
How to convince everyone that you have a secure data center?

Preamble. The article is for informational purposes only. It is intended for potential data center customers who have heard about 152-FZ and 149-FZ, want to spend budget funds, and do not know that such schemes exist. For ease of reading, the author presents the schemes in the first person, although he has never applied them. The author does not propose using these schemes. The author is not a court and does not know whether the schemes described can be classified under articles of the Civil Code / Criminal Code. But they may be.


Scheme 1. Budget certification


1. We choose any computer (for example, the boss's secretary's outdated computer, which was going to be thrown away / written off anyway).
2. We draw up the applicant's documents. As the name of the certified information object, we choose "Protected Data Processing Center of the city of Isteross".
3. We order attestation for compliance with any requirements, at least the RD AS guidance document. Cost: about 50 thousand rubles.
4. We receive a certificate of conformity of the information object "Protected Data Processing Center of the city of Isteross" to information security requirements.
5. We write on the website: "Our Protected Data Processing Center of Isteross is certified according to FSTEC requirements".

Advantages and disadvantages of the scheme

For the service provider:
- Advantages: Cheap. Very cheap.
- Disadvantages: None.

For the consumer of services:
- Advantages: Customer data can be protected. Customer data may not leak. Most likely it will be cheaper than other options. The client can also tell everyone that he uses a certified data center.
- Disadvantages: The price can be set as if everything were certified, so the client does not think it is suspiciously cheap. If a law, decree or order requires that the client's data be stored in a certified data center, the client's officials will not be rewarded for the saved budget when inspected.


Scheme 2. A normal budget certification under Order No. 17


1-2. As in scheme 1.
3. We order attestation for compliance with the requirements of Order No. 17 for class K1. Cost: about 350 thousand rubles (100 thousand for certification and 250 thousand for protection means: AVZ, NSD, SKN, SDZ, ME, SOV, UPS, SKZI with the possibility of connecting mobile clients, and other KSh).
4. We receive a certificate of conformity of the information object "Protected Data Processing Center of the city of Isteross" to the information protection requirements for security class K1.
5. We write on the website: "Our Protected Data Processing Center of Isteross is certified for the maximum class K1! We can host any GIS / ISPDn. We connect using cryptographic means certified by the FSB".

Advantages and disadvantages of the scheme

For the service provider:
- Advantages: Cheap.
- Disadvantages: It is nevertheless necessary to buy various protection means (the network engineer says they are not needed), and they will not be Cisco.

For the consumer of services:
- Advantages: Client information systems may not be hacked. Customer data may not leak. Not an expensive option.
- Disadvantages: Two options: either run the client's IS on this certified machine, in which case the IS will work slowly, or (most likely) not run it on this machine, in which case the client gets normal speed.


Scheme 3. The most budget certification under Order No. 17


1-2. As in scheme 2.
2a. We physically disconnect the workstation from the Internet.
3. As in scheme 2, but cheaper: there is no Internet, so no ME, SOV or SKZI are needed. The cost drops to 130 thousand rubles (100 thousand for certification and 30 thousand for protection means: AVZ, NSD, SKN, SDZ, UPS).
4. As in scheme 2.
5. We write on the site as in scheme 2, but a bit shorter: "Our Protected Data Processing Center of Isteross is certified for the maximum class K1! We can host any GIS / ISPDn".

Advantages and disadvantages of the scheme

For the service provider:
- Advantages: Cheaper than option 2.
- Disadvantages: It is nevertheless necessary to buy various protection means, though not many.

For the consumer of services:
- Advantages: Client information systems may not be hacked. Customer data may not leak. Not a very expensive option. You can write on the site that the Customer can choose the certified encryption channel to the data center, even using the Customer's own crypto network (No. XXXX); moreover, you do not force the client to buy certified crypto tools compatible with the data center equipment.
- Disadvantages: As in the previous cases, the client's IS will not function in the certified data center segment.


Scheme 4. The right approach


1. We call in practical security people and normal network engineers.
2. We buy what they say (the equipment these "Cisco guys" are familiar with).
3. They do everything and protect according to "best practices".
4. We put together a web page about the data center:
- because the purchased equipment does not have certificates allowing the hosting of high-class IS, we do not write about classes on the website, simply: "protection is organized using xxxxx (certified by the FSB and FSTEC)";
- because there is no certificate and there are no particular advantages over other commercial data centers, we write what everyone has but present it as an advantage: "round-the-clock security, backup equipment, RAID arrays, round-the-clock duty service, use of https";
- because there is no certified cryptographic network equipment, we simply give promises of the form "if necessary, it can be organized ..." (yes, everyone knows that this is necessary for anyone hosting certified IS, and we present it as an advantage);
- we use abstract phrases: "we will ensure the security / confidentiality / integrity / availability of information" (the main thing is not to write which information we mean);
- we can also obtain unnecessary pieces of paper, preferably in voluntary certification systems of the "certificate of conformity in 1 day, based on two documents, cheap, without registration and SMS" kind, and place on the site the phrase that our data center is certified.

Advantages and disadvantages of the scheme

For the service provider:
- Advantages: No additional costs for information security.
- Disadvantages: Difficult to answer specific questions about certification for the requirements of the FSTEC of Russia and the FSB of Russia.

For the consumer of services:
- Advantages: Client information systems may not be hacked. Customer data may not leak. Not a very expensive option. We can say that the data is protected in accordance with "best practices".
- Disadvantages: Supervisory authorities use other "best practices" in their activities, so there may be a misunderstanding between the client and the inspection commission. As in the previous cases, the client's IS will not function in a certified data center segment.


Scheme 5. Proper certification under Order No. 17


1. We select a server / servers / rack / several racks as a "protected data center segment", or the entire data center, for certification.
2. We choose the service provision schemes (colocation / IaaS / SaaS / ...). We write a Policy / Declaration in which we mark the provisions of the legal acts that we are ready to fulfil (for example: we protect everything up to the virtualization level; everything inside the virtual machines is the client's responsibility). We buy certified equipment for the certified data center segment.
3. We order certification for compliance with the requirements of Order No. 17 for class K1 / K2 / K3 (for this, the marketer must say which IS are in the target market segment). The cost depends on the class, the number of protected servers, the approach to certification (segment or not), the service provision scheme, the range of options for organizing a client's protected workflow, etc. From a few million rubles.
4. We receive a certificate of conformity of the information object "Protected Data Processing Center of the city of Isteross" to information security requirements for the given security class.
5. We write on the website: "The Protected Data Processing Center of Isteross is certified for class such-and-such! We can host any GIS / ISPDn. We connect using cryptographic means certified by the FSB".

Advantages and disadvantages of the scheme

For the service provider:
- Advantages: It is possible to offer the client a second / third-party audit, to monitor the presence of the client's IS in the certified segment, and to pass any FSB / FSTEC audit with respect to the clients' IS.
- Disadvantages: Expensive. A competent methodologist is needed who will correctly keep all the documentation and organize the acceptance of new racks.

For the consumer of services:
- Advantages: Your information systems may not be hacked. Your data may not leak. Your IS is really protected according to the requirements of the FSB / FSTEC.
- Disadvantages: Expensive option.


Conclusions


1. When organizing a secure data center, its owners can go for any of these options or choose their own.
2. The client must choose the service provider. Responsibility for the choice lies with the client.
3. The level of trust in the data center is determined by the client independently (from "they have a beautiful sign" to a pre-audit of the data center and monitoring of the level of service provided).

Source: https://habr.com/ru/post/453098/

