“It'll do as is”: why cloud providers cannot agree on personal data

Recently a request for cloud services came our way. We worked out in general terms what would be required of us and sent back a list of questions to clarify the details. Then we analyzed the answers and realized that the customer wants to place personal data of security level 2 in the cloud. We told him: "You have level 2 personal data; sorry, we can only offer you a private cloud." And he replied: "You know, company X can host all of it for me in a public cloud."

Photo: Steve Crisp, Reuters

Strange! We went to company X's website, studied their attestation documents, shook our heads, and realized that placing personal data in the cloud raises a lot of open questions that deserve a thorough airing. That is what we will do in this post.

How things should work

To begin with, let's figure out on what basis personal data (PD) is assigned to one security level or another. It depends on the category of the data, on the number of data subjects whose data the operator stores and processes, and on the type of threats that are deemed relevant.


The types of relevant threats are defined in Decree of the Government of the Russian Federation No. 1119 of November 1, 2012, "On approval of requirements for the protection of personal data during their processing in personal data information systems":

"Type 1 threats are relevant to an information system if, among others, threats associated with the presence of undocumented (undeclared) capabilities in the system software used in the information system are relevant to it.

Type 2 threats are relevant to an information system if, among others, threats associated with the presence of undocumented (undeclared) capabilities in the application software used in the information system are relevant to it.

Type 3 threats are relevant to an information system if the threats relevant to it are not associated with the presence of undocumented (undeclared) capabilities in the system and application software used in the information system."

The key point in these definitions is the presence of undocumented (undeclared) capabilities (NDV, from the Russian abbreviation). The absence of undeclared capabilities in software (in the case of a cloud, that software is the hypervisor) is confirmed by FSTEC of Russia certification. If the PD operator accepts that the software has no such capabilities, the corresponding threats are deemed irrelevant. In practice, PD operators rarely accept type 1 and type 2 threats as relevant.

Besides determining the PD security level, the operator must also identify the specific threats relevant to the public cloud and, based on the identified security level and those threats, select the necessary protection measures and tools.

FSTEC has all the main threats clearly listed in its BDU (threat database). Cloud infrastructure providers and certifiers use this database in their work. Here are two examples of threats from it:

UBI.44: "The threat consists in the possibility of compromising the security of user data of programs running inside a virtual machine by malware running outside the virtual machine." This threat is due to the presence of vulnerabilities in the hypervisor software, which is responsible for isolating the address space that stores user data of programs running inside the virtual machine from unauthorized access by malware running outside the virtual machine.

This threat can be realized if malicious code successfully breaks out of the virtual machine, not only by exploiting hypervisor vulnerabilities but also by acting from levels of the system that sit below the hypervisor.

UBI.101: "The threat consists in the possibility of unauthorized access by one cloud service consumer to the protected information of another. This threat is due to the fact that, by the nature of cloud technologies, cloud service consumers have to share the same cloud infrastructure. The threat can be realized if mistakes are made in dividing the elements of the cloud infrastructure between cloud service consumers, as well as in isolating their resources and data from each other."

These threats can only be countered by the hypervisor, since it is the hypervisor that manages the virtual resources. The hypervisor must therefore be treated as a means of protection.

And under FSTEC Order No. 21 of February 18, 2013, the hypervisor must then be certified for the absence of undeclared capabilities at control level 4 (NDV-4); otherwise, processing level 1 and level 2 personal data on it is unlawful. Clause 12 reads: "... To ensure security levels 1 and 2 of personal data, as well as security level 3 in information systems for which type 2 threats are deemed relevant, information security tools are used whose software has been tested at least at control level 4 for the absence of undeclared capabilities."

Only one hypervisor holds the required NDV-4 certification: the Russian-developed Horizon VS. To put it mildly, not the most popular solution. Commercial clouds are usually built on VMware vSphere, KVM or Microsoft Hyper-V, and none of these products is NDV-4 certified. Why? Probably because obtaining such a certification is not yet economically justified for the vendors.

So for level 1 and 2 personal data in a public cloud, Horizon VS is the only option left. Sad but true.

How everything (in our opinion) actually works

At first glance everything is quite strict: these threats must be neutralized by properly configuring the built-in protection mechanisms of an NDV-4 certified hypervisor. But there is a loophole. Under FSTEC Order No. 21 (clause 2: "The security of personal data during processing in a personal data information system (hereinafter, the information system) is ensured by the operator or by the person processing personal data on behalf of the operator, in accordance with the legislation of the Russian Federation"), providers assess the relevance of possible threats themselves and choose protection measures accordingly. So if threats UBI.44 and UBI.101 are simply not accepted as relevant, there is no need for the NDV-4 certified hypervisor that would protect against them. And that is enough to obtain a certificate of compliance of the public cloud with PD security levels 1 and 2, which Roskomnadzor will be perfectly satisfied with.

Of course, besides Roskomnadzor, FSTEC can also come with an inspection, and that agency is far more meticulous on technical matters. It will certainly want to know why exactly threats UBI.44 and UBI.101 were deemed irrelevant. But FSTEC usually undertakes an inspection only after it receives information about some high-profile incident. In that case the federal service first visits the personal data operator, that is, the customer of the cloud service. In the worst case the operator receives a small fine: for example, at the beginning of the year Twitter was fined 5,000 rubles in a similar case. Then FSTEC moves on to the cloud service provider, which may well lose its licenses for non-compliance with regulatory requirements, and that is a completely different level of risk, both for the cloud provider and for its customers. But, I repeat, FSTEC usually needs a clear reason to inspect. So cloud providers are willing to take the risk. Until the first major incident.

There is also a group of "more responsible" providers who believe that all threats can be closed by adding an overlay product such as vGate on top of the hypervisor. But in a virtual environment shared among customers, for some threats (for example, UBI.101 above) an effective protection mechanism can only be implemented at the level of an NDV-4 certified hypervisor, because no add-on system changes the hypervisor's standard resource-management functions (in particular, its management of RAM).

How we work

We have a cloud segment built on a FSTEC-certified hypervisor (but without NDV-4 certification). This segment is attested, so personal data of security levels 3 and 4 can be placed in the cloud built on it; the requirements for protection against undeclared capabilities do not apply there. By the way, here is the architecture of our secure cloud segment:

[Figure: architecture of the secure cloud segment]
Systems for personal data of security levels 1 and 2 we implement only on dedicated equipment. Only in this case is, for example, threat UBI.101 genuinely irrelevant, since server racks that are not joined by a single virtual environment cannot influence each other even when placed in the same data center. For such cases we offer a dedicated equipment rental service (also called Hardware as a Service).

If you are not sure which security level your personal data system requires, we can also help you classify it.

Conclusion

Our small market survey showed that some cloud operators are quite willing to risk both their customers' data security and their own future in order to win an order. We take a different approach to these matters, which we described briefly above. We will be happy to answer your questions in the comments.

Source: habr.com
