Scenario: Deployment for a cloud environment
Dec 4, 2023
This section describes the deployment of Kaspersky Security Center for working in cloud environments such as Amazon Web Services, Microsoft Azure, and Google Cloud.
After you finish the deployment scenario, Kaspersky Security Center Administration Server and Administration Console are started and configured with the default parameters. Anti-Virus protection managed by Kaspersky Security Center is deployed on the selected Amazon EC2 instances or Microsoft Azure virtual machines. You can then fine-tune the configuration of Kaspersky Security Center, create a complex structure of administration groups, and create various policies and tasks for groups.
The deployment of Kaspersky Security Center for working in cloud environments consists of the following parts:
- Preparation work
- Deploying Administration Server
- Installing Kaspersky anti-virus applications on virtual devices that need to be protected
- Configuring the update download settings
- Configuring the settings for managing reports about the protection status of devices
The Configure cloud environment wizard is intended for performing the initial configuration. It starts automatically the first time that Kaspersky Security Center is deployed from a ready-to-use image. You can manually start the wizard at any time. In addition, you can manually perform all of the actions that it performs.
We recommend that you plan for a minimum of one hour for deploying Kaspersky Security Center Administration Server in the cloud environment and at least one working day for protection deployment in the cloud environment.
Deployment of Kaspersky Security Center in the cloud environment proceeds in stages:
- Planning the configuration of cloud segments
Learn how Kaspersky Security Center works in a cloud environment. Plan where Administration Server will be deployed (inside or outside of the cloud environment), and determine how many cloud segments you plan to protect. If you are planning to deploy Administration Server outside of the cloud environment or if you are planning to protect more than 5000 devices, you will need to install Administration Server manually.
To work with Google Cloud, you can only install Administration Server manually.
- Planning the resources
Make sure that you have everything that is required for deployment.
- Subscribing to Kaspersky Security Center as a ready-to-use image
Select one of the ready-to-use AMIs at AWS Marketplace or select a Usage-based monthly billed SKU at Azure Marketplace, pay for it according to marketplace rules if necessary (or use the BYOL model), and then use the image to deploy an Amazon EC2 instance or Microsoft Azure virtual machine with Kaspersky Security Center installed.
This stage is necessary only if you plan to deploy Administration Server on an instance or a virtual machine within a cloud environment and you are also planning to deploy protection for no more than 5000 devices. Otherwise, this stage is not necessary; instead, you have to install Administration Server, Administration Console, and the DBMS manually.
This step is unavailable for Google Cloud.
- Determining the location of the DBMS
If you plan to use a database outside the cloud environment, make sure that you have a working database.
If you plan to use Amazon Relational Database Service (RDS), create a database with RDS in the AWS cloud environment.
If you plan to use Microsoft Azure SQL DBMS, create a database with the Azure Database service in the Microsoft Azure cloud environment.
- Installing Administration Server and Administration Console (Microsoft Management Console based and/or web-based Console) on selected devices manually
Install Administration Server, Administration Console, and the DBMS on the selected devices, as described in the main installation scenario for Kaspersky Security Center.
This stage is necessary if you plan to place Administration Server outside of a cloud environment or if you plan to deploy protection for more than 5000 devices. In that case, make sure that your Administration Server meets hardware requirements. Otherwise, this stage is not necessary and a subscription to Kaspersky Security Center as a ready-to-use image in AWS Marketplace, Azure Marketplace, or Google Cloud is sufficient.
- Ensuring that Administration Server has the permissions to work with cloud APIs
In AWS, go to the AWS Management Console and create an IAM role or an IAM user account. The created IAM role (or IAM user account) allows Kaspersky Security Center to work with the AWS API to poll cloud segments and deploy protection.
In Azure, create a subscription and an Application ID with a password. Kaspersky Security Center uses these credentials to work with the Azure API to poll cloud segments and deploy protection.
In Google Cloud, register a project, get your project ID and a private key. Kaspersky Security Center uses these credentials to poll cloud segments by using the Google API.
- Creating an IAM role for protected instances (for AWS only)
In the AWS Management Console, create an IAM role that defines the set of permissions for executing requests to AWS. This newly created role will be subsequently assigned to new instances. The IAM role is required in order to use Kaspersky Security Center to install applications on instances.
- Preparing a database by using Amazon Relational Database Service or Microsoft Azure SQL
If you plan to use Amazon Relational Database Service (RDS), create an Amazon RDS database instance and an S3 bucket on which the database backup will be stored. You can skip this stage if you want a database on the same EC2 instance where Administration Server is installed or if you want your database to be located somewhere else.
If you plan to use Google MySQL, configure your database in the Google Cloud. (Please refer to https://cloud.google.com/sql/docs/mysql for details.)
- Licensing Kaspersky Security Center for working in the cloud environment
Make sure that you have licensed Kaspersky Security Center to work in the cloud environment and provide an activation code or key file so that the application can add it to license storage. This stage can be completed during the configuration of the cloud environment.
This stage is required if you are using Kaspersky Security Center installed from a free ready-to-use AMI based on the BYOL model or if you are manually installing Kaspersky Security Center without the use of AMIs. In each of these cases, you will need a license for Kaspersky Security for Virtualization or a license for Kaspersky Hybrid Cloud Security, to activate Kaspersky Security Center.
If you are using Kaspersky Security Center installed from a ready-to-use image, this stage is not necessary and the corresponding window of the Configure cloud environment wizard is not displayed.
- Authorization in the cloud environment
Provide Kaspersky Security Center with your AWS, Azure, or Google Cloud credentials so that Kaspersky Security Center can operate with the necessary permissions. This stage can be completed during the authorization in the cloud environment.
- Polling a cloud segment so that Administration Server can receive information about devices in the cloud segment
Start cloud segment polling. In the AWS environment, Kaspersky Security Center will receive the addresses and names of all instances that can be accessed, based on the permissions of the IAM role or IAM user. In the Microsoft Azure environment, Kaspersky Security Center will receive the addresses and names of all virtual machines that can be accessed, based on the permissions of the Reader role.
You can then use Kaspersky Security Center to install Kaspersky applications and software from other vendors on the detected instances or virtual machines.
Kaspersky Security Center regularly starts a poll, which means that new instances or virtual machines are automatically detected.
- Combining all network devices into the Cloud administration group
Move the discovered instances or virtual machines into the Managed devices\Cloud administration group so that they can become available for centralized management. If you want to assign devices to subgroups, for example, depending on which operating system is installed on them, you can create several administration groups within the Managed devices\Cloud group. You can enable automatic moving of all devices that will be detected during routine polls to the Managed devices\Cloud group.
- Using Network Agent to connect networked devices to Administration Server
Install Network Agent on devices in the cloud environment. Network Agent is the Kaspersky Security Center component that provides for communication between devices and Administration Server. Network Agent settings are configured automatically by default.
You can install Network Agent on each device locally. You can also install Network Agent on devices remotely using Kaspersky Security Center. Or, you can skip this stage and install Network Agent together with the latest versions of the security applications.
- Installing the latest versions of security applications on networked devices
Select the devices on which you want to install security applications, and then install the latest versions of security applications on those devices. You can perform the installation either remotely using Kaspersky Security Center on Administration Server or locally.
You may have to create installation packages for these programs manually.
Kaspersky Endpoint Security for Linux is intended for instances and virtual machines running Linux.
Kaspersky Security for Windows Server is intended for instances and virtual machines running Windows.
- Configuring update settings
The Find vulnerabilities and required updates task is created automatically when you start configuring the cloud environment. You can also create the task manually. This task automatically finds and downloads required application updates for subsequent installation to network devices using Kaspersky Security Center tools.
It is recommended to complete the following stage after the cloud environment configuration is complete:
- Configuring report management
You can view reports on the Monitoring tab in the workspace of the Administration Server node. You can also receive reports by email. Reports on the Monitoring tab are available by default. To configure the receipt of reports by email, specify the email addresses that should receive reports, and then configure the format of reports.
Upon completion of the scenario, you can make sure that the initial configuration was successful:
- You can connect to Administration Server through Administration Console or Kaspersky Security Center Web Console.
- The latest versions of Kaspersky security applications are installed and running on managed devices.
- Kaspersky Security Center has created the default policies and tasks for all managed devices.