
Data Protection - Modern Security Challenges



Our third piece in the series on how the Cloud Technologies Forum took place in Russia is devoted to the second and, in my opinion, one of the most interesting plenary sessions of the event, “Data Protection - Modern Security Challenges”. Experts in the field of data protection discussed the main threats and ways to overcome them when building a cloud infrastructure and moving companies into the public cloud. The discussion covered both compliance issues and the technical side of data protection measures, with telecommunications companies, providers and banks sharing their experience.


Participants:
Moderator of the discussion: Kirill Zapolsky, Head of Development, Sberbank-Technology
Andrey Tomilenko, Managing Director, Big Data Host
Vadim Frolov, General Director, Telecom MediaSoft
Artem Fedoseev, Project Manager, RUVDS
Dmitry Krasnov, Head of the Information Technology Department, JSCB Education
Artem Paizansky, DMA and algorithmic trading department, FINAM JSC




After welcoming the guests and speakers, the moderator, Kirill Zapolsky, Head of Development, Sberbank-Technologies, took the floor:

- While our speakers are coming up, I tried to prepare, perhaps even, in a sense, to help all the participants. I printed out Federal Law 152 (152-FZ), so if anyone suddenly wants to see it and, so to speak, rely on the actual text right away, raise your hand and I will gladly pass on these 25 pages of fascinating reading. Probably there is no point in dwelling on the introductory part; the period when everyone said that data protection is very important has already passed, and everyone probably understands this by now. It makes no sense to argue about this topic for long, so we will try to go straight to the questions, let the speakers speak, and discuss all these applied questions in the course of the discussion.

- I will also say a little about the terminology we will use. According to Law 152, there is a term “personal data operator”: a company, a group of companies or a person who stores, receives or processes any personal information about a person; it can be phone numbers, passport details, last name, first name, patronymic, in general any data that somehow relates to an individual. I think everyone here will use this term, and I would like it to be clear to everyone. Let's probably put the question to all participants of the session right away: “How exactly did you have to deal with this law, since it concerns many aspects of processing personal information? How do you actually implement it? What are the difficulties, what are the subtle points from your practice that you encountered with regard to the applicability of 152-FZ?”



Dmitry Krasnov, Head of the Information Technology Department, JSCB “Education”:

- Well, let me start as a representative of a bank. From the point of view of processing personal data, no particular problems arise; the only thing is that the law was changed several years ago, changed quite often, and there was uncertainty. Once the law had become, so to speak, more or less stable, no questions arise. Information security adds documents, draws up the necessary provisions, a signature consenting to the processing of personal data is taken from each client, and the process is, in principle, debugged. At the moment, all personal data in the bank is stored in the internal cloud; that is, we are not in a hurry to move it, since we have already prepared the infrastructure, it is ready, and we do not see any further prospects in this, but there are no difficulties with it either. If data is transferred to third parties, all the bureaucratic processes for this are also spelled out; moreover, we have several services that other vendors sell us for individuals, and that is in the possession of another company. And there are no problems with this. We have passed many inspections, by the Central Bank, by the Federal Service for Supervision of Consumer Rights Protection and Human Wellbeing, and by the FSB, and there are no problems. That is, a certain set of documents is requested, the contractual base, and that's all.



Andrei Tomilenko, Managing Director, Big Data Host:

- From the point of view of a hosting or Internet provider, a provider of cloud technologies, there are no special problems either. It is clear that when registering, the user provides his basic data: surname, name, patronymic, e-mail, telephone numbers, but essentially the only requirement of the law is to state in the offer that the user must agree to the processing of personal data. At registration itself he confirms that he agrees to the processing of personal data, and that's it, plus the obligation of the cloud service provider not to give this data to a third party and to ensure its safety. That's all.



Artem Fedoseev, Project Manager, RUVDS:

- Good afternoon, colleagues! I would like to add the following: based on our hosting experience with our clients, one client who is competent enough in the field of legislation asked us to delete his personal data and, before that, to provide a list of the purposes for which we collected this data. It is important to note here that when working with a bank, as a rule, this is a “face to face” client, a client you see; he signs a paper that he, at least formally, should read, and he understands what this data is processed for: for example, for you to get a loan, the credit bureau should evaluate you. When you buy or rent a virtual server, the collection of passport data from the client is sometimes not obvious. Why, it would seem, ask for passport data for a “virtualka” for 240 rubles? However, there are legal requirements that force the hosting provider to store data about the client who uses our services, for the reason that there have been cases of attacks being initiated from hosting services, in particular on state resources. I won't name exactly which ones, but there are a lot of them, and if you study attack statistics, in particular on banks, you will see that about 10% are DDoS attacks, which, as a rule, are also carried out from unknown anonymous servers that were bought or rented without any data. And this client, demanding to be shown why we collect data, was absolutely right, because Law 152 obliges the provider to explain. And the same law obliges any data operator, even one that is formally not on Roskomnadzor's list of data operators, to collect only the personal data that is sufficient for the provision of services; it should not be redundant.
And there is a subtle moment: when a client requires you to delete data, you are between two fires. You must delete the data, but at the same time you have Roskomnadzor, FSTEC and the FSB, who can send the company a request on suspicion of some crime by your client, and you must provide all the data. If you do not keep the act of destruction, containing the maximum amount of data about the client at his request, you can potentially even become an accomplice in a crime. So there is this twofold moment: it seems that you have deleted the data, and yet it is as if it remained, and you have to provide it; we should not forget about this, because, on the one hand, we live in Russia, and the more data about customers you collect, the safer and the more relaxed you sleep. That is why a colleague does not want to keep Roskosmos data, because he wants to sleep, God forbid something happens to him. Here it is necessary to take this into account even at a small scale. Roughly speaking, I like to give the example that even if you own a simple barbershop that records a regular customer's phone number, in fact you are also governed by this law; another matter is that if you have not transferred this data to a third party, you are not obliged to register in the prescribed manner. That is a comment on how this law as a whole is applicable in practice. I would probably like to hear Vadim on this topic.



Vadim Frolov, General Director, Telecommunication Company MediaSoft:

- Yes, well, in fact, regarding personal data, we are also providers, that is, to justify the registration of any login, we store the login together with the name or legal entity, and, well, a contact e-mail, contact numbers. Well, that is, it was introduced, we outsourced it, plus we additionally made, as it were, our own security systems: an access control system for the server room where the servers with personal data are stored directly, and video surveillance systems. Usually, questions about this law arise either when conflicts with clients arise (well, I understand that he just wanted to force you to do something, no more than that, I think), or if a leak occurs, when the data is stolen and published by security. Then a scandal will arise, and then, probably, some questions will arise. But in general, in principle, the law is fairly normal and simple to comply with; you just need to try to avoid conflict situations; otherwise, people probably never ask about it and don't think about it.

Kirill Zapolsky (Moderator): - I would just like to come back a little: when preparing for today's event, on the contrary, I read a lot of reviews saying that many people don't understand how this law works, don't understand some aspects; many aspects are very, very vague, using wording such as “sufficient, necessary”, which, God forbid, in court can be interpreted in two ways. Here I would like to check with the participants, who, it seemed to me, demonstrated a very confident vision of their future regarding this law. Is everything really so smooth? Are all the wordings of this law clear, all the points easy to implement, and the only thing you need is to follow the letter of the law?

Artyom Fedoseev: - Right now we are in the process of obtaining an FSTEC license, and therefore we have to study the requirements of the Federal Service for Technical and Export Control quite meticulously. There really are a lot of formulations such as “your means of protection must ensure an adequate level of data security”. There is a whole set of software or hardware, essentially sensors, with different licensing; that is, you can get a license for means of protecting confidential information or for developing those means of protection. If you protect the premises, you have a rather long list of sensors that until recently could have been bought abroad; in connection with the sanctions, with this whole situation, you now have to turn to Russian counterparts, whose production, first, is not implemented on such a massive scale, and secondly, the quality, unfortunately, according to the same licensees, is inferior to Western counterparts. This despite the fact that Western counterparts are also certified by the FSB, so there are certain problems. And when you choose from this list, you seem to be making enough effort, but the regulator, who will check you every year, can always say that in their opinion it is not enough. For example, you have two rooms that are protected, or rather one main room is protected, where the database is located, and in the other you have, for example, ventilation, with a pipe between them that carries air. Here there is a whole list of potential sensors that need to be put into the pipe in order to control the non-transmission of sound information through it, not to mention, in my opinion, the absolutely delusional requirements of some licensees to protect against leakage of induced emissions from CRT monitors, which are not used anywhere now. And even if you do not use them, they can make you put in this sensor.
And this, of course, in my opinion, I will say, perhaps not very officially, is nonsense. Yes, there are also statements from the Central Bank which are also rather vague; they do not seem to prohibit, but neither do they explicitly allow. And the wording is “good enough”; it is very similar to Western laws, where lawmakers proceed from the general level of citizens who will do it for the good of other citizens and will definitely understand the phrase “good”. In our specifics, unfortunately, the word “well” can be understood by different parties in completely different ways. That, unfortunately, in my subjective opinion, is how it is. And now it is precisely for this reason that we are spending a very long time spelling out all the points on licensing our company, in order not to fall for such things later. That is my opinion.

Kirill Zapolsky (Moderator): - From here, I think, the question follows immediately: “How much does this storage infrastructure cost in general, in order to observe everything, put in sensors?” That is, if we talk to ordinary people about storing information, they think that it is just a server with a disk of some kind, yes, and software that somehow protects it. As it turns out, not quite. How much does it all cost? How long and how expensive is it to install all this?

Artyom Fedoseyev: - If we are talking about protecting the data center, then information protection tools alone, without producing the means of protection ourselves (that is, we are not Kaspersky, we do not write the antivirus), come with a price tag of at least 1 million rubles, straight away, no frills, without hiring the certified employees who should be in the company. Moreover, it is now still possible that the Government will issue a resolution that these employees should have prior management experience; that is, there will also be a conflict, because where can we get so many security people? As far as I know, MSU trains information security specialists at the military department; about 60 or 100 people graduate annually, plus a stream of programmers from the VMK faculty. Obviously, such volumes, and they are even smaller in other universities, will not provide the industry with the necessary number of specialists, so here too there is the matter that they are threatening to adopt such a resolution. A million is just the minimum, and then it depends on the imagination. A whole business is built on this; there can be very large sums of money.

Dmitry Krasnov: - Let me add: as a bank, every 5 years we undergo re-certification by the FSB, and the last re-certification, a year ago, in principle did not cause any special problems; yes, that's right, as Artem said, we have this room, the server, yes it is really certified, prepared, all these sensors are there. And having invested in this structure once, we calmly pass the re-certification. But sometimes, yes, they issue some comments related to technical matters or access, but they always give time to eliminate them, so do not be afraid of it. And I do not think this is a big problem; on the other hand, it takes a long time, yes, but then you will have a document with which you will attract all the customers.

Artyom Fedoseyev: - Obtaining an FSTEC license is, in general, in my opinion, more expedient than obtaining a Western license, with all due respect to our senior Western partners, for the reason that there are significantly more consumers of services with such a license, the same banks, the same brokers. It's one thing to transfer some customer data to the cloud, perhaps even depersonalized, or to store some part of the accounting there; it is another thing when we have a full license and can literally duplicate the entire infrastructure, up to 80% of a broker or a bank. And naturally the price tag there will not be the same as for a retail client with a server for 200 rubles. Of course, all these costs will be reflected in prices, but there is a balance, so that the client does not need to maintain the infrastructure. This is a significant advantage of converting CAPEX to OPEX, while being sure that the counterparty is responsible for his actions and has licenses, and in case of some failure he is responsible for it not just with some words like “we know each other, everything will be fine”, but his license will be revoked and he will lose money. But in general, obtaining a license already takes a year of time; that is a pity. Therefore, when someone already has something to lose, especially the one who receives money, in this case the service provider, this is a more reliable scheme of work.

Kirill Zapolsky (Moderator): - I also wanted to clarify how time-consuming the process of obtaining all these licenses is: how long it takes, how many documents it takes, how many people and days you need to spend studying the acts to make this work?

Dmitry Krasnov: - Correctly said, about a year. It is not only studying the acts; you need to select specialists and follow up on their certificates so that they correspond, that they have the education. This is quite a difficult process.

Kirill Zapolsky (Moderator): - We need to understand right away that such a process is available only to large companies, banks, specialized institutions.



Artyom Fedoseyev: - Roughly speaking, if a company has such a license, then it is clearly not a fly-by-night firm, as in the example Nikita gave, where the data center seemed to be there, but the next day it was gone; that is, this is a different level of relationship. And here there is just another moment: naturally, to get a license, you hire a legal agency that helps you go through all the steps in order not to reinvent the wheel. But unfortunately, in our city at least, there is a very famous agency, I will not name it, which, if you look for information, you will find takes money for you to learn all this yourself, and takes a lot of money. Therefore, even when you are going to get a license, you also have to approach the choice of a law firm very carefully, for the reason that in essence they have to teach you how to work correctly, and not say “here are the links to the laws, study them, we just take the money for sending your letter to the FSTEC”. They should bear the teaching role, in particular on how to work correctly. That's one more moment.

Kirill Zapolsky (Moderator): - Well, we got the infrastructure, we got the licenses; how expensive is it to support this whole thing, because it is known that the cost of supporting some IT solutions and licenses may be simply the training of new personnel, if suddenly a person has quit, gone, and a new one came? What percentage is it? How expensive is it to maintain the entire infrastructure, and in general, how often do the requirements for this infrastructure change and how expensive is it to update the whole thing?

Dmitry Krasnov: - I, as a bank, need to support such an infrastructure not only to comply with the law on the protection of personal data; I have many requirements from other regulators, and they, in principle, fit into one room. I really need to have it in my organization. It is another matter for organizations that do not need it and are only concerned with the preservation of personal data. For them, of course, it will be more profitable to host in the cloud. I honestly do not calculate such numbers, because I do not need to count them. I just need to do it. That's all.

Artem Fedoseev: - Actually, we are still obtaining it, but I assume that the very existence of a license should not be a determining factor in terms of relations with the client. There are certain moral norms, ethical norms. I understand that if a client does not need FSTEC and I treat him as not a normal client, i.e. give away his data, do not follow this, do not protect it, then my business will not work. The FSTEC license is like a certain diploma of a person, a certain brand that shows that you are thinking about something and, in general, can do business. But this is not a sufficient condition for work. It is possible to work according to the norms of FSTEC as a whole even without this license, so that the client is satisfied and understands that these are normal people. In general, regardless of whether you work in brokerage or in hosting, it is important for the client to have feedback from the company. I.e. if he understands that the company treats him as a subhuman, then he does not care whether you have a license or not. And if you do not have a license, but at the same time you are sensitive to every request of the client, then success will come soon.

Kirill Zapolsky (Moderator): - I would like to ask you a little about what, in fact, we are protecting ourselves from. What are the most common types of attacks and what are they trying to do with the infrastructure? I.e. somehow loosen it, get data out of there, compromise it. What do you most often encounter as specialists in this field?

Dmitry Krasnov: - For me the biggest risk is the substitution of payments. I.e. I have the risk not that my data will be taken away, but that it will be changed. And all the actions we build on security are aimed at avoiding this risk. Two years ago, there were still attacks on remote banking customer service, on the customers, i.e. substituting payments. And we have struggled with this quite successfully, obliging everyone to use secondary authorization, either SMS or other technical means. And now there are quite a few such attacks. But the attackers are more focused on the infrastructure of the bank and, in particular, on the machine that communicates with the Central Bank. And it has to be completely isolated from the Internet, i.e. two networks have to be separated: the network which works with the ABS and the Central Bank, and the network which has access to the Internet. But here, too, big problems arise as to how to divide it all; if we keep accessing the Internet, theoretically, of course, an attacker can penetrate and somehow forge a payment. In general, this is indeed a very big problem, and even the Central Bank acknowledges it. And in the media there is information about such hacks that were carried out, so this is a really big problem. Even when they get hold of at least one computer on the bank's network, this is already a huge risk for the bank's business. Not for customers, but for the business of the bank.



Artem Paizansky, DMA and algorithmic trading department, FINAM JSC:

- I mainly work with clients. As a broker representative, I provide clients with direct access to the exchange. We have a server that the guys serve in the colocation zone; we also use servers in their data center. And customers are most interested in how data is protected there, whether any attacks get through. They are worried about their strategies, the robots they write. They understand that they move to another level. Regional clients are very worried about this, because they understand that their trading speed improves many times, because the servers are already closer, not in Chelyabinsk. Their laptop sends signals directly to the exchange, even from the guys' data center. This is not a lot of money for them and they ask how to defend themselves, and from what. In principle, we are sure that all the protection is there. Some DDoS, a small number of clients, but DDoS attacks went through. Everything was successfully repulsed. With viruses, so far, we have not even had to deal; no one has penetrated these computers. There is completely different protection there, also by IP addresses, as Lada said, by ports. In principle, there are no special problems. Maybe the guys have them, but we basically do not notice them.

[…]: - […] An IP address is usually blocked immediately, because, in principle, it makes no sense to use it for a while, because it is already known to the attacking side. And they will constantly attack. And then you need to understand how much the subscriber himself needs this protection. […] RUVDS directly divided the common customer services and the risk zone, those who are directly attacked. For this there are additional backup channels, additional backup routers, i.e. if a subscriber is attacked, he is transferred to the filtering zone, because an attack is always a risk zone; any client that is attacked, even when helping him, is always a risk zone; it must, first of all, be isolated and separated. Therefore, all of this is immediately taken out onto separate equipment, and there they already work directly with the attacker.

Artem Fedoseev: - […]

[…]: - I can tell you that there is such a system, but it is not official. Because officially, of course, we cannot rely on this data in any way; this is the opinion of “someone”, because we cannot refuse clients according to the Constitution. But yes, there are positive customers and such analysis is carried out. And FinCERT is a bit of a different matter. It coordinates actions to combat fraudsters, but it doesn't create any system. They wanted to, but have not yet. And if this is what FinCERT will do, then it will take a few more years. They have a rather weak technical base in this regard; they are still watching the format. I can tell you that what you said about signatures and anti-fraud systems is now all embedded in the suppliers, in the software; they have an internal system, and they act with such methods, only not globally, sharing with each other, but as part of their own system. Well, in principle, that is also correct.

Artem Fedoseev: - I just want there to be information about everyone.

Dmitry Krasnov: - Yes, yes, yes. But you understand that it is impossible to tell and share about everyone; this is already just a trade secret, and not personal data. Anyone else?

Kirill Zapolsky (Moderator): - But, in particular, we are talking about DDoS attacks and so on. Andrei, maybe you have something to add about protection against DDoS attacks, specifically how to isolate the clients under attack?

Andrei Tomilenko: - […]

Kirill Zapolsky (Moderator): - […]

[…]: - We, fortunately, have never had the servers themselves go down from an attack on a single client. As a rule, this happens, as Vadim correctly said, with game resources, which are especially susceptible to attacks: all sorts of WarCraft, Counter-Strike and other guys. They make money in a very competitive market and their resources often really come under attack. If such a client is attacked and does not use our protection against DDoS attacks, then his IP address is filtered for a couple of minutes, access to it is blocked, and the attack is terminated. Accordingly, on the server, the physical unit, all the other clients may see some lag in terms of speed reduction, because the channel is clogged, but this is a short-term phenomenon; after the address is blocked, everything proceeds automatically. If the client took advantage and bought DDoS protection: we sell it in portions from 0.5 megabit; for someone that is enough, if you have a small website there and, in principle, not huge attendance, this traffic is enough. For example, for a large gaming resource someone takes even 5 megabits of protection. What constitutes the protection is analytical protection, which allows not blocking the IP address but, namely, filtering incoming traffic and delivering clean traffic to the server unit at the stated speed. In this case, as a rule: well, in my memory there was no such case as a client who used DDoS protection suffering from a DDoS attack. So far we have very good practice in this regard. The situation when a whole server goes down is already force majeure. We have not had this, and I hope we will not, because it is precisely for this purpose that this whole structure is being built, to prevent this from happening.



(): — . . . , . , , . , , , , , , , . – . , , , . , , , , - . , – , , , « », . , , , , , .

:- Yes, data integrity is very important; several clients came to me with the problem that they had written the strategy of a robot, the laptop broke, and that was all. We asked about our virtual machine service (we actually resell the services of the company RUVDS); there are backups, you can roll the whole system back, and people are already more... they have not even asked about backups, they are just more sure that they will hand these data over to someone else, that the data will be safe there, no need to monitor the hardware, no need to monitor the old hard disk; these data lie somewhere in a data center in Moscow, we trust Moscow, the data will be intact and preserved there. And we believe the guys, and we know that the data can be restored in case of anything; all the guarantees were provided to us. One of the reasons why we went to them was the quality of the channel; we checked the channel, well, actually we were interested in the channel to the exchange, we tested it with Wireshark, the channel is clean. Retransmit losses are minimal. This was one of the important steps, although this is a regular Internet channel, and not a dedicated one.

Dmitry Krasnov: - Well, for me as a bank, the transfer speed is not as important as... not as significant as for you. But, of course, I am more interested in reliability. Reliability of the provision of certain services. Well, the fact that you can lose data, well, nowadays you really have to try in order to actually lose data, because to deploy in a cloud and not have backups, well, this is stupid, and it seems to me that everyone can manage it. And what you say, "I trust third parties", no, I do not trust. Naturally, when placed in a cloud, I will have a backup, ready to be brought up in another cloud in case of anything.

Kirill Zapolsky (Moderator): — -, , , , , , . , , , . , , fat fingers, - , - - .

: — , . , , ?

: — , SLA, , , , , , , , , . , ? ? , ? , ? - . ? . . , , , , , . , . , , , - , . retail , , . , , , . Second moment. , , , - , , Intel . , , , . , . , . . , . , , « », , , , , . Something like that.

(): — , , , . , , 1,5 , . , 1,5 , , . , . , , -, , , , , . , - , - , , , , , , ? ?

:- As a bank, I have my own data center; it is not so big, 4 servers, they can pull it in principle. According to the regulations, I have to restore the working capacity of the bank, even in the event of a crash, within one day. And, of course, we have a generator and RAIDs, but we must keep track of this. And in current operations the generator may not start; if it is not started, it can break, and no one will know about it; the air conditioner can break, and no one will know about it. That is, indeed, it is very difficult. In real life, there is one data center that you configure, and it will be working, and there is a backup to which your entire infrastructure is copied once a day, or as needed. These are just two different cloud providers. In my opinion, this is a great solution. If I were building a structure from scratch now, I would build it like this. Now the proposals that exist for a backup data center are quite competitive: you turn it on, drive the data in, turn off the machine; keeping it parked is not so expensive.

Kirill Zapolsky (Moderator): - What plays the main role most often when buying cloud solutions? Dmitry has already touched on this question a little; maybe other participants have more to add. What do you pay attention to first of all? Cost? Quality? Licenses? How long the company has been on the market? Can you rely on any feedback? How can one analyze a cloud provider?

Artem Paizansky: — . , , . . , , . , , - . . – . . , , , . . . - . . Very convenient to work. . , , , . .

:- I want to add from the hoster's side. What customers contact us with. In general, why they come to us. There is such a common term in the West as business recovery in the event of the Earth leaving its orbit. That is, any company should have a plan to restore the entire infrastructure as quickly as possible. Why is it difficult to do when you have your own infrastructure? It went out of order, you called the equipment supplier, bought it, set it up, and an unacceptable amount of time passed before the business really launched again. When you have cloud storage, employees work in the cloud, all transactions occur in the cloud, all work is there and this cloud is duplicated; it is not that you will raise your business immediately, but much faster than with your own infrastructure, so you can relocate your business as you like. We have a lot of such customers, as we said in the previous session. They are freelancers who have no workplace; in particular, you know the example of a bank that has one office under development and not a single branch. And, you can imagine, if they go completely to the cloud, what freedom of thought the owner of this bank will have; he can even conduct business from Antarctica. Together with the whole team. This is a big plus. It is clear that there is a balance between what can be given there and what cannot; there will always be such a problem. And I, as a hoster, want to support Andrey Listopad. I do not need all the customer data, because I want to live in peace and not worry about it. But this aspect still needs to be taken into account: the mobility of the business (whatever anti-globalization players may say, globalization is coming), and the business should be more mobile, faster, and it is precisely cloud technologies that allow it to be so. This aspect must also be taken into account.

(): — -- .



, , :

— , . : / . , ?
: — , , , , .

: — , .

:- To do this, you must initially make sure that your physical data are in different geographic locations. You can give the example of FOREX brokers who distribute their data centers geographically. That is, when you trade with the world's leading brokers, you will see that they have one data center in the UK, another in Russia, a third in Denmark, a fourth in America and somewhere else. Only such a structure will definitely allow you to restore everything. If you have all the eggs in one basket, a meteorite fell on Moscow, and you have information in different data centers in Moscow, I'm afraid you will not get it back. If we go down, then we, at most, had problems with communication for half an hour or so. We did not have a server crash; the backup copy comes up from an HDD disk within 15 minutes, from an SSD even faster. With SSD it is restored almost instantly.

Yevgeny Saltykov: - The question is, in fact, about the territorial distribution. Where are your data centers, so that you can afford this?
Artem Fedoseev: - Specifically, we have one data center in Moscow. This is the client's task to think over. We cannot think for each client, especially, roughly speaking, to make him distribute his structure to different data centers. Not everyone needs it. We can be one of the links, 1, 2 or 3.

Yevgeny Saltykov: - Why not consider it as a service?

Artem Fedoseev: — . , . . , , - , , , : « , , . -». - . , – . . . . Huawei, , . . .

:- It turns out that there is no modern solution for such a challenge, just as there is no long-range solution?

Artem Fedoseev: - It is potentially there. If you hear a proposal to create a self-regulating organization, it is just that: to move from competition to providing services to the client as a united front. Roughly speaking, if a client sees that in a self-regulating organization there is a data center from the Far East, from the Urals, from Moscow, then he will probably place his data with them, knowing that they are in the same team and have the same values. We need to move toward this; it is even more realistic in terms of money. Because reinventing the wheel for everyone separately is also difficult and expensive.

Kirill Zapolsky (Moderator): - How are data centers located across Russia as a whole? Because we are now addressing aspects of the territorial separation of infrastructure between Moscow and Vladivostok. Have you analyzed where in Russia the main data centers are located, and what development vector this question has? Are data centers being built in central Russia, in the Far East? Who is interested in it at all? How profitable is this whole area?

Vadim Frolov: - Mainly the data centers are in Moscow, in second place St. Petersburg; the main problem is in the Far East. I have not done it myself, but as I understand it, it is about the optical channel and where it will come from: either it will come directly from somewhere abroad, or it is possible to stretch the optics from Moscow to Vladivostok, the question is how much it will cost. Plus, how to bring this optical channel to the data center itself; it should be not one optical line, but several. Or, most likely, it should come to Vladivostok from China or from Japan.

Kirill Zapolsky (Moderator): - And with China there will be no problems because of the Chinese firewall?

Vadim Frolov: - I cannot say this with all certainty. In Moscow, basically like this.

Kirill Zapolsky (Moderator): — - ? -.
: — , , .

: — , , . , - , – .

:- It so happened, historically and geographically, that all our economic activity is in the center. No wonder they say that all of Russia feeds Moscow, and so on. It is economically feasible to place such infrastructure here. There was talk that in Kazan they would make a data center for a science city that is being built near Kazan; the same thing in Skolkovo. In Skolkovo there is a data center of Sberbank, in my opinion. Obviously, since all the economic life is going to the center of the country, it is all located here. Because of this, the protests of the eastern part of our country, which is deprived of this infrastructure, are understandable. And these conversations about launching an exchange for the Far East, the spaceport, other construction projects: potentially, in addition to these projects themselves, they must bring along the accompanying infrastructure, which includes communications. And then this region will develop more, but at the moment the main data centers in Russia are in central Russia. Even in my native Volgograd region, I cannot even remember if there is a data center there. There, of course, the banks have their little racks, each has something, but a data center such that I could come and say: "So, I want to work and operate in the Volgograd region" - there is no such thing, as far as I know. And this situation does not change from region to region. Apart from Moscow, St. Petersburg, Tatarstan (the Minister of Communications is from there; he is the Minister of Communications precisely because he took all these things forward).



, ,

- The problem of responsibility, as I understand it, is in the first place. As for insurance activities: of providers, in this case. If it were organized like deposit insurance, many users would be happy about this, and this need is ripe, because from the point of view of information security no one wants to take responsibility; everyone ultimately shifts the problem onto the consumer, but I think there should be a reliable insurance institution. And the mechanisms need to be developed. In particular, it was about our proposal to create a digital code. I am a representative of FinUniversity. How do you look at solving your problems and the problems of consumers with insurance in the digital sphere?

Dmitry Krasnov: — – , , , . – . , , – , , , , , , . -, , , , . .



, , RUVDS

- Nikita Tsaplin, RUVDS. I would like to ask a bit of a reverse question. Just now during a break I talked with colleagues, and many note such a trend that, in addition to tax benefits when moving to the cloud, and cost savings, cloud service consumers delegate part of the data protection responsibility to industry professionals. In this case, all the responsibility lies with the suppliers. How secure are the service providers? What kind of liability in case of a leak of personal data may arise for the supplier? Do suppliers benefit from such customers, who work under such rigid contracts? How secure is the supplier? It is clear that it is beneficial for the consumer to transfer the responsibility to the supplier. That is, we have chosen a supplier, we have removed responsibility. How secure is the supplier after this?

Artem Fedoseev: - From the point of view of the law, as I have already said, this moment is very clearly stated. The first requirement of the law is that the client who transfers the data, suppose the bank or the broker, is still liable to his final client for his personal data, regardless of whether he transferred them to a second, third or fifth party. No matter what license he has. Further, in case of force majeure, the broker's relationship with the cloud provider is only their relationship. The client will only talk with the bank or broker. From the point of view of responsibility, as I said, it is usually regulated by SLA; there is administrative and criminal liability for disclosing confidential information, and if it is proved that it was an accidental release or that it was malicious intent, the responsibility differs, down to the employee. An employee who operates under the FSTEC license is legally responsible for handling data. Even for plugging in a flash drive: I copied the database myself. If someone finds out about this, there is also legal responsibility there. In terms of money, it can only be regulated by SLA. If Sberbank had placed all its data in Durov's data center, and he had lost it, I would not take anything from Durov except this data center. It is always a balance between risk, quality and service. That is, it must always be understood. If you think: "I have handed it over and now everything is fine," and the headache has gone, then this, of course, is absolutely wrong.

Nikita Tsaplin: - Providers here, of course, are also under a certain threat. They are actively accepting customers, but there have been no precedents for leaks, and in fact, some large bank can easily bankrupt a small provider in the event of a leak.

Artem Fedoseev: - Of course, it can. This is a risk.

Dmitry Krasnov: - And the provider could bankrupt the bank in case of a leak.

Artem Fedoseev: - You just need to distribute the risk. In my understanding, when you trade, you must distribute your money between brokers and banks. Similarly, there should be a distribution of risk here too. If you have a strategic long-term work plan, then no matter how good your partners are, you should keep in mind that a brick can fall on your head; you should always distribute your business in several directions, so that if something happens, not all the legs of your chair break at once.

Nikita Tsaplin: - Dmitry, does your bank use several vendors for cloud services?

Dmitry Krasnov: — , . , , . , -, . .

: — , , , . – .

: — -.

(): — . , . ? ? ? ? , ?

: — IT- , , – , , , . , . – , , - , , , . , , , .

:- Regarding software, Microsoft is already helping with its SPLA solution. Now they are modifying it into CSP, giving us more leased software to reduce costs. From my point of view, in general, some point of trust should be reached between the business representatives from both sides. There is not even a single precedent. Sberbank made its own cloud, sort of like it is. There must be a general state of the atmosphere and climate between the players, that these people have come to do business, and I do business and have one goal. Our industry is quite young, and it just takes some time to physically reach this climate. And, again, on the part of the state, a certain impulse is also needed here, in the sense that on the one hand they must clear the law of vague wording so that everyone can understand the rules of the game, and on the other hand the state itself should set an example in this regard. "My Documents": I like it in Moscow that I come and I do documents in any place; a good step, which shows that it works. In my opinion, the development vector of all this is correct. It is clear to everyone why this is necessary, how much it saves and what it leads to, but it takes time to gain confidence in each other in this direction. And, naturally, with the growth of the number of companies with licenses, verified by western players, this will only improve. Here you just need to continue the development, speed it up somewhat due to the sanctions. In general, the direction is here.

Kirill Zapolsky (Moderator): - So, while the process of recruiting is under way, so to speak ... Artem?

Artem Paizansky: - As I said, our direct access department is fairly new, I only joined it in December, before that I worked at the Moscow Exchange for 5 years, and what is a virtual machine ( VPS ), , , , . , , , , , , - , . , – . VPN – , , , , , VPN, , , . , , . , , , , , . Very comfortably.

: — , , . , , , , , CMS, 5 , , . , – . — . , , , , , . , , , , . , IT – , , . , , .

(): — . , . , . , , , , , , . , .

Source: https://habr.com/ru/post/304932/

