Contents
- Deploying a tenant protection infrastructure
- Configuring the Integration Server connection settings to the Kaspersky Security Center Administration Server
- Creating a tenant and virtual Administration Server
- Configuring SVM location and Protection Server settings
- Configuring settings for SVM discovery by Light Agents and general tenant protection settings
- Installing a Light Agent on tenant virtual machines
- Registering tenant virtual machines
- Activating a tenant
Deploying a tenant protection infrastructure
The tenant protection infrastructure created using the Integration Server REST API is based on the use of virtual Kaspersky Security Center Administration Servers. Each tenant is provided with a virtual Administration Server and an account that the tenant administrator uses to connect to the virtual Administration Server.
One Kaspersky Security Center Administration Server can support up to 500 virtual Administration Servers.
Tenant virtual machines with Light Agents installed are located on the tenant's virtual Administration Server.
A tenant administrator can perform the following actions on their virtual Administration Server:
- Centrally manage protection of their virtual machines using the Light Agent policies and group tasks.
- Receive information about their infrastructure protection status using event notifications and reports available on the virtual Administration Server.
- Work with copies of files placed in backup storage on all of the virtual machines of this tenant.
For more information about virtual Administration Servers, see the Kaspersky Security Center help.
The service provider's administrator installs the solution in their infrastructure and ensures the operation of Light Agents and other solution components:
- Configures the settings for connecting Light Agents installed on tenant virtual machines to the SVMs and to the Integration Server.
- Activates the solution and monitors license restrictions.
- Updates the solution's databases and application modules.
- Configures the Protection Server settings.
The service provider's administrator can also configure general protection settings for tenant virtual machines.
During operation, information that may contain personal and confidential data is transmitted between Kaspersky Security Center and Kaspersky Security solution components installed in the service provider's infrastructure and on tenant virtual machines.
Before creating a tenant protection infrastructure, you need to perform the following steps:
- Install or update the Kaspersky Security solution.
The following components must be installed in the service provider's infrastructure:
- Integration Server and Integration Server Console.
- Protection Server.
- Kaspersky Security management plug-ins.
- Prepare the solution for work:
- Prepare the Protection Server for operation.
- Change the default password of the multitenancy account. A multitenancy account is created automatically as a result of Integration Server installation. It is required to interact with the Integration Server REST API.
- Configure the settings for connecting the Integration Server to the Kaspersky Security Center Administration Server. These settings are required for authorization on the Kaspersky Security Center Administration Server when executing requests to the Integration Server REST API.
Deploying a tenant protection infrastructure consists of the following steps:
- Creating a tenant and virtual Kaspersky Security Center Administration Server for the tenant.
- Configuring the location of SVMs that will protect tenants' virtual machines and configuring Protection Server settings.
- Configuring SVM discovery settings and general operating settings for Light Agents installed on tenant virtual machines.
- Installing Kaspersky Security Center Network Agent and Light Agent on tenant virtual machines and moving the virtual machines to a virtual Administration Server configured for the tenant.
- Registering tenant virtual machines in the Integration Server database.
- Activating a tenant.
- Transferring the following Kaspersky Security Center Administration Server connection settings to the tenant administrator:
- Address of the virtual Administration Server configured for the tenant;
- Administrator account settings of the virtual Administration Server.
Tenant administrators are advised to change the account password they receive from the service provider's administrator.
The steps of deploying tenant protection infrastructure can be automated using the Integration Server REST API and the Kaspersky Security Center OpenAPI (open the description of Kaspersky Security Center OpenAPI methods).
To prevent unauthorized access, it is recommended to deploy the SVM and the device on which the Kaspersky Security Center Administration Server and the Integration Server are installed in a dedicated virtual network and to configure routing with address translation (SNAT) from the tenant subnets to this subnet.
Configuring the Integration Server connection settings to the Kaspersky Security Center Administration Server
For the Integration Server REST API interaction with the Kaspersky Security Center Administration Server during execution of requests, an account is required that has the following permissions in the Kaspersky Security Center:
- Permissions in the functional areas of the Administration Server:
- General functionality → Basic functionality: Read, Modify
- General functionality → Administration group management: Modify
- General functionality → User permissions: Modify access control lists
- General functionality → Virtual Administration Servers: Read, Modify, Execute, Manage
- Permissions to read and modify objects in the functional areas related to Light Agent settings.
You can create and configure an account to connect the Integration Server to Kaspersky Security Center:
- In Kaspersky Security Center Administration Console, in the Security section of the Kaspersky Security Center Administration Server properties window.
By default, the Security section is not displayed in the Administration Server properties window. To enable the display of the Security section, you must select the Display security settings sections check box in the Configure interface window (View → Configure interface menu) and restart the Kaspersky Security Center Administration Console.
- In Kaspersky Security Center Web Console, in the Users and roles → Users and groups section of the main window.
For more information on creating and configuring account rights in Kaspersky Security Center, see the Kaspersky Security Center Help.
Creating a tenant and virtual Administration Server
At this step of the deployment of tenant protection infrastructure, tenant information is added to the Integration Server database and a virtual Administration Server is created for the tenant. The procedures are automated by means of the Integration Server REST API.
The actions performed in response to the REST API request depend on the tenant type specified when calling the REST API method: deployment of tenant protection infrastructure is available only for the complete tenant type.
Specify the following information in the REST API request:
- Tenant name.
- Tenant type: complete.
- Settings of the account used by the tenant administrator to connect to the virtual Administration Server configured for the tenant. During the procedure, an account with the main administrator permissions will be automatically created on the virtual Administration Server.
Kaspersky Security Center verifies the uniqueness of account names within the main Kaspersky Security Center Administration Server and all its virtual Administration Servers. By default, if the account name is not unique, account creation fails. If you want to use the same account names on several virtual Administration Servers, you can disable the uniqueness check for internal user names. See the Kaspersky Security Center help for more information.
As a result of the procedure, the following actions are performed:
- Tenant data is saved in the Integration Server database, and the tenant is assigned a unique identifier.
- A virtual Kaspersky Security Center Administration Server and an account used by the tenant administrator to connect to the virtual Administration Server are created for each tenant.
- When registering the first tenant on the main Administration Server, a folder with the default name Multitenancy KSV LA is created in the Managed devices folder. You can change this name if required.
- The following structure of folders and nodes is created for each tenant in the Multitenancy KSV LA folder:
  - <Tenant name> folder
    - Administration Servers node
      - Administration Servers <Tenant name> node
        - Folders and administration groups required for managing protection of this tenant, similar to the structure of folders and groups of the main Kaspersky Security Center Administration Server.
Configuring SVM location and Protection Server settings
At this step of the deployment of tenant security infrastructure, you can perform the following actions:
- Configure the location of SVMs that will protect tenant virtual machines in the Kaspersky Security Center administration group hierarchy.
- Configure the operation settings of the Protection Server installed on these SVMs using the Protection Server policy.
- Configure the general settings of the Light Agents that will be installed on tenant virtual machines using Light Agent policies.
You can deploy SVMs that will protect tenant virtual machines in any folder or administration group on the main Kaspersky Security Center Administration Server.
It is not recommended to deploy the SVMs and Protection Server policy in folders and administration groups to which the tenant administrator has access, that is, in folders and administration groups under the Administration Server <Tenant name> node.
If you want the SVM to protect virtual machines of only particular tenants, you need to restrict Light Agents' access to the SVM in one of the following ways:
- Using the connection tags mechanism. Tags must be specified in the Protection Server policy and in the Light Agent policy. It is recommended to "lock" the configured settings in order to prevent these settings from being changed in child policies.
- By blocking network connections from the tenant subnet to the subnet with the SVM on TCP ports 80, 9876, 9877, 11111, and 11112.
It is not recommended to configure connection tags in Light Agent policies located in folders and administration groups to which the tenant administrator has access, that is, in folders and administration groups under the Administration Server <Tenant name> node.
In accordance with the procedure for inheritance of Kaspersky Security Center policies, the default Protection Server policy is applied on all SVMs in administration group hierarchy. It is created in the Managed devices folder on the main Administration Server. If you want to configure specific operating settings for the SVMs that will protect tenant virtual machines, you need to create a Protection Server policy in the folder where the SVM that protects tenant virtual machines is located.
If you want to centrally enable use of Kaspersky Security Network to protect tenants' virtual machines, make sure that tenants' personal data is being processed legally.
Configuring settings for SVM discovery by Light Agents and general tenant protection settings
At this stage of deployment of the tenant protection infrastructure, you need to create a Light Agent policy in one of the following folders:
- In the Multitenancy KSV LA → <Tenant name> folder, if you want to configure general operating settings for all Light Agents that will be installed on the virtual machines of one particular tenant. A policy in the Multitenancy KSV LA → <Tenant name> folder must be created for each tenant.
- In the Multitenancy KSV LA folder, if you want to configure general operating settings for all Light Agents that will be installed on the virtual machines of all tenants.
In the Light Agent policy, configure the Light Agent operation settings as follows:
- Settings for connecting Light Agents to SVMs:
- Enable the use of the Integration Server for SVM discovery in the Light Agent policy. Light Agents installed on the virtual machines of complete tenants must use the Integration Server to discover SVMs that are available for connection.
- If you want to restrict Light Agents' access to SVMs using the connection tags mechanism, you can assign connection tags to Light Agents.
To restrict Light Agents' access to SVMs, you can also block network connections from the tenant subnet to the subnet with the SVM on TCP ports 80, 9876, 9877, 11111, and 11112.
The default values can be used for other settings for connecting Light Agents to SVMs.
It is recommended to "lock" all the settings for connecting Light Agents to SVMs in order to prevent these settings from being changed in child policies.
- If required, you can configure general operating settings for the Light Agents that will be installed on the tenant virtual machines.
You can use the "lock" attribute to allow or block changing of settings or groups of settings in task settings or in nested policies (for nested administration groups and secondary Administration Servers). Tenant administrators cannot configure "locked" settings. If the "locks" are open, the tenant administrator can independently configure the operation of Light Agent components.
It is not recommended to configure the general operating settings of Light Agents in the policies located in folders and administration groups to which the tenant administrator has access, that is, in folders and administration groups under the Administration Server <Tenant name> node.
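The port-based restriction described above (blocking TCP 80, 9876, 9877, 11111 and 11112 from tenant subnets to the SVM subnet) can be expressed as firewall rules and checked before rollout. The following is an added example, not Kaspersky code: it generates nftables drop rules for tenants an SVM does not serve and evaluates single flows against that policy. All subnets and tenant names are constructed for illustration; the port list comes from this page.

```python
"""Tenant-to-SVM network isolation check (added example, not Kaspersky code).

Models the recommendation on this page: block the Light Agent ports from
tenant subnets to the SVM subnet for every tenant that a given SVM is not
meant to protect, while leaving them open for tenants it does protect.
"""
import ipaddress

# Ports used for Light Agent <-> SVM connections, as listed on the page.
LIGHT_AGENT_SVM_PORTS = (80, 9876, 9877, 11111, 11112)

# Constructed sample values: the SVM subnet and the tenant subnets.
SVM_SUBNET = ipaddress.ip_network("10.200.0.0/24")
TENANT_SUBNETS = {
    "tenant-a": ipaddress.ip_network("10.10.0.0/16"),
    "tenant-b": ipaddress.ip_network("10.20.0.0/16"),
}
# Tenants this SVM is meant to protect; tenant-b is deliberately excluded.
PROTECTED_TENANTS = {"tenant-a"}


def nft_rules(svm_subnet, tenant_subnets, protected):
    """Return nftables rule lines dropping Light Agent ports from unprotected tenants."""
    ports = ", ".join(str(p) for p in LIGHT_AGENT_SVM_PORTS)
    rules = []
    for name, subnet in sorted(tenant_subnets.items()):
        if name in protected:
            continue  # this tenant's Light Agents may reach the SVM
        rules.append(
            f"ip saddr {subnet} ip daddr {svm_subnet} "
            f"tcp dport {{ {ports} }} drop comment \"{name}: not served by this SVM\""
        )
    return rules


def is_allowed(src_ip, dst_ip, port):
    """Decide whether one TCP flow from a tenant VM towards an SVM would pass."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if dst not in SVM_SUBNET or port not in LIGHT_AGENT_SVM_PORTS:
        return True  # the rules only cover Light Agent ports towards the SVM subnet
    for name, subnet in TENANT_SUBNETS.items():
        if src in subnet:
            return name in PROTECTED_TENANTS
    return True  # source outside every known tenant subnet: not covered by these rules


if __name__ == "__main__":
    for line in nft_rules(SVM_SUBNET, TENANT_SUBNETS, PROTECTED_TENANTS):
        print(line)
    print(is_allowed("10.10.5.7", "10.200.0.10", 9876))  # tenant-a: allowed
    print(is_allowed("10.20.5.7", "10.200.0.10", 9876))  # tenant-b: blocked
```

Flows to non-Light-Agent ports and from addresses outside the known tenant subnets fall outside these rules; cover them with the surrounding firewall policy.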
Installing a Light Agent on tenant virtual machines
At this step of the deployment of the tenant security infrastructure, the following actions are performed:
- Kaspersky Security Center Network Agent, which is configured to connect to the tenant's virtual Administration Server, is installed on tenant virtual machines.
- Tenant virtual machines are moved to the Managed devices folder of the virtual Administration Server configured for the tenant.
- Light Agent for Linux or Light Agent for Windows is installed on tenant virtual machines.
The listed actions can be performed both on the service provider's side and on the tenant's side after the tenant administrator receives the virtual Administration Server connection settings.
If installation is performed on the service provider's side
You can use the following installation methods:
- Using Kaspersky Security Center OpenAPI, automate the installation of applications on tenant virtual machines and the movement of virtual machines to administration groups (open a description of Kaspersky Security Center OpenAPI methods).
- Remotely install applications on virtual machines using the Kaspersky Security Center wizard or remote installation task.
- Deploy virtual machines from a virtual machine template.
If you want to use Kaspersky Security Center OpenAPI or Kaspersky Security Center remote installation tools, then for each tenant you need to prepare the installation packages required to install Light Agent and Kaspersky Security Center Network Agent. You can distribute installation packages to the selected virtual Administration Servers using the Administration Server task or automate the distribution of packages using Kaspersky Security Center OpenAPI (open the description of Kaspersky Security Center OpenAPI methods).
In the package properties or in the properties of the remote installation task, you can specify the administration group that the virtual machine should be assigned to after Network Agent is installed on it. For more information about configuring installation packages and the deployment procedure, see the Kaspersky Security Center Help.
If you want to deploy virtual machines from a virtual machine template, then for each tenant you need to prepare a virtual machine template that has an installed Network Agent configured to connect to the tenant's virtual Administration Server and an installed Light Agent. Then you can deploy virtual machines for the tenant from this template.
When installing Network Agent on a virtual machine template, it is recommended to enable optimization of Network Agent settings for VDI.
If installation is performed on the tenant's side
If there are installation packages or virtual machine templates prepared by the service provider's administrator, the tenant's administrator can install Network Agent and Light Agent on the tenant virtual machines.
Registering tenant virtual machines
At this step of the deployment of the tenant security infrastructure, tenant virtual machines are registered. The procedure is automated by means of the Integration Server REST API.
In the request to the REST API, you need to specify the virtual machine ID (BIOS ID) and the tenant ID of the tenant to which these virtual machines belong.
As a result of performing the procedure, information about the virtual machine is saved in the Integration Server database and a connection is established between the virtual machine and the tenant.
Activating a tenant
The tenant activation procedure is performed at this stage of deploying the tenant security structure. Tenants are registered with the "Inactive" status in the Integration Server database. As long as the tenant has this status, Light Agents installed on the tenant virtual machines do not receive information about the SVMs they can connect to, and protection of the tenant virtual machines is disabled. To start protecting tenant virtual machines, you must activate the tenant.
The tenant activation procedure is automated using the Integration Server REST API.
As a result of the procedure, the following actions are performed:
- The tenant status changes to "Active". The tenant status is saved in the Integration Server database. You can get information about the tenant status using the Integration Server REST API or by viewing the list of tenants in the Integration Server Console.
- The Light Agents installed on the tenant virtual machines receive information about the SVMs available for connection from the Integration Server. The Light Agents select the best SVMs for connection in accordance with the configured SVM connection settings, and protection of the tenant virtual machines is enabled.