Trend Micro SecureCloud: the test drive

Post date: Aug 9, 2014 9:20:13 AM

Introduction

Using cloud services is getting cheaper and cheaper, and more companies are looking at cloud solutions as a way to lower IT costs.

For most EU-based companies, storing data in a US-based cloud can be an issue because of the Patriot Act and other laws and, of course, because of compliance requirements. That is why companies like Trend Micro are developing solutions to encrypt virtual disks in public clouds or even in private clouds.

If you are looking for a simple solution to encrypt Windows data disks, please also read this article for a solution based on BitLocker at no extra cost.

There are multiple articles that explain how to install SecureCloud; however, there are other topics that matter just as much, such as restoring disks, cloning and automated installation, and those are what this article focuses on.

How SecureCloud works

SecureCloud applies real-time, full-disk encryption to protect disk drives using the following components:

  • Key Management Server: The key server hosted by Trend Micro or a Managed Service Provider
  • Web Console: The console where SecureCloud administrators can review and approve pending key requests, check device status and integrity, set up policies, manage devices, check reports and logs, and manage user accounts
  • SecureCloud Agent: A software application that communicates with the Key Management Server and performs device encryption

Source of this info: http://docs.trendmicro.com/all/ent/sc/v3.6/en-us/webhelp_sp1/con_sc_how_works.html

SecureCloud System Requirements

The minimum hardware specifications for the target machine, the CSP environments the SecureCloud Agent can operate in and the platforms it supports are listed in the SecureCloud Agent system requirements page (http://docs.trendmicro.com/all/ent/sc/v3.6/en-us/webhelp/con_system_req.html, also linked in the appendix).

On-premises or SaaS?

One of the first choices you have to make is where the management server runs.

The Key Management Server holds the encryption keys, so it is the most security-critical part of the SecureCloud solution.

You have two options: a SaaS solution hosted by Trend Micro, or an on-premises solution where you host the management server yourself.

I personally like the SaaS solution, but one of the reasons some companies use disk encryption is fear of agencies like the NSA, and the Trend Micro SecureCloud SaaS solution will be just as vulnerable to that as cloud providers like Amazon, Azure and many others.

The Trend Micro datacenters in which the SecureCloud SaaS solution runs are only ISO 27001 certified (http://docs.trendmicro.com/all/ent/sc/v1.2/en-us/sc_1.2_op_olh/sc_ag/sc_ag_ap_b/certifications_securecloud.htm).

In the next sections I will talk about the SaaS solution, because that is what the trial you can order here is based on.

When I have more information about the on-premises solution I will update the article.

The SecureCloud installation manual

When you sign up for a trial you also get access to a manual. I recommend you read it; here is the link to the manual: http://docs.trendmicro.com/all/ent/sc/v2.0/en-us/SC20_SaaS_AG.pdf

The web interface

The management part of SecureCloud is web based and the interface is very simple. Here are the steps (with screenshots) you have to take before encryption will work.

When you log in to the console for the first time you see a screen like this. On the left you see a few options.

For this test I created a very simple policy that always applies. In production you have many options for filtering.

For example, you can allow disks to be unlocked only when the request comes from servers in a specific Amazon region, or use one of the many other conditions.

Next we decide when we allow the unlocking of disks. In this sample we auto-approve every key request. Keep in mind that in production the approval step, together with the device status and integrity checks in the console, is the main control over which machine actually receives a key, so think twice before auto-approving everything.

Now press Save and we are done with the policies.

The last step is to copy the Account ID and the Provisioning passphrase.

You need these later when you install and configure the agents. Treat the passphrase like a credential: together with the Account ID it is all an agent needs to register itself against your account.

Manual installation of an agent

The installation can be done in two ways: manually (small setups) or unattended, which I think fits better in most environments.

Let’s start with the manual way.

Windows OS

For this demo I use a standard Windows 2008 R2 server, but I have also tested on Windows 2012 R2 and saw no issues. The server has two disks: one is the OS disk and one is a standard data disk.

Download the agent from the Trend Micro website (the download link is part of your welcome mail), unpack it and start the setup. This is your first setup screen.

Accept the license

Use the default setting (Create a local account) and press Next.

For this demo I use a Typical installation. If you choose Custom, please make sure you read the popup that is presented.

Warning if you choose custom

That is the end of the setup; press Finish and your system will restart.

After the server has restarted you will see the configuration wizard. Here you type the Account ID and passphrase that you saved from the web interface.

Now press Configure.

If all goes well you should see your server in the Secure Cloud management console.

You can now start the encryption from the wizard or from the management console.

Linux OS

The Linux installation is always command line driven, and for custom kernels there are some extra steps to take; more info can be found here:

https://esupport.trendmicro.com/solution/en-US/1060509.aspx

To install the agent on Linux, execute the .bin file you can download from Trend Micro.

The installer then starts the configuration with the command /var/lib/securecloud/scconfig.sh, which walks you through the following steps:

  1. Scroll through the license agreement and type yes at the end.
  2. Select the environment (CSP) that you are using.
  3. Type the KMS Account ID that you saved from the web interface.
  4. Type the URL of the SecureCloud management server; in this case we use the SaaS solution, so we can leave this blank.
  5. Type the provisioning passphrase that you saved from the web interface.

The configuration is now finished.

Boot disk encryption does not always work

For the previous screenshots I used a paravirtual Amazon AMI.

This default AWS image seems to have issues with boot volume encryption, as you can see in the next screenshot. See also the "Troubleshooting Amazon EC2 Boot Volume Encryption" article linked in the appendix.

Errors that you may get

During installation of the Linux agent I ran into a couple of errors, such as libcrypto.so.10 errors. Trend Micro has a support article for servers running the agent that can be found here:

The SecureCloud Agent fails to verify the SSL connection to the KMS when OpenSSL is upgraded to a version from February 11, 2013 or above.

http://esupport.trendmicro.com/solution/en-us/1102532.aspx

This fix will not help you install a new agent on a new server correctly.

The best solution is to install version 3.6 Service Pack 1:

http://downloadcenter.trendmicro.com/?regs=us&prodid=1123

Please note that during testing I noticed that installing the non-Service Pack 1 version and then upgrading to SP1 can give you install errors.

Automated installation of an agent

Yes, you can install the SecureCloud agent using the setup wizard, but I think that is not the best way to deploy the solution. Fortunately Trend Micro delivers two setup versions: one for manual installation and one silent installer.

Next to the installation you also need to create an ini file and run a few commands, which you can add to your existing scripts.

Step 1

Create an ini file with the following content.

Sample:

[Agent]
KMS_URL=https://ms.securecloud.com/
ACCOUNT_ID=<Your account ID>
CSP=Native
POLICY=Default Policy
AUTO_PROVISION=yes

For Windows: save this file in C:\Program Files (x86)\Trend Micro\SecureCloud\Agent\ with the name agentconfig.ini

For Linux: save this file in /var/lib/securecloud/ with the name agentconfig.ini

More info about this part and the vCloud configuration can be found here: http://docs.trendmicro.com/all/ent/sc/v3.6/en-US/webhelp/t_config_agent_config_file.html#task_md3_xb3_1k

Step 2

For Windows: go to C:\Program Files (x86)\Trend Micro\SecureCloud\Agent\ and type scprov conf -c agentconfig.ini -x "<your provisioning passphrase>" -q

For Linux: go to /var/lib/securecloud/ and type scprov conf -c agentconfig.ini -x "<your provisioning passphrase>" -q

Note that the passphrase is passed on the command line, so keep it out of scripts that are checked in or world-readable, and remember that it ends up in the shell history when you type it interactively.

The full list of options for the provisioning tool can be found here: http://docs.trendmicro.com/all/ent/sc/v3.6/en-US/webhelp/t_provisioning_config_tool.html#task_ac2_r43_1k
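As an added example (my own script, not Trend Micro's code and not part of the original procedure), here is how Step 1 and Step 2 can be combined into one unattended provisioning script for a Linux server. It renders agentconfig.ini from the values of the sample above and then runs the scprov command exactly as shown, but it keeps the provisioning passphrase out of the ini file and out of the script itself: it reads it from a root-only file (the default path /root/.sc_passphrase is my assumption) and shreds that file afterwards. SC_DRY_RUN=1 is also my addition; it only prints what would run, which is handy for checking the script on a machine without the agent.

```shell
#!/bin/sh
# Added example, not Trend Micro code: unattended SecureCloud agent provisioning
# for Linux, wrapping the agentconfig.ini and "scprov conf" steps from the article.
# Assumptions not taken from the page: the passphrase arrives in a root-only file
# (default /root/.sc_passphrase) and SC_DRY_RUN=1 prints instead of executing.
set -eu

SC_AGENT_DIR="${SC_AGENT_DIR:-/var/lib/securecloud}"
KMS_URL="${KMS_URL:-https://ms.securecloud.com/}"   # SaaS KMS URL from the sample ini
CSP="${CSP:-Native}"
POLICY="${POLICY:-Default Policy}"

# Print the agentconfig.ini body for one account ID, with the same keys as the
# sample in the article. The passphrase is deliberately never written here.
render_agent_config() {
  account_id="$1"
  if [ -z "$account_id" ]; then
    echo "render_agent_config: account id is empty" >&2
    return 1
  fi
  printf '[Agent]\nKMS_URL=%s\nACCOUNT_ID=%s\nCSP=%s\nPOLICY=%s\nAUTO_PROVISION=yes\n' \
    "$KMS_URL" "$account_id" "$CSP" "$POLICY"
}

# Succeed only if the passphrase file exists and has no group/other permission
# bits, so a local user cannot read the secret that registers machines to the account.
passphrase_file_is_private() {
  f="$1"
  [ -f "$f" ] || return 1
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# Write agentconfig.ini into the agent directory and run scprov from there.
provision_agent() {
  account_id="$1"
  passphrase_file="${2:-/root/.sc_passphrase}"
  if ! passphrase_file_is_private "$passphrase_file"; then
    echo "refusing to continue: $passphrase_file is missing or readable by others" >&2
    return 1
  fi
  passphrase=$(cat "$passphrase_file")
  render_agent_config "$account_id" > "$SC_AGENT_DIR/agentconfig.ini"
  chmod 600 "$SC_AGENT_DIR/agentconfig.ini"
  if [ "${SC_DRY_RUN:-0}" = 1 ]; then
    echo "would run in $SC_AGENT_DIR: scprov conf -c agentconfig.ini -x <redacted> -q"
    return 0
  fi
  # The passphrase is passed as a single argument, so a comma or space inside it
  # needs no extra quoting (the article hit an error with an unquoted passphrase).
  # It is still visible in "ps" while scprov runs, so do not leave it on disk afterwards.
  (cd "$SC_AGENT_DIR" && scprov conf -c agentconfig.ini -x "$passphrase" -q)
  shred -u "$passphrase_file" 2>/dev/null || rm -f "$passphrase_file"
}

# Example invocation from a bootstrap script (as root):
#   provision_agent 1234-5678-ABCD /root/.sc_passphrase
```

Call provision_agent from whatever already bootstraps your instances (user data, a configuration management run, a first-boot script) after the silent installer has finished, so the passphrase file only exists for the few seconds between being dropped and being shredded.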

Clone a virtual encrypted server

For most environments cloning is a normal way of working, so it is important that cloning is supported by the encryption solution you choose.

Here are the steps you need to take to clone a server with encrypted disks.

Windows

First make sure your original/master/source/template server is turned off, then start the cloned server.

Stop the SecureCloud agent service.

Navigate to the agent directory: click Start, type cmd to open a command shell, then enter cd C:\Program Files (x86)\Trend Micro\SecureCloud\Agent\

Start the configuration tool scconfig.exe.

Run the clone command. Because my passphrase contains a comma, I placed the passphrase inside double quotes; otherwise you get an error.

scconfig.exe --clone-this -x "<passphrase>"

Tip

Administrators can specify the clone name and assign a policy to the clone using the following parameters:

  • --clone-image-name <image name>
  • --policy-name <policy name>

If the name is not specified, the clone is identified by its machine name in the inventory. Similarly, if the policy is not specified, the Default Policy is automatically assigned to the clone.

As you can see, the cloning was successful.

The clone is added to the inventory

Start the SecureCloud Agent service

You can now also start the source server

Linux

First make sure your original/master/source/template server is turned off, then start the cloned server.

Stop the SecureCloud agent: /etc/init.d/scagentd stop

Navigate to the agent directory: cd /var/lib/securecloud/

Start the configuration tool: ./scconfig.sh

Run the clone command (quote the passphrase if it contains a comma or other special characters): ./scconfig.sh --clone-this -x "<passphrase>"

Tip

The same --clone-image-name and --policy-name parameters described for Windows apply here; without them the clone is identified by its machine name and gets the Default Policy.

The clone is added to the inventory

Start the SecureCloud Agent service

/etc/init.d/scagentd start

You can now also start the source server

TIP: speed versus ease of deployment

You basically have two options for cloning servers; both have their advantages and disadvantages.

Using templates with no encryption software installed:

  • Easy to deploy: just clone your servers like you do now and then install the SecureCloud encryption agent using a script or manually.
  • You can work with templates like you are used to, always use the latest SecureCloud agent version without an upgrade path, or even switch to or combine different encryption solutions depending on requirements and costs.
  • Since templates are not encrypted, you may save a bit on license costs.

Using templates with the SecureCloud encryption software installed:

  • Cloning encrypted disks takes a bit more work, but the disks are always encrypted, so you don't have to wait for the encryption of the disks to finish.
  • Your templates are also encrypted and less likely to be tampered with.

Source for cloning info: http://docs.trendmicro.com/all/ent/sc/v3.5/en-US/webhelp/t_device_clone.html

Increasing encrypted volume size

Increasing the size of an encrypted volume in SecureCloud is one of the tasks that will need to be done once in a while; a step-by-step instruction is available at http://esupport.trendmicro.com/solution/en-us/1098792.aspx

Export the encryption keys

To lower costs or for backup purposes you can export the encryption keys, so you can import them later if you need to recover encrypted disks.

To export the keys you have to create a new user and give him the Security Administrator role. That is the only role with permission to export the encryption keys.

We are now logged in with a user that has the Security Administrator role assigned. When we go to a server we have the option to export the encryption keys.

Now select the disks and press Export Keys.

You can now type a passphrase to protect the keys with. When you press Export Keys the keys will be downloaded.

Save the keys in a secure place and don't leave them in your download folder! The exported file is only as strong as the passphrase you chose, and without that passphrase the keys cannot be imported again, so store the file and the passphrase separately and both under access control.

Your keys are now exported.

You can now log in with the Administrator role, select the server and remove the keys.

There is no way to bulk export all the keys in your environment, and you can delete the keys from your management console to save license costs (disks and/or servers have to be in an offline state, else you can't remove them).

Import the encryption keys

If you have not removed the server from your inventory you are still able to recover the operating system. Press Import Key.

If you only care about the data, you could mount the encrypted disk to a server that already has the Trend Micro SecureCloud agent installed.

Select the key file you created during the export and type the passphrase you used during the key export.

Press import.

Repeat the import procedure for all other disks.

Press Save when you are finished with importing all keys.

Autostart Windows server products and roles

During the development of the free BitLocker solution, I noticed that some functions won't work or need special attention, so I decided to test some configurations that may also give issues with the Trend Micro solution.

For this I created a standard Windows 2012 server with two disks (C: as the OS and boot disk and an extra disk called E:).

All disks were standard NTFS with no special storage settings, and all software was installed with default settings; only the location of the databases differs between the tests.

I configured the SecureCloud agent to encrypt all disks, so the OS disk and the other disks, in my case the data disk called E:.

Results (Yes = the product comes up after a reboot without intervention, No = it does not):

Software product or role                | Windows role: Active Directory | SQL Server 2012
Install all software on encrypted C:    | Yes                            | Yes
Install database files on encrypted E:  | No                             | No

Comments:

Active Directory: if you move the NTDS databases to a disk other than the OS/boot disk, your server will not come online anymore (also tested in VMware Workstation to see the impact, since Amazon has no console access).

SQL Server: if you install SQL Server on a disk other than C:, SQL Server will not start automatically. You have to wait until the SecureCloud agent has unlocked the disks and then start SQL Server.

Vendor lock-in

The encryption works as expected, but I noticed one limitation: there seems to be no decryption option.

Basically, you can't remove SecureCloud from your servers without losing data; you have to do a V2V or data migration.

This is also in the readme file:

Uninstallation of the SecureCloud Agent is not possible if the boot volume is encrypted.

http://docs.trendmicro.com/all/ent/sc/v3.6/en-us/readme_runtime_3.6_sp1.txt

I was also not able to find information on how to decrypt the data disks, but the older readme files give some clues.

SecureCloud 2.0 Runtime Agent does not support an upgrade from a 1.x version of the product. Also, it cannot access volumes encrypted with SecureCloud 1.x Runtime Agent. Therefore, you need to do a manual migration of any SecureCloud 1.x data before it can be accessed using the SecureCloud 2.0 Runtime Agent.

http://docs.trendmicro.com/all/ent/sc/v2.0/en-us/readme_MgmtSrv_SP3.txt

Design considerations

When you are designing an AWS cloud environment based on EC2 servers with SecureCloud, keep the following in mind:

  1. Plan your disk layout. Do you install software like SQL Server all on one big disk, or do you use multiple disks and create a script that prevents your server product from starting until all encrypted disks are unlocked and available for use?
  2. Make absolutely sure that your servers can reach your SecureCloud management server or the SaaS solution, else you will not be able to start the servers again. This is a very important part of your high availability and disaster recovery design.
  3. Remember that if you use snapshots as a backup solution, they are also encrypted and therefore only usable if you mount the disks to the same server, or to other servers if you have the encryption keys available.
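Design point 1 and the SQL Server observation in the autostart table come down to the same gap: a service that keeps its data on a SecureCloud volume must not start until the agent has unlocked and mounted that volume. As an added example (my own script, not part of the article or of SecureCloud), here is the Linux form of such a gate, generalised from the SQL-on-E: case to any service; the service name and data path passed to start_when_unlocked are placeholders, and the same pattern applies to a Windows service with a PowerShell wrapper.

```shell
#!/bin/sh
# Added example, not from the article or Trend Micro: delay a service whose data
# lives on a SecureCloud-encrypted volume until the agent has unlocked and mounted it.
# Generalises the article's "SQL Server on encrypted E:" finding to any Linux service.
# The service name and data path passed to start_when_unlocked are placeholders.

# Return 0 when $1 is currently a mount point, 1 otherwise.
is_mounted() {
  if command -v mountpoint >/dev/null 2>&1; then
    mountpoint -q "$1"
  else
    # Portable fallback: df reports the mount point that backs the path; it is
    # only equal to the path itself when the path is a mount point.
    mp=$(df -P "$1" 2>/dev/null | awk 'NR == 2 { print $NF }')
    [ -n "$mp" ] && [ "$mp" = "$1" ]
  fi
}

# Poll until $1 is mounted or $2 seconds have passed. Returns 0 when mounted,
# 1 on timeout, so callers can distinguish "ready" from "agent never unlocked it".
wait_for_mount() {
  path="$1"
  timeout="${2:-300}"
  waited=0
  until is_mounted "$path"; do
    if [ "$waited" -ge "$timeout" ]; then
      return 1
    fi
    sleep 1
    waited=$((waited + 1))
  done
  return 0
}

# Start service $1 only once $2 is mounted. Refusing to start on an unmounted path
# keeps the service from initialising a fresh, unencrypted data set on the parent
# directory, which is worse than simply staying down until someone looks.
start_when_unlocked() {
  svc="$1"
  path="$2"
  timeout="${3:-300}"
  if wait_for_mount "$path" "$timeout"; then
    service "$svc" start
  else
    echo "$path still not mounted after ${timeout}s; not starting $svc" >&2
    return 1
  fi
}

# Example: run this from an init script or a cron @reboot entry instead of
# enabling the service directly:
#   start_when_unlocked mysql /data 600
```

The timeout should be longer than the time the agent normally needs to get its key approved and unlock the volume; if the KMS is unreachable (design point 2) the gate will fail rather than start the service, which is the behaviour you want for a database.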

Conclusion

Trend Micro SecureCloud 3.6 is a big improvement compared with the previous versions and is now also capable of encrypting the boot/OS disks, but it is still not a perfect solution.

With tools like SecureCloud you may solve some issues regarding data storage in the cloud, but at the cost of being unable to uninstall the product in the future without data or server migrations.

Personally, if you have the choice, it may be enough to only encrypt the disks that contain actual data, because they are easier to recover; for that you could use BitLocker or the new Amazon EBS encryption option.

As a last resort you could implement disk encryption solutions like Trend Micro SecureCloud.

Appendix

Here are some articles that are good to know.

Logging on to the SecureCloud Web Console Using a Multi-factor Authentication Code

http://docs.trendmicro.com/all/ent/sc/v3.6/en-us/webhelp_sp1/t_mfa_loggingon.html

Troubleshooting Amazon EC2 Boot Volume Encryption

http://docs.trendmicro.com/all/ent/sc/v3.6/en-US/webhelp/troubleshooting_aki.html#task_grl_rg3_hm

SecureCloud Agent System Requirements

http://docs.trendmicro.com/all/ent/sc/v3.6/en-us/webhelp/con_system_req.html