
The law “On Personal Data” and the practice of its application in Russian reality



As you know, Federal Law No. 152-FZ "On Personal Data" has been in force in Russia for several years.
Since its first publication in 2006 the Law has undergone significant changes: personal data must now be stored on the territory of the Russian Federation (the localisation requirement introduced by amendments that took effect on 1 September 2015) and must be protected. In practice this means greater responsibility for businesses that process such data. How hard it is to comply with the requirements of the Law "On Personal Data", and whether it has any real effect, is what this article is about.

Any legal entity organised under Russian law is subject to this regulation. Our project, RUVDS, is affected by the Law in two ways: in the processing of our clients' personal data, and in the protection of the information that our clients handle on our equipment.

There are several objects of protection.

The first type of data is the customer's own data: name, date and place of birth, passport details, and, for legal entities, information about the company. When a client starts working with the service, he agrees to transfer this information to us for processing, and we undertake to handle it in accordance with the Law. This is a relatively well-understood and straightforward object of protection.

The second type of data is the information that clients themselves store on a VDS/VPS server. This is the most significant and important object of protection. For individuals, examples of such data are logins and passwords for social networks and mail, and personal accounting records. For legal entities the range is even wider: customer databases, accounting, and specialised software.

From the point of view of the Law, a legal entity that transfers data for storage or processing remains fully responsible for protecting that information. That is why banks, brokers and large businesses vet a potential partner in data storage and processing, and they check everything. Some clients have come to our data centre in person to make sure that the physical media and communication channels are reliably guarded and that the staff are genuinely competent.

How can I organize data protection?

There are various sources of threats to personal data: for example, a company employee using customer data for personal purposes, the destruction of a customer's data (whether the customer is an individual or a legal entity), or data theft by hacking a server.
These are probably the best-known and most easily understood threats that every telecom operator faces. The full list, of course, is much longer.

Naturally, there are different ways and levels of data protection.

In the terms of Law 152-FZ, the steps for protecting information are: identifying threats, developing security measures and keeping an inventory of information carriers, applying the measures and evaluating their effectiveness, and monitoring the security system as a whole. Our company carries out all of these steps consistently, and the work starts with people. Every employee, on joining the company, is shown the list of confidential information, which in particular includes customers' personal data, and signs an undertaking to work with that data within the framework of the legislation of the Russian Federation.

However, it is impossible to rely on conscientiousness alone here. We therefore have a clear system of separation and control of access rights, developed by certified information security specialists. In short, access to customer data (the first type mentioned above) is granted only to employees whose qualification for working with confidential information is confirmed by a certificate, and strictly according to the rules. Access is always personalised, and every employee action is logged. So if a specialist has modified, downloaded, sent or saved client data, we will always see it and be able to determine unambiguously who did it.

Access to the data that clients store on their servers (the second type) can be obtained by employees only on a request from the client, for example for help with configuration or for some additional specific service. The employee who carries out any work on a client's server is likewise certified to work with confidential information, and the workstations from which such access is made when necessary are equipped with specialised software against unauthorised access and are certified by the Federal Service for Technical and Export Control (FSTEC).
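The two preceding paragraphs describe the principle behind personalised access: every employee is identified, only certified staff with the right role may act on a customer record, and every action, allowed or denied, is logged in a way that lets the operator say later who did what. The following Python sketch is an added example of that pattern and is not RUVDS's own code; the employee names, roles, customer records and the hash-chained log format are all constructed for the illustration.

```python
"""Personalised, role-checked access to customer records with an audit log.

Added example, not code from the original article. The staff list, role
table and customer records below are constructed test data.
"""
from __future__ import annotations

import hashlib
import json
import time
from dataclasses import dataclass, field

# Employees certified to handle confidential data and the role each holds
# (constructed; in practice this comes from HR / the certificate register).
CERTIFIED_STAFF = {
    "ivanov": "support",
    "petrova": "billing",
}

# What each role may do with a customer record (constructed policy).
ROLE_PERMISSIONS = {
    "support": {"read"},
    "billing": {"read", "export"},
    "security": {"read", "export", "modify"},
}

# Constructed customer records: the "first type" of data in the article.
CUSTOMERS = {
    "c-1001": {"name": "Example Person", "passport": "45 01 123456"},
    "c-1002": {"name": "Example LLC", "inn": "7701234567"},
}


@dataclass
class AuditLog:
    """Append-only log; each entry commits to the hash of the previous one,
    so a later edit or deletion of any entry is detectable."""

    entries: list = field(default_factory=list)
    _prev_hash: str = "0" * 64

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor: str, action: str, customer_id: str, allowed: bool) -> dict:
        entry = {
            "ts": time.time(),
            "actor": actor,          # the personal account, never a shared one
            "action": action,
            "customer_id": customer_id,
            "allowed": allowed,      # denied attempts are logged too
            "prev": self._prev_hash,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        self._prev_hash = entry["hash"]
        return entry

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered or removed."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def who_did(self, action: str, customer_id: str) -> list[str]:
        """Answer the question from the article: who exported/modified this record?"""
        return [e["actor"] for e in self.entries
                if e["action"] == action and e["customer_id"] == customer_id and e["allowed"]]


class CustomerStore:
    def __init__(self, log: AuditLog):
        self.log = log

    def access(self, actor: str, action: str, customer_id: str) -> dict:
        """Check that the actor is certified and the role permits the action;
        the decision is logged before any data is returned."""
        if customer_id not in CUSTOMERS:
            raise KeyError(customer_id)
        role = CERTIFIED_STAFF.get(actor)
        allowed = role is not None and action in ROLE_PERMISSIONS.get(role, set())
        self.log.record(actor, action, customer_id, allowed)
        if not allowed:
            raise PermissionError(f"{actor!r} may not {action} {customer_id}")
        return CUSTOMERS[customer_id]


def demo() -> AuditLog:
    """Three accesses: one allowed export, one role violation, one uncertified user."""
    log = AuditLog()
    store = CustomerStore(log)
    store.access("petrova", "export", "c-1001")        # billing may export
    for actor, action in (("ivanov", "export"), ("sidorov", "read")):
        try:
            store.access(actor, action, "c-1001")      # support may only read; sidorov is not certified
        except PermissionError:
            pass
    return log
```

After `demo()` the log attributes the export of `c-1001` to `petrova` alone, records the two denied attempts, and `verify()` fails as soon as any stored entry is changed, which is what makes the "we will always see who did it" claim checkable rather than a matter of trust.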

Such an organisation of work protects customer data from potential malicious actions by employees and confines any possible leak to a small set of protected, isolated machines. In addition, our operators' room is under round-the-clock video surveillance to deter leaks by simply photographing a screen with a phone or camera.

That still leaves the problem that the system administrators and security officers of many companies struggle with: the hacking of information systems. It must be said that protecting a virtual server against intrusion is much simpler and more transparent. When you have to secure the exchange of data between employees' physical computers, each of which holds confidential information, you have to monitor every PC and the activity on it at every moment. If all the data sits on one virtual server, you only have to control access to that server. On top of that, the data centre as a separate business unit has already done its own work on protecting customer data, including protection from DDoS attacks, and the hosting and service provider has worked on the same tasks separately. For example, our data centre monitors both the servers themselves and a traffic analyser that allows DDoS attacks to be blocked quickly. So from the very start of the relationship the client gets a serious level of protection "out of the box".
If more is needed, a dedicated DDoS protection service can be ordered. With this service the server receives an IP address from a dedicated subnet, to which only an already-filtered traffic stream arrives. This matters for popular sites, online banking and gaming resources.
At the same time, when many people access the server, each access is personalised and logged, both by the VPS itself and by the operator's own controls, so any illegal activity with the data can be detected and stopped quickly.

This is why so many companies move collaborative work with data, from general development to storage of long-term financial statements and Internet banking, onto virtual servers. It is cheaper and more efficient.
Among our clients, for example, are banks and brokers. There are certain specifics to working with them, but from the point of view of data security it is neither harder nor easier than with any other client. Security standards and the level of service are equally high for a small retail client and for a large legal entity. Why? Because a licence can be revoked for a violation against any client, and how could a legal entity entrust its data to an operator that cannot protect the data of a retail customer? That said, at the request of large clients we can install additional monitoring and protection tools that the client considers necessary; here we always meet them halfway. Naturally, large customers take nobody's word for it, so competence and level must be confirmed by licences.

Any telecommunications operator that provides its services through its own communication centre (data centre) must hold Roskomnadzor licences for the relevant activities. Our company, for example, is licensed to provide telematic communication services and data transmission services (excluding voice). Separately, to work with confidential information and state secrets, an FSTEC licence must be obtained. Such a licence is granted only if there are internal procedures for protecting information, special certified software and equipment for controlling access to data, and physical protection of information carriers from any form of theft or tampering. This is a serious guarantee when working with legal entities. RUVDS is currently in the process of obtaining this licence.

In practice, actual data protection begins with several security perimeters around the premises, with video surveillance and personalised access to the rooms containing the equipment; the equipment itself and the control room are also under 24-hour video surveillance. All communication passes through certified secure switches, and the processing and storage of customers' personal data takes place on a dedicated machine under the control of specialised software designed to prevent leakage.
The room itself has blank walls at least 1 metre thick, which protects against acoustic eavesdropping. Such conditions usually cannot be created in an office, not to mention the technical side: constant temperature, uninterrupted connectivity and power, and gas fire suppression. In essence, it is a data repository as reliable as a bank vault.

Why such measures?

All over the world it has long been understood that information is a kind of oil. It may be useless, just as oil itself was once worthless, but used properly it can become a gold mine. In our country this has also been recognised, and protection of this resource has begun. The simplest use of such information is a database of potential customers, which is probably the most harmless, so to speak. The range of uses is vast, up to collecting compromising material and breaking into bank accounts with the information obtained. That is why protection must be serious and permanent.

Fault tolerance and backup storage must not be forgotten either. Although failure of an entire server is extremely unlikely, there should always be a data mirroring system, and for serious clients, on request, twice the disk capacity is normally allocated for permanent backup. This is essential for banks, especially those running an Internet bank on the server, because they must bring up a backup copy of the resource as quickly as possible. Our system allows this.
Another nuance is infrastructure scaling. When you run into a capacity problem with your own "hardware", you have two options: reduce the load, which most likely does not suit you, or increase the server's capacity by buying additional components if the architecture allows it; most likely you will simply have to buy a more powerful server.
Given the current economic situation, this is sometimes unaffordable for a small business and simply unprofitable. It is very hard to estimate the return on new equipment, and the money for it has to be paid immediately.

With a virtual server these issues are solved instantly. You simply re-order the resource and the company allocates the necessary capacity, usually within a few minutes. If you have grown so much that one server is no longer enough and the data needs to be moved to a new, more powerful server, that takes a couple of hours. In any case, compared with buying and setting up your own hardware, this is lightning fast, and the price is much lower. For example, renting a server with the capacity of a good laptop worth 50,000 roubles costs 1,500 roubles a month (before the discount for annual payment). The saving is obvious. Add to this that many employees can work on the machine at once, connecting from a weak, cheap PC or even a tablet, and the savings on software purchases: almost any software your team needs can be rented from the hosting provider.

Source: https://habr.com/ru/post/281230/