The financial services segment is one of the most technologically advanced. At the same time, in Russia it is one of the most regulated. Bankers are forced to take into account the "mountain" of requirements, so they are very attentive to all new initiatives of state bodies that may affect their business.
Although the banking sector worldwide was among the first to adopt cloud technologies, financial institutions in the Russian Federation are wary because of a number of new laws (the Law "On Personal Data" and related documents). While the legislation has not affected the private cloud market, public clouds are treated with caution. After all, the use of "external" services has always demanded increased attention to information security, especially in the banking industry. In addition, the number of cyber threats and hacker attacks has grown significantly in recent years, and financial market participants are now subject to tightened requirements of Russian information protection legislation and the acts of regulatory bodies.
Below we analyze the attitude of regulators toward banks' use of clouds managed by third-party providers, as well as the regulatory data protection requirements that these providers must comply with.
Let's start with the main thing: the requirements of legislation and regulatory bodies.
The list of documents is impressive. Let's work through it. Leaving aside information classified as a state secret, there is no prohibition on placing any banking information systems in public clouds. This includes information systems (IS) that process personal data (PD). The only legal restriction is contained in Federal Law No. 242-FZ and concerns the physical placement of the facilities that process and store PD on the territory of the Russian Federation when collecting PD.
Documents of the Central Bank, FSTEC and the FSB impose requirements for the protection of information throughout the life cycle of an information system. It is quite clear how to comply with federal legislation and the documents of these regulators when banking IS are hosted on the bank's own site. But when information systems are in the cloud, the implementation of certain technical and organizational protection measures has its own peculiarities, and with them come many questions about how specific measures are to be carried out. Most of the questions concern the division of responsibility for information security between the cloud service provider and the bank, because when a system is located in the cloud, both bank employees and representatives of the cloud service provider take part in managing the protection system.
As a result, the need for non-trivial solutions to meet certain requirements of legislation and regulators, together with the need to work out a matrix of information security responsibility areas, produces the most common argument against transferring banking IS to a public cloud: that it is impossible to comply with all of them. But is it?
Implementing the package of measures and fulfilling the legal requirements in the cloud is difficult, we will agree, but it is still possible. The way out for banks transferring their infrastructure to a third-party provider's site under these conditions is to resolve not only the organizational and technical issues but also the legal ones.
FSTEC, for its part, imposes no additional requirements for the protection of information when public clouds are used. There are requirements for protecting the virtualization environment, but none specifically for clouds. FSTEC Order No. 21, which is dedicated to the security of PD, speaks of the need to protect the key element of cloud computing, the "virtualization environment" (part 2, item 8), without prohibiting the direct or indirect use of external services. The order also lists specific measures for protecting the virtualization environment (ZSV.1–ZSV.10), which are to be implemented depending on the personal data protection level and the actual threats present.
Speaking of threats: if you look at the Data Bank of Threats, which FSTEC actively urges organizations to use when modeling threats (and explicitly requires for state systems), you can find many threats in it that can be realized only in systems located in clouds.
The FSB is silent: its documents make no mention of clouds.
Based on the foregoing, it can be concluded that FSTEC and the FSB allow the use of cloud technologies for processing protected information.
In addition to the documents above, the financial industry regulator, the Central Bank (CB), has its own vision of cloud technologies. The financial regulator started testing cloud technologies in 2011. Even then, Bank of Russia IT specialists said that the "cloud" should have protection against malicious code, and monitoring and access control at the network level, at the level of access to individual applications, and at the level of virtual machines. In 2014, a working group was created whose task was to develop proposals for the legislative changes needed to allow wider use of electronic document management (EDM). In effect, the Central Bank then began preparing for financial transactions in cloud services. In May 2016, financial market participants switched to mandatory EDM with the Bank of Russia. Last summer, at the International Financial Congress, Deputy Chairman of the Central Bank Olga Skorobogatova announced that the largest banks and IT companies, headed by the Bank of Russia, were creating a consortium to introduce new technologies. The community set itself the goal of studying and then implementing distributed ledger technologies (blockchain), cloud technologies, big data management and the development of a simplified identification system.
The "Main Directions for the Development of the Financial Market of the Russian Federation for the Period 2016–2018" states that the Bank of Russia intends to "work out approaches to providing services for small supervised financial organizations that allow them to keep business records without the obligation to submit reports, provided the Central Bank is given the right to use the accounting data, including through the use of cloud technologies." As part of this, according to the "Basic Measures for the Development of the Financial Market of the Russian Federation for the Period 2016–2018", the Central Bank's 2016 work plan included creating a single technology for keeping records of business activities without the obligation to submit reports. No other measures in the "cloud" direction appear in the document.
The Central Bank itself already uses cloud products in its own activities. For example, in March of this year Vedomosti, citing data from an electronic trading platform, reported that the Bank of Russia intended to purchase about 45 thousand licenses for the Office 365 cloud office product; the Central Bank explained the purchase as a license renewal. The financial regulator's plans also include creating an instant payments (p2p) platform together with the banks belonging to the FinTech association, and it is clear that this cannot be done without cloud technologies.
Compliance with the PCI DSS standard becomes relevant for a bank when systems that process cardholder data are hosted in a public cloud. The requirements for, and relationships between, financial sector organizations using cloud technologies are regulated by clause 12.8 of PCI DSS, and the practice of PCI DSS-compliant hosting with third-party service providers has long been widespread.
So, the regulatory documents and requirements for financial sector organizations contain no obstacles or prohibitions on the use of public clouds by banks located on the territory of the Russian Federation. If a bank uses infrastructure from a public cloud, the third-party provider must implement and comply with the regulatory requirements (within its area of responsibility) and the bank's information security requirements in its cloud. The responsibility of the cloud provider should be fixed in the relevant agreement between the parties.
Of course, banks' fears about using public clouds do not go away. But, as is well known, specialized cloud service providers are among the first to study the latest regulatory acts and are the quickest to bring their offerings into full compliance with the requirements of domestic legislation.
For example, when a bank's IS is placed in Technoserv Cloud today, both parties first compile a complete register of the information security requirements imposed on the bank and delineate their areas of responsibility. As a rule, the cloud service provider is responsible for protecting the perimeter from external threats (firewalling and network-level protection) and for protecting the virtual infrastructure, while the bank is responsible for information security inside the virtual machines provided to it. At the same time, the provider also protects the workstations of its own administrators and gives them secure access to the administration tools of the cloud platform infrastructure.
Next, work begins on preparing or updating the bank's internal documents required to pass audits against STO BR IBBS, Regulation of the Central Bank of the Russian Federation No. 380-P, PCI DSS v3.2 and others, taking the new model of infrastructure resource consumption into account. In parallel, the bank's IS is migrated to the cloud platform.
In general, world practice shows that companies specializing in cloud services most often build better infrastructure and services than most non-core organizations can afford. For example, Technoserv Cloud is deployed at a Tier III data center. The platform consists of two physically isolated parts (VDC and VDC.152, the latter for state and financial organizations).
The closed segment is built on VMware solutions. The infrastructure complies with the requirements of FSTEC orders No. 17 and No. 21 up to GIS protection class 1 and personal data protection level 1. Strictly speaking, the solution allows, among others, government agencies to place IS with the highest information security requirements there, as confirmed by a certificate of compliance with the information protection requirements established by FSTEC of Russia.
The bottom line: the cloud is not as scary "as it is painted." As for regulators, it is quite realistic for cloud providers to meet their requirements.
Source: https://habr.com/ru/post/330598/