Kaspersky Hybrid Cloud Security: Public Cloud and Devops


KL 020.13: Kaspersky Hybrid Cloud Security.

Public Cloud and DevOps

KL 020.13
Kaspersky Hybrid Cloud Security
Public Cloud and DevOps
Technical training

Table of contents

1. What you should know about Kaspersky Hybrid Cloud Security, public cloud protection and DevSecOps practices
1.1 Cloud technologies and DevSecOps practices
Infrastructure as a Service market
Private, public and hybrid cloud models
DevSecOps: secure software development practices
1.2 What Kaspersky Hybrid Cloud Security and Cloud Console are
1.3 How Kaspersky Hybrid Cloud Security is licensed
1.4 Kaspersky Hybrid Cloud Security use cases
1.5 Introduction to Amazon Web Services: architecture, terms, main services

2. Working with public clouds in Kaspersky Security Center Cloud Console
2.1 Scenarios and requirements
2.2 How to prepare Kaspersky Security Center Cloud Console
2.3 How to prepare public clouds and connect them to Kaspersky Security Center Cloud Console
Amazon Web Services
Microsoft Azure
Google Cloud Platform
2.4 Optimizing settings
2.5 How to deploy Kaspersky Security Center from Amazon Web Services Marketplace

3. Deploying protection in public clouds
3.1 Deploying protection in Amazon Web Services
3.2 Deploying protection in Microsoft Azure
3.3 Deploying protection on Google Cloud Platform

4. DevSecOps
4.1 Introduction to container technologies and CI/CD
4.2 Protection for running containers
4.3 Integrating Kaspersky Endpoint Security for Linux into CI/CD pipeline with Jenkins
4.4 KESL container


Acronyms and conventions


AWS — Amazon Web Services

Azure — Microsoft Azure

CI/CD — Continuous Integration / Continuous Delivery / Continuous Deployment

Container runtime — a software component that can run containers on a host operating system

GCP — Google Cloud Platform

IaaS — Infrastructure as a Service

KES — Kaspersky Endpoint Security

KESL — Kaspersky Endpoint Security for Linux

KHCS — Kaspersky Hybrid Cloud Security

KSC — Kaspersky Security Center

KSC CC — Kaspersky Security Center Cloud Console

KSN — Kaspersky Security Network

KSWS — Kaspersky Security for Windows Servers

Network agent — Kaspersky Network Agent

PaaS — Platform as a Service

PAYG — Pay as you go

PPU — Pay per use


1. What you should know about Kaspersky Hybrid Cloud Security, public cloud protection and DevSecOps practices

Public cloud vendors provide their resources to external customers. The public cloud market is growing,
with more and more companies using public cloud resources in various ways in their day-to-day activities.
It's convenient to have a flexible consumption model that can scale quickly. In an environment of dynamic
growth, seasonal bursts of workload and growing requirements for infrastructure from developers,
companies prefer to use public clouds. If a company decides to use public cloud resources, it should first
make sure that its data will be safe, define the provider’s and customer’s areas of responsibility and take
measures to ensure security within its own area of responsibility. Kaspersky Hybrid Cloud Security helps
customers protect their resources in public clouds.

In a private cloud, the customer is responsible for every aspect of the infrastructure, from physical
security, power supply and cooling the server room or datacenter, to endpoint applications for internal and
external services and users.

Public cloud providers take on some of these responsibilities and offer three major cloud service models:
— Infrastructure as a Service (IaaS). The provider is responsible for the premises, power supply,
cooling, network access, server hardware and an abstraction layer in the form of virtualization
that helps segregate customers’ resources. The customer is responsible for managing software
on virtual machines. The customer configures the operating system and selects security and
other applications that will run on the virtual machines.
— Platform as a Service (PaaS). The provider offers a ready-made platform along with virtual
instances of operating systems and manages updates and security. The customer can deploy
software and manage its settings.
— Software as a Service (SaaS). The provider offers a ready-made instance of the software. The
customer can only change settings within the application.

If you're using IaaS, you need to build a company-wide security model with cloud resources in mind. You
must keep virtual machines in the cloud up to date, install critical security updates, control and restrict
network communications and protect resources against malware and targeted attacks.

Kaspersky Hybrid Cloud Security is indispensable in the following cases:
— You use virtualization in a private cloud and want to protect virtual server resources and virtual
desktop infrastructure.
— You're currently using or planning to use IaaS in a public cloud.
— You have a development infrastructure and are using or planning to use containers.

1.1 Cloud technologies and DevSecOps practices

Infrastructure as a Service market


The global IaaS market is led by three major service providers: Amazon Web Services, Microsoft Azure
and Google Cloud Platform.

Kaspersky Hybrid Cloud Security supports all three providers and integrates with them via API. Each
cloud has its own features that you should take into account when planning and deploying the protection
of your cloud resources. In this course, we will discuss the main features you should pay attention to and
how to deploy protection in these three main public clouds.


Private, public and hybrid cloud models

A private cloud is the most common resource ownership model for running and managing information
systems. It allows the owner to control every aspect of the infrastructure and is well known to information
security experts. Private cloud owners have already established security processes, built threat models
and studied and deployed security solutions for conventional workloads.

Kaspersky Hybrid Cloud Security is also designed to protect VMs in private clouds using Light Agent to
optimize the load on server capacities. This is covered in detail in course KL 031: Kaspersky Security for
Virtualization.

In our current course, we will focus on how to secure public and hybrid clouds, containerized applications
and DevOps processes.

The main disadvantage of a private cloud is the slow allocation of new resources. It often happens that
resources are urgently needed for a new project, but it is not possible to allocate them quickly. Long
cycles of purchasing and commissioning new server capacities force customers to delay projects, limit or
slow down information systems or turn to service providers for public cloud resources.


Public clouds can quickly fill the need for new resources. In public clouds, resources of different
customers are usually not clearly separated at the physical level. Their information systems can be
located on the same physical servers and data storage systems. Virtualization helps separate data at all
stages: at rest, in motion and in use. When a customer simultaneously uses resources of different cloud
providers, this is called multicloud.

While public clouds are all the same conceptually, in fact, different clouds require mastering different
management tools. Services that share a similar purpose have different names, capabilities and settings.
This forces specialists to use multiple tools and management patterns to ensure information security,
which makes their work more complicated.

The customer does not have direct control over the data placement and no access to the underlying
infrastructure settings. This forces many companies to only use public clouds for non-critical information
systems that do not process employees' or customers' personal data. Very often, the development and
testing environment, as well as the frontend, are moved into public clouds.


The need to keep full control over critical information systems and quickly allocate new resources is
forcing companies to use hybrid models. In the hybrid model, the customer has a private cloud with
critical infrastructure and also uses one or more public clouds to promptly allocate resources whenever
necessary.

This allows the customer to get the best of both worlds, but also complicates the infrastructure
architecture and requires new tools and approaches to ensure the company's information security.

Kaspersky Hybrid Cloud Security products enable customers to use a single tool to protect workloads
across their entire hybrid landscape.


The popularity of cloud technologies has had an impact on how applications are developed and used. It's
convenient for developers to use the capabilities of the cloud for development and testing. The desire to
quickly launch and scale applications, as well as the need to become less dependent on the runtime
environment, led to the creation of technologies for packaging programs into containers.

Developers started to implement complex software as a set of separate services in order to simplify the
development process, maintenance and scaling. Automation tools were introduced to speed up the
process of building, packaging and launching applications; and the elaborated norms of interaction
between development and operations teams have become standard DevOps practices.


DevSecOps: secure software development practices

DevOps software development practices only appeared recently, but have already become the worldwide
standard. They solve a range of problems regarding interaction between teams, but traditionally did not
address the challenge of securing the processes and digital assets.

The software development industry is constantly evolving. Not that long ago, minor updates took weeks to
develop, and major software releases only came out a few times a year at best. Each update required
careful planning and performance testing. The impact on other elements of the digital landscape was
tested separately to ensure the uninterrupted operation of the company's services.

Digital products that we all use on a daily basis are updated regularly. Updates often carry not only fixes
for old bugs and critical vulnerabilities, but also new functionality. Such frequent updates would not be
possible without the transformation of the traditional development, testing and commissioning processes.
Each fix and new functionality goes through the pipeline and is built and tested automatically. If it
complies with the standards, it is immediately released.

Unfortunately, this development speed can lead to a drop in code quality, opening loopholes for attackers
to inject malicious code. Specialized analysis tools are required to check the software for potentially weak
elements.

Modern application building is based on the supply chain principle. Developers take ready-made
database and web server images from the internet, import the necessary libraries into them and build an
application from several containers. Unfortunately, they rarely consider the safety of the container images
downloaded from public resources.
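The supply-chain problem above is easy to check mechanically at the point where a pipeline reads a Dockerfile. The following Python script is an added example, not code from the course or from any Kaspersky product: it extracts every `FROM` reference, requires the image to come from an assumed private registry (`registry.example.internal`, a placeholder name) and to be pinned by digest, and flags mutable tags such as `latest`. The sample Dockerfile and the sha256 value in it are constructed for the demonstration.

```python
"""Check a Dockerfile's base images before a build: trusted registry, digest pin,
no mutable tag. Added example; not part of the course or any Kaspersky tool."""
import re
from typing import List, Tuple

# Assumed private registry that holds images already scanned and approved.
TRUSTED_REGISTRY = "registry.example.internal"

# Constructed sample; the sha256 value is a placeholder, not a real image digest.
PINNED = (f"{TRUSTED_REGISTRY}/base/alpine:3.19@sha256:"
          + "0123456789abcdef" * 4)
SAMPLE_DOCKERFILE = f"""\
FROM python:latest
FROM nginx:1.25
FROM --platform=linux/amd64 {PINNED} AS builder
FROM scratch
COPY --from=builder /app /app
"""

FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+\S+)?\s*$", re.IGNORECASE)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def parse_from_refs(dockerfile: str) -> List[str]:
    """Return the image reference of every FROM instruction, in order."""
    return [m.group(1) for m in map(FROM_RE.match, dockerfile.splitlines()) if m]


def check_image_ref(ref: str) -> List[str]:
    """Findings for one reference; an empty list means it passes all checks."""
    findings: List[str] = []
    if ref == "scratch":                       # empty image, nothing to pull
        return findings
    if ref.split("/")[0] != TRUSTED_REGISTRY:
        findings.append("not pulled from the trusted registry")
    if not DIGEST_RE.search(ref):
        findings.append("not pinned by digest")
    last = ref.split("@")[0].rsplit("/", 1)[-1]   # "name:tag" or "name"
    tag = last.split(":", 1)[1] if ":" in last else None
    if tag is None or tag == "latest":
        findings.append("mutable tag ('latest' or no tag)")
    return findings


def check_dockerfile(dockerfile: str) -> List[Tuple[str, List[str]]]:
    """(reference, findings) for each FROM line; usable as a CI gate."""
    return [(ref, check_image_ref(ref)) for ref in parse_from_refs(dockerfile)]


def gate_passes(dockerfile: str) -> bool:
    """True only when no FROM line has findings, i.e. the build may proceed."""
    return all(not findings for _, findings in check_dockerfile(dockerfile))


if __name__ == "__main__":
    for ref, findings in check_dockerfile(SAMPLE_DOCKERFILE):
        print(ref, "->", findings or "OK")
    print("gate passes:", gate_passes(SAMPLE_DOCKERFILE))
```

Running the script on the sample rejects `python:latest` and `nginx:1.25` while accepting the digest-pinned image and `scratch`; the same gate can be wired into a CI job so a build fails before any untrusted image is pulled.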


The traditional separation of development, support, administration and information security teams doesn't
work in the setting of rapid development and deployment cycles. The challenge of speeding up processes
has led teams to implement new ways of interacting.

DevOps practices enable development and operations teams to work together closely and build shared
goals, processes and culture. Later, the term was extended to DevSecOps since information security
must be an integral part of these processes and requires the tight integration of security applications into
the development and deployment pipeline.

Applications are often built by automation tools that compile ready-made code, perform sanity checks and
launch the software in a test environment for further verification; then the application goes into production.
Security professionals need tools that scan apps for malicious code and known vulnerabilities to be
integrated into the development process.


Traditional monolithic applications take quite a long time to start. Scaling is often only possible by adding
resources to the virtual machine on which the monolithic application is installed. Clustering partly solves
this problem, but it often leads to overconsumption of resources, since it is usually necessary to deploy
many instances of a particular module rather than of the entire application. Elements of a monolithic
application share a common codebase and functionality. Any partial changes to these can disrupt the
operation of other elements.

This makes developers change their approach and break monolithic applications into separate modules.
Each module performs a separate function called a microservice. These microservices are easier to
update, faster to launch and simpler to scale.

The vast majority of applications are now built entirely of a collection of interconnected microservices,
often in the form of containers.


Since developers often use cloud and on-premises resources with different underlying infrastructures
when developing and testing products, they need a way to package and run applications in any
infrastructure. A containerized application can be easily run on a developer's personal laptop, in an on-
premises infrastructure or public cloud.

A containerized application can be easily copied and run an unlimited number of times, making it simple
to migrate and scale. Containers are stored as images in a registry. The registry can be private or public.

Containers appeared to solve the problem of running multiple instances of an application in the same
environment with minimal overheads. The traditional approach ‘one virtual machine = one application
instance’ was slower and more resource intensive.


1.2 What Kaspersky Hybrid Cloud Security and Cloud Console are

Kaspersky Hybrid Cloud Security is a protection solution for private, public and hybrid clouds. The
solution provides cutting-edge security for Windows and Linux operating systems, including containerized
applications.


A Kaspersky Hybrid Cloud Security license key allows you to use Kaspersky Security Center Cloud
Console or a physical instance of Kaspersky Security Center Administration Server, depending on your
preferences and specifics of your architectural landscape.

We recommend using Kaspersky Security Center Cloud Console as the main security management tool
in your distributed hybrid infrastructure. Kaspersky Security Center Cloud Console is a cloud-based
implementation of Kaspersky Security Center Administration Server. Kaspersky Security Center Cloud
Console does not require additional funds and does not consume resources in your private or public
cloud.

Kaspersky Security Center Cloud Console is accessible from anywhere in the world to protect any type of
infrastructure.

In Kaspersky Security Center Cloud Console, you work with a workspace—a virtual outline of your
organization. Note that you can have only one workspace per company; but within it, you can create a
hierarchical structure with secondary and virtual Kaspersky Security Center servers.


1.3 How Kaspersky Hybrid Cloud Security is licensed

Kaspersky Hybrid Cloud Security is available in two editions: Standard and Enterprise. The Enterprise
edition is designed to secure public clouds and containerized applications:
— To protect running containers, scan them for potentially malicious code and copy trusted images
to a trusted registry.
— To integrate with CI/CD automation tools. Automation tools can run scripts and commands to
scan containers and software using kesl-control on Linux systems.
— To scan Windows systems for vulnerabilities. Very often, resources deployed in a public cloud
get overlooked and are not covered by the company's traditional patch management systems
and update cycles.
— Application Control lets you limit the list of applications allowed to run. Configuration errors in
public clouds can make workloads vulnerable, but application control prevents an attacker or a
low-skilled engineer from running software that is not intended for that VM.
— File Integrity Monitoring lets you track changes on virtual machines. Changes must be tracked so
as not to miss any unwanted and potentially dangerous modifications to applications or system
files.


Tools for centralized security update installation and control that companies use inside their perimeter
may not be suited for cloud resources. But cloud resources are also at high risk and it's essential to have
an accurate picture of all existing vulnerabilities and available security updates.

Kaspersky Hybrid Cloud Security Enterprise allows you to audit all systems running Windows. Status
reports give you an accurate picture of the current status of your landscape.


Cloud resources often perform a specific task. Use Application Control with lists of allowed or blocked
files. This will strictly limit the applications allowed to run and increase the overall system security.

Application Control is disabled by default. You can enable it in the security policy. At first, Application
Control should be used in test mode. This lets you explore the landscape and list applications that are
running normally. When ready, turn on blocking mode for unknown software.

We recommend that you enable sending of blocked start events in the security policy settings. This
enables you to monitor such events using Kaspersky Security Center Administration Console or
Kaspersky Security Center Cloud Console.

If cloud resources are performing clearly defined tasks and are mostly static, then any changes in critical
areas of the file system could indicate a security incident.

We recommend that you enable File Integrity Monitoring in critical and static areas of the file system and
add exceptions if necessary (for example, this tool should not be used for a shared folder on a file server
or a folder with database transaction logs).

By default, file system change events are not sent to Kaspersky Security Center Cloud Console. We
recommend that you enable sending of such events in the security policy settings and conduct regular
audits using reports on triggered Integrity Monitoring rules.
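To make the recommendation above concrete (monitor static, critical areas; exclude folders that churn by design, such as transaction logs), here is a minimal file integrity monitor in Python. It is an added example and not Kaspersky's File Integrity Monitoring implementation: it hashes a baseline of a directory tree, honours exclusions, and classifies the next run's differences as added, removed or modified files, which is exactly what a triggered-rule report is meant to surface. The directory layout and file contents are constructed in a temporary directory for the demonstration.

```python
"""A minimal file integrity monitor: hash a baseline of static directories,
honour exclusions for churning data, and report added/removed/modified files.
Added example, not Kaspersky's File Integrity Monitoring implementation."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_excluded(path: Path, exclusions: List[Path]) -> bool:
    """True if path is one of the exclusions or lies underneath one."""
    return any(path == e or e in path.parents for e in exclusions)


def build_baseline(roots: Iterable[Path], exclusions: Iterable[Path] = ()) -> Dict[str, str]:
    """Map every regular file under roots (minus exclusions) to its SHA-256."""
    excl = [Path(e).resolve() for e in exclusions]
    baseline: Dict[str, str] = {}
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(Path(root).resolve()):
            d = Path(dirpath)
            if is_excluded(d, excl):
                dirnames[:] = []          # do not descend into an excluded tree
                continue
            for name in filenames:
                p = d / name
                if p.is_file() and not p.is_symlink() and not is_excluded(p, excl):
                    baseline[str(p)] = sha256_of(p)
    return baseline


def diff_baselines(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify changes between two baselines; each list is what an audit reports."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario in a temp dir: a static config tree that should
    never change at runtime, plus a log directory that is expected to churn."""
    tmp = Path(tempfile.mkdtemp())
    conf, logs = tmp / "etc", tmp / "var" / "log"
    conf.mkdir(parents=True)
    logs.mkdir(parents=True)
    (conf / "app.conf").write_text("listen=443\n")
    (conf / "hosts").write_text("127.0.0.1 localhost\n")
    (logs / "txn.log").write_text("1\n")
    baseline = build_baseline([tmp], exclusions=[logs])

    # Later activity: config tampered, unexpected script dropped, log keeps growing.
    (conf / "app.conf").write_text("listen=443\ndebug=1\n")
    (conf / "dropped.sh").write_text("#!/bin/sh\n")
    (logs / "txn.log").write_text("1\n2\n")
    return diff_baselines(baseline, build_baseline([tmp], exclusions=[logs]))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The log directory is excluded, so its growth produces no finding, while the edited configuration file and the new script are reported; without the exclusion every log write would show up as a "modification" and bury the two events that matter.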


Kaspersky Hybrid Cloud Security is licensed by the number of protected resources:
— By the number of processors (physical sockets) on protected hardware or virtualized assets.
Only suitable for private clouds.
— By the total number of server operating systems on virtual machines in your private and public
clouds.
— By the total number of operating systems on virtual user workstations.

Special Kaspersky Security Center Administration Server images with a Kaspersky Hybrid Cloud Security
license are available in the AWS and Azure marketplaces. They are convenient for customers who only
want to pay for actually used virtual machine resources per hour. Kaspersky Security Center images with
a built-in pay-per-use (PPU) license key have a limitation on the number of managed endpoints and are
supplied in discrete variations: for 25/50/100/200 virtual machines.


Bring your own license (BYOL) images are also available in the marketplaces so you can use a pre-
purchased Kaspersky Hybrid Cloud Security activation key or code.

However, remember that you only save on a license key in this case; the Kaspersky Security Center
virtual machine will consume public cloud resources and will be billed accordingly.

Kaspersky Security Center Cloud Console does not consume the customer’s cloud resources.


1.4 Kaspersky Hybrid Cloud Security use cases

For customers with a distributed hybrid infrastructure, we recommend using the Kaspersky Hybrid Cloud
Security solution with the cloud administration console. This allows you to manage the security of the
entire organization in a single window. Traditionally, customers use dedicated Kaspersky Security Center
Administration Servers for each private location and cloud, which can be inconvenient as it requires
configuring each server instance separately.

You should also allocate a dedicated Windows or Linux server instance to act as a distribution point (the
point of communication with Kaspersky Security Center Cloud Console). This allows you to configure
direct network access to Kaspersky Security Center Cloud Console only for the distribution point rather
than for all managed devices. Required ports for connecting a distribution point to *ksc.kaspersky.com:
— TCP/23100-23199
— TCP/27200-27299
— TCP/443
— TCP/80

Kaspersky Security Center Cloud Console supports all major providers and is accessible from any
geographic location.


If you don't use public clouds, but use virtualization and have in-house development, Kaspersky Security
Center Cloud Console with a Kaspersky Hybrid Cloud Security license key lets you avoid installing a
separate resource-consuming instance of Kaspersky Security Center Administration Server. This will also
lighten the task load of system administrators, since Kaspersky Security Center Cloud Console is
maintained and updated by Kaspersky experts.

If you only need to protect resources in one cloud, you can use a ready-made Kaspersky Security Center
image from the Amazon Web Services or Microsoft Azure marketplace. This image was prepared by
Kaspersky specialists and contains all the scripts and templates required for deployment. A server
deployed from a template with a PPU license key is limited by the number of managed devices and comes
in discrete variations: for 25/50/100/200 virtual machines.


A BYOL Kaspersky Security Center Administration Server template lets you use a pre-purchased
Kaspersky Hybrid Cloud Security license key. In this case, the number of protected devices is limited only
by the license key and resources allocated to the Kaspersky Security Center Administration Server virtual
machine in the cloud.

The Microsoft SQL Server Express DBMS is installed on such a Kaspersky Security Center Administration
Server; however, if you plan to protect more than 5000 client devices, use a database service from the
corresponding cloud:
— In Amazon Web Services, this is the Relational Database Service for SQL Server.
— In Microsoft Azure, create a Storage Account and use the Azure SQL service.
— In Google Cloud Platform, you should only use the Cloud SQL for MySQL service.

Native Amazon API integration allows you to deploy Network Agent to new virtual machine instances
using a task in Kaspersky Security Center Administration Console.

You can use a Kaspersky Security Center Administration Server deployed in one of the clouds to protect
resources in different locations. For example, a Kaspersky Security Center Server deployed in the
Amazon Web Services cloud can also protect Microsoft Azure or Google Cloud Platform resources. To do
so:
— Deploy a dedicated server in the other cloud and assign the Distribution Point role to it.
— Ensure network accessibility from the Distribution Point to Kaspersky Security Center
Administration Server via ports TCP/13000, TCP/14000, TCP/80 and TCP/443.
— Ensure network accessibility from Kaspersky Security Center Administration Server to the
Distribution Point via port UDP/15000.
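The two port lists in this section (distribution point to Kaspersky Security Center Cloud Console in 1.4 above, and distribution point to and from an Administration Server in another cloud just listed) are the kind of requirement that gets mistyped in a security group. The following Python snippet is an added example, not a Kaspersky tool: it encodes both lists as required flows, checks a security-group-style egress ruleset against them, and separately flags rules that are far broader than the requirement. The host names `distribution-point` and `ksc-admin-server` and the sample ruleset are constructed for the demonstration.

```python
"""Verify that egress rules for a distribution point cover the ports the course
lists, and flag 'allow everything' rules. Added example; not a Kaspersky tool."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Flow:                     # a required connection: src -> dst
    src: str
    dst: str
    proto: str
    port_from: int
    port_to: int


@dataclass(frozen=True)
class Rule:                     # one egress rule attached to a host's security group
    proto: str
    port_from: int
    port_to: int
    dst: str                    # host name or CIDR; ANY means unrestricted


# Ports from the course: distribution point -> *.ksc.kaspersky.com
REQUIRED_CLOUD_CONSOLE = [
    Flow("distribution-point", "*.ksc.kaspersky.com", "tcp", 23100, 23199),
    Flow("distribution-point", "*.ksc.kaspersky.com", "tcp", 27200, 27299),
    Flow("distribution-point", "*.ksc.kaspersky.com", "tcp", 443, 443),
    Flow("distribution-point", "*.ksc.kaspersky.com", "tcp", 80, 80),
]
# Ports from the course: distribution point <-> Administration Server in another cloud
REQUIRED_ADMIN_SERVER = [
    Flow("distribution-point", "ksc-admin-server", "tcp", 13000, 13000),
    Flow("distribution-point", "ksc-admin-server", "tcp", 14000, 14000),
    Flow("distribution-point", "ksc-admin-server", "tcp", 80, 80),
    Flow("distribution-point", "ksc-admin-server", "tcp", 443, 443),
    Flow("ksc-admin-server", "distribution-point", "udp", 15000, 15000),
]

# Constructed ruleset, keyed by source host. It forgets the 27200-27299 range, and
# the Administration Server carries a catch-all rule that should never be needed.
SAMPLE_EGRESS: Dict[str, List[Rule]] = {
    "distribution-point": [
        Rule("tcp", 23100, 23199, "*.ksc.kaspersky.com"),
        Rule("tcp", 443, 443, ANY),
        Rule("tcp", 80, 80, ANY),
        Rule("tcp", 13000, 14000, "ksc-admin-server"),
    ],
    "ksc-admin-server": [
        Rule("udp", 15000, 15000, "distribution-point"),
        Rule("tcp", 0, 65535, ANY),
    ],
}


def rule_covers(rule: Rule, flow: Flow) -> bool:
    """A rule satisfies a flow if protocol, full port range and destination match."""
    return (rule.proto == flow.proto
            and rule.port_from <= flow.port_from
            and flow.port_to <= rule.port_to
            and rule.dst in (ANY, flow.dst))


def missing_flows(required: List[Flow], egress: Dict[str, List[Rule]]) -> List[Flow]:
    """Required flows that no egress rule on the source host allows."""
    return [f for f in required
            if not any(rule_covers(r, f) for r in egress.get(f.src, []))]


def overly_broad(egress: Dict[str, List[Rule]]) -> List[Tuple[str, Rule]]:
    """Rules that allow every port to every destination: a review finding."""
    return [(host, r) for host, rules in egress.items() for r in rules
            if r.dst == ANY and r.port_from == 0 and r.port_to == 65535]


if __name__ == "__main__":
    for f in missing_flows(REQUIRED_CLOUD_CONSOLE + REQUIRED_ADMIN_SERVER, SAMPLE_EGRESS):
        print(f"MISSING: {f.src} -> {f.dst} {f.proto}/{f.port_from}-{f.port_to}")
    for host, r in overly_broad(SAMPLE_EGRESS):
        print(f"TOO BROAD on {host}: {r}")
```

On the sample the only gap reported is TCP/27200-27299 from the distribution point, and the catch-all rule on the Administration Server is flagged; a real check would read the rules from the cloud API instead of a literal, but the comparison logic is the same.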


The scenario for protecting an on-premises infrastructure using Kaspersky Security Center Administration
Server deployed in Amazon Web Services is no different from other cloud protection scenarios.
Requirements and capabilities remain the same.

You can use a Kaspersky Security Center Administration Server already deployed in your on-premises
infrastructure to protect cloud resources. In this case, it is necessary to ensure network connectivity
between Kaspersky Security Center Administration Server and Network Agents.


You can build a hierarchical structure of Kaspersky Security Center Administration Servers with a
dedicated administration server instance in each location. This will allow you to combine licensing models
and use PPU licensing for the public cloud and a previously purchased per-CPU license key for the on-
premises infrastructure. However, this leads to the fragmentation of the event database and partial
fragmentation of the administration console.


1.5 Introduction to Amazon Web Services: architecture, terms, main services

Amazon Web Services is one of the largest providers of IaaS and PaaS cloud services. Amazon Web
Services uses the concept of Regions. A region is a physical location of a datacenter group. Datacenters
that are connected logically are called an Availability Zone. Each Amazon Web Services Region consists
of multiple Availability Zones, which are isolated logically and physically.

All availability zones in a region are connected into a high-performance network with dedicated fiber optic
channels and additional redundancy. All traffic between availability zones is encrypted.


A Virtual Private Cloud (VPC) is a logically isolated section of your cloud infrastructure. It's like a
traditional subnet, but populated with virtual machines. Although it's possible to use several private
subnets within a single VPC, most often only one is used. Network connections within a VPC are controlled
by network access control lists (Network ACLs). Network ACLs are bound to an entire subnet and are fairly
similar to the traditional network rules of your on-premises infrastructure. However, you can also create
security groups with more granular network interaction rules and bind them to the desired virtual
machines.

A security group is a virtual firewall designed to protect EC2 instances. A Network ACL acts as a firewall
for a VPC subnet.

Route tables are used to direct traffic between subnets within a VPC. A main route table is created by
default and covers all the subnets of a given VPC that are not associated with other tables. You can
create new route tables as required, thus limiting and controlling network traffic between the subnets.

A subnet can only be associated with one route table at a time, but you can associate multiple subnets
with the same route table.

An internet gateway is used for external access. An internet gateway is a horizontally scalable VPC
component that enables communication between your VPC and the internet. An internet gateway allows
resources on your subnets (such as EC2 virtual machines) to access the internet. Similarly, internet
resources can initiate connections to a resource on your subnet if the resource has a public IP address. A
subnet connected to the internet gateway is called a public subnet.

Your resources on subnets with public access get two IP addresses: one private, one public. The public IP
address assigned to your resources in the VPC is not static and changes during the lifecycle of the
resource (for example, when the virtual machine is rebooted). If you want to publish publicly accessible
services, such as a web server, then for proper operation you need to assign a static public address to it
using the Elastic IP service.

Virtual machines in Amazon Web Services are provided by the Elastic Compute Cloud (EC2) service.
Amazon EC2 allows users to rent a wide selection of virtual machine configurations optimized to fit
different use cases. The offered configurations comprise varying combinations of CPU, memory, storage
and networking capacity. This gives you the flexibility to choose the right one for your needs. Each
configuration type includes one or more subtypes, enabling you to scale resources to meet your
application requirements.

All the configuration types are organized into several groups according to their purpose:
— Universal
— Optimized for computing
— Optimized for applications requiring fast RAM
— Accelerated computing using hardware accelerators
— Optimized for applications requiring fast access to the data storage system

When creating a virtual machine, be sure to specify the VPC in which the virtual machine will be
launched. The virtual machine must have an IP address in one of the subnets within the parent VPC. To
keep the same public IP address over time, assign an Elastic IP address to the EC2 instance:
— An Elastic IP address is static; it does not change over time.
— An Elastic IP address is for use in a specific Region only and cannot be moved to a different
Region.
— You can allocate an Elastic IP address from Amazon's pool of public IPv4 addresses or from a
custom IP address pool that you have brought to your Amazon Web Services account.
— To use an Elastic IP address, you first allocate one to your account and then associate it with
your EC2 virtual machine or a network interface.

Amazon Web Services uses the Simple Storage Service (S3 for short) to store data. The Amazon S3 service
stores data as objects within buckets. An object is a file together with any metadata that describes the
file. A bucket is a container for objects.

To store your data in Amazon S3, you first create a bucket, name it, and select the Amazon Web
Services Region where the storage will be located. Then you upload your data to that bucket as objects in
Amazon S3. Each object receives a key (or key name), which becomes its unique identifier within the
bucket.

Buckets and the objects in them are private and can be accessed only by users to whom you explicitly
grant access permissions. You can use S3 policies, Identity and Access Management (IAM) policies and
access control lists (ACLs) to manage access.

AWS Identity and Access Management (IAM) is a web service that helps you control access to Amazon
Web Services resources.

The user who creates an Amazon Web Services account (subscription) receives the root status and full
access to all AWS services and resources. We strongly recommend that you don't use an account with
root permissions for routine tasks.

IAM lets you create policies with a set of permissions to perform certain actions, which in fact become
permissions to perform certain API requests. Policies can be grouped into roles and roles are attached to
an object, for example, a user or a service object (such as an EC2 virtual machine instance).

AWS Simple Systems Manager (SSM) is actually not one tool but a collection of capabilities that helps you
manage your applications and infrastructure running in the Amazon Web Services Cloud. Simple
Systems Manager includes the EC2 Run Command feature, which enables you to send commands to
virtual machines. Kaspersky Security Center Administration Server uses EC2 Run Command to install
Network Agents. The current release of Kaspersky Security Center Cloud Console cannot use SSM to
install agents itself; in that case, we recommend that you use Run Command yourself to install Network
Agents on Linux and Windows systems.

Before using the Run Command tool, install the SSM agent on the virtual machines and register them
with the relevant service. Registered virtual machines are referred to as ‘managed instances’. An instance
must have the AWS Identity and Access Management role with the necessary permissions for the SSM
agent to function.

It's important to note that the ready-made virtual machine images, which Amazon Web Services supports
by default, already have the SSM agent installed.

AWS CloudFormation is a service for creating groups of connected resources in Amazon Web Services.
With CloudFormation, you can also update and manage resources in a structured and predictable way.
CloudFormation uses four concepts:
— A template is a declarative JSON or YAML file that describes the expected state of all the
resources needed to deploy your application.
— A stack represents a group of resources specified in your template and allows you to manage
the state and dependencies of those resources.
— A change set is a preview of the changes that stack operations will make to create, update or
delete resources.
— A stack set is a group of stacks that you manage together.

The Kaspersky Security Center Administration Server images from the Amazon Web Services
Marketplace provide you with the templates to create all the necessary roles and security groups.

2. Working with public clouds in Kaspersky Security Center Cloud Console

2.1 Scenarios and requirements

Kaspersky Security Center Cloud Console provides you with a ready-made and running Kaspersky
Security Center Administration Server in the Kaspersky cloud. This makes initial deployment and
configuration easier. If you use Kaspersky Security Center Cloud Console to protect public clouds, you
only need to prepare standalone packages with Network Agent and install them on the virtual machine
instances that you want to protect. It is recommended to assign one of the virtual machines as a
Distribution Point to simplify interaction with the cloud infrastructure and reduce the amount of billed traffic
consumed.

If you prefer to use Kaspersky Security Center Administration Server as a virtual machine in the Amazon
Web Services cloud, you can deploy it using a template in the AWS Marketplace. We recommend that
you don't leave all the network ports open by default in the VPC; instead, create separate network
security groups and only allow the network flows required for the operation of Kaspersky Security Center
Administration Server. If you deploy Kaspersky Security Center Administration Server in the Amazon Web
Services cloud manually from scratch rather than from the marketplace, assign it the relevant IAM role.
This will enable Kaspersky Security Center Administration Server to install Network Agents using the
SSM Run Command tool.
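As an added example of the check behind this recommendation (not Kaspersky's or AWS's own code): a small Python audit that reads security groups in the shape returned by the EC2 DescribeSecurityGroups API and reports every ingress rule that is open to the whole internet, distinguishing "all traffic" rules from wide port ranges and single ports. The sample groups and group IDs are constructed, and which ports are intentionally public (here tcp/443) is an assumption the administrator supplies from the product's port requirements.

```python
"""Audit EC2 security-group ingress rules for exposure to the whole internet.

Input is the structure returned by the EC2 DescribeSecurityGroups API (the
`SecurityGroups` list), so the output of `aws ec2 describe-security-groups`
can be fed in unchanged. The groups below are constructed for this example.
"""
import ipaddress


def public_sources(perm: dict) -> list[str]:
    """Return the CIDRs in one IpPermissions entry that admit any address."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    # A prefix length of 0 (0.0.0.0/0 or ::/0) means "everyone".
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def audit_security_group(group: dict, allowed_public=frozenset()) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one security group.

    allowed_public holds (protocol, port) pairs that are deliberately reachable
    from the internet; any other rule open to the internet is reported.
    """
    gid = group["GroupId"]
    findings = []
    for perm in group.get("IpPermissions", []):
        sources = ", ".join(public_sources(perm))
        if not sources:
            continue  # limited to specific CIDRs: not an internet exposure
        proto = perm["IpProtocol"]
        if proto == "-1":
            findings.append(("critical", f"{gid}: all protocols and ports open to {sources}"))
        elif proto not in ("tcp", "udp"):
            findings.append(("info", f"{gid}: protocol {proto} open to {sources}"))
        else:
            lo, hi = perm["FromPort"], perm["ToPort"]
            if lo != hi:
                findings.append(("high", f"{gid}: {proto} ports {lo}-{hi} open to {sources}"))
            elif (proto, lo) not in allowed_public:
                findings.append(("high", f"{gid}: {proto}/{lo} open to {sources} and not on the allow list"))
    return findings


def audit_all(groups, allowed_public=frozenset()) -> list[tuple[str, str]]:
    """Audit every group and concatenate the findings in input order."""
    return [f for g in groups for f in audit_security_group(g, allowed_public)]


# Constructed sample: group 1 is the "everything open" default the text warns
# against; group 2 is a dedicated group with one intentional public port and
# one leftover wide range. Group IDs are placeholders.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0example0open",
        "GroupName": "default-open",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
    {
        "GroupId": "sg-0example0ksc",
        "GroupName": "ksc-admin-server",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
            {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]

if __name__ == "__main__":
    # Assumption for the demo: tcp/443 is the one port meant to be public.
    for severity, message in audit_all(SAMPLE_GROUPS, allowed_public={("tcp", 443)}):
        print(f"[{severity}] {message}")
```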

We recommend that you complete the initial setup wizard to connect the cloud and create task and policy
templates. This will make subsequent configuration easier and let you quickly set up task and policy
settings to protect your cloud infrastructure.

We recommend Cloud Console as the easiest and most advanced way to secure your cloud or hybrid
infrastructure.

If you use Kaspersky Security Center Cloud Console, prepare standalone packages for Network Agents
in advance and upload them to public storage, for example, an S3 bucket. You can install Network Agents
on new virtual machine instances using a script in User Data, the metadata that a virtual machine receives
at its first start. For existing virtual machines, use the Run Command tool. It will install the application
using the link to its distribution package in the S3 bucket.

If you are using a Kaspersky Security Center Administration Server deployed in the Amazon Web
Services cloud, you can take advantage of direct integration with the AWS API. A Kaspersky Security
Center Administration Server needs the permission to run SSM Run Command to deploy Network Agents
on virtual machines.

After installing the Network Agents, create installation tasks for the appropriate Windows and Linux
security applications (KSWS, KES and KESL).

You can install Network Agents using any automation tool that is convenient for you and adopted by your
company, for example, Ansible, Chef or Salt. If none of these are available, we can recommend Amazon
Web Services tools: User Data and SSM Run Command.

2.2 How to prepare Kaspersky Security Center Cloud Console

First, create a corporate account in the ksc.kaspersky.com portal. You will need to confirm your email
address. You can use any email address, but we recommend using corporate email. This will make it
easier for tech support to verify your license key ownership and restore access if you lose it.

After confirming your email address, accept the Cloud Console Use and Data Processing agreements.
You will also need to provide the company name and, optionally, add a description. During the company
registration process, you will need to create a workspace—this is the logical unit of management. Name
your workspace, specify your country and indicate the approximate number of devices that you plan to
protect.

If you do not plan to use trial access to Cloud Console, enter your Kaspersky Hybrid Cloud Security
activation code and click Verify. The system will check the data you’ve entered, deploy the workspace
and send an email when it's ready.

Follow the link in the email and select your workspace. The Configuration Wizard will start automatically
and prompt you to download the necessary distributions: Kaspersky Security for Windows Server,
Kaspersky Endpoint Security for Linux and Network Agents.

2.3 How to prepare public clouds and connect them to Kaspersky Security Center Cloud Console

Amazon Web Services

Kaspersky Security Center Cloud Console uses the AWS API to query Amazon Web Services about VPC
resources and hosted virtual machines. To do so, Kaspersky Security Center Cloud Console uses an
AWS IAM account with the relevant permissions. We recommend that you create a dedicated service
account exclusively for the needs of Kaspersky Security Center Cloud Console.

To create a service account, on the AWS IAM menu, click Add User and create a user with the account
type ‘Access key - Programmatic access.’ Such an account will not be able to use a login-password pair
for authorization and will always have to authenticate with an access key ID and a secret access key.
When you create the secret access key, make sure to save it. You will not be able to see it later; you
can only create a new one.

You must attach the ReadOnlyAccess policy, or a role containing this policy, to the account.
ReadOnlyAccess is required and sufficient for Kaspersky Security Center Cloud Console to poll cloud
resources via the API.

To connect your cloud-based infrastructure to Cloud Console, run the Cloud Environment Configuration
Wizard. Kaspersky Security Center Cloud Console needs several parameters to connect to an Amazon
Web Services cloud:
— Access Key ID: the identification number of the service user key that you created
— Secret Access Key: the secret key that corresponds to the Access Key ID
— Connection name and type of the connected cloud

We recommend that you don’t enable automatic synchronization between the Amazon Web Services
administration group hierarchy and the Kaspersky Security Center Cloud Console group hierarchy if you
already have resources protected by Kaspersky Security Center Cloud Console. Create synchronization
rules manually; they will be applied as soon as Network Agents are installed and devices become
managed.

As you proceed through the Cloud Environment Configuration Wizard, Kaspersky Security Center Cloud
Console creates a basic set of policies and tasks. When they are ready, you will be able to fine-tune them
to fit your needs.

Microsoft Azure

Connecting to the Microsoft Azure cloud is also done using the Cloud Environment Configuration Wizard.
Specify that you are connecting to the Microsoft Azure cloud and enter the necessary parameters:
— Azure Application ID. An application acts as a service account in Azure Active Directory
— Your Azure Subscription ID
— Azure Application password—the service account password
— Azure storage account name
— Azure storage account key—the secret key of the storage account

To register a new application (create a service account), go to Azure Active Directory and run the
registration wizard. Enter the application name; as for the other settings, you can leave default values.
Write down the generated Application ID.

If you have trouble registering a new application, check your user account settings for relevant
permissions.

By default, the new application does not have a secret authorization key. This must be created. To do so,
open Certificates and secrets in the application settings and click Add a client secret. Write down (or
copy into a text file and save) the created secret, as you will not be able to read it later.

Kaspersky Security Center Cloud Console uses the application created in Azure to poll cloud resources
and install Network Agents using API. The application must be assigned roles with the corresponding
permissions:
— The Reader role is required for polling cloud resources
— Virtual Machine Contributor is an optional role. Assign it to the application if you want to install
Network Agents using Kaspersky Security Center Cloud Console

To grant the necessary permissions to the application, go to Azure Access Control and click Add role
assignment for each role.

Kaspersky Security Center Cloud Console uses a Storage Account to temporarily store Network Agent
installation packages. To create an Azure storage account, go to the Storage accounts menu and click
Create. Enter a name. For the other settings, you can leave default values. Be sure to write down (save
into a text file) the access key, as it will be impossible to see it later.

After you enter all the necessary data, Kaspersky Security Center Cloud Console will connect to the
Microsoft Azure cloud and start collecting inventory information about your cloud resources. If you have
previously completed the Cloud Environment Configuration Wizard, the available policies and tasks will
be reused and will not be overwritten with the default ones. As with Amazon Web Services, we
recommend that you don’t enable automatic synchronization between the inventory and Kaspersky
Security Center Cloud Console administration groups.

Google Cloud Platform

Connecting to the Google Cloud Platform is the same as connecting to Amazon Web Services and
Microsoft Azure. Select Google Cloud from the list of available clouds and enter the required parameters:
— Client email address: an email address connected to the Google Cloud Platform. It can be either
an email address of a real user or a virtual address of a Google Cloud Platform service account
— Project ID: the project identification number
— Private key: a private authorization key

A project acts as an organizational unit in Google Cloud Platform. Note that a subscription may have
multiple projects and you will need to create a connection to each of them. In each project, you must
enable the API functionality (it is disabled by default):
— Kaspersky Security Center Cloud Console uses Identity and Access Management API for
authorization in the Google cloud
— Kaspersky Security Center Cloud Console uses Cloud Resource Manager API to collect
inventory information

We recommend that you don't use employees’ accounts to connect Kaspersky Security Center Cloud
Console to Google Cloud. Use the IAM & Admin console to create a dedicated service account. Click
Create Service Account, enter the account name and grant it Viewer permissions for the project.

To authorize Kaspersky Security Center Cloud Console, you will need a private key. Go to service
account settings and click Create new key. Select the JSON key format and click Create. A JSON file
will be downloaded automatically with a list of all the attributes required for connection.

Pay attention to the private key string. It is very important to copy all the characters between the quotation
marks, including the line breaks, into the Kaspersky Security Center Cloud Console connection wizard.
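An added example, not part of the course or of Google's tooling, of reading the downloaded JSON key file and pulling out exactly the three values the connection wizard asks for, with a check that the private key still has its line breaks and a helper that restores them when the key was copied in its JSON-escaped form. The key file below is constructed with a placeholder key body, and the function names are the example's own.

```python
"""Extract the Cloud Console connection values from a Google Cloud service-account key file.

The three values the connection wizard asks for (client email address, project
ID, private key) all live in the JSON key that "Create new key" downloads. The
check below catches the mistake the text warns about: a private key whose line
breaks were lost when it was copied.
"""
import json

REQUIRED_FIELDS = ("client_email", "project_id", "private_key")
PEM_HEADER = "-----BEGIN PRIVATE KEY-----"
PEM_FOOTER = "-----END PRIVATE KEY-----"


class KeyFileError(ValueError):
    """Raised when the key file cannot be used for the connection."""


def private_key_is_wellformed(pem: str) -> bool:
    """True if the key is a multi-line PEM block with its line breaks intact."""
    lines = pem.strip().splitlines()
    return len(lines) >= 3 and lines[0] == PEM_HEADER and lines[-1] == PEM_FOOTER


def restore_line_breaks(pasted: str) -> str:
    """Turn a key copied in JSON-escaped form (literal backslash-n pairs) into PEM lines."""
    return pasted.replace("\\n", "\n")


def load_connection_values(raw_json: str) -> dict:
    """Parse a downloaded key file and return only the fields the wizard needs."""
    data = json.loads(raw_json)
    if data.get("type") != "service_account":
        raise KeyFileError("not a service-account key file")
    missing = [f for f in REQUIRED_FIELDS if not data.get(f)]
    if missing:
        raise KeyFileError(f"key file lacks required fields: {', '.join(missing)}")
    if not private_key_is_wellformed(data["private_key"]):
        raise KeyFileError("private_key is not a multi-line PEM block")
    return {field: data[field] for field in REQUIRED_FIELDS}


# Constructed sample in the layout of a downloaded key file (some fields omitted).
# The key body is a placeholder, not real key material.
SAMPLE_KEY_FILE = """{
  "type": "service_account",
  "project_id": "example-project-123456",
  "private_key_id": "PLACEHOLDER_KEY_ID",
  "private_key": "-----BEGIN PRIVATE KEY-----\\nPLACEHOLDER_LINE_1\\nPLACEHOLDER_LINE_2\\n-----END PRIVATE KEY-----\\n",
  "client_email": "ksc-cloud-console@example-project-123456.iam.gserviceaccount.com",
  "token_uri": "https://oauth2.googleapis.com/token"
}"""

if __name__ == "__main__":
    values = load_connection_values(SAMPLE_KEY_FILE)
    print("Client email address:", values["client_email"])
    print("Project ID:", values["project_id"])
    print("Private key lines:", len(values["private_key"].strip().splitlines()))
```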

After you specify all the necessary data, Kaspersky Security Center Cloud Console will connect to the
Google cloud and collect inventory information about your cloud resources. If you have previously
completed the Cloud Environment Configuration Wizard, the available policies and tasks will be reused
and will not be overwritten with the default ones. As with Amazon Web Services and Microsoft Azure, we
recommend that you don't enable automatic synchronization between the inventory and Kaspersky
Security Center Cloud Console administration groups.

2.4 Optimizing settings

The Cloud Environment Configuration Wizard creates several basic tasks with the default configuration.
Pay attention to the Find vulnerabilities and required updates task: it will help you protect Windows
virtual machines. Remember that your cloud resources are also part of your infrastructure and have
access to the internet by default (unless configured otherwise). They must not be neglected; critical
updates must be installed to patch known OS and software vulnerabilities as soon as possible.

The quick scan task for Windows scans all objects on virtual machine disks, except for email archives. In
most cases, this is sufficient, but if you plan to use virtual machines in the cloud as user workstations, it is
better to enable scanning of email archives and email files.

If for some reason you need to exclude certain areas from the scan task for specific virtual machines, do
the following:
1. Create a dedicated administration group
2. Move target virtual machines into the created group
3. Clone the scan task
4. Configure the necessary exclusions
5. Assign the modified task to the created administration group

Select a schedule suitable for your company in the task settings. We recommend configuring it to scan
the virtual machines once a week during off-peak time, but you can select any other schedule.

A Distribution Point acts as a caching server and the database and protection component update task is
configured to use it by default. In practice, there can be periods when the Distribution Point is not
accessible for some reason. In order to keep the update process running, enable the installation of
updates from Kaspersky servers if the Distribution Point is inaccessible.

If the virtual machines are not fully utilizing the RAM, you can enable load optimization on the virtual
machine disk. This can somewhat reduce the I/O cost in the cloud, especially for high-performance SSD
drives.

The quick scan task for Linux runs every hour by default, which can be excessive for static VMs in the
cloud. We recommend changing the task schedule to run weekly, but you should also consider your
infrastructure and your tasks when choosing a schedule.

The task scans the entire file system, excluding email archives. If you plan to use Linux virtual machines
as user workstations, we recommend that you enable email archive scanning.

The database update task of Kaspersky Endpoint Security for Linux runs every hour by default and uses
Kaspersky servers as the source. Depending on the size of your cloud infrastructure, you can switch
update source to Distribution Points to minimize external traffic costs.

We recommend that you enable automatic installation of application updates.

In addition to tasks, the Cloud Environment Configuration Wizard creates three policies, one for each
product.

The default policy for Windows servers is pre-configured for cloud environments and Exploit Prevention is
enabled by default. We recommend that you select to remove objects that must not be trusted according
to information available in Kaspersky Security Network. Configure exclusions taking into account the
workload profile of your virtual machines running Windows Server. If necessary, create additional
administration groups for different workload profiles and copy the policy into each group, changing the
exclusions as required.

Network Threat Protection is enabled by default and you need to add exclusions for critical and trusted IP
addresses. Also, we recommend that you enable protection against file encrypting ransomware.
Configuration errors often make cloud-based resources vulnerable to external connections, and data
should be protected against ransomware.

In the security policy settings for Linux, most settings are locked and cannot be configured locally on
target virtual machines. We recommend that you enable archive scanning and container scanning. Also,
enable and configure System Integrity Monitoring (SIM), as virtual machines are usually quite static and
legitimate changes in critical system areas occur only during the update. When properly configured, SIM
will help you track changes to the file system and allow you to detect potentially dangerous file
modifications.

2.5 How to deploy Kaspersky Security Center from Amazon Web Services Marketplace

If you don't want to use Kaspersky Security Center Cloud Console for some reason, you can deploy
Kaspersky Security Center Administration Server as a virtual machine in Amazon Web Services. Ready-
made Kaspersky Security Center Administration Server templates are available in the Amazon Web
Services Marketplace. They simplify initial deployment of Kaspersky Security Center Administration
Server and allow you to use an activation key or code that you purchased earlier or the PPU model
through the built-in Amazon Web Services billing.

To deploy Kaspersky Security Center Administration Server, search the Amazon Web Services
Marketplace for its image:
— To use an existing activation key or code, select the image marked BYOL
— To pay using Amazon Web Services billing, select the image that doesn’t have BYOL in the
description

Note that a Kaspersky Security Center Administration Server deployed in the cloud consumes cloud
resources anyway and will be billed accordingly.

You can use the Pay per Use Kaspersky Hybrid Cloud Security image in trial mode for up to 30 days.
However, the cloud resources consumed by the virtual machine will still be charged by the provider. After
the 30-day trial period, hourly billing mode is activated. The cost depends on:
— The number of protected devices
— Size of the virtual machine where Kaspersky Security Center Administration Server is running

To continue deployment, click Continue to Configuration and select:
— Kaspersky Security Center version
— The server deployment Region

Ready-made images have limitations on the maximum number of protected devices. We recommend that
you use Kaspersky Security Center Cloud Console if possible.

As part of the deployment, you will be prompted to specify:
— Name for the virtual machine running Kaspersky Security Center
— One of the supported instance types and volumes
— An existing key pair (or create a new one). This will allow you to decrypt the automatically
generated admin password after the deployment
— Select to create the recommended network security rules

After entering the data and selecting the attributes, click Launch instance to start creating the virtual
machine.

To cancel your Kaspersky Security Center subscription, go to Amazon Web Services Marketplace and
click the button Manage. Then select Actions and click Cancel subscription.

You will have to manually delete the virtual machine, security rules and other entities that may have
appeared as part of the virtual machine lifecycle.

3. Deploying protection in public clouds

3.1 Deploying protection in Amazon Web Services

Deploying protection in the Amazon Web Services Cloud using Cloud Console is simple and requires
minimal actions by the administrator. In Kaspersky Security Center Cloud Console:
— Activate your account and workspace
— Complete the Cloud Environment Configuration Wizard and connect the Amazon Web Services
cloud
— Fine-tune the protection settings and task schedule as desired
— Wait for the synchronization to complete and resources to be displayed in Unmanaged Instances

On the protected instances:
— Install Network Agents
— Ensure network accessibility of Kaspersky Security Center Cloud Console
— Create and run the tasks to install protection components

Cloud resources discovered by Kaspersky Security Center Cloud Console are organized hierarchically:
— Amazon Web Services Region
— VPC in which the virtual machines are located
— Availability Zone (if the VPC covers multiple Availability Zones)
— The subnet to which the virtual machine is connected

When Kaspersky Security Center Cloud Console discovers a virtual machine, it assigns a short hostname
to it: ip-<device's IP address on the subnet>. After the Network Agent is installed, the virtual machine
name changes to its Windows computer name or Linux hostname.

Information about the device location in the virtual infrastructure is available in its properties. This allows
you to accurately identify a virtual machine even if you rename it or move it to another administration
group in Kaspersky Security Center Cloud Console.

To deploy protection on virtual machines, first prepare the Network Agent installation packages. Select
the required installation packages, click Deploy and select Using a stand-alone package. Download the
package to the administrator's workstation.

You can install Network Agents on cloud-based virtual machines using any convenient method.
Companies often have centralized management tools for software installation. If you don't have such
tools or don't use them to manage cloud resources, you can use ready-made Amazon Web Services
tools:
— AWS Simple System Manager for existing virtual machines
— AWS EC2 User Data for new deployments

For convenience, we recommend that you save the installation packages in an S3 Bucket that your cloud
resources can access. Create a new S3 Bucket and upload the Network Agent installation packages to it.

Before you can install Network Agents using AWS SSM, fulfill the following requirements. First, SSM
agent must be installed on your virtual machines. Ready-made Amazon images (built and maintained by
Amazon Web Services) have the SSM agent installed by default.

If you are using a custom image, install the SSM agent yourself. The Amazon Web Services
documentation describes this process in detail, but it usually requires only two commands: to install and
register the agent.

For AWS SSM to be able to send commands to the agent, the virtual machines must have the relevant
AWS IAM role. You can create a new role or add the policy to an existing role. The policy you need is
called AmazonSSMManagedInstanceCore.

A virtual machine can have only one role.

You can use Run Command, a capability of AWS Systems Manager, to install the Network Agent. This
tool enables you to run various commands on virtual machines managed by AWS SSM. You can use
several commands to install Network Agent. We will use AWS-RunRemoteScript as an example.

In the command parameters, you are prompted to specify the source type (in our case, S3) and the
command to run:
— For the source info, specify {"path":"<link to your Network Agent distribution>"}
— In the Command Line field, specify the file name

As a result of running the command, Network Agent will be downloaded and installed, and Kaspersky
Security Center Cloud Console will register the respective virtual machine.
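The same Run Command step driven from the AWS CLI, as an added example that is not from the course or from Kaspersky. The part worth seeing is the shape of the parameters: every parameter of an SSM document is a list of strings, and sourceInfo is itself a JSON document nested inside one of those strings, so its quotes have to be escaped. The bucket URL, the tag used to select instances and the package file name are placeholders; if the S3 object is not public, the instance role also needs read access to it, since the SSM agent downloads with the instance credentials.

```shell
#!/bin/sh
# Added example (not from the course): dispatch the Network Agent installer to EC2 instances
# with AWS Systems Manager Run Command. Bucket, tag and file names are placeholders.

# Build the --parameters value for the AWS-RunRemoteScript document.
# sourceInfo is a JSON document nested inside a JSON string, so its quotes are escaped;
# every parameter is a list of strings, which is the shape send-command expects.
#   $1 = HTTPS link to the installer in S3, $2 = file name to run on the instance (Linux .sh package)
ssm_remote_script_params() {
  printf '{"sourceType":["S3"],"sourceInfo":["{\\"path\\":\\"%s\\"}"],"commandLine":["bash %s"]}' "$1" "$2"
}

# Send the command to every instance carrying a given tag and print the command ID.
#   $1 = tag key, $2 = tag value, $3 = installer URL, $4 = installer file name
ssm_install_klnagent() {
  aws ssm send-command \
    --document-name AWS-RunRemoteScript \
    --targets "Key=tag:$1,Values=$2" \
    --parameters "$(ssm_remote_script_params "$3" "$4")" \
    --comment "Kaspersky Network Agent install" \
    --query 'Command.CommandId' --output text
}

# Per-instance status of a command (Success, Failed, TimedOut ...), one line per instance.
# A Failed line is the cue to read the SSM agent logs on that instance.
ssm_command_status() {
  aws ssm list-command-invocations --command-id "$1" --details \
    --query 'CommandInvocations[].[InstanceId,Status]' --output text
}

# Example wiring (placeholder bucket and tag; run explicitly, nothing runs when the file is sourced):
#   cmd_id=$(ssm_install_klnagent Role webserver \
#            https://kl-installers-example.s3.eu-west-1.amazonaws.com/klnagent64.sh klnagent64.sh)
#   ssm_command_status "$cmd_id"
```

Selecting targets by tag rather than by instance ID keeps the command usable for instances created later with the same tag.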

If issues arise during the installation, consult the SSM agent logs on the target virtual machine. On a
Windows EC2 instance, you can find logs in:
— C:\Windows\Temp\psinstlog_<date>_<time>.txt
— %PROGRAMDATA%\Amazon\SSM\Logs\amazon-ssm-agent.log
— %PROGRAMDATA%\Amazon\SSM\Logs\errors.log

On a Linux EC2 instance, you can find logs in:
— /var/tmp/akinstall-cloud~<datetime>.log
— /var/log/amazon/ssm/amazon-ssm-agent.log
— /var/log/amazon/ssm/errors.log

User Data in Amazon Web Services is a set of commands and data that you can transfer to a virtual
machine during startup. This is an easy way to set the required configuration for a new virtual machine,
and you can use it to install Network Agents. Just add two commands:
— Download the Network Agent distribution from the S3 Bucket
— Install this distribution

You can set or change user data in the virtual machine settings.

It's important to remember that, by default, user data is only processed during the initial launch of the
virtual machine. If you want to use this functionality later, follow the steps described in the Amazon Web
Services documentation for Linux systems.

With user data, you can run PowerShell scripts on Windows virtual machines. In this case, scripts are
identified by special tags that open and close the script body. As in the case of bash commands, you can
install Network Agent using two commands: download and install the distribution.

To enable reprocessing of user data on Windows virtual machines, carry out the following command:
C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\InitializeInstance.ps1 -Schedule

If the installation fails, you can find the process details in the logs:
— For Windows: %ProgramData%\Amazon\EC2-Windows\Launch\Log\UserdataExecution.log
— For Linux: /var/log/cloud-init-output.log

These logs display the data and the commands passed via user data, as well as execution details. If the
command to install the Network Agent fails, you will need to consult the Agent logs too.

3.2 Deploying protection in Microsoft Azure

You can automate the deployment of protection in the Microsoft Azure cloud by using Azure API
integration. In Kaspersky Security Center Cloud Console:
1. Activate your account and workspace
2. Complete the Cloud Environment Configuration Wizard and connect the Microsoft Azure cloud
3. Fine-tune the protection settings and task schedule as desired
4. Wait for the synchronization to complete and resources to be displayed in Unmanaged Instances

On the protected instances:
5. Create a task to install Network Agents using Azure API
6. If you can't use Azure API for some reason, install the agents using Azure Run Command
7. Ensure network accessibility of Kaspersky Security Center Cloud Console
8. Create and run the tasks to install protection components

Cloud resources discovered by Kaspersky Security Center Cloud Console are organized hierarchically:
— Microsoft Azure region
— Resource group the virtual machine belongs to

When Kaspersky Security Center Cloud Console discovers a virtual machine, it appears under the Azure
Virtual Machine short name in the Kaspersky console. After the Network Agent is installed, the virtual
machine name changes to its Windows computer name or Linux hostname.

Information about the device location in the virtual infrastructure is available in its properties. This allows
you to accurately identify a virtual machine if you move it to another administration group in Kaspersky
Security Center Cloud Console.

Kaspersky Security Center Cloud Console supports Azure API not only for collecting inventory
information, but also for installing Network Agents on virtual machines in Microsoft Azure cloud. To do so,
assign the Virtual Machine Contributor role to the service account.

To install Network Agent using Azure API:
1. Specify the relevant task type for installing Network Agents
2. Select the target virtual machines
3. Specify credentials of the service account
4. Run the task

When you start the task, Kaspersky Security Center Cloud Console will automatically connect to Microsoft
Azure cloud using Azure API, upload the installation packages to a temporary Azure Blob Storage and
start the installation on the selected virtual machines. You can monitor the installation status and details
in the task properties.

If you can't assign the Virtual Machine Contributor role to the service account, you can install Network
Agents using any other convenient method. We can recommend using the Azure Run Command tool.

First, prepare Network Agent installation packages for Linux and Windows. Upload the packages into a
storage that the virtual machines can access. We recommend Azure Blob Storage.

To do so, go to Azure Storage Accounts and select the account that you created earlier to connect
Microsoft Azure cloud to Kaspersky Security Center Cloud Console. An account can have one or more
containers (a kind of a root folder) into which you can upload distribution packages.

Click Upload, select an existing container or create a new one and specify the distribution packages to
upload. After uploading, copy direct links to the Linux and Windows distributions and save them in a text
file.

Azure Run Command is a tool for running scripts on virtual machines in Microsoft Azure cloud. This utility
is started via the virtual machine properties and is not suitable for running scripts on several virtual
machines at the same time.

In the script, you need to specify two commands:
— The command to download the distribution using the Azure Blob Storage link
— The command to install the downloaded distribution

After installing the Network Agents, create and run tasks to install protection applications on the target
virtual machines.

3.3 Deploying protection on Google Cloud Platform

Deploying protection on Google Cloud Platform using Cloud Console is similar to deployment in Amazon
Web Services and Microsoft Azure. In Kaspersky Security Center Cloud Console:
1. Activate your account and workspace
2. Complete the Cloud Environment Configuration Wizard and connect the GCP cloud
3. Fine-tune the protection settings and task schedule as desired
4. Wait for the synchronization to complete and resources to be displayed in Unmanaged Instances

On the protected instances:
5. Install Network Agents
6. Ensure network accessibility from Network Agents to Kaspersky Security Center Cloud Console
7. Create and run the tasks to install protection components

Cloud resources discovered by Kaspersky Security Center Cloud Console are organized hierarchically:
— Resource group the virtual machine belongs to
— Google Cloud Platform Region

When Kaspersky Security Center Cloud Console discovers a virtual machine, it appears under the GCP
Virtual Machine short name in the Kaspersky console. After the Network Agent is installed, the virtual
machine name changes to its Windows computer name or Linux hostname.

The device location in the virtual infrastructure is shown in its properties along with other useful
information. This allows you to accurately identify a virtual machine if you move it to another
administration group in Kaspersky Security Center Cloud Console.

First, prepare Network Agent installation packages for Linux and Windows. You can install Network
Agents using any convenient method, for example, using the Google Cloud Platform tools: Cloud Shell
and Startup Metadata. Upload the agent packages to a storage that the virtual machines can access. We
recommend Google Cloud Storage.

Go to Google Cloud Storage. Create a new bucket or use an existing one, click Upload Files and select
the distributions. Once uploaded, copy and save the links to them.

Google Cloud Shell is a console that you can use to work with Google Cloud Platform CLI on the Google
Cloud portal via a browser. Click the console icon to open it and enter the following commands:
— gcloud compute ssh followed by the virtual machine name
— The curl or wget command with a link to the Network Agent distribution
— Make the file executable
— Run the script

The script will unpack the distribution and install the Network Agent.

A Startup Script, as the name implies, is run when the virtual machine starts. Such a file can be assigned
to one or all virtual machines in a Google Cloud Platform project. Scripts specified in virtual machine-level
metadata take priority over scripts specified in project-level metadata.

Note that the scripts only run when the virtual machine has a network connection.
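The on-instance half of the three procedures in this chapter (EC2 user data in 3.1, the Azure Run Command script in 3.2, and the Cloud Shell commands and startup script here) is the same two steps: download the package and run it. The script below is an added example, not Kaspersky's installer and not from the course; it wraps those two steps with what a practitioner wants around them: a checksum check before anything downloaded is executed, retries for the window at boot when the network is not up yet, and a log file to read next to cloud-init-output.log or the Run Command output. KLNAGENT_URL, KLNAGENT_SHA256 and the log path are placeholders to fill in.

```shell
#!/bin/sh
# Added example (not Kaspersky's installer). One script for the three cases in this chapter:
# paste it as EC2 user data, pass it to Azure Run Command, or attach it as a GCP startup script.
# KLNAGENT_URL and KLNAGENT_SHA256 are placeholders: the link to the Linux stand-alone package in
# your S3 bucket / Blob container / Cloud Storage bucket, and the SHA-256 recorded when you uploaded it.
KLNAGENT_URL="${KLNAGENT_URL:-}"
KLNAGENT_SHA256="${KLNAGENT_SHA256:-}"
KLNAGENT_LOG="${KLNAGENT_LOG:-/var/log/klnagent-install.log}"

log() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*"; }

sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# 0 only when the file matches the expected hash; an empty expected hash is a failure, not a skip
verify_sha256() {
  [ -n "$2" ] && [ "$(sha256_of "$1")" = "$2" ]
}

# Retries cover the window at boot when the instance network is not ready yet
download_package() { curl -fsSL --retry 5 --retry-delay 10 -o "$2" "$1"; }

install_klnagent() {
  url="$1"; expected="$2"
  pkg=$(mktemp /tmp/klnagent.XXXXXX) || return 1
  log "downloading $url"
  download_package "$url" "$pkg" || { log "download failed"; rm -f "$pkg"; return 1; }
  if ! verify_sha256 "$pkg" "$expected"; then
    log "checksum mismatch: refusing to run the downloaded file"; rm -f "$pkg"; return 1
  fi
  chmod 0700 "$pkg"
  log "running the Network Agent package"
  "$pkg" || { log "installer exited with status $?"; rm -f "$pkg"; return 1; }
  rm -f "$pkg"
  log "Network Agent installed; the instance should register in Cloud Console shortly"
}

# Runs only when the placeholders are filled in, so the functions above can also be sourced
if [ -n "$KLNAGENT_URL" ]; then
  install_klnagent "$KLNAGENT_URL" "$KLNAGENT_SHA256" >>"$KLNAGENT_LOG" 2>&1
fi
```

For a new EC2 instance, paste the filled-in script into the User data field; for an existing Azure VM, `az vm run-command invoke -g <resource-group> -n <vm> --command-id RunShellScript --scripts @install-klnagent.sh`; for GCP, `gcloud compute instances add-metadata <vm> --metadata-from-file startup-script=install-klnagent.sh`. Where the instance has a cloud identity, replacing the curl line with `aws s3 cp`, `az storage blob download` or `gsutil cp` lets the package stay private instead of being served from a public link. For Windows instances the same two steps go inside the `<powershell>` tags described above.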

4. DevSecOps

4.1 Introduction to container technologies and CI/CD

Multiple containers can run on the same machine and share the operating system kernel with other
containers, each running as isolated processes. Containers require a container runtime, which is similar
to a virtualization tool, while containers themselves are like lightweight virtual machines. Containers
logically isolate applications—or modules of the same application—from each other.

One container corresponds to one running process. Turning off an individual container for debugging or
updating does not affect the operation of the entire application.

A container is like a folder that contains everything an application needs to run, including operating
system libraries and other dependencies. Each container is created from an image.

A container image is a read-only template. This template may, for example, contain the CentOS operating
system with the Apache web server and an application on top of it. Images are used to create containers.
The container runtime allows you to create new images and update existing ones.

The most important feature of containers is their relatively short lifecycle. You can stop, restart or delete
any container as required. In this case, the data in the container will also be lost unless you use a volume
mounted from the host OS file system.

Containers make the entire process—from application development to its deployment—much easier and
faster. A developer can compile code, pack it in a container and run it, for example, on a laptop for tests.
The application image can then be uploaded to on-premises or cloud infrastructure for deployment.
There are several competing container runtimes, but thanks to the Open Container Initiative, container
images are interoperable between them.

In Docker, container images are created using a Dockerfile (a text file). It contains instructions for creating
a container image. Every command starts on a new line in this file.

Read-only layers are laid over the base image sequentially. Any change to the image creates a new
layer.
— Each new command is a new layer
— Each new layer is the current version of the image
— The final image is a consolidation of all the layers into one

Each layer of the image is saved. If you use layer tags during the build, you can quickly roll back any
changes if necessary. This solution makes containers more lightweight and reduces the image build time.

A container is a copy of an image, but with another writable layer on top. Information is written to the
container, and when you delete it, the top layer and its data are lost. You can avoid this by mounting a
folder from the host operating system into the container as a volume.

You can't get a Dockerfile directly from a container after the build is ready, but you can view the contents
of the image layers.

Developers prefer to download ready-made images from the internet rather than create them from
scratch. This is convenient because a huge number of ready-made container images for a variety of tasks
are already available. For example, more than 100,000 different images are publicly available on Docker
Hub. However, without proper control, this approach makes the company vulnerable to various attacks
and can compromise the corporate network:
— Most publicly available container images have critical vulnerabilities. These can be vulnerabilities
in either host OS or applications running inside the container.
— Absence of known vulnerabilities does not guarantee security. New vulnerabilities appear daily
and running containers that have passed all checks are not protected from zero-day attacks.

Attackers can gain access to running containers and then, for example, upload and run malicious code.

Also, a container image scanned for malicious code with the ‘clean’ result does not guarantee the
absence of backdoors. For example, a container may contain a command to be triggered by a specific
event (temporal or conditional). Such a command might access an external resource to download a script
and run malicious code. Also, attackers can obfuscate these commands or hide them in the parent image
to make them difficult to detect.
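A pre-build check for the Dockerfile risks described in this section and the layer section above, as an added example that is not from the course. The course's point is that a clean scan result does not rule out a command that fetches and runs code later, or a parent image you do not control; the check below reads a Dockerfile, joins backslash-continued lines, and flags the cheap-to-spot versions of both: a parent image not pinned by digest (its content can change under the same tag), a RUN/CMD/ENTRYPOINT that pipes a download into a shell, ADD from a URL, and the absence of a USER instruction. It is a heuristic to run before the build, not a replacement for scanning the built image.

```shell
#!/bin/sh
# Added example (not from the course): a pre-build check for the Dockerfile risks described above.
# Flags: parent image not pinned by digest, a download piped into a shell in RUN/CMD/ENTRYPOINT,
# ADD from a URL, and no USER instruction. Heuristic only; obfuscated commands will not match.
dockerfile_lint() {   # $1 = path to a Dockerfile; prints one finding per line; 0 = no findings
  # sed joins lines that end in a backslash so a continued RUN is inspected as one instruction
  sed -e ':a' -e '/\\$/N; s/\\\n/ /; ta' "$1" | awk '
    /^[[:space:]]*#/ || NF == 0 { next }
    { ins = toupper($1) }
    ins == "FROM" && $2 !~ /@sha256:[0-9a-f]+$/ {
      print "unpinned parent image: " $0; n++ }
    (ins == "RUN" || ins == "CMD" || ins == "ENTRYPOINT") &&
      $0 ~ /(curl|wget)[^|]*\|[[:space:]]*(sh|bash)/ {
      print "download piped into a shell: " $0; n++ }
    ins == "ADD" && $2 ~ /^https?:\/\// { print "ADD fetches remote content: " $0; n++ }
    ins == "USER" { sawuser = 1 }
    END { if (!sawuser) { print "no USER instruction: processes run as root"; n++ }; exit (n > 0) }
  '
}

# Gate usage as a pipeline step: sh dockerfile-lint.sh Dockerfile || exit 1
if [ -n "${1:-}" ]; then dockerfile_lint "$1"; fi
```

Because the function's exit status is non-zero on any finding, it drops into a pipeline as a gate in the same way as the malware scan: a finding stops the build.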

Attackers rarely target containers themselves. But a container can be the entry point for a targeted attack
on the enterprise network.

Ideally, you shouldn't mount a guest operating system volume to a container, but this is often necessary
for the application to function properly. Containers are subject to access control and, by default, they run
in an environment isolated from the host OS. However, sometimes a container requires privileged access
to its host environment resources to function properly. This enables it to connect to the file system of the
host OS with root permissions.

An attacker who gains access to such a container can then gain access to the entire host, collect data
and develop an attack.

In addition to in-house development, a company might use partner solutions based on containers.
Attackers actively exploit software supply chains to attack organizations because this can be faster and
easier than directly hacking the target organization security system. Whether you are a developer or
consumer, it's important to make sure that your software does not contain malicious code.

That's why it's so important to include security measures in the software development and launch cycles
(CI/CD, Continuous Integration / Continuous Delivery / Continuous Deployment). With the DevSecOps
approach, you can make security issues an integral part of development culture.

It's important to include security in the single workflow so that the development, operations and security
teams do not work in isolation. This also ensures that fast application delivery does not compromise your
company's information security.

With Container Security you can:
— Scan container images for malicious code
— Protect the host operating system from malicious containers

Using publicly available container images is only possible after thorough scanning. Later, you must store
such an image in a private repository on the organization network and scan it every time it is changed or
run. Ideally, trusted container images should be digitally signed using specialized tools (such as Notary,
an open source tool). This digital signature is verified before each launch and updated every time when
the container image is changed and scanned.

It's important to scan the container for malicious code regularly, not just once. We recommend that you
set up your development and deployment pipeline (CI/CD Pipeline) with this requirement in mind and
scan each container whenever it is built, stored and started.

Any deviation from the norm must stop the pipeline.

You must also periodically scan a container while it is running, as attackers can load malicious code
during the lifecycle of an already built and running container.

4.2 Protection for running containers

You can use Kaspersky Endpoint Security for Linux with a Kaspersky Hybrid Cloud Security license to
scan running containers for malicious code and protect the host operating system from attackers. This
functionality is disabled by default. To configure it:
— Enable the monitoring of namespaces and containers in the Kaspersky Endpoint Security for
Linux security policy
— Put a lock (Enforce) on the container workload protection setting
— Make sure the paths in the settings correspond to your environment

Kaspersky Endpoint Security for Linux scans running containers according to the security policy settings.
Sometimes, a container image does not contain malicious code at first, but loads it during its lifecycle.
Such malicious code will be removed:
— When the file with malicious code is accessed for the first time
— During a scheduled file system scanning
The security policy determines whether the container stops if the removal of malicious code fails.

Do not turn off archive scanning in the container security policy. Attackers often use this approach to
bypass antivirus protection deployed on the host.

4.3 Integrating Kaspersky Endpoint Security for Linux into CI/CD pipeline with Jenkins

The CI/CD pipeline is built using automation tools. These tools enable developers to control the entire
process of building and testing software, often with the help of a large number of scripts.

Jenkins is one of the most popular tools for automating the CI/CD pipeline. It supports Webhook
integration with GitHub and integration with Kaspersky Endpoint Security for Linux.

Jenkins supports a distributed architecture with an active primary and a number of secondary nodes.
Jenkins runs jobs on secondary nodes depending on the task settings, the labels applied to the nodes
and the capabilities of each of the secondary nodes.

To actively protect the CI/CD pipeline, install Kaspersky Endpoint Security for Linux on each of the
Jenkins nodes. In addition to protecting the nodes on the fly, scan container images for malicious code
before starting and running the pipeline.

Edit the default Kaspersky Endpoint Security for Linux security policy and grant permissions to run local
tasks. Jenkins starts container image scan tasks configured in Kaspersky Endpoint Security for Linux
using kesl-control.

Disable Web Threat Protection (or add exceptions) when installing and configuring Jenkins. Otherwise,
the Jenkins modules will fail to install. Don't forget to enable the protection after the installation.

Jenkins works with jobs (projects). You can set all the necessary data, variables and scripts in the job
(project) parameters.

When Kaspersky Endpoint Security for Linux is integrated with Jenkins, Jenkins starts a container from
an image, saves its ID and sends a command to Kaspersky Endpoint Security for Linux to scan the
container with that ID. To start the task, it's enough to specify the container image to be scanned.

You can view the task results (when it is running and after it completes) in the details of the task instance.
If the container does not contain malicious code, the task completes successfully and the console output
reads 'No threats found.'

If the task finds malicious code, it returns an error, and the container will be stopped and removed from
the host. Note that if you configure the security policy to automatically protect container workloads, the
container with malicious code will be stopped without waiting for an external command from Jenkins.

You can enable or disable automatic protection of containerized workloads on pipeline hosts. In some
cases, it's not advisable because it can break the pipeline logic without increasing the security of the
enterprise network.

Jenkins can integrate with source code management systems such as GitHub. In this case, changes to
the Dockerfile stored in the repository trigger a webhook and start a job. The job builds a container image
from the new version of the Dockerfile, runs it and scans for malicious code using Kaspersky Endpoint
Security for Linux.
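The build-scan-gate step that the Jenkins flow above and the pipeline rule in 4.1 ("any deviation from the norm must stop the pipeline") both describe, as an added example; it is not the course's or Kaspersky's own Jenkins integration. The job builds the image, starts a container, hands the container ID to Kaspersky Endpoint Security for Linux, and lets the image leave the node only when the output is the 'No threats found.' line quoted above, and then only signed. KESL_SCAN_CMD is an assumption: substitute the kesl-control container-scan invocation documented for your KESL version; the rest uses only docker commands.

```shell
#!/bin/sh
# Added example (not the course's or Kaspersky's own integration script). Build, run and scan
# one image on a Jenkins node where KESL is installed, and stop the pipeline on anything but a
# clean verdict. KESL_SCAN_CMD is an assumption: substitute the kesl-control container-scan
# invocation documented for your KESL version; it is called with the container ID as last argument.
KESL_SCAN_CMD="${KESL_SCAN_CMD:-kesl-control --scan-container}"

# Classify the scanner's console output. "No threats found." is the clean output quoted in the
# course text; anything else (a detection, or no output because the scan itself failed) blocks.
#   $1 = captured output; prints clean|detect|error and returns 0 only for clean
scan_verdict() {
  case "$1" in
    *"No threats found"*) echo clean; return 0 ;;
    *[Dd]etect*|*[Mm]alware*|*[Ii]nfected*) echo detect; return 1 ;;
    *) echo error; return 1 ;;
  esac
}

# Build the image, start a container from it, scan that container by ID, and gate on the result.
#   $1 = image:tag, $2 = build context (default .)
build_scan_gate() {
  image="$1"; ctx="${2:-.}"
  docker build -t "$image" "$ctx" || return 1
  cid=$(docker run -d "$image") || return 1          # Jenkins keeps this ID and hands it to KESL
  rc=0; out=$($KESL_SCAN_CMD "$cid" 2>&1) || rc=$?
  verdict=$(scan_verdict "$out") || true
  if [ "$rc" -ne 0 ] || [ "$verdict" != clean ]; then
    # a container that failed the check is stopped and removed from the node, as KESL does itself
    docker rm -f "$cid" >/dev/null 2>&1
    printf 'scan verdict: %s (scanner exit %s); pipeline stopped\n' "$verdict" "$rc" >&2
    return 1
  fi
  docker rm -f "$cid" >/dev/null 2>&1
  # Only a clean image leaves the node, and only signed: DOCKER_CONTENT_TRUST=1 makes docker push
  # sign the tag through Notary, so later stages can verify it before running it.
  DOCKER_CONTENT_TRUST=1 docker push "$image"
}
```

In a Jenkins job, `build_scan_gate "$REGISTRY/$IMAGE:$BUILD_NUMBER" . || exit 1` is the whole stage; a scan error is treated the same as a detection, because a pipeline that passes when the scanner did not run is the deviation the course warns about.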

4.4 KESL container

It's not safe to store container images on developers' workstations. Images require a highly available,
centralized repository that can be backed up. It's important to control user access to images because they
may contain classified developments and confidential data. A container image registry handles these
tasks.

Registries can be public or private. Public registries are popular because you can quickly get the
necessary image from a huge catalog of public applications. Public registries do not require complex
configuration and are always available as long as the workstation has an internet connection.

On the other hand, in your private registry, you have full control over the contents. This reduces the
number of available images, but greatly improves network security at the company. We recommend that
you use private image registries hosted on premises or in the cloud if:
— Your images must not be made publicly available for privacy reasons
— You must be able to trust the container image contents

Docker maintains a public DockerHub registry, but even on DockerHub, image owners can restrict image
accessibility to external users, thus ensuring some data privacy.

To trust a container image, you must scan it for malicious code. KESL container is designed to help you
with this task. KESL container itself is also a container image that you can run as a service. This service
accepts commands in the form of POST and GET requests.

A POST request specifies the container image to download from, for example, a public registry, and scan
for malicious code. If the container image passes the check, KESL container will upload it into another
registry, for example, a private one.

KESL container image is built from configuration files using ready-made Kaspersky scripts. The container
creates an additional layer of abstraction and runs a complete runtime within itself. The Podman runtime
is used (an open source solution).

This enables you to scan downloaded container images for malicious code. The solution supports
authorization for registries with role-based access control. If you use a private registry with a self-signed
TLS certificate, you can add this certificate to the list of trusted certificates in KESL container.

The service accepts POST and GET requests on port 8085 by default, but you can change this using the
configuration files.

You can download a KESL container distribution from the official Kaspersky website. The distribution
includes a set of configuration files, Python scripts and Docker files.

Configuration files are just a template. You must edit the configuration files for the solution to operate
properly in your environment.

Note that the KESL container archive doesn't include either Kaspersky Endpoint Security for Linux or
Network Agent distributions, which are required for building the solution. Download these distributions
from the official Kaspersky website.

Build the container using the build.sh script. This script runs the docker build command with the required
arguments already specified and does not require additional configuration.

In the Dockerfile, you must specify the path to the Kaspersky Endpoint Security for Linux and Network
Agent distribution packages.

The built image is stored locally on the workstation. We recommend that you upload it to a private
repository for storage and distribution in your working environment. The image does not include the
database. It is stored on a mounted disk of the host file system. The database is downloaded at the first
start of the container and updated on subsequent restarts, so KESL container requires internet access.

The service is started by the run.sh script. The script contains basic settings in the form of environment
variables that are transferred to the service at startup:
— Path to the mounted folder
— Log verbosity level
— Port for external connections
Other settings are configured in a configuration file stored on the mounted disk.

Depending on the working environment configuration, it may be necessary to disable the Docker and
SELinux security profiles in the run.sh script for mounting the host file system. The script must contain
paths to the configuration file and, if necessary, to the key file.

The configuration file must contain a Kaspersky Hybrid Cloud Security license key in either of the following forms:
— Activation code
— Key file name

In the configuration file, you must specify the FQDN of the public and private registries if authorization is
required. The parameters must contain authorization data and public keys that the service must trust.

When launched, KESL container runs the REST API interface at http://<ip-server-address>:<port>/scans.
POST and GET requests are supported.

Requests can be in different formats, but complex requests must be in the JSON format. A basic request
contains only a link to the container to be scanned.

In response to a request, you receive an ID that you can use to query the current task status using GET.

A POST request may contain additional parameters, such as a link to a private container registry. If the
container passes the check, it will be uploaded to the trusted private registry for further operation in the
enterprise network.

KESL container supports sending webhook requests to external systems. Requests can be triggered by
certain events:
— on_detect: when malicious code is detected
— on_complete: when a scan is successfully completed, regardless of the results

Use this functionality to further automate your CI/CD pipeline.
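A pipeline-side client for the REST service described in this section, as an added example that is not part of the KESL container distribution. The course states the endpoint (/scans on port 8085 by default), the POST-then-GET pattern, the ID returned by POST, the optional private-registry parameter and the on_detect and on_complete webhook events; the JSON field names (image, target_registry, id, status), the status values and the GET path /scans/<id> are assumptions to be checked against the configuration files shipped with the distribution before use.

```shell
#!/bin/sh
# Added example of a pipeline-side client for the KESL container REST service; not part of the
# KESL container distribution. Field names, status values and the GET path are assumptions.
KESL_API="${KESL_API:-http://127.0.0.1:8085/scans}"   # port 8085 is the documented default

# POST body: the basic request names only the image; the optional second argument names the
# private registry to which a clean image is pushed (assumed field names)
kesl_scan_body() {
  if [ -n "${2:-}" ]; then printf '{"image":"%s","target_registry":"%s"}' "$1" "$2"
  else printf '{"image":"%s"}' "$1"; fi
}

# Pull one top-level string field out of a one-line JSON reply (no jq dependency)
#   $1 = JSON text, $2 = key; prints nothing when the key is absent
json_field() {
  printf '%s' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

kesl_submit() { curl -fsS -H 'Content-Type: application/json' -d "$(kesl_scan_body "$1" "${2:-}")" "$KESL_API"; }
kesl_status() { curl -fsS "$KESL_API/$1"; }

# Poll the task until it reaches a terminal state. 0 = clean, 1 = malicious code found, 2 = no verdict
kesl_wait() {
  id="$1"; tries="${2:-60}"
  while [ "$tries" -gt 0 ]; do
    reply=$(kesl_status "$id") || return 2
    case "$(json_field "$reply" status)" in
      clean) return 0 ;;
      detected) return 1 ;;
      failed|error) return 2 ;;
    esac
    sleep 5; tries=$((tries - 1))
  done
  return 2
}

# Submit an image and block until the verdict is known; usable directly as a pipeline step
kesl_scan() {
  id=$(json_field "$(kesl_submit "$1" "${2:-}")" id)
  [ -n "$id" ] || { echo "no task ID in reply" >&2; return 2; }
  kesl_wait "$id"
}

# Webhook side: map the two documented events to a pipeline action (stdout) and an exit status
kesl_handle_event() {
  case "$1" in
    on_detect)   echo fail-build; return 1 ;;    # malicious code found: stop the pipeline
    on_complete) echo fetch-result; return 0 ;;  # scan finished; the result still has to be read
    *)           echo ignore; return 0 ;;
  esac
}
```

Pushed as a step, `kesl_scan docker.io/library/<image>:<tag> <private-registry> || exit 1` fails the job on a detection and on a missing verdict alike; the webhook mapping is for the receiving side, where on_complete must not be read as "clean", because the course says it fires regardless of the result.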

KESL container logs events according to the configured verbosity level. You can find the logs on the host
in a mounted folder ($PWD..VOLUME/log/kaspersky/ by default).

The logs contain valuable information about received and transmitted commands, downloaded images,
tasks and scan results. The logs also display results of authorization in private registries, and, of course,
you can use them for debugging.
