IaaS 152-FZ: So You Need Security

No matter how thoroughly the myths and legends surrounding compliance with 152-FZ are taken apart, something always remains behind the scenes. Today we want to discuss some not-always-obvious nuances that both large companies and very small enterprises may face:

  • the subtleties of classifying PD by category - when a small online store collects data related to a special category without even knowing it;

  • where you can store backups of collected PD and perform operations on them;

  • what the difference is between a certificate of conformity and a compliance conclusion, which documents to request from the provider in general, and so on.

Finally, we will share with you our own experience of passing certification. Go!

The expert in today's article will be Alexey Afanasiev, Information Security Specialist of IT-GRAD and #CloudMTS cloud providers (part of the MTS group).

Subtleties of classification

We often encounter a client's desire to quickly determine the required level of security for their ISPD without an IS audit. Some materials on the Internet give the false impression that this is an easy task and that it is quite difficult to get wrong.

To determine the required security level (UZ), it is necessary to understand what data will be collected and processed by the client's IS. Sometimes it is not easy to unambiguously determine the protection requirements and the category of personal data that a business operates with. The same types of personal data can be assessed and classified in completely different ways. Therefore, in some cases, the opinion of the business may differ from the opinion of the auditor, or even from that of the inspecting authority. Let's look at a few examples.

Vehicle fleet. This would seem to be a fairly traditional type of business. Many fleets have been operating for decades, and their owners hire individuals as drivers. As a rule, employee data falls under the requirements of UZ-4. However, working with drivers requires not only collecting personal data, but also carrying out pre-shift medical checks on the fleet's premises, and the information collected in the process immediately falls into the category of medical data, which is personal data of a special category. In addition, the fleet may request medical certificates, which are then stored in the driver's file. A scanned copy of such a certificate is data on the state of health, i.e. personal data of a special category. This means that UZ-4 is no longer enough; a minimum of UZ-3 is required.

Online store. It would seem that the collected names, emails and phone numbers fit into the public category. However, if your customers indicate gastronomic preferences such as halal or kosher, such information may be regarded as data on religious affiliation and beliefs. Therefore, during an inspection or other control activity, the inspector may classify the data you collect as a special category of PD. Had the online store instead collected information about whether the buyer prefers meat or fish, the data could be classified as other PD. By the way, what about vegetarians? This can also be attributed to philosophical beliefs, which likewise belong to a special category. But, on the other hand, it may simply be the position of a person who has excluded meat from his diet. Alas, there is no indicator that unambiguously determines the category of PD in such "subtle" situations.

Advertising agency. Using some Western cloud service, it processes the publicly available data of its customers: full names, email addresses and telephone numbers. Such data, of course, is PD. The question arises: is it legal to carry out such processing? Is it possible to move such data without depersonalization outside the Russian Federation, for example, to store backups in some foreign cloud? Of course you can. The agency has the right to store this data outside of Russia, but the initial collection, according to our legislation, must be carried out on the territory of the Russian Federation. If you back up such information, calculate some statistics based on it, conduct research or perform other operations with it, all of this can be done on Western resources. The key point from the point of view of the legislation is where the PD is collected. Therefore, it is important not to confuse the initial collection with the subsequent processing.

As follows from these short examples, working with PD is not always straightforward and simple. It is required not only to know that you are working with it, but also to be able to classify it correctly and to understand how the IS works in order to correctly determine the required level of security. In some cases, the question may arise of how much PD the organization really needs in order to operate. Is it possible to refuse the most "serious" or simply unnecessary data? In addition, the regulator recommends depersonalizing PD wherever possible.

As in the examples above, you may sometimes find that the inspection authorities interpret the collected PD somewhat differently than you assessed it yourself.

Of course, you can engage an auditor or a system integrator as an assistant, but will the "assistant" be responsible for the decisions made in the event of an inspection? It should be noted that the responsibility always lies with the owner of the ISPD, the personal data operator. That is why, when a company carries out such work, it is important to turn to serious players in the market for such services, for example, companies that conduct certification work and have extensive experience with it.

Options for building ISPD

The construction of an ISPD is in many respects not only a technical but also a legal issue. The CIO or Security Director should definitely consult with a lawyer. Since the company does not always have a specialist with the required profile, it is worth looking towards auditors and consultants. Many slippery points may not be obvious at all.

The consultation will allow you to determine what personal data you are dealing with and what level of security it requires. Accordingly, you will get an idea of the IS that needs to be created or supplemented with protection tools and organizational and administrative documentation (ORD).

Often the choice for a company is one of two options:

  1. Build an appropriate IS on your own software and hardware solutions, possibly in your own server room.

  2. Contact a cloud provider and choose an elastic, already certified solution, a kind of "virtual server room".

Most IS that process PD are built using the traditional approach, which, from a business point of view, can hardly be called easy or successful. When choosing this option, you must understand that the technical design will include a description of the equipment, including software and hardware solutions and platforms. This means that you will have to face the following difficulties and limitations:

  • complexity of scaling;

  • long project implementation period: it is required to select, purchase, install, configure and describe the system;

  • a lot of "paper" work, as an example - the development of a complete package of documentation for the entire ISPD.

In addition, a business, as a rule, understands only the "top" level of its IS: the business applications in use. In other words, its IT personnel are qualified in their narrow area. There is no understanding of how all the "lower levels" work: software and hardware protection tools, storage systems, backup and, of course, how to configure protection tools in compliance with all requirements and build the hardware part of the configuration. It is important to understand that this is a huge body of knowledge that lies outside the client's business. This is where the experience of a cloud provider offering a certified "virtual server room" can come in handy.

In turn, cloud providers have a number of advantages that, without exaggeration, can cover 99% of business needs in the field of personal data protection:

  • capital costs are converted into operating costs;

  • the provider, for its part, guarantees the necessary level of security and availability based on a proven standard solution;

  • there is no need to maintain a staff of specialists who will ensure the operation of ISPD at the hardware level;

  • providers offer much more flexible and elastic solutions;

  • the provider's specialists have all the necessary certificates;

  • compliance is not lower than when building your own architecture, taking into account the requirements and recommendations of regulators.

The old myth that you can't put personal data in the cloud is still wildly popular. It is only partly true: PD really cannot be placed in the first cloud that comes along. It requires compliance with certain technical measures and the use of certain certified solutions. If the provider complies with all legal requirements, the risks associated with a PD leak are minimized. Many providers have a separate infrastructure for processing personal data in accordance with 152-FZ. However, the choice of a supplier also needs to be approached with knowledge of certain criteria, and we will definitely touch on them below.

Clients often come to us with some concerns about placing PD in the provider's cloud. Well, let's discuss them right away.

  • Data can be stolen during transfer or migration

You should not be afraid of this: the provider offers the client a secure data transmission channel built on certified solutions, along with enhanced authentication measures for counterparties and employees. It only remains to choose the appropriate protection methods and implement them as part of the work with the client.

  • A "mask show" raid will arrive and take away/seal/power off the server

It is understandable that customers fear that their business processes will be disrupted due to insufficient control over the infrastructure. As a rule, this worries clients whose hardware was previously located in small server rooms rather than in specialized data centers. In reality, data centers are equipped with modern means of both physical and information protection. It is almost impossible to carry out any operations in such a data center without sufficient grounds and paperwork, and such activities require compliance with a number of procedures. In addition, "pulling out" your server from the data center may affect other clients of the provider, and nobody needs that. Moreover, no one will be able to point a finger at "your" virtual server, so if someone wants to seize it or arrange a mask show, they will first have to face a lot of bureaucratic delays. During this time, you will most likely have time to migrate to another site several times over.

  • Hackers break into the cloud and steal data

The Internet and print media are full of headlines about how yet another cloud fell victim to cybercriminals and millions of records with PD leaked online. In the overwhelming majority of cases, the vulnerabilities were found not on the provider's side at all, but in the victims' IS: weak or even default passwords, "holes" in website and database engines, and the banal carelessness of businesses when choosing protection tools and organizing data access procedures. All certified solutions are checked for vulnerabilities. We also regularly conduct "control" pentests and security audits, both independently and through external organizations. For the provider, this is a matter of reputation and of the business as a whole.

  • The provider/employees of the provider will steal PD for personal gain

This is a rather sore point. A number of companies from the information security world "scare" their customers and insist that "internal employees are more dangerous than outside hackers." Perhaps in some cases this is true, but a business cannot be built without trust. From time to time, news breaks that the internal employees of some organization are leaking customer data to intruders, and internal security is sometimes organized much worse than external security. It is important to understand here that any major provider has no interest whatsoever in such negative cases. The actions of the provider's employees are well regulated, and roles and responsibilities are separated. All business processes are built in such a way that cases of data leakage are extremely unlikely and are always visible to internal services, so customers should not be afraid of problems from this side.

  • You pay little because you pay for services with your business data.

Another myth: a client who rents a secure infrastructure at a comfortable price actually pays for it with their data. This is what "experts" who are not averse to reading a couple of conspiracy theories before going to bed often think. Firstly, the possibility of carrying out any operations with your data other than those specified in the order is essentially zero. Secondly, an adequate provider values its relationship with you and its reputation; besides you, it has many more clients. The opposite scenario is more likely: the provider will zealously protect the data of its customers, on which, among other things, its business is based.

Choosing a cloud provider for ISPD

Today, the market offers many solutions for companies that are PD operators. Below is a general list of recommendations for choosing the right one.

  • The provider must be ready to conclude a formal agreement describing the obligations of the parties, SLAs and areas of responsibility in terms of PD processing. In fact, between you and the provider, in addition to the contract for the service, an instruction for the processing of PD must be signed. In any case, it is worth studying them carefully. It is important to understand the division of responsibilities between you and the provider.

  • Please note that the segment must meet the requirements, which means it must have a certificate indicating a level of security not lower than that required by your IS. It happens that providers publish only the first page of the certificate, from which little is clear, or refer to audit or compliance procedures without publishing the certificate itself (did it ever exist?). It is worth asking for it: this is a public document that indicates who carried out the certification, the validity period, the location of the cloud, etc.

  • The provider must provide information about where its sites (protected objects) are located so that you can control the placement of your data. Recall that the initial collection of PD must be carried out on the territory of the Russian Federation; accordingly, it is desirable to see the data center addresses in the contract or certificate.

  • The provider must use certified information protection systems (IPS) and cryptographic information protection facilities (CIPF). Of course, most providers do not advertise the technical protection means used or the architecture of their solutions. But you, as a client, cannot remain unaware of this. For example, to remotely connect to the management system (management portal), you must use security tools. The provider cannot circumvent this requirement and will provide you with (or require you to use) certified solutions. Take the trial resources and you will immediately understand how and what works.

  • It is highly desirable that the cloud provider offer additional services in the field of information security. These can be various services: protection against DDoS attacks and a WAF, an anti-virus service or a sandbox, etc. All this will allow you to receive protection as a service and deal with business applications rather than being distracted by building protection systems.

  • The provider must be a licensee of FSTEC and FSB. As a rule, such information is posted directly on the website. Be sure to request these documents and check that the service delivery addresses, the provider's company name, etc. are correct.

Let's recap. Leasing infrastructure will allow you to abandon CAPEX, leave only your business applications and data in your area of responsibility, and transfer the heavy burden of certifying the hardware and software to the provider.

How did we get certified?

Most recently, we successfully passed the re-certification of the FZ-152 Secure Cloud infrastructure for compliance with the requirements for working with personal data. The work was carried out by the National Certification Center.

At the moment, the FZ-152 Secure Cloud is certified for hosting information systems involved in the processing, storage or transfer of personal data (ISPD) in accordance with the requirements of the UZ-3 level.

The attestation procedure involves checking the cloud provider's infrastructure for compliance with the required level of protection. The provider itself provides the IaaS service and is not a personal data operator. The process involves an assessment of both organizational measures (documentation, orders, etc.) and technical measures (configuration of protection tools, etc.).

It cannot be called trivial. Despite the fact that the GOST on programs and methods for conducting attestation appeared back in 2013, there are still no rigid programs for cloud objects. Certification centers develop these programs based on their own expertise. With the advent of new technologies, the programs become more complex and modernized; accordingly, the certifier must have experience with cloud solutions and understand their specifics.

In our case, the protected object consists of two locations.

  • Cloud resources (servers, storage systems, network infrastructure, security tools, etc.) are located directly in the data center. Of course, such a virtual data center is connected to public networks; therefore, certain firewalling requirements must be met, for example, the use of certified firewalls.

  • The second part of the object is cloud management tools. These are workstations (administrator workstations) from which the protected segment is managed.

The locations are connected through a VPN channel built on CIPF.

Since virtualization technologies create the prerequisites for the emergence of threats, we also use additional certified protection tools.

Figure: Structural diagram "through the eyes of a certifier"

If the client needs certification of its ISPD after leasing IaaS, it will only have to assess the information system above the level of the virtual data center. This procedure involves checking the infrastructure and the software used on it. Since for all infrastructure issues you can refer to the provider's certificate, you will only have to deal with the software.

Figure: Separation at the level of abstraction

In conclusion, here is a small checklist for companies that already work with personal data or are just planning to. So, how to handle PD and not get burned.

  1. To audit and develop threat and intruder models, invite an experienced consultant from among the certification laboratories who will help develop the necessary documents and bring you to the stage of technical solutions.

  2. At the stage of choosing a cloud provider, pay attention to the presence of a certificate. It is a good sign if the company has posted it publicly on its website. The provider must be a licensee of FSTEC and FSB, and the service it offers must be certified.

  3. Make sure that you have a formal contract and a signed instruction for the processing of PD. Based on this, you will be able to carry out both a compliance check and an ISPD certification. If this work at the technical design stage and the preparation of design and technical documentation seems burdensome to you, contact third-party consulting companies from among the certification laboratories.

If the issues of PD processing are relevant for you, on September 18, this Friday, we will be glad to see you at the webinar "Features of building certified clouds".

Source: habr.com
