152 READY: Personal Data Allocation Infrastructure
ABOUT CLOUD-152
Cloud-152 is a cloud infrastructure built in line with the new requirements for personal data protection:
Community cloud for allocation of personal data with protection levels #2 and #3
Private cloud for allocation of personal data with protection level #1
New Requirements for Data Protection and IT-infrastructure Providers
SETTING REQUIREMENTS FOR DATA PROTECTION
Personal data are divided into 4 categories, called protection levels.
Each protection level carries its own requirements for administering the protection of personal data.
These requirements vary depending on the type of threats relevant to each individual information system and on whether the system is connected to the Internet.
FACTORS DESIGNATING DATA PROTECTION LEVEL
Data category: special, biometric, other, public
Subjects: employees, counterparties
Number of subjects: < 100,000 or > 100,000
Type of immediate threats: 3 categories of threats
TYPES OF IMMEDIATE THREATS
1. Threats caused by undeclared
(undocumented) capabilities in the system
software.
2. Threats caused by undeclared capabilities in
the application software.
3. Threats caused by other factors.
Threat type designation is not regulated.
PROTECTION LEVELS
Data category | Operator's employees | Number of subjects | Threat type 1 (UDC* in OS) | Threat type 2 (UDC* in SW) | Threat type 3 (without UDC*)
Special   | No  | > 100,000 | PL-1 | PL-1 | PL-2
Special   | No  | < 100,000 | PL-1 | PL-2 | PL-3
Special   | Yes | -         | PL-1 | PL-2 | PL-3
Biometric | -   | -         | PL-1 | PL-2 | PL-3
Other     | No  | > 100,000 | PL-1 | PL-2 | PL-3
Other     | No  | < 100,000 | PL-2 | PL-3 | PL-4
Other     | Yes | -         | PL-2 | PL-3 | PL-4
Public    | No  | > 100,000 | PL-2 | PL-2 | PL-4
Public    | No  | < 100,000 | PL-2 | PL-3 | PL-4
Public    | Yes | -         | PL-2 | PL-3 | PL-4
* UDC – undeclared capabilities
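The protection-level table above is a decision rule an operator has to apply to every information system before choosing a hosting option. The following is an added example (not code from the presentation or from DataLine) that encodes that rule, validates the inputs the table does not cover, and maps the result to the private or community Cloud-152 offering named on this page; the function names and the sample inventory are constructed for illustration.

```python
"""Protection level (PL) selection per the Cloud-152 protection levels table.
Added example, not part of the original presentation; names and sample data
are constructed for illustration."""
from dataclasses import dataclass

CATEGORIES = ("special", "biometric", "other", "public")
THREAT_TYPES = (1, 2, 3)  # 1 = UDC in OS, 2 = UDC in app software, 3 = other

# Table rows: (category, more than 100,000 external subjects) -> PL for
# threat types 1, 2, 3.  "Operator's employees" and "< 100,000" share a row,
# and the biometric category gets the same PLs whatever the other factors.
_PL_TABLE = {
    ("special", True): (1, 1, 2),   ("special", False): (1, 2, 3),
    ("biometric", True): (1, 2, 3), ("biometric", False): (1, 2, 3),
    ("other", True): (1, 2, 3),     ("other", False): (2, 3, 4),
    ("public", True): (2, 2, 4),    ("public", False): (2, 3, 4),
}

@dataclass(frozen=True)
class InfoSystem:
    name: str
    category: str             # one of CATEGORIES
    operator_employees: bool  # subjects are the operator's own staff
    subjects: int             # number of personal data subjects
    threat_type: int          # designated by the operator (not regulated)

def protection_level(s: InfoSystem) -> int:
    """Return the PL (1..4) the table assigns; reject inputs it does not cover."""
    if s.category not in CATEGORIES:
        raise ValueError(f"unknown data category: {s.category!r}")
    if s.threat_type not in THREAT_TYPES:
        raise ValueError(f"threat type must be 1, 2 or 3, got {s.threat_type}")
    if s.subjects < 0:
        raise ValueError("subject count cannot be negative")
    # The "> 100,000" row applies to external subjects only.  Exactly 100,000
    # is not covered by the table; assumed here to fall into the lower row.
    large_external = (not s.operator_employees) and s.subjects > 100_000
    return _PL_TABLE[(s.category, large_external)][s.threat_type - 1]

def hosting_option(pl: int) -> str:
    """Cloud-152 offering named on the page: PL-1 requires the private cloud."""
    return "private Cloud-152" if pl == 1 else "community Cloud-152"

def classify(systems):
    """(name, PL, hosting option) per system, e.g. as input to a migration plan."""
    return [(s.name, pl, hosting_option(pl))
            for s in systems for pl in (protection_level(s),)]

# Constructed sample inventory (not real customer data).
SAMPLE_SYSTEMS = [
    InfoSystem("hr-portal", "other", True, 5_000, 1),
    InfoSystem("clinic-emr", "special", False, 250_000, 2),
    InfoSystem("loyalty-app", "public", False, 500_000, 3),
]
```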
INFORMATION PROTECTION MEANS
Protection level:          PL-1, PL-2 | PL-3 | PL-4
Type of threats:           3 | 1, 2, 3 | 2 | 3 | 3
Internet connectivity:     no | yes | - | yes | no | -
Computer equipment:        Class 5* | Class 6
Intruder detection system: Class 4 | Class 5
Virus protection means:    Class 5
Firewall:                  Class 4 | Class 3 | Class 4
Other information protection means: any safety specifications or tasks
* Each category of tools has its own FSTEC classification.
INFRASTRUCTURE MODELS & DATA PROTECTION REQUIREMENTS
Infrastructure models: colocation, cloud
Data protection requirements: virtualization protection, firewalling, communication channels protection, physical security
PROVIDER REQUIREMENTS
FSTEC license for development and (or) production of
information confidentiality protection means
FSTEC license for confidential information technical protection
FSS license for cryptographic protection means usage
FSTEC certificates for utilized information protection means
Lease/purchase agreement for utilized protection means
OUR APPROACH
INFRASTRUCTURE-152: WE OFFER
Virtualization platform / hardware allocation in line with federal laws
Integration of your IS tools / equipment into our solution architecture
Attestation and maintenance of the IS*:
threat model development
documents preparation
information system attestation
information system maintenance
*The service is provided in cooperation with partners.
OUR CERTIFICATES AND LICENSES
Premier VSSP VMware
Microsoft GOLD Hosting Provider
Oracle Gold Partner
SAP for Business All-in-One in Application Management and Hosting Services
HP GOLD Partner
ISO/IEC 27001:2013
ISO 9001:2011
Uptime Institute Management and Operations
Uptime Institute Tier III Certified (Design)
PCI DSS v. 3.0
ISAE 3402
FSTEC license #0763: for development and (or) production of information
confidentiality protection means
FSTEC license #1279: for confidential information technical protection
FSS license #0011865 for provision of the services using cryptographic means
PHYSICAL SECURITY
Multilevel access control
Round-the-clock video monitoring; video recordings are retained for 3 months
Individual fences for racks
Access control system on the fence/rack, with biometrics
Dedicated video monitoring solutions (APC NetBotz, etc.)
Additional sensors detecting rack door opening
Safe rack
NETWORK SECURITY
FSTEC certified equipment and software
Network segmentation in the cloud via VLANs and the firewall of Check Point Security Gateway
Control of interaction with external networks via the intrusion detection system of Check Point Security Gateway
Cryptographic protection of communication channels:
GOST encryption via the S-Terra virtual crypto gateway
Layer 2 encryption using the MACsec protocol
VPN using AES or 3DES encryption
NETWORK SECURITY: CLOUD-152
[Network diagram: cloud core switches, ESXi hosts, S-Terra virtual gateway, Check Point Security Gateways (FW/IDS), data centre core switches; DataLine admins and remote user sites reach Cloud-152 over a site-to-site VPN across the Internet.]
CLOUD-152: IAAS VERSIONS
Private cloud for allocation of personal data with protection level #1
Community cloud for allocation of personal data with protection levels #2, #3 and #4
The standard solution offers a resilient architecture based on the NORD-4 data centre.
A disaster-proof Cloud-152 can also be arranged across the NORD and OST data centre locations.
PRIVATE CLOUD-152 FOR DATA WITH PL-1
For information systems processing personal data with protection level #1, an individual project is developed on dedicated hardware.
This solution may be fail-safe or disaster-proof.
COMMUNITY CLOUD: ARCHITECTURE
COMMUNITY CLOUD: PROTECTION MEANS
All protection means used in Cloud-152 architecture are certified by
FSTEC*:
vGate R2 (virtualization protection means)
CheckPoint IDS (intruder detection system)
CheckPoint FW (firewall)
Wallix (proxy server with sessions recording)
Kaspersky (virus protection)
S-Terra (VPN gateway)
SecretNet and Sobol software and hardware (protection against unauthorized access)
* Register of FSTEC certified protection means
INFRASTRUCTURE-152: ALGORITHM
1. System audit*
2. Threat model
3. Technical project**
4. Set of documents (OED***)
5. Migration to Cloud-152
6. System attestation****
7. Documents submission to Roskomnadzor
* For current projects/operating systems. Launching an IS from scratch commences with development of a threat model.
** The technical project includes a list of protection means corresponding to the protection level of the personal data used and to the type of threats immediate for the particular system.
*** The set of documents includes: threat model, technical project, organizational records, letter to Roskomnadzor.
**** The attestation includes an assessment of the system's compliance with the threat model and the technical project.
SLA: KEY PARAMETERS
99.95% service availability for data with PL-2: maximum allowable service downtime per month* 0.37 h
99.98% service availability for data with PL-3: maximum allowable service downtime per month* 0.15 h
≥ 1,700 MIPS per 1 vCPU
HDD IOPS: 250 IOPS per 500 GB
Time of access to the VM disk: ≤ 20 ms
99.982% availability of the data centre and network infrastructure
10 minutes response time
* including technological downtime (infrastructure maintenance)
SLA for data with PL-2: why 99.95%
The reduced guaranteed availability of the service results from the prohibition of remote access to hosts that administer the protection of personal data with protection level #2.
For information systems with this data category, servers may only be rebooted manually.
HOW MUCH DOES IT COST?
Unit prices shown on the slide: $11; $3.23; $6.44; $0.12; $0.26; $0.51
Priced units:
HDD SATA, per 1 GB
HDD SAS, per 1 GB
SSD, per 1 GB
RAM, per 1 GB
CPU, per 1 GHz
Protection means, per vCPU
INTERESTED, BUT STILL HAVE QUESTIONS?
Contact us at +7 (495) 784 65 05 or [email protected] if you have any questions on personal data protection options.