In recent years the growth of the information security market, and of interest in the field among a wide audience, has been driven by the pressing issue of personal data protection. A great many orders, amendments to Federal Law No. 152-FZ of July 27, 2006 "On Personal Data" (152-FZ), and regulator methods and recommendations have been issued on the subject.
What counts as personal data? By definition, it is any information relating directly or indirectly to an identified or identifiable individual (the personal data subject). For example, a record that holds a subject's address but no full name is still personal data, but depersonalised personal data, since the subject cannot be identified without additional information. A detailed classification of personal data is given in Government Decree No. 1119 of November 1, 2012 "On approval of requirements for the protection of personal data during their processing in personal data information systems" (PP-1119). Depersonalised personal data is defined in 152-FZ.
When a company that is a personal data operator needs to protect a system containing personal data, it faces an important decision: build a security system on its own infrastructure, or move the information system to the "cloud" and satisfy the legal requirements through the hosting provider.
This article discusses the second approach.
With the entry into force of Federal Law No. 242-FZ of July 21, 2014 "On Amendments to Certain Legislative Acts of the Russian Federation Regarding the Clarification of the Procedure for Processing Personal Data in Information and Telecommunication Networks", which obliges operators processing personal data of Russian citizens to keep their systems and databases on servers physically located on the territory of the Russian Federation, many Russian data center operators providing IaaS services began building capacity, integrating additional information security solutions and developing consulting competence for compliance with the law. Today the leading hosting providers can offer their customers a quick and simple way to obtain a working infrastructure with pre-installed information protection tools.
A "cloud" personal data information system (ISPDn) is well suited for:
- developers of application software and online services;
- placement of shared services (Shared Services) of large companies;
- online stores;
- startups;
- social networks;
- microfinance services;
- and others.
The advantages of the cloud approach are as follows:
- reducing staff costs;
- capital cost savings;
- scalability of computing power;
- high availability of infrastructure;
- no costs for equipment upgrades and support;
- standardization of company services.
Key points when moving personal data to the "cloud".
Choosing a hosting provider. There are a huge number of companies offering hosting services today. How do you choose a provider correctly without having acquaintances who know the field?
The first thing to check is whether the data center is located on the territory of the Russian Federation, since that is one of the requirements of 242-FZ. An important factor is the data center's fault tolerance measured against international standards (for example, the Tier classification).
For a hosting provider to offer information protection services, it must hold an FSTEC license (for technical protection of confidential information) and an FSB license (for work with cryptographic information protection tools).
A great advantage is a documentation development service for the hosted information system: there is no need to find a separate contractor for the system's documentary support, and the provider assists during regulator inspections, which makes passing them without remarks, orders and, above all, fines much simpler.
Choosing the architecture of the hosted system. Note that every system component containing personal data must be protected. The cost of information security tools can therefore be reduced by the following methods:
- depersonalisation of personal data. Applicable in systems that use personal data only as statistical data;
- splitting the personal database into a depersonalised database (DB 1) and a database of identities holding references to DB 1 (DB 2). Under the legislative requirements, the required security level then has to be ensured only for DB 2 (there is no consensus on the legitimacy of this approach, so each operator decides at its own risk);
- dividing the system into segments that do and do not contain personal data. Applicable for online stores, banking portals, etc.;
- splitting one large system into two or more, depending on the personal data processed. The part of the system that becomes, on paper, an independent personal data information system (ISPDn) can then be assigned a lower security level. Applicable for large corporate, medical, banking and other systems.
When applying these methods, do not forget about the system's future development: some cost optimisations make scaling and maintenance harder later on.
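The DB 1 / DB 2 split described above, as an added example that is not part of the original article: one table of customer records is divided into a depersonalised statistics store (DB 1) and a separately protected identity store (DB 2), linked by a keyed pseudonym. The record set, the linking key and all function names are hypothetical; two in-memory SQLite connections stand in for the two separately hosted databases. The example also includes a release check that no direct identifier reaches DB 1, and shows that re-identification needs either access to DB 2 or the key, which is what justifies protecting only DB 2. It does not settle the legal question the article flags as contested, and quasi-identifiers left in DB 1 (age band, region) still need a separate re-identification-risk assessment.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed sample: a customer table as a small online store might hold it.
SAMPLE_RECORDS = [
    {"subject_id": "cust-001", "full_name": "Ivan Petrov",
     "address": "Moscow, Tverskaya 1", "phone": "+7 900 000-00-01",
     "age_band": "30-39", "region": "Moscow", "order_total": 1200},
    {"subject_id": "cust-002", "full_name": "Anna Sidorova",
     "address": "Kazan, Bauman 5", "phone": "+7 900 000-00-02",
     "age_band": "20-29", "region": "Kazan", "order_total": 800},
    {"subject_id": "cust-003", "full_name": "Oleg Smirnov",
     "address": "Moscow, Arbat 12", "phone": "+7 900 000-00-03",
     "age_band": "40-49", "region": "Moscow", "order_total": 300},
]

# Columns that identify a subject directly; none of them may reach DB 1.
DIRECT_IDENTIFIERS = ("subject_id", "full_name", "address", "phone")

# Hypothetical linking key. It belongs with DB 2 (ideally inside a certified
# crypto module), never with DB 1: without it a DB 1 row cannot be joined back
# to an identity even by enumerating customer numbers.
REF_KEY = secrets.token_bytes(32)


def pseudonym(subject_id: str, key: bytes) -> str:
    """Keyed one-way reference. HMAC rather than a bare hash, so the small
    space of customer numbers cannot be brute-forced without the key."""
    return hmac.new(key, subject_id.encode("utf-8"), hashlib.sha256).hexdigest()


def split_records(records, key):
    """Split each record into a DB 1 row (statistics, no direct identifiers)
    and a DB 2 row (identity) that share the same reference."""
    db1_rows, db2_rows = [], []
    for rec in records:
        ref = pseudonym(rec["subject_id"], key)
        db1_rows.append({"ref": ref, "age_band": rec["age_band"],
                         "region": rec["region"], "order_total": rec["order_total"]})
        db2_rows.append({"ref": ref, "full_name": rec["full_name"],
                         "address": rec["address"], "phone": rec["phone"]})
    return db1_rows, db2_rows


def db1_leaks_direct_identifiers(db1_rows) -> bool:
    """Release gate: True if any direct identifier column slipped into DB 1."""
    return any(col in DIRECT_IDENTIFIERS for row in db1_rows for col in row)


def load_stores(db1_rows, db2_rows):
    """Two separate connections stand in for two separately hosted databases."""
    db1 = sqlite3.connect(":memory:")
    db1.execute("CREATE TABLE stats(ref TEXT PRIMARY KEY, age_band TEXT, "
                "region TEXT, order_total INTEGER)")
    db1.executemany("INSERT INTO stats VALUES (?, ?, ?, ?)",
                    [(r["ref"], r["age_band"], r["region"], r["order_total"])
                     for r in db1_rows])
    db2 = sqlite3.connect(":memory:")
    db2.execute("CREATE TABLE identities(ref TEXT PRIMARY KEY, full_name TEXT, "
                "address TEXT, phone TEXT)")
    db2.executemany("INSERT INTO identities VALUES (?, ?, ?, ?)",
                    [(r["ref"], r["full_name"], r["address"], r["phone"])
                     for r in db2_rows])
    return db1, db2


def revenue_by_region(db1):
    """Analytics that needs only DB 1, so it can run outside the protected segment."""
    return dict(db1.execute("SELECT region, SUM(order_total) FROM stats "
                            "GROUP BY region ORDER BY region").fetchall())


def identity_for_ref(db2, ref: str):
    """Re-identify a DB 1 row: possible only with access to DB 2."""
    return db2.execute("SELECT full_name, address, phone FROM identities "
                       "WHERE ref = ?", (ref,)).fetchone()


def orders_for_subject(db1, subject_id: str, key: bytes):
    """Find a named subject's rows in DB 1 (e.g. for an access request):
    needs the key, so it is also a DB 2-side operation."""
    ref = pseudonym(subject_id, key)
    return db1.execute("SELECT order_total FROM stats WHERE ref = ?",
                       (ref,)).fetchall()


if __name__ == "__main__":
    rows1, rows2 = split_records(SAMPLE_RECORDS, REF_KEY)
    assert not db1_leaks_direct_identifiers(rows1)
    store1, store2 = load_stores(rows1, rows2)
    print(revenue_by_region(store1))
    print(identity_for_ref(store2, rows1[0]["ref"]))
```

The release gate only catches direct identifiers by column name; whether the remaining columns of DB 1 are sufficiently depersonalised for the data actually held (small regions or rare age bands may still single people out) is a judgement the threat model has to document.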
Choosing information security tools. This is the hardest choice in the coming migration to the "cloud", because any security tool applied to an application system affects the service's operability and availability in some way (most often negatively).
First, determine the required security level of the system using the simple algorithm in PP-1119 or one of the simplified tables available online. Once the technical requirements to be met are clear, the task of choosing the technical tools arises. Here it is better to rely on the advice of the hosting provider's information security specialist, since companies that offer an ISPDn protection service test all their information protection tools for compatibility with the most popular operating systems and application software. You should nevertheless verify that each tool has a valid FSTEC or FSB certificate of conformity (usually published on the developer's website).
A threat and intruder model is then created for the allocated infrastructure; it narrows the choice of protective tools, since some threats can be neutralised by organisational measures or by the infrastructure of the data center hosting the system.
Migrating the system. In the first stage of placing the system in the cloud, it is best to set up a test environment in which the system's basic properties are checked, and to run load testing to determine whether the hosting provider's chosen network infrastructure suits the workload.
Additional services. After the system has been migrated and tested, it is put into operation. To improve reliability, build a proper monitoring system or connect to the hosting provider's existing one. Do not forget backups.
Documents and verification by the regulator.
When signing a contract with a hosting provider, a separate agreement on personal data processing must also be concluded. This records that the company (the personal data operator) has entrusted part of the personal data processing to the hosting provider, i.e. the latter assumes responsibility for meeting the legal requirements for the established security level of the system. A threat model, under which the installed protective tools are applied, should be attached to the contract. This matters during an inspection.
Today compliance with the personal data processing requirements is supervised by Roskomnadzor. Inspections examine the ISPDn documents: they should set out the personal data processing procedure, establish the order of interaction with personal data subjects, describe the ISPDn and the measures for its protection, and so on. Prepare the document package in advance so that the inspection does not turn into a difficult situation and no time is wasted revising it.
Many hosting providers and integrators offer ISPDn attestation. This procedure is not mandatory and is quite expensive, so under budget constraints it is better to skip it and focus on the mandatory set of documents, which is governed by the following legislative acts:
- 152-FZ "On Personal Data" - the federal law regulating the processing (use) of personal data - the main law;
- 242-FZ "On Amendments to Certain Legislative Acts of the Russian Federation Regarding the Clarification of the Procedure for Processing Personal Data in Information and Telecommunication Networks" - amendments to the law (including the requirement to store data on the territory of the Russian Federation);
- PP-1119 "On approval of requirements for the protection of personal data during their processing in personal data information systems" - security levels, classification of personal data;
- FSTEC of Russia Order No. 21 of February 18, 2013 "On Approval of the Composition and Content of Organizational and Technical Measures to Ensure the Security of Personal Data During Their Processing in Personal Data Information Systems";
- FSB of Russia Order No. 378 of July 10, 2014 "On Approval of the Composition and Content of Organizational and Technical Measures to Ensure the Security of Personal Data During Their Processing in Personal Data Information Systems Using Cryptographic Information Protection Tools Necessary to Fulfil the Requirements Established by the Government of the Russian Federation for the Protection of Personal Data for Each Security Level";
- Government Decree No. 857 of August 19, 2015 "On the automated information system "Register of violators of the rights of personal data subjects"".
The last decree was adopted recently: since September 1, 2015, any company that violates the statutory procedure for processing citizens' personal data risks being entered in this register, which may create certain difficulties in doing business.
So let your company choose its own way to comply with the law at the lowest cost and with the greatest benefit to the business.
If we have missed something, or you have questions while reading, ask them directly in the comments to this article.