What Kaspersky Security Center Cloud

Console is
Kaspersky Security Center Cloud Console is a new tool for managing applications included with
Kaspersky Endpoint Security for Business Select or Advanced and Kaspersky Endpoint
Detection and Response (EDR) Optimum.

When a company purchases Kaspersky Endpoint Security for Business Select or Advanced,
administrators can choose which management system to use: an on-premises Kaspersky Security
Center with a web or MMC console, or Kaspersky Security Center Cloud Console. An on-
premises Kaspersky Security Center requires a Microsoft Windows server and a database server.
Kaspersky Security Center Cloud Console uses resources hosted in Microsoft Azure
infrastructure and does not require additional investments.
What benefits does a company get if they choose to use Kaspersky Security
Center Cloud Console?
1 Cost savings—no need to purchase either physical servers or software to deploy the
Kaspersky Security Center Administration Server and the database server. Nor does the
company have to pay for resources in Microsoft Azure infrastructure.
2 Prompt deployment—resource allocation and creating a company workspace takes
mere minutes in the Cloud Console.
3 Scalability—the Cloud Console automatically allocates additional computing power to
a workspace as the number of connected devices grows.
4 Availability—Kaspersky experts are responsible for the health and availability of the
company's workspace in the Microsoft Azure infrastructure.
5 Maintenance-free—Kaspersky experts are also responsible for upgrade, backup and
restore of Kaspersky Security Center Cloud Console.

Kaspersky Security Center Cloud Console vs.

Kaspersky Endpoint Security Cloud
If administrators want to manage their Kaspersky products from the cloud, they can use either
Kaspersky Endpoint Security Cloud or Kaspersky Security Center Cloud Console.
What is the difference between these offers?

First of all, Kaspersky Endpoint Security Cloud and Kaspersky Security Center Cloud Console
pertain to different products. 
Kaspersky Endpoint Security Cloud has a license of its own, while Kaspersky Security Center
Cloud Console is a management tool for applications included with Kaspersky Endpoint Security
for Business Select or Advanced or Kaspersky Endpoint Detection and Response Optimum. The
Kaspersky Endpoint Security Cloud console manages applications included with Kaspersky
Endpoint Security Cloud and Kaspersky Endpoint Security Cloud Plus. 
The customer makes the choice before the purchase.
The Kaspersky Security Center Cloud Console supports Kaspersky Endpoint Security for
Business Select, Kaspersky Endpoint Security for Business Advanced and Kaspersky Endpoint
Detection and Response Optimum licenses. 
The Kaspersky Endpoint Security Cloud Console manages applications included with Kaspersky
Endpoint Security Cloud and Kaspersky Endpoint Security Cloud Plus. The computing resources
of both management systems are hosted in the Microsoft Azure infrastructure. 

Kaspersky Endpoint Security Cloud/Cloud Plus manages:

Protection of Windows and Mac servers and workstations
Android and iOS portable devices
Vulnerability and patch management
Encryption
Protection of Microsoft Office 365
The Kaspersky Security Center (KSC) Cloud Console manages:
Protection of Windows, Mac and Linux servers and workstations under a
Kaspersky Endpoint Security (KES) for Business Select or Advanced
license.

Kaspersky Security Center Cloud Console supports management of encryption, vulnerabilities

and patches, and other features covered by Kaspersky Endpoint Security for Business Advanced
licenses, as well as advanced incident analysis and response capabilities covered by Kaspersky
Endpoint Detection and Response (EDR) Optimum licenses. 

Android mobile devices will be supported later in 2021.

Kaspersky Security Center Cloud Console is not planned to manage protection of Microsoft
Office 365 so far.
Management capabilities
The Kaspersky Endpoint Security Cloud/Cloud Plus console is designed for small organizations
and is as simple as possible. Security settings are applied to users (and to their devices through
them). Many functions use a single configuration that is applied to all users. This console does
not provide flexible management capabilities required for large or distributed networks.

Kaspersky Security Center Cloud Console, by contrast, is targeted at medium to large

organizations. Security settings apply to devices. For most functions, you can create different
configurations for different devices. Multiple deployment and management mechanisms useful
for large and distributed networks are supported:

1 Discovery of unassigned devices via distribution points

2 Hybrid management that combines Kaspersky Security Center Cloud Console and an on-
premises Kaspersky Security Center into a single management system (Kaspersky Security
Center virtual administration servers are not yet supported)

3 Flexible task management:

You can apply tasks to groups or specific computers, and you can create multiple tasks of the
same type with different schedules and settings

4 Flexible installation management allows you to create multiple installation packages with
different settings for the same application

5 Dynamic structure and configuration management using tags and relocation rules

6 Permits creating new report templates and customizing those preconfigured

7 Traffic optimization thanks to distribution points and connection gateways

8 Allows you to create custom device and event selections

Kaspersky Security Center Cloud Console vs.
Kaspersky Security Center Web Console
The first version of Kaspersky Security Center Cloud Console has fewer
capabilities than Kaspersky Security Center Web Console so far. 

Until recently, an on-premises Kaspersky Security Center was the main management tool for
Kaspersky software; as of now, it has more administration capabilities implemented and supports
more applications. In the future, Kaspersky Security Center Cloud Console will be the primary
management tool for Kaspersky products and applications.

The current version of Kaspersky Security Center Cloud Console supports functionality covered
by Kaspersky Endpoint Security for Business Select and Advanced licenses. Kaspersky Security
for Virtualization support and SIEM integration are planned to be added in Q2 2021.

Supported licenses
The Cloud Console requires activation. 

When creating a workspace, you can activate it with a Kaspersky Endpoint Security for Business
(Select or Advanced) or Kaspersky EDR Optimum license. 

When you create a workspace, the number of licensed devices is checked. Kaspersky Security
Center Cloud Console requires a license for more than 300 but less than 10 000 devices.
Managing more devices from a single workspace will be supported in the future. Information
about the current limitations of Kaspersky Security Center Cloud Console is available at
https://support.kaspersky.com/KESB/12/en-US/198653.htm
Feature comparison of Kaspersky Endpoint Security for Business running on-premises
and as a cloud solution
 
Feature or Kaspersky Security Center
property

  MMC-based Kaspersky Kaspersky

Administratio Security Security
n Console Center 12 Center Cloud
Web Console
Console

Administratio On-premises On- Cloud

n Server premises
location

Database On-premises On- Cloud

management premises
system
(DBMS)
location

Web-based
administration
console

Maintenance Managed by Managed Managed by

of customer by Kaspersky
Administratio customer
n Server and
DBMS

Hierarchy of
Administratio (Administration
n Servers Server of
Kaspersky
Security Center
Cloud Console
can only act as
a master
Administration
Server and can
only be used
for policies and
tasks
monitoring)
Administratio
n group
hierarchy

Migration of
the managed
devices and
related objects
from
Kaspersky
Security
Center on-
premises to
Kaspersky
Security
Center Cloud
Console

Network
polling (by distribution
points only)

Maximum 100 000 100 000 10 000

number of
managed
devices

Protection of
Windows,
macOS, and
Linux
managed
devices

Protection of
mobile devices

Protection of
virtual
machines

Protection of
public cloud
infrastructure

Device-centric
security
management

User-centric
security
management

Application
policies

Tasks for
Kaspersky
applications

Kaspersky
Security
Network

KSN Proxy
(on distribution
points only)

Kaspersky
Private
Security
Network

Centralized
deployment of
license keys
for Kaspersky
applications

Switching
managed (you must
devices to reinstall
another Network
Administratio Agents on
n Server managed
devices to
switch them to
another
Administration
Server)

Support for
virtual
Administratio
n Servers

Installing
third-party (to fix third-
software party software
updates and vulnerabilities,
fixing third- you can install
party software only
vulnerabilities recommended
fixes)

Notifications
about events
occurred on
managed
devices

Encryption
management

Creating and
managing user
accounts

Integration
with SIEM (by using
systems Syslog
only)

Using
Administratio
n Server as
WSUS server

Monitoring the
policies and
tasks status

Support of the
cluster
technology
 How to create a workspace
LESSON 5 of 9

Getting started with Kaspersky Security Center Cloud Console

To create a workspace, you need a single Kaspersky account. If you do not have one, create it.
Only a valid email address is required for that.

How to create a Kaspersky single account

https://youtu.be/JRLs3JObyf4

After you create and activate your Kaspersky account, go to ksc.kaspersky.com and create a
workspace:

1 Read and accept the terms of Kaspersky Security Center Cloud Console Agreement, Privacy
Policy and Data Processing Agreement.

2 Specify your company name.

3 Name your workspace. The current version of Kaspersky Security Center Cloud Console
supports only one workspace per company.
4 Select the country where your company is located. The country you choose defines the
location of the Microsoft data center where your data will be stored and processed.

5 Specify the estimated number of devices you plan to protect.

6 Enter your activation code or request a trial workspace. If you have selected to create a trial
workspace, note that the current version of the Cloud Console does not support migration from a
trial workspace to a commercial one.

7 Wait for an email message that the workspace has been created (up to 15 minutes). If you do
not receive a message in an hour, contact the technical support.

How to create a Kaspersky Security Center Cloud

Console workspace
https://youtu.be/2W_mwa7EBws

General interaction schema

Before we explain how to deploy security applications using Kaspersky Security Center Cloud
Console, it makes sense to say a couple of words about how the solution as a whole works: What
the user sees and what is hidden in the ‘black box’ (inside MS Azure).
Imagine that the solution has already been deployed. 
A user can connect to the corporate workspace in Kaspersky Security Center Cloud Console
using a browser; security applications and the Network Agent are installed on all corporate
devices. 
So what is in the ‘black box’ and how do all these components interact?

Virtual machines (Azure VM) are deployed on the MS Azure cloud platform; companies’
workspaces are created within them. Each workspace is a special instance of Kaspersky Security
Center Administration Server that has a dedicated database in Azure SQL Elastic Pool. 

The administration server and the database are deployed automatically after the user completes
the workspace creation wizard.

We will use the ‘workspace’ term when talking about the Administration Server and the database
server of Kaspersky Security Center Cloud Console.

If you have worked with an on-premises Kaspersky Security Center or Kaspersky Endpoint
Security Cloud, you know that to be able to connect to the Administration Server, the Network
Agent must know the address of the Administration Server or virtual server (and in case of
Kaspersky Endpoint Security Cloud, the connection port, too).
This data changes very rarely, almost never.

This is not the case with Kaspersky Security Center Cloud Console. The Kaspersky Security
Center Network Agent does not know the address or port of its workspace. It only knows the
workspace’s ID. To find out the address and port of its workspace, the agent connects to Hosted
Discovery Service (HDS) on port 443.

Hosted Discovery Service is a special service deployed in every Microsoft data center. It polls
workspaces periodically and maintains the ‘Workspace ID - Address - Port’ list.

The Hosted Discovery Service returns the address and port to the agent, after which the agent
connects to its workspace. For the agent to be able to connect to its workspace, ports 23100-
23199 and 27200-27900 must be open in the firewall for outgoing TCP connections to
*ksc.kaspersky.com.

Agents must use IDs because a workspace is not bound to a virtual machine. Workspace’s
address and port may change, for example, after a migration to another virtual machine in MS
Azure. Migration may be required for maintenance or load balancing.

How to deploy protection using Kaspersky

Security Center Cloud Console
LESSON 7 of 9
Once your workspace has been created in Kaspersky Security Center Cloud Console, you can
begin deploying security applications on endpoints. 
Follow this procedure to deploy protection using Kaspersky Security Center
Cloud Console:

The first step is preparatory. 

Open the ports listed in the figure for outgoing TCP connections to *.ksc.kaspersky.com to
enable Network Agents to connect to your corporate workspace. Then open a browser, log on to
your workspace and complete the quick start wizard. 

Next, select the computer with which you will start the deployment. This step is important
because the first computer will discover computers on your local network and help remotely
install security applications and Network Agents. Then download the Network Agent stand-alone
package from Kaspersky Security Center Cloud Console and install it on the selected computer.
Return to the cloud console and make this computer a distribution point. Enable network
discovery for it. Wait for the distribution point to discover computers on the local network and
transfer this data to the cloud console.

After that, in Kaspersky Security Center Cloud Console, create and run a task to remotely install
the Network Agent and security applications on the discovered computers.
How to deploy protection using Kaspersky Security
Center Cloud Console
https://youtu.be/Hb3k7ZmGynQ
Migration from an on-premises Kaspersky
Security Center
Kaspersky Security Center Cloud Console supports migration from an on-premises Kaspersky
Security Center. However, you must take into account a number of limitations and requirements
prior to migrating to the Cloud Console.
To understand which limitations a customer may face when migrating, consult the table that
compares the capabilities of an on-premises Kaspersky Security Center and Kaspersky Security
Center Cloud Console https://support.kaspersky.com/KESB/12/ru-ru/198653.htm

If your customer does not have any limitations or you can find a workaround,
begin the migration. Make sure the following prerequisites are met:
1 Upgrade your on-premises Administration Server to the latest version
2 Install the KSC Web Console. The Migration Wizard is only implemented in
Kaspersky Security Center Web Console.
Migration from an on-premises Kaspersky Security Center
The process of migrating from an on-premises Kaspersky Security Center Administration Server
to Kaspersky Security Center Cloud Console boils down to two simple things: 1
1 Copying the settings 
2 Reinstalling the Network Agent

Prior to beginning the migration, open the ports listed in the figure for outgoing TCP connections
to *.ksc.kaspersky.com in the corporate firewall to enable Network Agents to connect to your
corporate cloud workspace immediately after the reinstallation. 

Then connect to the on-premises Kaspersky Security Center Web Console in one browser
window and to Kaspersky Security Center Cloud Console in another window. 

In the Web Console, start the migration wizard, select the necessary device groups, tasks,
policies, selections and reports and export them. In Kaspersky Security Center Cloud Console,
also run the migration wizard and import the settings. Then download the stand-alone agent
package from Kaspersky Security Center Cloud Console. In the Web Console, in the migration
wizard, specify the location of the downloaded stand-alone package. The migration wizard will
automatically create a regular installation package and a remote installation task from the stand-
alone agent package on your Administration Server. 

Next, run the created KSC CC Network Agent installation task and wait for it to complete
successfully. 

We do not recommend that you run a remote installation task on all computers on the network at
once; it is best to start with a small group of computers that does not include servers or
computers located outside your local network. 
What cannot be exported:
1 Events from the Administration Server database
2 Installation packages
3 Some Administration Server maintenance tasks, such as Backup and Download updates
to the repository.
4 Policies and tasks of security solutions that are not listed in the migration wizard, for
example, Kaspersky Endpoint Security for Linux

Migrating Kaspersky Security Center on-premises

to Kaspersky Security Center Cloud Console
https://youtu.be/lkmdQaJCRSk

How to connect an on-premises

Administration Server to Kaspersky Security
Center Cloud Console
Hybrid configuration
A hybrid management system consists of on-premises Kaspersky Security Center Administration
Servers and a workspace in Kaspersky Security Center Cloud Console.

In this management scheme, Kaspersky Security Center Cloud Console workspace acts as the
master Administration Server, and the on-premises Administration Servers are connected to it as
slave servers.
 You can use this scheme as an interim solution during the migration.
The hybrid management scheme is also useful for companies with numerous remote users if the
company wants to control their protection. 
The hybrid management scheme allows you to: 
Easily connect remote and on-premises devices to different servers

Avoid issues related to connecting remote devices to an on-premises Administration Server:

access management, accessibility, security, and so on
At the same time, the customer enjoys all the advantages of a single management system.

To connect an on-premises Administration Server as a slave to your Cloud Console, you need
Kaspersky Security Center Cloud Console and Kaspersky Security Center Web Console. The
MMC console of Kaspersky Security Center does not provide this capability.

In short, the slave server connection procedure boils down to exchanging certificates and
specifying the address and port of the Hosted Discovery Service server. It is best to start from
Kaspersky Security Center Cloud Console. 

Let us study the procedure in detail:1

1 In Kaspersky Security Center Cloud Console, open the Administration Server properties and
switch to the Hierarchy of Administration Servers section
2 This section contains the address and port of the Hosted Discovery Service server that you
need to write down or memorize. Click the download links to save the certificates of the Cloud
Console Administration Server and Hosted Discovery Service server to your computer.

3 Then open the Administration Servers tab, select the group where you want to put the slave
server, and click ‘Connect Slave Administration Server’ to start the connection procedure.4

4 The Add Server wizard prompts you for the slave server name. You can specify any name
here; it does not need to coincide with the current name of this Administration Server or the
name of the machine where it is installed. The slave server will simply be displayed in
Kaspersky Security Center Cloud Console under this name. You will be able to change this name
in the Cloud Console whenever you deem it appropriate. You do not need to specify the slave
Administration Server address

 5
5 Download the slave server certificate from the Web Console of your on-premises Kaspersky
Security Center server: Click the respective link in the General section of the Administration
Server properties
If the browser is running on the on-premises Administration Server, you can use the following
path: 

ALLUSERSPROFILE%\Application Data\Kaspersky Lab\adminkit\1093\cert

6 In Kaspersky Security Center Cloud Console, specify the certificate of the connected (slave)
Administration Server

7 Now, you need to configure connection on the side of your on-premises Administration Server.
Let us continue with its Web Console. In the Administration Server properties, open the
Hierarchy of Administration Servers section8

8 Select the check box This Administration Server is slave in the hierarchy9

9 Choose the Type of master Administration Server: Cloud Console

10 Specify the address and port of the Hosted Discovery Service server that you wrote down at
the second step

11 Upload the certificates of the Cloud Console Administration Server and Hosted Discovery
Service server that you saved to your local drive.

This completes the slave server connection; you can return to the Cloud Console to verify that
the slave server has successfully connected. If the slave server remains inaccessible for 10-15
minutes, make sure the required firewall ports are opened for outbound connections to
*.ksc.kaspersky.com