What you need to know about migration to Russia by September 1, 2015 from foreign infrastructure
Any personal data operator that processes data not in Russia may be blocked.
Below I want to tell you about some moments of migration that we have already encountered in practice when transferring clients to Russia to our infrastructure. Of course, the first question will be about the laws , the second - about how the data is protected from removal .
')
Main
It is not yet clear how the mechanism described in the law will work in practice, moreover, by-laws have not yet been adopted, which will detail the procedure for restricting (blocking) access to resources. Therefore, it is necessary to dig in more detail: below are a few important, but rather boring things.
The legislation does not divide Russian and foreign persons, the national regime applies to foreigners (everyone is equal before the law). Feels like there are fines, but there is no practical possibility of applying them to foreigners. And the fines are ridiculous, of course - up to 10,000 rubles. However, the fines do not abolish Roskomnadzor’s authority to block sites - Roskomnadzor will not care whether the Russian domain or foreign, it will be able to block both for all Russian users.
That is, for example, if Aeroflot cannot access the Saber ticket system, it will cost our carrier much more than a fine of as much as 10,000 rubles.
What you need to know about personal data?
242- in Articles 2 and 4 and 526- say that from September 1, 2015, when collecting personal data, incl. on the Internet, the operator is obliged to ensure the recording, systematization, accumulation, storage, refinement (update, change), extraction of personal data of citizens of the Russian Federation using databases located in the territory of the Russian Federation (part 5 of article 18).
Exceptions to 242-FZ are as follows:
1) the processing of personal data is necessary to achieve the goals stipulated by the international treaty of the Russian Federation or the law for the implementation and fulfillment of the functions, powers and duties assigned by the legislation of the Russian Federation to the operator;
2) the processing of personal data is necessary for the administration of justice, the execution of a judicial act, an act of another body or official, subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings;
3) the processing of personal data is necessary to fulfill the powers of federal executive authorities, state extrabudgetary funds, executive bodies of state power of the constituent entities of the Russian Federation, local governments and the functions of organizations involved in the provision of state and municipal services, respectively, provided for by the Federal Law of July 27, 2010 №210- “On the organization of the provision of state and municipal services”, including the registration of that personal data on a single portal of state and municipal services and (or) regional portals of state and municipal services;
4) the processing of personal data is necessary for the professional activities of the journalist and (or) the legal activities of the media or scientific, literary or other creative activities, provided that it does not violate the rights and legitimate interests of the subject of personal data.
2) the processing of personal data is necessary for the administration of justice, the execution of a judicial act, an act of another body or official, subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings;
3) the processing of personal data is necessary to fulfill the powers of federal executive authorities, state extrabudgetary funds, executive bodies of state power of the constituent entities of the Russian Federation, local governments and the functions of organizations involved in the provision of state and municipal services, respectively, provided for by the Federal Law of July 27, 2010 №210- “On the organization of the provision of state and municipal services”, including the registration of that personal data on a single portal of state and municipal services and (or) regional portals of state and municipal services;
4) the processing of personal data is necessary for the professional activities of the journalist and (or) the legal activities of the media or scientific, literary or other creative activities, provided that it does not violate the rights and legitimate interests of the subject of personal data.
In all other cases, operators will be required to collect personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation.
What is the responsibility?
If the operator violates the new requirements for placing databases on the territory of the Russian Federation, the current version of article 13.11 of the Administrative Violations Code of the Russian Federation “Violation of the procedure for collecting, storing, using or disseminating information about citizens (personal data) established by law” the head can be brought to administrative responsibility : the head - in the form of a fine in the amount of from five hundred to one thousand rubles, the operator - from five thousand to ten thousand rubles bley
Currently, the State Duma of the Russian Federation is considering the draft law No. 683952-6, which is supposed to limit the range of violations of the law on personal data, for which administrative responsibility will be imposed under article 13.11 of the Code of the Russian Federation on administrative violations.
In the new edition of this article, the operators violated the requirements to ensure the recording, systematization, accumulation, storage, clarification (updating, changing), retrieving personal data of citizens of the Russian Federation using databases located in the territory of the Russian Federation when collecting personal data, including it will not be an administrative offense through the information and telecommunications network Internet, since the draft law does not provide for such an offense.
That is, you can not store in the Russian Federation?
Not really. The planned changes in the administrative legislation do not mean that the violation by operators of the requirements of Federal Law No. 242-FZ will not entail any negative consequences for them. We are looking at article 15.5 of the Federal Law of July 27, 2006 No. 149- “On Information, Information Technologies and Information Protection”, which comes into force on September 1, 2015, which appeared in the law as a result of the adoption of Federal Law No. 242-.
According to this article, if a court decision on the basis of an application of the subject of personal data confirms the fact of processing the personal data of this subject on the operator’s Internet resources in violation of the law on personal data, the Federal Service for Supervision in the Field of Communications, Information Technology and Mass Communications (Roskomnadzor ) upon request of the subject of personal data on the basis of a court decision, it will be able to include information about the operator-violator in the specialized “Register of violators Rabbi subjects of personal data "and to restrict (block) access to the Internet resource of the operator, where the violation has been found.
The law does not specify exactly which violations of the law on personal data will be the basis for Roskomnadzor to restrict user access to the operators' Internet resources.
Is there practice?
For obvious reasons, until the law works, it will be difficult to say exactly what and how to do it. The wording allows a fairly broad interpretation, and, as usual, you need to focus on law enforcement practice.
What does all this mean to you?
From September 1, 2015, operators should be prepared for the Roskomnadzor to verify compliance with the legislation on personal data, including the requirements for processing personal data using databases located in the Russian Federation at any time - this conclusion follows from the amendment introduced by the article 3 of the Federal Law No. 242- to the Federal Law of December 26, 2008 No. 294- “On the Protection of the Rights of Legal Entities and Individual Entrepreneurs in the Implementation of State Control (Supervision) and Municipalities ipalnoy control, according to which the control and supervision of the processing of personal data is derived from the operation of Federal Law No. 294-.
Most likely, the order, timing, frequency of inspections will be determined by Roskomnadzor. Such checks will not be coordinated with the prosecution authorities and will not be included in the annual consolidated plans of inspections of legal entities and individual entrepreneurs.
Now I will tell you about our practice.
We offer three data-centers for commercial customers, including one of them TIER III by Uptime Institute. As a rule, very large companies (such as banks, insurance companies and retail chains leaders) come to us inside the data center in specially enclosed spaces, where, for example, there can be 50–60 racks of this client only. The passage into the space, even for those who carry out technical works, is possible only with a representative of this company, therefore everything that requires maintenance is initially taken from us behind the fence. In addition, we ensure that the cameras of other customers do not fall sectors on other people's fences. This is a fairly simple layout.
Companies that do not have such large-scale projects with us (usually transferring infrastructure from cloud environments like Amazon) get into the CRIC cloud, which is 85% compatible with the same API of Amazon (EC2, S3). Migrating is easy - almost all utilities will work from Amazon without modifications or with minimal changes. The only thing, of course, will have to change the format of the image. But the main thing is that the approach and ideology are preserved. I think it’s not for me to explain that when switching to a different structure, various architectural issues that spoil life very often come out - we haven't had such surprises for a long time.
By itself, the transfer does not represent any difficulties and has long been worked out. The question is different: each customer is worried about the new law. And here there are several options:
- The first is the statement to the data center and certification of the final IT solution according to the standards of FSTEC. This is a classic collocation.
- The second option is to work with our public cloud. We already have experience of fourth-grade attestation and relevant documentation, which includes a threat model, remedies, two pentest reports, a vulnerability report based on the results of this pentest, internal regulations of the data center, operation services, HR (recruitment regulations). If necessary, we will prepare such a set of documents and pass it on to the customer for further verification and issuance of an opinion to an accredited certification body.
- The third option is SaaS with a cloud solution, a centralized security hub (GTC) to protect against specific threat models. You can use the cloud scaling model, even if it was previously unavailable for you due to the requirements of regulators. In short, the procedure is the following: a protected virtual environment with information security services based on tools certified by the FSTEC and the FSB is deployed in 1-2 days. Firewalls, IPSec VPN and Intrusion Prevention (IPS).
Data storage
The second frequent question that frequently appears during meetings with customers is how data is stored. Actually, almost no meeting can do without this question, even if it went with the financial director.
The bottom line is this. We have two data centers, they have a total of about 500 physical servers that run customers' virtual machines. Each server has two disks. And to these 500 servers 12 arrays are connected, 6 each to the site. On local drives that are on board servers, customer data is not stored. They are all stored in a centralized repository. If we approach the issue of data acquisition by inspection bodies, then the removal of servers as such is simply useless, because there are no customer data for them. They all connect over a storage area network — SAN. And they are taken from disk arrays that are connected via SAN. There is complete certainty at each moment where the data is stored (exactly on which site), that is, the customer chooses when creating a virtual disk whether to run it on Volochaevskaya or on the Compressor. Further, all these disks at the level of physical disk arrays are stored in this form - they are evenly distributed across all disk arrays interspersed with data from other customers. Naturally, only the owners of this data have access to this data. If you physically remove one of the arrays, the data will be incomplete, inconsistent. This may be 1/6 of the data, the rest of the data is spread over the remaining arrays. That is, no value will not be. Even if you extract all the arrays in order to collect any disks from this porridge, without this access you will not be able to get this information.
The easiest way is to find out the username and password and get access to the self-service portal by taking these passwords from the customer’s system administrator. I note: for all 6 years that we are engaged in the clouds, there were no similar incidents with the withdrawal of equipment.
Migration itself
As a rule, international companies with Russian representative offices move to us. Historically, they hosted around the head office somewhere, and now the Russian business is separated into a separate one, in Russia. And build the same infrastructure. Plus, about 10% of customers are those who are hosted in the West and move “home” to similar infrastructures. There are those who go to the storage of data with us instead of storage in the office, because it is more reliable.
An important feature is that many people need English writing support and English-speaking managers. It has long been built.
The main problem of migration is conversion from a format to a format of virtual servers, details on architecture, if the transition is not from an Amazon-like service. As a rule, we either do all these things for free, or we advise for free in the part of building architecture inside the cloud. For the customer, everything passes without surprises, our specialists, who have already eaten a dog at such jobs, are watching every transfer. And the experience is tremendous: at the beginning of the year, companies from western hosting companies started to push the line. They are now attracting us for consulting on network connectivity and network infrastructure both on their projects and during transitions. In general, it is in our interests that the customer does not pile up nonsense in a cloud, so that everything will be correctly and beautifully constructed. And so that there is no false negative, if the admin is somewhere namudril out of ignorance or chance. Therefore, free help.
Source: https://habr.com/ru/post/256217/
All Articles