Cloudmersive Private Cloud Storage Protection - Azure Blob Storage Configuration and Best Practices

Overview

Cloudmersive Private Cloud Storage Protection allows you to apply security policies to all of the files in your Cloud Storage systems, including Azure Blob Storage. Use these policies to block viruses, malware and other threats at the storage tier automatically, in real time, and with no code.

General Approach

In general, the Cloudmersive Private Cloud Storage Protection system integrates with your Azure Blob Storage system to get notified when new files are created/updated, and then responds to take action when needed in real time.

To provision the Cloudmersive Private Cloud Storage Protection system, talk to your Cloudmersive account representative.

Preliminary Planning

Before beginning the install, you will need to decide if you want to deploy Cloudmersive Storage Protection running in a Managed Instance or in a Private Cloud self-managed deployment.

If you wish to use a Managed Instance, talk to your Cloudmersive representative to provision the needed instance in the data center region(s) of your choice. This will be deployed and operated by Cloudmersive. Once deployed, proceed to Step 1.

If you wish to use a Private Cloud self-managed install, talk to your Cloudmersive representative to provision the needed licenses into your account. Then, perform the Private Cloud installation of those services (or if it is an existing installation, perform the Update operation). Once ready, proceed to Step 1.

Storage Protection licenses also need to be added to your account; talk to your Cloudmersive representative to add these licenses.

Step 1 - Create the Cloud Connection

First, we need to create a secure Cloud Connection in your Cloudmersive Account portal to your Azure Blob Storage container.

Navigate to your Cloudmersive Portal and click on Cloud Storage Protection. Click on Add Connection.

Under Connection Name, give your connection a meaningful name so that you can track this connection among others. Under Infrastructure, select which Cloudmersive infrastructure you would like to use; you can use a Cloudmersive Private Cloud endpoint or a Cloudmersive Managed Instance.

Under Cloud Storage Type, select Azure Blob Storage. Now fill in the Connection String and Container Name. Be sure these are accurate and that no stray characters, such as spaces, are introduced. This information will be stored encrypted in a Hardware Security Module. For security reasons, you will not be able to view or change these settings later, so ensure that the information is correct at this stage.

Under Outcome Actions, select what you would like to have happen when Clean or Infected files are found. Note that you can change these settings later.

Outcome Actions

For clean files (that is, files with no infections), you can select "No Action", which takes no action on the clean file; "Add Tag to Clean Files", which creates a tag called VirusScanResult and sets its value to Clean; "Copy File and Add Tag to Clean Files", which copies the given file into the specified destination Cloud Connection and applies the Clean tag; or Move, which moves the specified file into the destination Cloud Connection (copy to destination and delete from source location).

For infected files (that is, files with threats/infections), you can select "Add Tag to Infected Files", which creates a tag called VirusScanResult and sets its value to Infected; "Delete Infected Files", which deletes the original file (recommended); "Copy File and Add Tag to Infected Files", which copies the given file into the specified destination Cloud Connection and applies the Infected tag; or Move, which moves the specified file into the destination Cloud Connection (copy to destination and delete from source location).

When ready, click on Create Connection.

Step 2 - Connect Azure Blob Storage to Cloudmersive

Now, from the list of Cloud Connections click on Manage next to the one you just created.

Under API Keys click on Add API Key and select the API key you wish to use. This step is mandatory; if you do not complete it, scanning will produce unauthorized errors.

Finally, follow the customized on-screen instructions to set up Azure Blob Storage notifications to be sent to your Cloudmersive server. If the URL is IP-address-based, ensure that the correct IP address is used. If you are using Cloudmersive Private Cloud deployed in Azure, configure TLS encryption on your Private Cloud server, or use an Azure Front Door load balancer to perform TLS termination, so that the notifications from Azure Blob Storage to Cloudmersive Storage Protection are encrypted.

Webhook Callbacks (Optional)

You can initiate a callback from Cloudmersive Storage Protect to your web application or API by enabling the Webhook callback feature. It is strongly recommended that you use HTTPS and TLS 1.2 or higher for encryption in transit on your Webhook server implementation.

You can enable the Webhook callback by clicking on Edit Connection. Once enabled, an HTTP POST request (with a timeout of 15 seconds) will be sent to the Webhook URL that you specify, with data type application/json and the following body:

    class StorageProtectScanResult
    {
        public string Azure_ContainerName;

        public string FileName;

        public CloudStorageVirusScanResult ScanResult;
    }

The schema for CloudStorageVirusScanResult is:

    class CloudStorageVirusScanResult
    {
        public bool Successful { get; set; }

        public bool CleanResult { get; set; }

        public CloudStorageVirusFound[] FoundViruses { get; set; }

        public string ErrorDetailedDescription { get; set; }

        public long FileSize { get; set; }
    }

If you specify the optional access key parameter, a header will be added to the request with name WebhookAccessKey and the value you provide for Webhook Access Key.
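
An added example (not Cloudmersive's code) of the receiving side of this callback: it checks the WebhookAccessKey header in constant time and treats a file as clean only when Successful and CleanResult are both true. It assumes the JSON property names match the C# member names above; `handle_callback`, the key value and the sample body are constructed for illustration.

```python
import hmac
import json

# Assumption: the value entered as "Webhook Access Key" in the portal.
# Constructed placeholder; load the real value from a secret store.
EXPECTED_ACCESS_KEY = "constructed-example-key"

# Constructed sample body; assumes JSON names match the C# member names.
SAMPLE_BODY = json.dumps({
    "Azure_ContainerName": "uploads",
    "FileName": "invoice.pdf",
    "ScanResult": {"Successful": True, "CleanResult": True,
                   "FoundViruses": None, "ErrorDetailedDescription": None,
                   "FileSize": 48213},
})


def handle_callback(headers, body, expected_key=EXPECTED_ACCESS_KEY):
    """Return (http_status, verdict) for one scan-result callback."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    supplied = {k.lower(): v for k, v in headers.items()}.get(
        "webhookaccesskey", "")
    # Constant-time comparison avoids leaking the key through timing.
    if not hmac.compare_digest(supplied.encode(), expected_key.encode()):
        return 401, "rejected"
    try:
        msg = json.loads(body)
        result = msg["ScanResult"]
        if not (isinstance(msg["Azure_ContainerName"], str)
                and isinstance(msg["FileName"], str)
                and isinstance(result, dict)):
            raise TypeError("unexpected field types")
    except (ValueError, KeyError, TypeError):
        return 400, "malformed"
    # Fail closed: only Successful=true AND CleanResult=true means clean.
    if result.get("Successful") is not True:
        return 200, "scan_error"
    if result.get("CleanResult") is not True:
        return 200, "infected"
    return 200, "clean"
```

Call `handle_callback` from your web framework's POST route and release a file to downstream processing only on the "clean" verdict.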