Cloud Account
Deep Security supports Agent-based protection of computing resources from the following Cloud Provider services:
- Amazon EC2
- VMware vCloud
- Microsoft Azure
Once you have imported the resources from the Cloud Provider account into the Deep Security Manager, the computers in the account are managed like any computer on a local network.
To import cloud resources into their Deep Security Manager, Deep Security Users must first have an account with which to access the cloud provider service resources. For each Deep Security User who will import a cloud account into the Deep Security Manager, Trend Micro recommends creating a dedicated account for that Deep Security Manager to access the cloud resources. That is, Users should have one account to access and control the virtual machines themselves, and a separate account for their Deep Security Manager to connect to those resources.
Having a dedicated account for Deep Security ensures that you can refine the rights and revoke this account at any time. It is recommended to give Deep Security an Access/Secret key with read-only rights at all times.
The Deep Security Manager only requires read-only access to import the cloud resources and manage their security.
Proxy Setting for Cloud Accounts
You can configure Deep Security Manager to use a proxy server specifically for connecting to instances being protected in Cloud Accounts. The proxy setting can be found in Administration > System Settings > Proxies > Proxy Server Use > Deep Security Manager (Cloud Accounts - HTTP Protocol Only).
Creating an Amazon Web Services account for the Manager
To create an Amazon Web Services account for access by a Deep Security Manager:
- Log in to your Amazon Web Services Console.
- Go to IAM (Identity and Access Management).
- In the left navigation pane, click on Users.
- Click Create New Users to open the Create User dialog window.
- Enter a username and select the Generate an access key for each User option.
- Record the generated User Security Credentials (Access Key and Secret Key) and close the dialog window.
- Back on the Users page, select the User and then click on the Permissions tab at the bottom of the page.
- Click on Attach User Policy at the bottom of the window to display the Manage User Permissions dialog window.
- Select the Policy Generator option.
- Click the Select button to edit the permissions you will grant to the new User.
- Select Effect: Allow.
- Select AWS Service: Amazon EC2.
- Select the following Actions:
- DescribeImages
- DescribeInstances
- DescribeTags
- Set the Amazon Resource Name to *.
- Click Add Statement.
- Click Continue to generate the permission policy.
- Click Apply Policy to apply the policy to the user account.
The Amazon Web Services account is now ready for access by a Deep Security Manager.
To import the Amazon AWS resources into the Deep Security Manager, the User will be prompted for the Region the resources are hosted in (if resources are hosted in multiple regions, the User will have to add the resources independently for each region), the Access Key Id, and the Secret Access Key.
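As an added example (not from the Deep Security documentation or from Trend Micro), the policy document that the Policy Generator steps above produce, written out as JSON, together with a small audit check a practitioner can run against any policy attached to the Manager's IAM user to confirm it still grants only the three read-only EC2 Describe actions. The function names and the over-broad sample policy in the test are constructed for illustration; the policy Version string is the standard IAM value.

```python
import json

# The three EC2 actions the procedure grants (from the page), with the ec2:
# service prefix the IAM Policy Generator adds.
REQUIRED_EC2_ACTIONS = (
    "ec2:DescribeImages",
    "ec2:DescribeInstances",
    "ec2:DescribeTags",
)


def build_manager_policy():
    """Return the IAM policy document that the Policy Generator steps produce:
    Effect Allow, service Amazon EC2, the three Describe actions, Resource *."""
    return {
        "Version": "2012-10-17",  # standard IAM policy language version
        "Statement": [
            {
                "Effect": "Allow",
                "Action": list(REQUIRED_EC2_ACTIONS),
                "Resource": "*",
            }
        ],
    }


def policy_to_json(policy):
    """Serialize the policy the way it would be pasted into the IAM console."""
    return json.dumps(policy, indent=2)


def _allowed_actions(policy):
    """Collect every action granted by an Allow statement (Action may be a
    string or a list in IAM JSON)."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        granted.update([actions] if isinstance(actions, str) else actions)
    return granted


def is_read_only_policy(policy):
    """Audit check (hypothetical helper): True only if every granted action is
    an ec2:Describe* action with no wildcard, i.e. nothing the Manager could
    use to change the account. 'ec2:*' or any non-Describe action fails."""
    for action in _allowed_actions(policy):
        service, _, name = action.partition(":")
        if service != "ec2" or not name.startswith("Describe") or "*" in name:
            return False
    return True


def missing_actions(policy):
    """Return the required actions the policy does not grant; an empty set
    means the Manager's import will have what it needs."""
    return set(REQUIRED_EC2_ACTIONS) - _allowed_actions(policy)


if __name__ == "__main__":
    policy = build_manager_policy()
    print(policy_to_json(policy))
    print("read-only:", is_read_only_policy(policy))
    print("missing:", missing_actions(policy))
```

The check deliberately rejects `ec2:*` and `ec2:Describe*` wildcards, since a wildcard can silently pick up new write-capable actions as the EC2 API grows; Deny statements are not evaluated, so a policy that relies on Deny to narrow a broad Allow is still reported as over-broad, which is the conservative reading for a key that the Manager stores.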
Importing Computers from an Amazon Web Services account
To import Amazon Web Services cloud resources:
- In the Deep Security Manager, go to the Computers section, right-click Computers in the navigation panel and select Add Cloud Account... to display the Add Cloud Account wizard.
- Select Amazon as the Cloud Provider Type.
- Select the Region the cloud resources are hosted in. (If resources are hosted in multiple regions, you will have to add the resources independently for each region.)
- Enter a Name and Description of the resources you are adding. (These are only used for display purposes in the Deep Security Manager.)
- Enter the Access Key Id and Secret Access Key provided to you by your AWS administrator. Click Next.
- Deep Security Manager will verify the connection to the cloud resources and display a summary of the import action. Click Finish.
- Upon successfully importing the Cloud Provider resources, the wizard will display the results of the action.
The Amazon AWS resources now appear in the Deep Security Manager under their own branch under Computers in the navigation panel.
If the Amazon region hosting your cloud resources does not appear in the list, you will need to add the region to the Deep Security Manager. See Managing Amazon Web Services regions for more details.
Creating a VMware vCloud Organization account for the Manager
To create a VMware vCloud Organization account for access by a Deep Security Manager:
- Log in to VMware vCloud Director.
- On the System tab, go to Manage And Monitor.
- In the left navigation pane, click Organizations.
- Double-click the Organization you wish to give the Deep Security User access to.
- On the Organizations tab, click Administration.
- In the left navigation pane, go to Members > Users.
- Click the "plus" sign to create a new User.
- Enter the new User's credentials and other information, and select Organization Administrator as the User's Role.
Organization Administrator is a simple pre-defined Role you can assign to the new user account, but the only privilege required by the account is All Rights > General > Administrator View, and you should consider creating a new vCloud role with just this permission. For more detailed information on preparing vCloud resources for Deep Security integration, see the Installation Guide.
- Click OK to close the new User's properties window.
The vCloud account is now ready for access by a Deep Security Manager.
To import the VMware vCloud resources into the Deep Security Manager, Users will be prompted for the Address of the vCloud, their User name, and their Password.
The User name must include "@orgName". For example, if the vCloud account's username is kevin and the vCloud Organization you've given the account access to is called CloudOrgOne, then the Deep Security User must enter kevin@CloudOrgOne as their username when importing the vCloud resources.
(For a vCloud administrator view, use @system.)
Importing Computers from a VMware vCloud Organization Account
To import VMware vCloud Organization resources:
- In the Deep Security Manager, go to the Computers section, right-click Computers in the navigation panel and select Add Cloud Account... to display the Add Cloud Account wizard.
- Select vCloud as the Cloud Provider Type.
- Enter a Name and Description of the resources you are adding. (These are only used for display purposes in the Deep Security Manager.)
- Enter the vCloud Address.
(The hostname of the vCloud Director host machine.)
- Enter your User name and Password.
Your User name must be in the form username@vcloudorganization.
- Click Next.
- Deep Security Manager will verify the connection to the cloud resources and display a summary of the import action. Click Finish.
The VMware vCloud resources now appear in the Deep Security Manager under their own branch on the Computers page.
Importing Computers from a VMware vCloud Air Virtual Data Center
To import a VMware vCloud Air data center:
- In the Deep Security Manager, go to the Computers section, right-click Computers in the navigation panel and select Add Cloud Account... to display the Add Cloud Account wizard.
- Select vCloud as the Cloud Provider Type.
- Enter a Name and Description of the vCloud Air virtual data center you are adding. (These are only used for display purposes in the Deep Security Manager.)
- Enter the Address of the vCloud Air virtual data center.
To determine the address of the vCloud Air virtual data center:
- Log in to your vCloud Air portal.
- On the Dashboard tab, click on the data center you want to import into Deep Security. This will display the Virtual Data Center Details information page.
- In the Related Links section of the Virtual Data Center Details page, click on vCloud Director API URL. This will display the full URL of the vCloud Director API.
- Use the hostname only (not the full URL) as the Address of the vCloud Air virtual data center that you are importing into Deep Security.
- Enter your User name and Password.
Your User name must be in the form username@virtualdatacenterid.
- Click Next.
- Deep Security Manager will verify the connection to the virtual data center and display a summary of the import action. Click Finish.
The VMware vCloud Air data center now appears in the Deep Security Manager under its own branch on the Computers page.
Enable Agent-initiated Communication for Microsoft Azure
There are three options for communication between the Deep Security Manager and Agents: Bidirectional, Manager-initiated, and Agent-initiated. If you are adding Microsoft Azure resources to Deep Security Manager, you must use Agent-initiated communication.
To enable Agent-initiated communication:
- In the Deep Security Manager console, go to Administration > System Settings > Agents > Agent-Initiated Activation.
- Ensure that Allow Agent-Initiated Activation is selected.
- Click Save.
Generate a Certificate and Key Pair for Use with Microsoft Azure
Before adding a Microsoft Azure resource to Deep Security Manager, you will need to generate a certificate and key pair. After generating the required files, you will import the certificate (.cer file) into Azure Web Services Console. You will upload the key pair (.pem file) to Deep Security Manager when you add your Microsoft Azure resources.
To create a certificate and key pair:
- In the Deep Security Manager, go to Administration > System Settings > Security.
- Under Key Pair Generation, click Generate Key Pair.
- Enter a password in the Key Pair Password and Confirm Password boxes.
- Click Create Key Pair.
- Save the .pem file locally.
- Click Export Certificate.
- Save the .cer file locally.
- Click Close.
Creating a Microsoft Azure Account for the Manager
To create a Microsoft Azure account for access by a Deep Security Manager:
- Log in to the Azure Web Services Console.
- In the left navigation pane, click Settings.
- Click your Subscription ID.
- Click Management Certificates.
- At the bottom on the page, click Upload and select the .cer file that you generated previously.
Importing Computers from a Microsoft Azure account
To import Microsoft Azure cloud resources:
- In the Deep Security Manager, go to the Computers section, right-click Computers in the navigation panel and select Add Cloud Account... to display the Add Cloud Account wizard.
- Select Azure as the Cloud Provider Type.
- Enter a Name and Description of the resources you are adding. (These are only used for display purposes in the Deep Security Manager.)
- Enter the Subscription ID and then click Browse to select the .pem file that you generated previously.
If you have not already created a .pem file, you can click Generate a new key pair and then click Create Key Pair to create a new key pair that you can upload to Deep Security Manager. Then click Export Certificate to create a self-signed certificate (.cer file) that you can import in the Azure Web Services Console.
- Click Next.
- Deep Security Manager will verify the connection to the cloud resources and display a summary of the import action. Click Finish.
The Azure resources now appear in the Deep Security Manager under their own branch on the Computers page.
Managing a Cloud Account
To implement Deep Security protection on your Cloud computers, you must install an Agent and assign a Policy to the computer like any other computer on a network. See the Installation Guide for instructions on installing Deep Security Agents on your computers. Computers running in a Cloud Provider infrastructure are managed by Deep Security no differently than any other computers using Agent-based protection.
If synchronization is enabled, the list of Cloud Provider account instances is updated every ten minutes. To enable or disable regular synchronization, open the Cloud Provider account Properties window by right-clicking on the Cloud Provider account in the navigation panel and then go to the General tab. (You can determine your own synchronization schedules by automating this procedure as a Scheduled Task in the Administration section.)
Configuring Software Updates for Cloud Accounts
Relays are modules within Deep Security Agents that are responsible for the download and distribution of Security and Software updates. Normally, the Deep Security Manager informs the Relays when new updates are available, the Relays get the updates from Deep Security Manager, and then the Agents get their updates from the Relays.
However, if your Deep Security Manager is in an enterprise environment and you are managing computers in a cloud environment, Relays in the cloud may not be able to communicate with Deep Security Manager. You can solve this problem by allowing the Relays to obtain software updates directly from the Trend Micro Download Center when they cannot connect to the Deep Security Manager. To enable this option, go to Administration > System Settings > Updates and under Software Updates, select Allow Relays to download software updates from Trend Micro Download Center when Deep Security Manager is not accessible.
Removing a Cloud Account
Removing a Cloud Provider account from Deep Security Manager permanently removes the account from the Deep Security database. Your account with your Cloud Provider is unaffected, and any Deep Security Agents that were installed on the instances will still be installed, running, and providing protection (although they will no longer receive Security Updates). If you decide to re-import computers from the Cloud Provider Account, the Deep Security Agents will download the latest Security Updates at the next scheduled opportunity.
To remove a Cloud Provider account from Deep Security Manager:
- Go to the Computers page, right-click on the Cloud Provider account in the navigation panel, and select Remove Cloud Account....
- Confirm that you want to remove the account.
- The account is removed from the Deep Security Manager.