Cloudmersive Private Cloud Storage Protection allows you to apply security policies to all of the files in your Cloud Storage systems, including Google Cloud Storage. Use these policies to block viruses, malware and other threats at the storage tier automatically, in real time, and with no code. In addition to scanning for viruses and malware, Cloudmersive can also scan for PII/PCI/PHI, NSFW Content Moderation, Spam, Phishing and Fraud.
In general, the Cloudmersive Private Cloud Storage Protection system integrates with your Google Cloud Storage bucket to get notified when new files are created/updated, and then responds to take action when needed in real time.
To provision the Cloudmersive Private Cloud Storage Protection system, talk to your Cloudmersive account representative.
Before beginning the install, you will need to decide if you want to use Cloudmersive Storage Protection running in a Managed Instance or in a Private Cloud self-managed deployment.
If you wish to use a Managed Instance, talk to your Cloudmersive representative to provision the needed instance in the data center region(s) of your choice. Once deployed, proceed to Step 1.
If you wish to use a Private Cloud self-managed install, talk to your Cloudmersive representative to provision the needed licenses into your account. Then, perform the Private Cloud installation of those services (or if it is an existing installation, perform the Update operation). Once ready, proceed to Step 1.
Storage Protection licenses also need to be added to your account; talk to your Cloudmersive representative to add these licenses.
First, we need to create a secure Cloud Connection in your Cloudmersive Account portal to your Google Cloud Storage bucket.
Navigate to your Cloudmersive Portal and click on Cloud Storage Protection. Click on Add Connection.
Under Connection Name, give your connection a meaningful name so that you can track this connection among others. Under Infrastructure, select which Cloudmersive infrastructure you would like to use; you can use a Cloudmersive Private Cloud endpoint or a Cloudmersive Managed Instance.
Under Cloud Storage Type, select Google Cloud Storage. Now fill in your GCP credentials and the Bucket Name for the bucket you wish to protect. Be sure these are accurate and that no stray characters such as spaces are introduced. This information will be stored encrypted in a Hardware Security Module. For security reasons you will not be able to view these settings later, so ensure that the information is correct at this stage.
Under Outcome Actions, select what you would like to have happen when Clean or Infected files are found. Note that you can change these settings later.
For clean files (files with no infections), you can select "No Action", which takes no action on the clean file; "Add Tag to Clean Files", which creates a tag called VirusScanResult and sets its value to Clean; "Copy File and Add Tag to Clean Files", which copies the file into the specified destination Cloud Connection and applies the Clean tag; or "Move", which moves the file into the destination Cloud Connection (copy to destination and delete from source location).
For infected files (files with threats/infections), you can select "Add Tag to Infected Files", which creates a tag called VirusScanResult and sets its value to Infected; "Delete Infected Files", which deletes the original file (recommended); "Copy File and Add Tag to Infected Files", which copies the file into the specified destination Cloud Connection and applies the Infected tag; or "Move", which moves the file into the destination Cloud Connection (copy to destination and delete from source location).
When ready, click on Create Connection.
Now, from the list of Cloud Connections click on Manage next to the one you just created.
Under API Keys click on Add API Key and select the API key you wish to use. This step is mandatory; if you do not complete it, scanning will produce unauthorized errors.
Next, you need to configure Google Cloud Storage to send notifications to Cloudmersive when new objects are created in your bucket. This is done by creating a Pub/Sub topic and a push subscription that points to the Cloudmersive Callback URL. The Manage screen will provide you with the Callback URL to use.
Open the Cloud Shell Terminal in the Google Cloud Console and run the following command, replacing the bucket name with your own:
gsutil notification create -t cloudmersive_storage_protect -f json gs://your-bucket-name
This creates a Pub/Sub topic named cloudmersive_storage_protect and configures your bucket to publish JSON-formatted notifications to it whenever objects are created or updated.
In the Google Cloud Console, navigate to Pub/Sub and click on the topic named cloudmersive_storage_protect. Click on Subscriptions, then click Create Subscription.
If the Callback URL is IP-address-based, ensure that the correct IP address is used.
Once configured, Google Cloud Storage will automatically notify Cloudmersive via Pub/Sub whenever new objects are created in your bucket, and Cloudmersive will scan and take the configured action on those files.
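The push subscription delivers each bucket notification to the callback as a JSON envelope. The following added example (not part of the original page and not Cloudmersive's code) shows how a receiver can decode that envelope and act only on OBJECT_FINALIZE events, since the gsutil command above sets no -e filter and so also publishes delete and metadata-update events; parse_push, make_push, the object name and the project/subscription names are assumptions, and the sample message is constructed.

```python
import base64
import json

SCAN_EVENTS = {"OBJECT_FINALIZE"}  # new or overwritten object content


def parse_push(body, expected_bucket):
    """Return object details if the push announces new content, else None.

    Raises ValueError for envelopes that are malformed or for another bucket.
    """
    try:
        msg = json.loads(body)["message"]
        attrs = msg["attributes"]
        event, bucket, name = attrs["eventType"], attrs["bucketId"], attrs["objectId"]
        if attrs.get("payloadFormat") != "JSON_API_V1":  # set by `-f json`
            raise ValueError("unexpected payloadFormat")
        if bucket != expected_bucket:
            raise ValueError("notification is for a different bucket")
        if event not in SCAN_EVENTS:
            return None  # e.g. OBJECT_DELETE, OBJECT_METADATA_UPDATE
        # The data field is the base64-encoded object resource.
        resource = json.loads(base64.b64decode(msg["data"], validate=True))
        if (resource["bucket"], resource["name"]) != (bucket, name):
            raise ValueError("attributes and payload disagree")
        return {"bucket": bucket, "object": name,
                "generation": resource["generation"], "size": int(resource["size"])}
    except (KeyError, TypeError) as exc:
        raise ValueError(f"malformed push envelope: {exc!r}") from exc


def make_push(event, bucket, name, size=68):
    """Build a constructed push body shaped like a Cloud Storage notification."""
    resource = {"kind": "storage#object", "bucket": bucket, "name": name,
                "generation": "1700000000000000", "size": str(size)}
    return json.dumps({
        "message": {
            "attributes": {"eventType": event, "bucketId": bucket, "objectId": name,
                           "payloadFormat": "JSON_API_V1"},
            "data": base64.b64encode(json.dumps(resource).encode()).decode(),
            "messageId": "1",
        },
        "subscription": "projects/example-project/subscriptions/example-sub",
    }).encode()


if __name__ == "__main__":
    for ev in ("OBJECT_FINALIZE", "OBJECT_METADATA_UPDATE", "OBJECT_DELETE"):
        body = make_push(ev, "your-bucket-name", "uploads/report.pdf")
        print(ev, parse_push(body, "your-bucket-name"))
```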