
Recently, questions have often been raised about whether personal data can be processed and protected in “clouds” in accordance with Federal Law No. 152 “On Personal Data”. Much of this discussion resembles myth-busting, so I will venture to present my view of the problem of protecting personal data information systems (ISPDn) in the clouds and try to answer the basic questions.
A sample list of questions:
- Is it possible, in principle, to place an ISPDn in the “cloud” while meeting the regulators' requirements for information protection?
- What properties must a “cloud” have for it to be usable for building an ISPDn?
- What should a personal data operator who has decided to move their information resources to the “cloud” take into account?
- Is it possible to certify an ISPDn placed in a public “cloud”?
- Which information security tasks fall to the cloud provider?
- What guarantees are there that a competitor located in the same “cloud” next door is reliably separated and cannot attack from inside the “cloud”?
- What determines which class of ISPDn can be built in a particular “cloud”?
At the moment I am actively working on the protection of the CROC Virtual Data Center, specifically on making it possible for our customers to place their personal data information systems in it, so I would like to share the ideas and experience gained in this direction.
I will note straight away that the emphasis will be mainly on the technical side of bringing cloud-based ISPDn into compliance with the regulators' requirements; the organizational aspects of protection are left aside.
I base myself on the practical results obtained within the current approach to protecting the CROC Virtual Data Center.
Introduction
Suppose the task is to build a distributed ISPDn, one part of which is located on the organization's own site and the other part in the “cloud” of some provider. The users' automated workplaces (AWPs) are located in the organization's office, while the server components and the database with personal data are located in the “cloud”. The “cloud” itself is located on the territory of the Russian Federation. This is what it looks like:

There are three main elements to be protected:
- The set of user AWPs on the organization's side;
- The communication channel between the organization's office and the cloud (the Internet);
- The set of virtual machines in the “cloud” on which the server software of the corresponding ISPDn runs.
FAQ
- What is needed, in terms of technical protection measures, for such an ISPDn?
To neutralize information security threats, the fundamental point is the need to use certified protection tools for each of the three elements identified above.
- What are the main directions of threats that must be taken into account when building an ISPDn protection system?
The main sources of threats to the elements of a distributed ISPDn are:
1. Internal users of the organization who attack the ISPDn resources located on the organization's own site.
2. External attackers who attack the ISPDn resources located on the organization's site.
Threats from these two sources should be countered by the organization itself, using certified protection tools for the workstations and the network environment.
3. External attackers who attack the communication channel from outside in order to intercept or distort ISPDn network traffic.
This part of the problem is solved with certified cryptographic protection of network traffic. It can be provided as an information security service of the cloud provider.
4. The cloud provider's staff who service the components of the cloud.
Here certified tools are needed to differentiate the personnel's access rights to the cloud platform resources; these can be built into the platform itself. Certified protection tools deployed on the ISPDn server components can also be used.
5. External attackers who attack, from outside the cloud provider's data center, the “cloud” resources and, accordingly, the ISPDn resources located in the “cloud”.
Here, too, certified protection tools are needed; they can both be provided as a security service to the “cloud” client and serve to protect the “cloud” itself from external threats. In addition, certified protection tools deployed on the ISPDn server components can be used.
6. Cloud neighbors who exploit platform weaknesses to attack from their own cloud environment.
This threat is countered by the means that separate the cloud platform's resources between customers. These also need certification.
An illustration of the relevant protection principles is shown in the following figure:
- Is it possible, in principle, to place an ISPDn in the “cloud” while meeting the regulators' requirements for information protection?
Yes, provided the regulators' existing technical requirements are met. Obviously, the main requirement is, again, certification of the protection tools.
- What properties must a “cloud” have for it to be usable for building personal data information systems?
Besides the separation of customer resources, control of maintenance personnel and protection from external threats, which have already been mentioned, one more thing is important. Since “clouds” are built on virtualization platforms, it automatically becomes necessary to use certified hypervisors when building them.
- What needs to be considered when deciding to move information resources to the “cloud”?
Check the certification of the “cloud” protection components and clarify which services for protecting personal data are available (go through the list of threat sources above as a checklist).
- Is it possible to certify an ISPDn placed in a public “cloud”?
At the moment (under the existing regulatory framework) it is impossible to certify an ISPDn located in a public “cloud” next to the resources of other clients. This is because the existing regulatory framework prescribes certifying the object of informatization (in practice, the cloud provider's data center), which implies fixing the equipment used in a specific certificate for a specific ISPDn. In the context of cloud computing this is impossible, since “cloud” technology itself implies that different clients use the same hardware and software resources. At the same time, there are no visible obstacles to certifying a private “cloud”, since it is possible to single out a specific object (or objects) of informatization that serves a particular organization, including an external one.
- Which information security tasks fall to the cloud provider?
- Provide a set of organizational and technical protection measures ensuring that threats from the provider's staff and from other customers located in the “cloud” next door cannot be realized against a customer.
- Provide security services (based on certified protection tools) that customers hosting their ISPDn in the “cloud” can use.
- What guarantees are there that a competitor located in the same “cloud” next door is reliably separated and cannot attack from inside the “cloud”?
In essence, this is achieved by certifying the virtualization mechanisms: the compute hypervisor, the virtualized network management system and the storage virtualization platform.
- What determines which class of ISPDn can be built in a particular “cloud”?
The restrictions specified in the certificates of the cloud's protection tools with respect to the regulatory requirements.
Summing up, I would like to note that the important point in placing an ISPDn in the “cloud” is the cloud's certification, i.e. the availability of certificates for the various “cloud” elements that implement protection functions (the hypervisor, security features built into the cloud, security features offered to clients as services). At the moment my colleagues and I are deploying CROC cloud security services based on certified protection tools, and there are plans to certify other components of the cloud platform in the near future.