Cloud Storage Scanning Implementation


Drawings

Brief Description:

Figure 1 illustrates an example system 100 in accordance with one embodiment.

Detailed Description:

Referring now to Figure 1, an example system 100 includes a cloud infrastructure 102 that includes a scanning service 104 and virtual machines running on one or more virtual private clouds 114. Applications instantiated on virtual machines within the virtual private cloud 114 may access one or more cloud data stores 106 for storage of data. Administrators may configure the virtual private cloud in zones, and may architect applications to store data in and receive data from the cloud data store 106 so as to provide fault tolerance and availability.

While the cloud infrastructure 102, scanning service 104 and virtual machine instances in the virtual private cloud 114 may be described with respect to cloud-based infrastructure generally, and with respect to Amazon Web Services (AWS) and AWS S3 buckets as an example implementation, it should be understood that the architecture and concept may be used with any suitable cloud service and related storage system. For example, cloud infrastructure services available from Microsoft Azure, CenturyLink Cloud, VMware, Rackspace, Joyent, and Google may be suitable in various implementations, as may other cloud infrastructure or infrastructure-as-a-service providers, with adjustments or modifications as may be needed for a particular implementation.

Deployment of the scanning service 104 may be accomplished with a workflow that is intended to be relatively simple for an administrator to initiate and manage, and that relieves the requirement to deploy and manage an agent on application templates or instances as they are created. This may enable, for example, in some implementations, a usage-based billing model as compared to a per-seat license for each image created, which may be desirable with cloud billing models, and particularly in an auto-scaling environment. As instances are created and shut down, instantiations of the scanning service 104 may be based on the load on the scanning service 104, and may be managed, for example, by the security manager 116, rather than by the administrator of the applications running in the virtual private cloud 114.

In some implementations, installation and registration may involve setting permissions and authentication configuration, so that a cloud scanning provider handles administration of the scanning application and datasets without additional impact to customers’ workflows. This reduces complexity for the application administrator when adding data protection capability to applications.

The system 100 includes a cloud infrastructure service 102 that provides computing resources for execution of software applications, data storage, and resource management, and may provide other services as well. In an example implementation, the cloud infrastructure 102 is implemented with the AWS service, although as mentioned above other suitable cloud infrastructure services may be used. 

The cloud infrastructure service 102 may include a cloud data store 106. The cloud data store 106 may be used by applications within the cloud infrastructure 102 to store data. The cloud data store 106 may be used, for example, by a web application operating within the cloud infrastructure 102 to store files uploaded to the web application by a user. The cloud data store 106 may receive one or more files directly or indirectly from applications, such as mobile apps, operating on user device 122 or a mobile device 322B. In an AWS implementation, the cloud data store 106 may be implemented with the AWS Simple Storage Service (S3). Other cloud data services may be used instead or in addition.

The cloud infrastructure 102 may include a scanning service 104. The scanning service 104 may be implemented with one or more scanning applications running on one or more virtual machines within the cloud infrastructure 102. The scanning service 104 may receive policies from a security manager 116 and also may provide status information, events, and alerts to the security manager 116.

The security manager 116 may be implemented within the cloud infrastructure 102 or outside the cloud infrastructure 102. The security manager 116 may provide a web-based management interface for configuration of the scanning service 104 and for an administrator to manage their use of the scanning service 104 and potentially other security applications. For example, the security manager 116 may provide management for endpoint protection, firewalls, and so forth. In some implementations, one or more firewalls under management by the security manager 116 are included in the virtual private cloud 114 and may be managed by the security manager 116.

The scanning service 104 may receive data updates from a data distribution service (DDS 118). Data from the DDS 118 may include, for example, code updates and definitions of known or potential malicious files, portions of files, code, or content, or code that may be used to identify malicious files, applications, or the like. The definition files may contain one or more commands, definitions, patterns, or instructions to be parsed and acted upon, matched, or the like. Patterns may include, for example, identifying files or portions of files that fit a specific pattern, or that were identified in malicious files. Patterns also may include, for example, identifying code that has the same effect as code that is known to be malicious. The data updates may be used by the scanning service 104 when scanning files.

The scanning service 104 may exchange security-related information, such as files or portions of files and resource reputation information, with a security data lookup service 120. The security data lookup service 120 may be provided within the cloud infrastructure 102 or outside the cloud infrastructure 102. The security data lookup service 120 may be used, for example, to check patterns identified by the scanning service 104, determine reputations of resources identified or provided by the scanning service 104, and so forth. The scanning service 104 may provide files or data to the data lookup service 120 for further analysis. In some implementations, the scanning service 104 may initiate sending data to the data lookup service 120 under a variety of circumstances, for example, if the scanning service 104 is unable to determine whether a file or a portion of a file is malicious, or the relevance of code or other content, or if the reputation of a file is unknown. The data lookup service 120 may request that a file or data be provided to the data lookup service 120 for further investigation.

The scanning service 104 accesses files to be scanned directly from the cloud data store 106 that is used by the virtual machine instances, which avoids overhead and performance delay. The use of virtual machine instances for the scanning that are different from the virtual machine instances of the application facilitates management and reduces complexity. In some implementations, the scanning service provides alerts to an administrator, but does not attempt to control access to files. In some implementations, the scanning service may move files or change the name of files in order to control access. For example, to prevent access to a file, the scanning service may change the name or the location (e.g., path in a file system) of a file in order to prevent access. In some implementations, the scanning service 104 may replace a file with another file that is “clean.”

In some implementations, file permissions are used to control use of files. For example, if the scanning service 104 has been configured with an account having the appropriate permissions, the scanning service 104 may change the permission of files in the cloud data store 106 to permit or deny access to files by the applications in the virtual private cloud 114. Use of file permissions to control file access provides security for data without a need for lengthy setup or installation. This reduces the costs to deploy and provision and takes advantage of the benefits of the cloud, which is to distribute processing and avoid the need for custom infrastructure, which in turn reduces total cost of ownership for cloud applications.

In some implementations in which permissions are used, an application stores a file in the cloud data store 106 with default permissions that permit access by applications running in the virtual private cloud 114. The scanning service 104 receives notification of the storage event from the cloud data store 106, and the scanning service 104 scans the file. If access to the file needs to be restricted based on the scan, the scanning service 104 changes the permission of the file so that applications in the virtual private cloud 114 can no longer access the file.

In some implementations in which permissions are used, an application stores a file in the cloud data store 106 with default permissions that do not permit access by applications running in the virtual private cloud 114. The scanning service 104 receives notification of the storage event from the cloud data store 106, and the scanning service 104 scans the file. If access to the file needs to be restricted based on the scan, the scanning service 104 does not change the permission of the file, so that applications in the virtual private cloud 114 still cannot access the file. If access to the file does not need to be restricted based on the scan, the scanning service 104 changes the permission of the file so that applications in the virtual private cloud 114 may access the file.

The cloud infrastructure 102 may include a virtual private cloud 114 (VPC) including one or more computing resources on which virtual machine instances are implemented. For example, the virtual private cloud 114 may include one or more applications such as a software application, a web application, a virtual desktop, a server application, etc. Applications in the virtual private cloud 114 may access and store data in the cloud data store 106, depending on the permissions assigned to the files in the cloud data store 106. In some implementations, some or all of the applications may be implemented on infrastructure inside or outside of the cloud. For example, applications may be implemented in a co-location facility or in a data center not associated with a cloud infrastructure. As another example, applications may be implemented on a user device, such as a mobile app or desktop computer application. Applications implemented outside of the cloud may make use of cloud resources, such as cloud storage. Use of the scanning techniques described with respect to cloud storage may be useful even if the applications are partially or entirely implemented outside of the cloud infrastructure, for example, with the exception of the cloud storage.

User devices 122 may be in communication with the data store. The user devices 122 may have applications that directly store data in the data store 106. The user devices 122 may be in communication with one or more applications in the virtual private cloud 114, which in turn store data in the data store 106. 

An example is presented in which the cloud data store 106 includes three files: clean files 108, clean files 110 and malicious file 112. The clean files 108, clean files 110, and malicious file 112 may be any sort of data file or collection of data files (e.g., a word processing file, an image, a video, an archive collection of files, etc.). In this example, there may be a first clean file 108 and a second clean file 110. The clean files 108, clean files 110 may be clean in the sense that they do not contain content that would be identified by the scanning service 104 as requiring reporting or restriction. The cloud data store 106 also includes a third, malicious file 112, which contains content that may be identified by the scanning service 104 as requiring restriction of file access. For example, the malicious file 112 may include malware or other malicious content. As another example, the file may include content that should be protected from distribution under a policy.

In some implementations, access to the malicious file 112 by applications running on the virtual private cloud 114 may be prevented through the use of permissions associated with the malicious file 112 within the data store 106, while the clean files 108, clean files 110 may have other permissions assigned, so applications running on the virtual private cloud 114 would not be blocked. As a result, applications running on the VPC may access the clean files 108, clean files 110 but not the malicious file 112. In some implementations, the file names of the clean files 108, clean files 110 are not changed, but the file name of the malicious file 112 is changed such that applications running on the virtual private cloud 114 cannot access the malicious file 112. In some implementations, the clean files 108, clean files 110 are not moved, but the malicious file 112 is moved such that applications running on the virtual private cloud 114 cannot access the malicious file 112.
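The event-driven flow described above (storage notification, scan against DDS-style definitions, then gating access by permission change or by moving the file) as an added worked example; this is illustrative code written for this page, not the patent's own implementation. The in-memory store, the ACL labels 'vpc-read' and 'private', the definition set and the S3-style event shape are all constructed assumptions.

```python
"""Toy model of scan-then-gate: a storage event names an object, the object
is scanned against definition patterns, and access is gated according to the
permission model in use ('default_allow', 'default_deny') or by quarantine."""

# Constructed stand-in for DDS definitions: byte patterns that mark an object
# as requiring restriction (assumption; real definitions are far richer).
DEFINITIONS = {"test-marker": b"CONSTRUCTED-MALICIOUS-MARKER"}

# Assumed ACL labels: VPC_READ lets VPC applications read, PRIVATE does not.
VPC_READ, PRIVATE = "vpc-read", "private"


def scan(body: bytes, definitions=DEFINITIONS):
    """Return the name of the first matching definition, or None if clean."""
    for name, pattern in definitions.items():
        if pattern in body:
            return name
    return None


def object_key(event: dict) -> str:
    """Pull the object key out of an S3-style ObjectCreated notification."""
    return event["Records"][0]["s3"]["object"]["key"]


def make_event(key: str) -> dict:
    """Build a minimal constructed S3-style ObjectCreated notification."""
    return {"Records": [{"eventName": "ObjectCreated:Put",
                         "s3": {"bucket": {"name": "example-bucket"},
                                "object": {"key": key}}}]}


def handle_storage_event(store: dict, event: dict, mode: str) -> str:
    """Scan the notified object and gate access according to `mode`.

    store: constructed in-memory stand-in for the cloud data store,
           mapping key -> {"body": bytes, "acl": str}.
    mode:  'default_allow' (objects land readable; restrict on detection),
           'default_deny'  (objects land private; release only if clean),
           'quarantine'    (move detected objects under a quarantine prefix).
    Returns the key the object ends up under.
    """
    key = object_key(event)
    obj = store[key]
    verdict = scan(obj["body"])
    if mode == "default_allow":
        if verdict:               # detected: revoke the default read permission
            obj["acl"] = PRIVATE
    elif mode == "default_deny":
        if verdict is None:       # clean: grant VPC applications read access
            obj["acl"] = VPC_READ
    elif mode == "quarantine":
        if verdict:               # detected: move so the original path no longer resolves
            store["quarantine/" + key] = store.pop(key)
            return "quarantine/" + key
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return key
```

Note that in 'default_deny' mode a scanner outage leaves every new object unreadable (fail closed), whereas 'default_allow' leaves a window in which an unscanned object is readable until the verdict arrives.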


Parts List

100: example system
102: cloud infrastructure
104: scanning service
106: cloud data store
108: clean files
110: clean files
112: malicious file
114: virtual private cloud
116: security manager
118: DDS
120: data lookup service
122: user devices
