaining how we arrived at the conclusion that the usual antivirus tools are not suitable for a public cloud and that a different approach to protecting resources is required.

First, providers as a rule establish safeguards that guarantee a high level of protection for the cloud platform itself. For example, #CloudMTS specialists analyze all network traffic, monitor cloud security logs and regularly perform penetration tests. But the cloud segments allocated to each customer must also be well protected.

Second, the traditional cybersecurity approach involves installing an antivirus and its management components on every virtual machine. With a large number of virtual machines this is inefficient and consumes significant computing resources, which adds load to the client's infrastructure and reduces the overall performance of the cloud. This became the starting point for finding a new way to build effective antivirus protection for customers' virtual machines.

In addition, most antivirus solutions on the market are not designed to protect IT resources in a public cloud. They are typically heavyweight Endpoint Protection Platforms (EPP) which, moreover, do not offer the customization that cloud clients need.

It is now clear that classic antivirus solutions are poorly suited to the cloud: they place a heavy load on the virtual infrastructure during updates and scans, and they lack the necessary role management and configuration options. Below we analyze in detail why the cloud needs a new approach to antivirus protection.

What are the requirements for cloud antivirus solutions?

Let's review the specific features of working in a virtual environment:

Efficiency of updates and multiple simultaneous scheduled scans. If a significant number of virtual machines running a traditional antivirus start an update at the same time, the cloud experiences a so-called 'AV storm' (the antivirus analogue of a boot storm). The capacity of an ESXi host running several virtual machines may not be enough to absorb a burst of identical, automatically launched tasks. From the provider's point of view this means extra load on a number of ESXi hosts and ultimately lower performance of the whole virtual infrastructure, which can also affect the virtual machines of other cloud clients. The same happens with a mass scan: the storage system has to process a large number of similar requests from different users at once, which degrades performance for the entire cloud, and a drop in storage throughput is very likely to be felt by all customers. Such spiky loads are bad news both for the provider and for its customers, because they hit every so-called 'neighbor' sharing the same hosts and storage. From this point of view a traditional antivirus can be a big problem.
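As an added illustration that is not part of the original article, the following Python sketch shows one way to stop scheduled scans from piling up on a host: group VMs by the ESXi host they run on, allow at most a fixed number of scans per host at a time, and add a small random jitter so agents never fire on the same tick. The host names, VM names, scan duration and maintenance window are constructed for the example; a real scheduler would read the placement from vCenter.

```python
"""Staggered scan scheduling per ESXi host (added example; all names are hypothetical)."""
import random
from collections import defaultdict

SCAN_DURATION_MIN = 20   # assumed length of one full scan, in minutes
MAX_JITTER_MIN = 5       # random spread inside a slot so agents never start on the same tick

# Constructed inventory: tenant VM -> ESXi host it currently runs on.
VM_PLACEMENT = {
    "tenant-a-web-01": "esxi-01", "tenant-a-web-02": "esxi-01",
    "tenant-a-db-01": "esxi-01",  "tenant-b-app-01": "esxi-01",
    "tenant-b-app-02": "esxi-01", "tenant-b-db-01": "esxi-01",
    "tenant-c-ad-01": "esxi-02",  "tenant-c-file-01": "esxi-02",
    "tenant-d-web-01": "esxi-02",
}


def naive_schedule(placement, start_min=180):
    """Classic behaviour: every VM starts its scan at the same wall-clock minute (03:00)."""
    return {vm: start_min for vm in placement}


def staggered_schedule(placement, window_start=180, window_len=360,
                       max_parallel_per_host=2, seed=0):
    """Spread scans so that no more than max_parallel_per_host overlap on any host.

    Returns {vm: start_minute}. Raises ValueError if the window is too short for a host.
    """
    rng = random.Random(seed)  # fixed seed so the schedule is reproducible between runs
    by_host = defaultdict(list)
    for vm, host in placement.items():
        by_host[host].append(vm)

    # A slot is wide enough that a scan started late in it still ends before the next slot.
    slot_width = SCAN_DURATION_MIN + MAX_JITTER_MIN
    schedule = {}
    for host, vms in by_host.items():
        vms = sorted(vms)
        rng.shuffle(vms)  # no tenant always gets the first or last slot
        slots_needed = -(-len(vms) // max_parallel_per_host)  # ceiling division
        if slots_needed * slot_width > window_len:
            raise ValueError(f"{host}: {len(vms)} VMs do not fit the maintenance window")
        for i, vm in enumerate(vms):
            slot = i // max_parallel_per_host
            schedule[vm] = window_start + slot * slot_width + rng.randint(0, MAX_JITTER_MIN)
    return schedule


def peak_concurrency(schedule, placement, duration=SCAN_DURATION_MIN):
    """Maximum number of scans running at once on each host (sweep over start/end events)."""
    events = defaultdict(list)
    for vm, start in schedule.items():
        events[placement[vm]].append((start, 1))
        events[placement[vm]].append((start + duration, -1))
    peaks = {}
    for host, evs in events.items():
        running = peak = 0
        for _, delta in sorted(evs):  # at equal time -1 sorts before +1: a finished scan frees its slot first
            running += delta
            peak = max(peak, running)
        peaks[host] = peak
    return peaks


if __name__ == "__main__":
    print("naive    :", peak_concurrency(naive_schedule(VM_PLACEMENT), VM_PLACEMENT))
    print("staggered:", peak_concurrency(staggered_schedule(VM_PLACEMENT), VM_PLACEMENT))
```

With the constructed placement the naive plan puts six scans on esxi-01 at once, while the staggered plan never exceeds two per host and rejects a window that is too short instead of silently overlapping.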

Secure quarantine. If a file or document suspected of being infected is detected in the system, it is sent to quarantine. Of course, an infected file could be deleted immediately, but for most companies this is not acceptable. Corporate antiviruses that were not designed for a provider's cloud usually have a single shared quarantine zone into which all infected objects go, for example files found on the computers of the company's users. Cloud clients operate in their own segments (tenants). These segments are opaque and isolated: clients do not know about each other and, of course, do not see what others store in the cloud. In a shared quarantine area accessible to all antivirus users in the cloud, a document containing confidential or commercially sensitive information could end up visible to other tenants. This is not acceptable either for the provider or for its clients. Therefore there is only one solution: a personal quarantine area for each client, inside its own segment, accessible neither to the provider nor to other clients.

Custom security policies. Each client in the cloud is a separate company whose IT department sets its own security policies: administrators define, for example, scan rules and scan schedules. Each organization should therefore have its own control center for configuring antivirus policies. At the same time, one client's settings must not affect other cloud clients, and the provider must be able to verify that antivirus updates are applied routinely to all client virtual machines.

Billing and licensing. The cloud model is flexible: the customer pays only for the IT resources actually used, and the amount of resources can be increased or reduced quickly as computing needs change, for example with the seasons. A traditional antivirus is not so flexible: as a rule, a client buys an annual license for a predetermined number of servers or workstations. Cloud users regularly connect and disconnect virtual machines depending on their needs and tasks, so antivirus licenses must follow the same model.

The second issue is what exactly the license applies to. A traditional antivirus license covers a fixed number of servers or workstations. Licensing by the number of protected virtual machines does not fit the cloud model either: a client can create as many virtual machines as its resources allow, say five or ten, the number varies from client to client, and it is not possible for us as a provider to track these changes. Licensing by physical CPU is technically impossible, because clients never see physical processors, only virtual ones (vCPUs), so it is the vCPUs that must be licensed. The new antivirus protection model should therefore let the customer specify the number of vCPUs for which antivirus licenses are issued.

Compliance with the law. An important point, since the solutions used must meet regulatory requirements. For example, cloud users often process personal data. In that case the provider must have a separate certified cloud segment that fully complies with the Law on Personal Data (Federal Law 152-FZ). If it does, companies do not have to build the entire personal-data processing system themselves: buy certified equipment, connect and configure it, and go through certification. The antivirus must likewise comply with Russian law and hold an FSTEC certificate allowing it to protect clients' personal data information systems (ISPD).

We have considered the mandatory criteria that antivirus protection must meet in a public cloud. Next, we will share our own experience in adapting an antivirus solution for a provider's cloud.

How to implement an antivirus in the cloud

We have found that choosing a solution from its description and documentation is one thing, and introducing it into an already operating cloud is a completely different and rather complex task. Here we share our experience of adapting an antivirus for use in a provider's public cloud. The choice fell on Kaspersky Security for Virtualization (Light Agent), an antivirus solution from Kaspersky.


The solution consists of a single Kaspersky Security Center (KSC) console, the Light Agent, the Security Virtual Machine (SVM) and the KSC Integration Server.

After studying the architecture of Kaspersky's solution and running the first tests together with the vendor's engineers, we decided to integrate the service into the cloud. The first implementation was carried out on the Moscow cloud platform. Here is what we have learned so far.

To reduce network traffic, we decided to place an SVM on each ESXi host and bind it to that host, so that the Light Agents of the protected virtual machines talk to the SVM of the ESXi host they are running on. A separate administrative tenant was chosen for the main KSC; subordinate KSCs are located in the tenants of individual clients and report to the superior KSC in the management segment. This scheme allows issues in client tenants to be resolved quickly.

Besides the tasks related to deploying the components of the antivirus solution, we faced challenges such as exposing the solution's web API through additional VXLAN segments. The solution was originally intended for enterprise clients with private clouds, but thanks to the technical understanding of our engineers and the flexibility of NSX Edge we were able to solve all the problems associated with tenant separation and licensing.

We worked closely with Kaspersky engineers. While analyzing the network interaction between the components, we found that, in addition to the connection from the Light Agent to the SVM, the original design also required a return connection from the SVM to the Light Agent. This is not possible in a multi-tenant environment: virtual machines in different tenants may have identical network settings (overlapping addresses behind NAT), so the SVM has no unambiguous route back to a given agent. At our request, Kaspersky engineers redesigned the network interaction between the Light Agent and the SVM so that no connectivity from the SVM to the Light Agent is required; the agent always initiates the connection.

After the solution was deployed and tested on the Moscow cloud platform, we replicated it to our other platforms, including the certified cloud segment. The service is now available in all regions of the country.

Solution architecture under the new approach

The general scheme of the antivirus solution in a public cloud is shown in the figure below.

Antivirus solution workflow within #CloudMTS public cloud


Below we discuss how the solution's individual elements operate in the cloud and what their features are:

• A single console that lets clients manage the protection system: run scans, control updates and inspect the quarantine zone. The console also lets them configure individual security policies within their own segment.

It is worth noting that, although we are the service provider, we do not interfere with the settings applied by clients. The only thing we can do is reset the security policies to the defaults if a readjustment is required, for example when a client has accidentally tightened them too much or significantly weakened them. A company can always get a control center with default policies and then configure it itself. The downside of Kaspersky Security Center is that so far the platform is available only for Microsoft operating systems, although Light Agents work on both Windows and Linux machines; Kaspersky Lab promises that KSC will run under Linux as well in the near future. One of the important features of KSC is quarantine management. Each client company in our cloud has its own personal quarantine zone. This rules out the situation where an infected file ends up visible to everyone, as happens with a classic corporate antivirus and a shared quarantine zone.

• Light Agents. In the new model a Kaspersky Security Light Agent is installed on each virtual machine. This removes the need to store an antivirus database on every VM and reduces the disk space used. The service is integrated with the cloud infrastructure and works through the SVM, which increases the density of virtual machines per ESXi host and the performance of the cloud as a whole. The Light Agent queues the tasks for its virtual machine (file system check, memory check and so on), but the SVM performs the actual scanning, as described below. The agent also acts as a firewall, enforces security policies, sends infected files to quarantine and monitors the general health of the operating system it is installed on. All of this is controlled from the single console already mentioned.

• Security Virtual Machine. All compute-intensive tasks (antivirus database updates, scheduled scans) are handled by a separate Security Virtual Machine (SVM), which runs the full antivirus engine and its databases. A company's IT infrastructure can include several SVMs, which improves the resilience of the system: if an SVM fails or does not respond for thirty seconds, the agents automatically start looking for another one.

• KSC Integration Server. A component of the main KSC that assigns SVMs to Light Agents according to the algorithm specified in its settings and monitors SVM availability. In effect, this module balances the load across all SVMs in the cloud.

In general the scanning algorithm works as follows. The agent intercepts access to a file on the virtual machine and has it checked. The result is stored in a shared, centralized database of SVM verdicts (the Shared Cache), each entry of which identifies a unique file. This ensures that the same file is not scanned several times in a row, for example when it is opened on different virtual machines. A file is scanned again only if it has been modified or a scan is started manually.
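To make the Shared Cache idea concrete, here is an added Python example (not Kaspersky's code and not the article's) of a verdict cache keyed by the file's content hash: a second VM opening the same bytes gets the cached verdict, a modified file gets a fresh scan, and a manual scan bypasses the cache. The scan engine is a toy signature matcher with a constructed marker string standing in for the real engine on the SVM, and the invalidation after a database update is an assumption of the example, not something the article describes.

```python
"""Shared verdict cache in front of the scan engine (added example; toy engine)."""
import hashlib
from dataclasses import dataclass

# Constructed signature list for the toy engine; the real SVM runs the full Kaspersky engine.
SIGNATURES = [b"X5O!CONSTRUCTED-TEST-MARKER-DO-NOT-SHIP"]


@dataclass(frozen=True)
class ScanResult:
    verdict: str      # "clean" or "infected"
    from_cache: bool  # True when no engine scan was needed


class SharedCache:
    """Verdict cache shared by all SVMs: stores only (content hash -> verdict)."""

    def __init__(self):
        self._verdicts = {}   # sha256 hex -> verdict; no file content, path or tenant is stored
        self.engine_scans = 0  # how often the expensive engine actually ran

    @staticmethod
    def _engine_scan(data: bytes) -> str:
        """Stand-in for the antivirus engine: plain substring match against SIGNATURES."""
        return "infected" if any(sig in data for sig in SIGNATURES) else "clean"

    def scan(self, data: bytes, force: bool = False) -> ScanResult:
        """Return a verdict, consulting the engine only on a cache miss or a forced (manual) scan."""
        digest = hashlib.sha256(data).hexdigest()   # identifies the unique file; changes when the file changes
        if not force and digest in self._verdicts:
            return ScanResult(self._verdicts[digest], True)
        self.engine_scans += 1
        verdict = self._engine_scan(data)
        self._verdicts[digest] = verdict
        return ScanResult(verdict, False)

    def invalidate_all(self) -> None:
        """Assumption of this example: after a database update, old 'clean' verdicts must not be trusted."""
        self._verdicts.clear()


if __name__ == "__main__":
    cache = SharedCache()
    report = b"quarterly report, constructed sample content"
    print(cache.scan(report))            # engine runs
    print(cache.scan(report))            # same bytes opened on another VM: served from cache
    print(cache.scan(report + b" v2"))   # modified file: engine runs again
    print(cache.scan(report, force=True))  # manual scan: engine runs regardless
    print("engine scans:", cache.engine_scans)
```

The cache holds only a content hash and a verdict, which is why one cache can serve every tenant without exposing anyone's files. Note that even a hash-keyed verdict reveals that some VM somewhere has seen a given file, so access to the cache itself should be limited to the SVMs rather than exposed to tenants.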

Antivirus solution implementation in the provider's cloud

The figure shows the general scheme for implementing the solution in the cloud. The main Kaspersky Security Center is deployed in the management zone of the cloud, and an individual SVM is deployed on each ESXi host through the KSC Integration Server (each ESXi host has its own SVM, bound to it by dedicated settings on VMware vCenter Server). Clients work in their own cloud segments, where the virtual machines with agents are hosted; they are managed by individual KSC servers subordinate to the main KSC. If only a small number of virtual machines (up to five) needs protection, the client can instead be given access to the virtual console of a dedicated KSC server. Network traffic between the client KSCs and the main KSC, and between the Light Agents and the SVMs, passes through NAT on the clients' NSX Edge gateway (EdgeGW) virtual routers.
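The per-host binding of agents to SVMs, the thirty-second failover and the Integration Server's balancing role can be modelled in a few dozen lines. The Python below is an added example with constructed SVM, host and tenant names; it is not the real Integration Server algorithm, which the article only characterizes as configurable, and it simply assumes "prefer the live SVM on the agent's own host, otherwise the least-loaded live SVM".

```python
"""Agent-to-SVM assignment with host affinity and heartbeat-based failover (added example)."""
from dataclasses import dataclass, field

HEARTBEAT_TIMEOUT_S = 30  # an SVM silent for longer than this is treated as down (figure from the article)


@dataclass
class Svm:
    name: str
    host: str                      # ESXi host this SVM is pinned to
    last_seen: float = -1e9        # time of the last heartbeat, in seconds; "never" by default
    agents: set = field(default_factory=set)


class IntegrationServer:
    """Stands in for the KSC Integration Server: tracks SVM liveness and hands each agent an SVM.

    Hypothetical model: the real assignment algorithm is configured in KSC and the article does
    not describe it beyond preferring the SVM on the agent's own ESXi host.
    """

    def __init__(self, svms):
        self.svms = {s.name: s for s in svms}
        self.assignment = {}   # agent -> svm name
        self.agent_host = {}   # agent -> ESXi host the agent's VM runs on

    def heartbeat(self, svm_name, now):
        self.svms[svm_name].last_seen = now

    def alive(self, svm, now):
        return now - svm.last_seen <= HEARTBEAT_TIMEOUT_S

    def assign(self, agent, agent_host, now):
        """Prefer the live SVM on the agent's host; otherwise the least-loaded live SVM anywhere."""
        live = [s for s in self.svms.values() if self.alive(s, now)]
        if not live:
            raise RuntimeError("no live SVM available")
        local = [s for s in live if s.host == agent_host]
        chosen = local[0] if local else min(live, key=lambda s: (len(s.agents), s.name))
        old = self.assignment.get(agent)
        if old is not None and old != chosen.name:
            self.svms[old].agents.discard(agent)
        chosen.agents.add(agent)
        self.assignment[agent] = chosen.name
        self.agent_host[agent] = agent_host
        return chosen.name

    def reassign_orphans(self, now):
        """Move every agent whose SVM missed the heartbeat window; returns {agent: new svm name}."""
        moved = {}
        for agent, svm_name in list(self.assignment.items()):
            if not self.alive(self.svms[svm_name], now):
                moved[agent] = self.assign(agent, self.agent_host[agent], now)
        return moved


if __name__ == "__main__":
    srv = IntegrationServer([Svm("svm-01", "esxi-01"), Svm("svm-02", "esxi-02")])
    srv.heartbeat("svm-01", 0); srv.heartbeat("svm-02", 0)
    print(srv.assign("tenant-a-web-01", "esxi-01", 1))   # local SVM
    srv.heartbeat("svm-02", 20)                           # svm-01 goes silent
    print(srv.reassign_orphans(31))                       # agent moved to svm-02 after 31 s
```

Because the agent always initiates the connection (see the redesign described above), the server only needs to tell the agent which SVM to contact; it never has to reach into a tenant's network, which is exactly the property the NAT'd, overlapping-address layout requires.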

According to our estimates and the test results of our colleagues at Kaspersky, the Light Agent reduces the load on a client's virtual infrastructure by about 25% compared with a system that uses traditional antivirus software. In particular, the standard Kaspersky Endpoint Security (KES) antivirus for physical environments consumes almost twice as much server CPU time (2.95%) as the Kaspersky Security for Virtualization Light Agent (1.67%).

CPU load comparison graph


The same holds for disk load: the classic antivirus generates 1011 IOPS, the cloud antivirus 671 IOPS.

Disk hit rate comparison graph

This performance advantage helps keep the infrastructure stable and make better use of computing power. The solution adapted for the public cloud does not degrade cloud performance: file checks and update downloads are performed centrally on the SVM, which takes that load off the protected machines. This means that, on the one hand, threats to the cloud infrastructure will not be missed and, on the other, the resource requirements of the virtual machines fall by an average of 25% compared with the traditional antivirus approach.

In terms of functionality the two solutions are very similar, as the comparison table below shows. Based on the test results, however, the solution for virtual environments is still the better choice in the cloud.

Functional capabilities                          Physical environments¹   Virtual environments²

Protection
  File threat protection                                   +                       +
  Email and Web based threat protection                    +                       +
  Network attack protection                                +                       +

Network activity analysis
  Malicious URL detection                                  +                       +
  Phishing URL detection                                   +                       +
  Firewall                                                 +                       +
  Analysis of program behavior                             +                       +
  Exploit protection                                       +                       +
  Program control                                          +                       +
  Memory check                                             +                       +
  Device control and Web control                           +                       +
  Host-based Intrusion Prevention System (HIPS)            +                       +
  Encryption protection                                    +                       +
  File integrity monitoring                                -                       +

Functionality for Data Centers
  Resource optimization                                    -                       -
  Automatic deployment                                    +/-                     -/+
  SVM high availability                                   N/A                     N/A

¹ KES for Windows (Kaspersky Endpoint Security)
² KSV 2.0 Light Agent (Kaspersky Security for Virtualization)


As for the pricing of the new approach: we chose a model in which licenses are obtained per vCPU, so the number of licenses equals the number of vCPUs allocated to the protected virtual machines. The antivirus can be tested by leaving a request on our website.

In the next article on cloud-related topics, we’ll talk about the evolution of cloud-based WAFs and what’s best to choose: hardware, software, or the cloud.

The text prepared by #CloudMTS cloud provider employees: Denis Myagkov, lead architect and Alexey Afanasyev, IT security software development manager.


