We are starting to publish materials from the “Collaborative Security of Cloud Solutions for Business” forum, which we held together with Kaspersky Lab and HUAWEI on May 31 in Moscow. The plenary session of the same name turned out to be the central event, so we decided to start with it. The panelists presented their cloud security solutions, and the service users in attendance assessed them on the merits. Read and watch to see how it turned out.
Vladimir Ostroverkhov, Kaspersky Lab corporate sales support expert
Mikhail Sergeev, Director of Corporate Communications, GARS Telecom
Danila Chegin, Variti Sales Director
Sergey Slukin, Head of DMA and Algorithmic Trading at FINAM JSC
Stanislav Pogorzhelsky, Product Manager, HOSTKEY
Alexander Misyurev, AIG Development Director
Alexander Milyar, HUAWEI Information Security Expert
Frank Harzheim, CEO, Deltalis
Lidia Schrader-Stroub, Deltalis Sales Manager
Video Recording:
Inviting speakers, moderator Nikita Tsaplin, RUVDS Managing Partner, opened the discussion
To start, I would like, again, to draw a parallel with last year’s forum. There, on the eve of the forum, it was discussed that the American bank JP Morgan had announced that some of its services were being transferred to the public cloud, and at the forum itself we discussed to what extent such scenarios apply to the Russian market of information services. A few months before the current forum, the technical director of JP Morgan, Mr. Deasy, held a working breakfast where he demonstrated the results of transferring several applications to the Amazon public cloud. That is, we see that the trends of moving to the cloud really are coming true. And JP Morgan is a financial institution, the largest bank in the world by assets. Financial institutions are the most sensitive to transfers to the cloud, and even according to the most optimistic forecasts, no more than 15% of these financial companies can be transferred to the cloud by the nineteenth year. Meanwhile, companies such as Johnson and Johnson, for example, declare their readiness to transfer 85% within the next two years. What we see is a really strong trend. Of course, the locomotive of all this is the western market. We see that everything is fine there and we are happy for them, but we would like to talk more about the situation in Russia directly: how such forecasts for transfers to the cloud are being fulfilled in Russia, and how far the vendors' offers meet the expectations of consumers here. I would like us to talk not about such large companies as JP Morgan, but about the companies that make up our market and create demand. These are the small and medium business companies toward which we, as providers, our colleagues from other providers who are present here, and vendors are oriented. Therefore, I would like us to talk specifically about this sector.
- Since the vector for discussion is set, in terms of scale for small and medium businesses, I would like to ask the vendors present here, first of all the equipment - how much does this segment for you, small and medium businesses, mean to your company? What does your company offer to similar clients and are you ready to respond to requests from these companies, or are they still rather small to ask for any specific demand, do you think?
Alexander Milyar, information security expert at HUAWEI :
- Good afternoon, colleagues. My name is Alexander Milyar. I deal with information security at HUAWEI. To answer: if we speak in the context of thin clients, when we have infrastructure in the cloud, including users, compliance with corporate policies is still necessary, including for Internet access. If we have, for example, firewalls and proxy servers in our company and we set policies for them, then what will there be in the cloud? In fact, the same thing. Our products are ready both for use in the cloud and for local use, at our own enterprises. They are the same; the only difference is whether they are configured by administrators here or in the cloud. And we connect all the same resources that we use here, that is, the Internet access policy, protection of servers that are in the cloud using IPS, URL filtering, application identification and granular Internet access, in the cloud as well. From the point of view of small business, as we considered today in the case of ... If a small business is ready to go to the cloud, then all of this is preserved for them, from this point of view. HUAWEI sees a small business using the cloud a little differently. That is, it will be used more as a subscription for the management of local devices. That is, if you don’t install solutions locally for managing many, for example, switches or Wi-Fi networks, then we see all this going to the cloud. For example, by the 20th year, we have an understanding that more than half of the access points that will be sold will be managed from the cloud. And 35% of switches and routers will use cloud management. That is, not only will our desktops go to the cloud, but for the local networks that we build, the management of all policies, devices and configurations will also come from the cloud. If we are talking about a small business, then a small business in particular is a company of, say, 10 people and up to 500.
That is, roughly speaking, our small business. Although we often say that a business of 500 is already a medium-sized business, in reality it is not. It still belongs to the small business segment. And when we have a branch network, we need to manage, say, the settings, and we need to have administrators on our staff who understand how to build VPNs, how to connect our networks, how to build access to the Internet. Through the cloud, this is done through the VM-interface, that is, setting up and using the resources of the enterprise structure is simplified.
Nikita Tsaplin (Moderator): - Thank you. Now I would like to ask a similar question to representatives of hosting providers, but first let me tell you a little about our company and our customers. For the RUVDS project, 90% of clients are individuals and only 10% are legal entities. Our company does not fit the 20/80 rule, where 20% of customers make 80% of the profits. Meanwhile, we see the small and medium business segment as very important for us in terms of further scaling and technology development. I would like to ask Stanislav, as our colleague in the trade: what is the situation, how closely does your company follow the needs of small and medium-sized businesses, how important is this segment for you, and are there any specific requests from them?
Stanislav Pogorzhelsky, Product Manager HOSTKEY :
- Good afternoon, my name is Stanislav. I represent the company HOSTKEY. As for small and medium businesses, these are the clients who come to us. For us, this is a very interesting segment. And we try to attract them as much as possible in our own way, strictly speaking, why. Our goal is to provide the client with the infrastructure. This is as usual - hardware, servers, and cloud virtualization. With that important point, the clouds are automated as much as possible, that is, the client comes to the site, the client registers himself, the client moves the sliders to himself, bought services and rejoices, pays himself, we don’t even actually communicate with him, only in case of emergency technical assistance . I answer your question, literally, that the small and medium segment is very interesting to us. These are independent people, these are companies that value financial expenses and usually require services right now. Here they went to the site and they need to buy services right now. They are ready to pay with their card and they receive it from us. Very relevant.
Nikita Tsaplin (Moderator): - Here is another interesting question. Does such a situation often happen when a client comes in, figuratively, a representative of a small and medium business and the final question about the transition, about making a cloud decision, is a security issue. We often have a situation where a large commercial bank or another structure comes to us that requests a commercial offer, starts to study it, look, think for a long time and say at the end - no, we will take a dedicated server. We also provide such services, but nevertheless, it’s just as interesting as this moment.
Stanislav Pogorzhelsky: - I understood the question, yes, the question is excellent. In fact, at the very first level of evaluating a hosting company, clients look at where the data will be placed, and at which data center the hosting provider is located in. A wonderful data center was presented before this presentation. There are clients who want to place their data there, because that is what they want. In our case, they look at where we are located: we are located in a good data center with TIER certification in Moscow, this is a location in Russia, and there is a location in the Netherlands. All quite worthy. First of all, the client asks: which data center are you located in? Then he looks: and how is my data placed on your servers? How do we provide that? We provide it as follows. Customer data, they are referred to as the cipher value. Our system administrators, who manage the cloud, do not have the binding of a particular client and a separate user's vault guard. They do not know whose data it is. Our data is hosted on many servers in our data center. At the same time there is a storage system. That is, a system administrator cannot purposefully get into the client data and violate security requirements. Plus, we can recommend to clients a service such as delivering their own network equipment, and we will only bring links in through this equipment. For example, Cisco K9 or some other encryption equipment.
Nikita Tsaplin (Moderator): - I understand this is about individual solutions, they are not offered to all customers as a package.
Stanislav Pogorzhelsky: - Yes, absolutely true, the additional contour of network security is built in an exclusive variant when there is a request from a client. The most important security issue of people, companies that come to us and want an automated cloud, they ask - where will the data be placed? Everything, this is all that they care about in the first place. This information is available immediately from the site. The client may not communicate with us and not receive information personally from us.
Nikita Tsaplin (Moderator): - Everything is clear about the location of the data center. This is question number 1 and still I would like to understand, maybe there are some services for the security of customers in the cloud, if among these services are DDoS protection, anti-virus protection, something? And how much they are in demand? According to the experience of our company, these innovative solutions are slowly spreading, in general, the market wants, but these are point solutions, which cannot be a mass trend. I would like to know what security services in the cloud do you offer and how much are they in demand?
Stanislav Pogorzhelsky: - Let's start with the first one you named, DDoS protection. In general, I think that this is a standard service that should be provided by a hosting provider, because when a client is hosted on company servers, any DDoS can affect a neighboring client on the same communication channel. Therefore, DDoS protection is a basic service. If the client personally wants, I don't know, to clean his communication channel, and he knows for certain that he will have DDoS, then, naturally, this service is provided, but it is separate. In the basic version there is DDoS protection, and if we see a DDoS attack, we tell the client: you have security problems, you have an attack, let's think of something good and proper; we have this experience. If we are talking about anti-virus protection, there are no large requests, but I follow the market: people basically want it, but do not fully understand this service. People have a virtual machine, they have installed some kind of antivirus themselves, they understand it, they have received a report, so many viruses, and everything is fine. But as for our anti-virus, they believe that the data will be scanned and that this is a security vulnerability. This is the opinion of people with whom I spoke. Therefore, we provide this service only in the custom version.
Nikita Tsaplin (Moderator): - Is protection against DDoS-attacks offered to all clients as an integrated service?
Stanislav Pogorzhelsky: - It is in any case.
Nikita Tsaplin (Moderator): - Often there are attacks? Is there a pattern that affected firms or individuals more?
Stanislav Pogorzhelsky: - Since anyone can go to our site, buy a virtual machine and rent servers, many companies buy as individuals and we can't identify them. As for the number of DDoS attacks, the minimum is every day. A big DDoS, probably once a month. There is no way to sort them into big companies or individuals.
Nikita Tsaplin (Moderator): - Do you often have to deal with new types of attacks? We have resourceful customers, they regularly come up with something new.
Stanislav Pogorzhelsky: - An interesting question. But since we provide only infrastructure, we can only see high-level traffic. And the traffic that came to the customer, on his server, he analyzes. We give the infrastructure, namely, a deep analysis of what comes to the client, this is all additional services.
Nikita Tsaplin (Moderator): - I see. Thanks. I think it would be interesting to hear from the security vendors who are present here. Let's start with a question to Danila from Variti. Who are your main customers acquiring protection from DDoS attacks and products in this direction, and do you plan to expand them?
Danila Chegin, Variti Sales Director:
- Good afternoon, colleagues, my name is Danila. I am responsible for interaction with customers and for working with partners of the company. A few words about us. We have developed our own technology to protect against timely threats. We are not doing this at the level that many have become accustomed to defending at the channel level and protecting the network perimeter or information security circuit, as sounded here. We protect specific services and these are services that bring business money. Here are my colleagues from the company HUAWEI, the company HOSTKEY, and many others sitting nearby, they sell their services by registering their clients, by registering in their personal accounts. All this is web. And we focus on the protection of web services, and unlike the usual approach, when many people buy protection at the channel level, we protect in addition to the infrastructure level L3-L4, we also protect at the application level. We are well versed in http, https, and this gives a number of technological advantages, we do it a little differently. In general, if you answer the question. We are also a young company, smaller even to us than RUVDS, and we also face the fact that customers are not ready to switch to cloud services right away, be it an infrastructure or a cleaning service, filtering DDoS attacks, this is the client’s approach when there were no such cases and we will not deal with them. There is an approach when people understand that what they do is important for a business and if it is an online store, then the web is for them the main source of revenue and profits, and they understand that besides that this resource would just work, it should work well . And it should give the opportunity to any person, even if the resource is under attack, and even if the device of the person at this moment attacks the resource, the protection should enable this person to still come in and pay some money for the service or for the goods. 
We can do this, we have to tell and explain this, and in the framework of meetings, conferences and the forces of our partners who sell technology, we understand you well here, and if I missed something, let us ...
Nikita Tsaplin (Moderator): - There is another question. Let's imagine, we have a hosting provider, if we, for example, have any kind of failure, it is our fault that we have an agreement on which we return the funds. For example, there is a DDoS-attack, which all the same, despite the connected protection service, interrupted the work of the web service, what then does the vendor do?
Danila Chegin: - We, like all players in this market, offer a certain level of service and we are ready to bear responsibility within this SLA. This may be some typical option: we have a number of tariffs that depend on the guaranteed availability of our service, but we are also ready to discuss separate conditions individually, within some separate projects. But it would be interesting for us to study your experience when you worked with AIG, and here ...
Nikita Tsaplin (Moderator): - I'm leading to this. Failures occur at all vendors, whatever they may say. The question is how to handle these situations. It is clear that there is an SLA, but very few people are satisfied that the cost of services will be reimbursed for a month, while the losses of the injured party can significantly exceed the cost of these services, especially as we see a downward trend in prices for such services. So this compensation does not suit the client. The client will leave; it is a difficult and unpleasant situation. We started thinking about what to come up with in this direction, and here we and our partners at AIG came up with such a solution, or rather, they came up with it long before us, because the CyberEdge program has existed since 2007, and since 2008. Together with partners from the AIG company, we developed this risk insurance program, and I would like Alexander to share some of his company's experience in insuring against risks of data loss and network interruption due to DDoS attacks or outside influence.
Alexander Misyurev, AIG Development Director:
- Good afternoon. My name is Alexander. I am responsible for the development of business in the AIG company, Nikita, it is always interesting to share experience, there is a lot of it, maybe it makes sense to tell a little about the product itself, how it works, or how to specify it?
Nikita Tsaplin (Moderator): - We've been discussing a specific situation. Here comes a DDoS attack, it is so strong that the defense for some reason could not stand it. What suggestions does AIG have, I would like you to tell the audience, we know that. By what can be done with this, what can be offered and how can you get compensation over SLA.
Alexander Misyurev: - Now the task is more clear. As Mike Tyson said - "You always have a good plan before the first blow to the jaw." Indeed, now all providers provide some kind of SLA, provide guarantees, someone reimburses the cost of service for a month. But the civil code and, in general, no one has repealed the reimbursement under the law, and in addition to everything you still have such a risk, when a DDoS attack occurs, it is a break in production. This is if you represent an online store, say, or your critical infrastructure is built on some of its solutions and it all falls and you can not serve customers, then you will inevitably lose money, no matter how much you want it. What is AIG doing here? We have been doing this for about 15 years in the world, in 2013 this product was brought to Russia and it is called CyberEdge, it is in fact divided into 3 components. The first component is the cost of, it is called service, the cost of professionals who help you look at and minimize the potential loss, because Cyber is first and foremost data protection, and everything connected with it. That is, when a DDoS attack occurred, some experts are involved, it could be specialists from Kaspersky, it could be specialists from Group-IB, some other specialists who help track what happened, how much information has flowed, where it all went away, and how to continue to work with it in order not to receive a claim in the second section in the future. Because you, as companies that process the data of your customers, you are responsible for this data. And no matter who you send this data to, you can give it to any cloud or else, if I work with you as a company, buy this service, I will come to you for a request and ask you for compensation and not from someone It is very important to think about what kind of responsibility you really carry, no matter how you build the entire infrastructure, and give responsibility to other contractors.
One should not forget that developers are building very secure tools and equipment, and each time everything is more and more secure; there are people who help and give the right advice on how to build protection correctly. But the most vulnerable are your employees and social engineering, and hackers in general are always one step ahead of you. We are always late because we are afraid of sharing data, we are afraid of sharing experiences. Who in this studio will tell how security is built at their company? I doubt that you will tell all the secrets now. Using the insurer allows you to bring in specialists who help overcome this crisis, and helps pay the amount of the claim that comes to you if your user data leaks, that is, the data leaked, say, due to a DDoS attack. A number of clients come to you, they can be individuals or legal entities, and make claims against you. Such a claim must be paid by law. And the third part is a break in production. If your company does not work due to a DDoS attack for a week or 3 days, it doesn't matter. You suffer losses, and this amount of loss can be compensated under the CyberEdge policy, under the conditions stipulated by the contract. One of the good examples where, it would seem, nothing could happen: everyone knows the airline Delta. Last year, due to technical failures, they could not serve customers for 2 or 3 days, although it seemed that this is the airline that should take the best care of its data. As well as Yahoo, where more than 1 million user accounts leaked. I think that it is clearly not fools working in these companies and they build up their security systems. Nevertheless, the same Yahoo, for example, the 4.86 billion dollar deal: it did not fall through, it was postponed until the circumstances were clarified. They spent more than $10 million just to go through the initial stage of the crisis, to understand what happened, to notify their clients and incur additional costs.
Nikita Tsaplin (Moderator): - Well, and yet, we are talking about some such large companies. Among the buyers of CyberEdge policies, among your customers who prevail, who are these buyers. We became the first provider in Russia to insure their responsibility, but the program is not quite new and it has a lot of differences, I just would like you to tell who your customers are in this program, after all, this is a medium-sized enterprise or larger players . Do they buy boxed solutions or some kind of customization is required?
Alexander Misyurev: - I will not answer the question, probably, if I say that our clients are all our clients who work with data. Who buys them and who is actively interested. Well, of course, financial institutions. Because they process the most data. Their information is most critical. We have customers who are software developers, and by virtue of contractual obligations they buy this policy. We have customers who are online stores. These are small online stores, I’ll say right away that these are companies with a turnover of 100 million rubles conditionally, this is a penny compared to the online business. As AIG is a global insurer, we have global clients who are starting to adapt their international programs to Russia.
Let's say the international hypermarket chain, European, they have this policy in Russia as well. That's when there was a WannaCry attack, they turned to us, their payment terminals stopped working, for example. That is, it is one of the cases.
Sergey Slukin, Head of DMA and Algorithmic Trading, FINAM JSC:
- Good afternoon, my name is Sergey. I manage the trade department at FINAM, the largest broker in Russia by number of clients. We have a representative office in every major city of Russia and several tens of thousands of customers in Russia and abroad. Our department helps clients to build their own structure, so that their algorithms work successfully and they earn money. Among other things, we provide customers with hardware solutions, that is, we provide our servers to customers, we buy servers if they need it, and we offer clouds in partnership with RUVDS, both in terms of Internet connectivity to the Moscow Stock Exchange and within the perimeter of the exchange's colocation zone at Dataspace in Moscow. With regard to security, if we talk about the Internet perimeter, that is, about customers who use virtual machines, then the security services that are now provided are enough. If we talk about the colocation perimeter, then this is a somewhat different circle of clients and their requirements are higher. But we are not limited only to what the provider gives us. We use a symbiosis of the cloud and our own exchange solutions; we have our firewalls and the firewalls of the exchange. We allow access only from certain static IPs. We monitor traffic, the exchange also monitors traffic on its own perimeter, we take security seriously, and this primarily concerns our customers. But if we talk about what is more important, safety or stability, they are on the same level.
Nikita Tsaplin (Moderator): - These are synonymous, I agree. And did it happen when clients were hacked, attacked in such a plan? Or it is not about your category of clients.
Sergey Slukin: - This is not about these customers. We see that sometimes packets arrive from China, we see that someone is trying to conduct DDoS attacks and trying to bring down channels and servers. Naturally, nothing happens, again because of the symbiosis of protection systems. If we had everything in the cloud, then, probably, these clients would have problems. In this regard, we are not yet ready to transfer the entire infrastructure to the cloud; a symbiosis of solutions will work here for a long time.
Nikita Tsaplin (Moderator): - As I said, the financial sector is the hardest to transfer, because there is interaction directly with financial flows. I would like to hear your opinion about AIG, how interesting is insurance for your clients in case the client of the fund - who manages the funds, is subject to a DDoS attack, for example, and it will be impossible to carry out transactions. Someone will get unauthorized access to the server that manages transactions, with the result that huge losses can be incurred.
Sergey Slukin: - The question is difficult, because it is quite difficult to assess losses. Naturally, to reimburse the cost of services per month for SLA, this is not enough.
Nikita Tsaplin (Moderator): - We are not talking about lost profits.
Sergey Slukin: - Obviously, this is not about lost profit. If a client says: my server went down, I had an order hanging, I couldn’t withdraw it in time and I lost a million rubles, that is hard to prove, and so on. If we are talking about the theft of some algorithm, it is also difficult, because it is impossible to estimate the cost of the client’s algorithm in court. In terms of basic functions, if it is proven that something was stolen from the client’s server, something was leaked, or that his server was attacked and he could not trade, then if the insurance company can recover more than the SLA suggests, it will be interesting.
Nikita Tsaplin (Moderator): - This is the point, because it is clear that compensation is possible only if this event is confirmed otherwise this service would lose its meaning. There must be confirmation of unauthorized access, otherwise grief-traders can write off any loss as an insured event.
Sergey Slukin: - We did not offer this service to customers, because it is new. But in principle, within a week we are ready to launch the action. If the product helps customers, if we understand how to use the product, we can actively promote.
Nikita Tsaplin (Moderator): - And what do you think about the Swiss instruction? Switzerland is the capital of banking. This is a close question to financial markets, I understand that geographically it is not the best location in terms of speed of access to financial markets, but how interesting is the offer to place customer services in such a safe place where a local government request event is impossible. How interesting is legal security for clients? I know that most of the funds that operate, including on the Moscow stock exchange, do not belong to the Russian jurisdiction, and yet, placing equipment in our country, they bear the risk of local authorities. How interesting is this question to the client?
Sergey Slukin: - It depends on the type of client. If the client, a foreign fund, is ready to have infrastructure in Russia, then in 90-99% of cases it will be placed in the exchange location in Russia. Switzerland is good, but from the point of view of trading it is not very applicable to a client for whom access speed is important. From Switzerland, the signal will take several tens of milliseconds, and customers are already competing for nanoseconds. If the client can save 200 nanoseconds, then this is already a big plus. If we are talking about the storage of back office data, some kind of market data, then yes, it might be interesting, but if the services that make decisions process the market data, then they should be where the marketplace is. But I do not see anything wrong with separating client services, when the service is here and the back-end and database are in another place.
Nikita Tsaplin (Moderator): - Thank you. Now I would like to come back again with a question to Alexander from AIG. Do you have experience working with insurance companies in the IT sector? Have any projects or cases? I understand that this area is confidential and, as is the case with Deltalis, they cannot show their clients, because, in many respects, clients go there precisely for confidentiality. But nevertheless, maybe there are some interesting interaction cases with IT companies that you could talk about here? As a provider, we are the first to insure against these risks, but maybe there are some other projects, such as security vendors? I think insurance is the only way. The issue of trust is understandable. The issue of physical security, reliability, all this is somehow solved, DDoS protection. But anyway, some kind of failure can happen, and in any case, you can be protected from it only by insurance and nothing else, so this is a question for you.
Alexander Misyurev, AIG Development Director:
I will not tell about clients, because it is still confidential information. Since I am engaged in the adaptation of certain products, in Russia, the most difficult thing is who are your customers, who buys? And everyone is used to the fact that, as a rule, all Russian insurers show a million logos in their presentations, so they bought everything. We have a different approach, we have, we initially work with corporate clients, large, now we are developing small and medium businesses. If we talk about where Cyber is as an embedded product that allows customers to protect themselves, and in this we see a great perspective from the development point of view, when there is not only a financial solution like insurance, financial protection insurance, but also some kind of alarm system for your equipment. Here with our partner, Group-IB, we made a product called Group-IB TDS and CyberEdge, this product is just about what Cyber gives its sensor to the client, and then if the sensor does not cope with its task, certain parts of our policy work . From interesting IT solutions, I can say that there are about three providers that provide protection against DDoS attacks — we are negotiating with them in this part. Initially, the idea emerged from this, when DDoS does pass and the company incurs losses, then insurance should work, it is clear that we are striving to provide 99.9% protection, because under 100% protection I doubt that anyone signs up, this is unrealistic. But after our press release came out with RUVDS, Nikita, another cloud service addressed us — once you can insure it, let's work.
Nikita Tsaplin (Moderator): - The question is that many do not know what to insure. We have a representative of the DDoS protection company. How do you think that it is advisable to offer you the delivery of insurance protection services? Or do you adhere to the paradigm that we provide 100% protection and we cannot allow thinking that something can happen? There is such a point of view, really, that they do not want to offer insurance, because it breaks the paradigm, introduces a doubt that something can break.
Danila Chegin, Variti Sales Director:
- Everything that is created by man, man is imperfect and, unfortunately, someone makes some mistakes sooner or later, it can be seen from some permanent leaks. Some holes in the most diverse software are. And they are after quite a long time. Vulnerabilities in SSL, for example, that carried a fairly serious threat. And all this suggests that no matter how many nines after the decimal point you write on your website, no matter what you write in the contract, all the same, of course, the likelihood that something will happen is there. The question is how many resources an attacker should spend on achieving the goal.
Nikita Tsaplin (Moderator): - Vladimir assured that the amounts are available.
Danila Chegin: - We see such attacks, they look like a rectangle, on the charts this is the effect of the shelf channels. The attack has clear parameters, as a rule, the attacks pop up high-frequency, this is some kind of flood, and such cheap attacks are usually ordered, I guess I don’t know I didn’t order, but if it worked once, why not repeat again if inexpensive. There is another approach when ordering attacks not just with some parameters in terms of volume and duration, but there is an order for the result. I do not think that $200 for some good resources is completely different money. And here the attacker, he is completely in the art is not limited in any way, he thinks, we see it including on the charts, tries different methods, smokes away, comes back, tries something else, does not work again, and so on. There are also living people there and since they have a task to fulfill an order, they put maximum effort. If I say that we will always protect everything from everything, no matter what happens, it seems to me that this will be some kind of assumption and not very honest towards the client, so what AIG offers is interesting. There is always a question of balance, because there is an insurance premium, it is understandable, and there is an insurance cost for the end customer. And if we are talking about some kind of not very big business, new, on the background of Morgan Stanley, many will be small. For business in the realities in which we live, in the country in which we live, for it any additional costs, they are heavy. The purchasing power of the population has been falling for quite a long time. The business has the same situation. They have no orders, it becomes less, they get less profit, and naturally the budget of expenses that they have, they try to optimize somehow.
And when buying insurance from AIG, we will obviously shift it somehow to the client, include it in the price, if there is a significant increase in services, it simply will not be needed by such a small business. For corporations, this will be in demand, this is what they want to see. Indeed, they say that SLA compensation for a month or two is not all for us.
Alexander Misyurev, AIG Development Director:
- True, in fact, however paradoxical this may sound, we are not trying to sell our solutions, we are trying to help our customers, and here we really need to find a middle ground. Everyone fell for CASCO on such things, when we were offered - guys, let's insure without a deductible, and when there was a currency jump, a certain amount of losses, everyone began to insure abruptly with a deductible to keep the premium, because the cost of insurance is enormous. This is the message that I want to convey to the client when we communicate: that insurance should help in a difficult situation, with light sneezes, with a cold, you can cope, insurance should help a business where there is a threat when things like WannaCry occur when everything falls, insurance should help here. But I will also add a plus, so Vladimir and I from Kaspersky Lab talked about industrial safety: there are already a certain number of solutions and a library of knowledge how to close vulnerabilities. And it is worth remembering that everyone seals the seals, and such messages come in, no matter how much technical security is lined up. You should not forget to work with your employees, conduct tests, send messages that can be referenced, anything that is not so dangerous for the organization, but will identify those weak links that will be able to bring certain problems in the future.
Danila Chegin, Variti Sales Director:
- We are talking here on the one hand about DDoS, then about information leaks, these are still slightly different stories. I just wanted to clarify: as far as I understand, the business of any insurance company is based on an effective assessment of risks, risks of an insured event, and if we talk about DDoS, then in my opinion the cost of the policy should depend on whether there is protection there or not. A business, probably, can be insured even without having such protection, it can come to you and say, I want to insure against data loss, from inaccessibility. And you as experts should see that the client has security and conduct an audit. Or simply looking at the contract with the vendor of protection and seeing some name familiar to say and some level of SLA, say "okay, it will cost you 40% cheaper because you have a good solution for protection". Do you have similar approaches, how do you usually act here?
Alexander Misyurev: Of course, as with the sale of any policy, there is always an underwriting procedure, that is, a kind of box solution that is based on an assumption and a box, like any financial product, costs more because it is based on an assumption. Of course, we ask you to fill out a questionnaire, if it is a large client or financial institution, then we conduct pre-insurance surveys, attract specialists who look at how it all works. This is all present. And back to our decision with Group-IB, we, before launching any decisions, we understand the effect that their decision gives, and due to this we can provide more favorable conditions that are included in this joint product. Therefore, underwriting is very important for the insurer, but much more important is how the client will work and act if we are not. If you act rationally and expediently, then the premium will obviously be cheaper for you; if you do not have any degrees of protection and you want to buy a policy, we simply will not sell it to you.
Nikita Tsaplin (Moderator): - We realized that the market has enough offers, there are completely different proposals in the area of anti-virus protection, DDoS protection, and where it does not help, there is also a data center in a safer place and, finally, the insurance cover. But I would also like to hear some questions from the audience on the part of potential consumers of these services. How convincing were the speakers' arguments and, perhaps, what additional risks in cloud solutions do you see that are not covered by the solutions presented?
Shevchenko Andrey, HOSTKEY:
- Good afternoon, Shevchenko Andrei, company HOSTKEY. I would like to make a little step aside, if possible. If we are talking about cloud solutions and is it possible to provide some kind of security there, I would probably say, is it possible to ensure this security on my infrastructure? I will give a commonplace example. 152 FZ. Everyone knows it, everyone understands it. The law is getting a little tougher. And we understand that it is difficult to make the right decision in our infrastructure. Not everyone has a license from the FSB, FSTEC, to supply cryptography, yes. But there are cloud solutions on the market for reasonable money, which, up to the first level, all allow to block. It can be a private cloud, a private cloud can, but everything can be solved. The second point, which I also wanted to say - regarding DDoS - I fully agree with my colleagues, we have experience in protecting our customers. The one who attacks, always tries to suit you, some kind of ball game. At one time they defended a large game hoster, 4 hours is the time it takes for colleagues from the other side to adjust to your protection. It takes 4 hours and changing the nature of the attack, it is necessary to rebuild. I think now there are so many opportunities for a good, strong attack. We now have so many problems in the RFPs, which now simply no one uses. I recently learned how to use smart things for large attacks, got 700 gigabit attacks, but this is a small part, which will not be solved soon.