
How we moved a Western company's data center to the Russian Federation because of the personal data law

For foreign companies, the story of their IT infrastructure is very simple: it grew up in the West, and that is where it stayed. In Russia, as a rule, there are not even any engineers, and all services are provided from somewhere in Ireland, Frankfurt, Boston or other cities where the parent organization and its data centers are located.

The situation changed dramatically when the amendments to FZ-152 came into force, stating that the personal data of Russian citizens must be recorded, systematized, stored and processed using databases located exclusively in our country. Some companies decided to set up data centers in Moscow so as not to lose business. In our case, it turned out like this (some components and names have been changed because there is a non-disclosure agreement; they are foreigners, what do you expect):


There was a sea of difficulties, for example:


Problem statement


Firstly, it was quite difficult to put together a precise technical design, and to understand in general what to do and how. The specifics are very simple: in Russia there is an office that does business, not IT. For us, a CMS, an ERP, a workflow system and a mail server are different things, but from the manager's point of view they are all the same system. So the Russian representative office acted solely as the legal entity with which the contract was signed. Absolutely all negotiations took place with foreign colleagues. Even the contract was in two languages. At the start, their specialists came on a tour of our data centers: their IT vice presidents as guests, our top managers as guides.

Secondly, geography. The site and the administrators were in one time zone, the developers in another, and we in a third. Fortunately there was no language barrier: the entire IT world speaks English, and there were no misunderstandings even with the Chinese.

Thirdly, it was necessary to understand what counts as personal data (PD) in their information exchange, which meant bringing in lawyers. The lawyers concluded that, for this company, PD is any data by which a person can be identified. That covered the storage and processing of full names, photos, various indirect attributes such as place of employment together with position, and the addresses of social network accounts. At the same time, Twitter addresses with nicknames are not PD. By the way, we ran a short primer on this not so long ago.

It helped a great deal that we had a lot of input data. The rule with a move is this: the less input you have, the more expensive the solution. You budget for the most expensive product that can do everything and the most expensive licenses, and then you cannot win the tender because the customer does not like the price. We spent our own time and showed that we could work it out. And it turned out much cheaper for the customer.

As a result, two tasks took shape: the primary one, the transfer, and the secondary one, certification. The point is that the regulator will look first at companies of foreign origin and at where their data is. If it is abroad, blocking can happen much faster than systems can be moved. The second question, which requires deeper and more careful digging, is the certification of system elements. In our practice, nobody tackles both issues at once. First comes the move, then checking everything on site, then the rest. These are two different projects.

Part A - moving - took six months from the first contact.

Stages


First, we provided a test zone of several virtual machines, on which the customer carried out a so-called proof of concept. CROC acted as the infrastructure provider: servers, storage, and network.

The customer's representatives made test transfers, checking how the connection is established, how fast data is transmitted, and how to deploy the system within what we provide. Roughly speaking, they studied the toolkit.

Then the production equipment was received and installed. At this point the transfer of the real systems began, but without moving the actual load: load tests were run to confirm that the systems work. Then came the move itself, with downtime, over a weekend.

Infrastructure


We needed connectivity to three data centers, so we worked in close tandem with our foreign colleagues. Apart from the difficulties with time zones, everything went smoothly and with a very high level of mutual understanding.

As a result, we built the entire infrastructure for the Russian site, and the customer loaded the data onto it themselves, under our supervision in case of surprises. Our part is the infrastructure up to the level of the operating system and the virtual machine. The addressing was agreed almost immediately, and our network architect worked side by side with theirs. Internal addressing is fully consistent with their original network. Public addresses are Russian, because our channels are used.


The simplest case is the backup scheme.

A useful lesson in data collection


At first glance the project seems quite simple: supposedly, all you have to do is assemble here the same thing the customer has in Europe. But the customer's services there are also spread across different data centers, and they wanted to evaluate subsequent modernization right away. All these requirements do not always fit well with "just transfer it", so things have to be explained and worked out.

Identifying the infrastructure requirements and agreeing on the terms of reference took half of the project time, that is, almost three months. We managed to save a lot of time by creating special questionnaires in the form of a list of closed questions ("yes" / "no" or 3-5 options), so as to get unambiguous information from the customer. Before that, I had experience with open questions on a similar move, and the answers were such that I had to go through two more iterations. Here we received quite a lot of information from the start and could propose our own options.

In most cases this approach is justified. But in a couple of places we ran into nuances that ended up making the migration a bit more difficult. Despite the increased labor costs, we did that work at our own expense, because we were the ones who chose the closed-questionnaire approach.

Plus local peculiarities, of course. For example, we had to fight to agree on the deadlines: foreign colleagues do not always have a realistic idea of actual equipment delivery times. They do not understand that it is not always possible to bring a specific item into the Russian Federation. Prices are not like theirs either: ours are different, and what is more expensive in Europe may be cheaper here. Or vice versa.

What surprised us was their perfect thoroughness in everything that concerns existing standards and rules, often written 10 years ago. All of it works for them at an honest 100 percent, not at 20-80, as we often see in Russia. Here, any standard rule is treated as a kind of useful recommendation. For them, it is an iron barrier.

Or take the migration plan. Here, operational changes are made with a simple phone call, but that does not work for them. You have to register the change, attach a diagram, then send letters and wait for Monday. No overtime. They are used to working steadily, unhurriedly and with pleasure, but to an A-plus standard.

We also did not always see their structure: at the communication stage you do not always even know who you are talking to. And you think: OK, we agreed, tomorrow they will demand. But this person is in Ireland, the hardware is in America, and he has his own IT team with whom he still has to coordinate everything, and they have to show the project to the team leader in China. By the time the letter with the answer arrives, at least two days have passed because of the time zones. There are many separate business divisions, and each technical unit has its own wishes, especially for the future. Coordinating with 10 people in copy is perfectly normal.

Or an altogether wild example: updating the firmware of a router. Here the head of IT decides; there, all 10 of these people decide at once, and the application developers get involved too.

We implemented them on our own, and later the customer turned to us for support, not only at the infrastructure level, but also at the operating system level.

Now their next step is disaster recovery. Our offer: we have two data centers with thick independent channels between them for synchronous replication. We are ready to switch over or recover at any time, in other words to build any solution.

Summary


We agreed on the downtime for the switchover and had moved 32 hours later (most of the downtime is the final data synchronization and production tests), coordinating the work of all the teams. The system has now been running without any complaints for several months.

Briefly, the story went like this: installation of hardware, assembly, testing, rolling out infrastructure software, bringing up virtualization, initial setup, maintenance and implementation of their systems, more tests; from there the customer's team carried on. Sometimes they asked us to help with their tasks. For example, on the application performance tests we dug in together with them, looking for bottlenecks in the infrastructure. We have all sorts of services; we are, after all, first in IT infrastructure in Russia. They made bold use of all of them, to everyone's satisfaction. Their network engineers looked into the project only a couple of times, when there were degradations on the international channels; the rest of the time nobody except the application people is involved in operation.

For 2 weeks after go-live we were in enhanced support mode, that is, every day we discussed statuses and minor improvements with their specialists. Now we provide the infrastructure: servers, storage systems, networks, load balancers, information security devices, virtualization, and the backup system. In addition, all of this is backed up in failover mode in the second data center, which gives an SLA of 99.9% for all levels of the infrastructure.

Links


Source: https://habr.com/ru/post/277891/

