
Protecting personal data under Federal Law No. 242-FZ: how to understand it and what to do?



Information security remains a relevant topic: the recent “Protection of personal data” conference in Moscow discussed Federal Law No. 242, also called the “Law on the localization of personal data of Russians in the territory of the Russian Federation.” Its essence is as follows: since September 2015, organizations that act as operators of personal data (hereinafter PD) must collect and systematize the PD of Russians in the territory of the Russian Federation. Yet the lion’s share of service providers are foreign or keep their servers abroad, and Russian users who buy the services of such providers transfer their data abroad, where it is not only stored but also systematized. The question is how customers can continue to use the services of foreign suppliers without violating the PD processing requirements of Russian law.

There are two answers: either organize the protection of personal data on your own, or transfer your data to an existing Russian DC that holds the licenses and certificates needed to comply with the Federal Law. The issue is pressing for a huge number of PD operators (there are from 5 to 7 million of them working in the territory of the Russian Federation). The law applies to all companies that operate in the territory of the Russian Federation, both Russian and foreign. Although the law says that these operations should be carried out “using databases located in the territory of the Russian Federation” and not EXCLUSIVELY in the territory of the Russian Federation, by September 1, 2015, PD operators had filed more than 5,000 applications on the deployment of their information databases in the territory of the Russian Federation. In connection with the new law, a number of large foreign companies have opened their own DCs in Russia.

Given how relevant the subject is, we will describe the solution our data center plans to implement.


The secure cloud of the IT park DC is a dedicated infrastructure built with tools certified by FSTEC and the FSB. It is connected to the infrastructure of the PD operator via secure communication channels. Customers thus continue to use the services of foreign operators, while their personal data is stored in the secure cloud of a Russian data center (in our case, the data center of the IT park) in accordance with the requirements of the Federal Law.



Here is more detail on how it will be arranged. The secure cloud consists of the following elements:
• Separate physical servers, switches and storage systems;
• An MS Hyper-V virtualization environment deployed on these servers;
• Protection of the virtualization environment by the 5nine solution;
• Communication channels protected by FortiGate firewalls, with the VPN organized on ViPNet equipment.

For service providers, the main advantages of choosing the IT park DC will be no costs for creating and owning cloud infrastructure, compliance with the requirements of the Federal Law on PD, and no costs for technical support, which is provided 24 hours a day.

Of course, there is no single solution that suits every customer. Each supplier has its own infrastructure, so each PD protection solution is individual and takes some time to develop. On average, the process takes from 2 to 6 months depending on the complexity of the task, and goes through the following stages:
1. Definition of the model of interaction with the PD operator;
2. Assessment of the required resources;
3. Drafting of technical specifications and of organizational and administrative documentation;
4. Migration testing.

Now let's summarize, starting with the less pleasant conclusions.

With the introduction of the law, service providers who store their data on foreign servers face additional costs. In addition, transferring the data is laborious and takes quite a long time, and it cannot always be done without stopping services.

But there are also positives: by transferring its data to a Russian data center, the service provider avoids the costs of creating and maintaining cloud infrastructure, and the infrastructure is protected in accordance with Russian law.

It is worth noting that the introduction of the Law on PD Protection gave an impetus to the development of Russian data centers: complying with the law requires developing data center infrastructure and acquiring new equipment, and solving new, non-standard tasks raises the skills of data center staff and creates new jobs. Another advantage is that the number of violations during PD processing has actually decreased: in 2014, more than 80% of operators processed PD with violations; in 2015, about 65%. Let's hope that all this will lead the Russian data center industry to a new, higher level.

Source: https://habr.com/ru/post/271061/

