152 READY:Personal Data Allocation Infrastructure

ABOUT CLOUD-152

Cloud-152 is a cloud infrastructure built in line with new

requirements for personal data protection:

Community cloud for allocation of personal data with

protection level #2 and #3

Private cloud for allocation of personal data with protection

level #1.

New Requirements for Data Protection and IT-infrastructure Providers

SETTING REQUIREMENTS FOR DATA PROTECTION

Personal data are divided into 4 categories – protection

levels.

Each protection level has its own requirements for the

personal data protection administration.

These requirements vary depending on the type of threats

relevant for each separate information system, as well as on

the Internet connectivuty of the system.

FACTORS DESIGNATING DATA PROTECTION LEVEL

Data category

Subjects

Number of subjects

Type of immediate

threats

Employees

Counterparties

Public

Special

Biometric

Other

< 100,000

> 100,0003 categories of

threats

TYPES OF IMMEDIATE THREATS

1. Threats caused by undeclared

(undocumented) capabilities in the system

software.

2. Threats caused by undeclared capabilities in

the application software.

3. Threats caused by other factors.

Data category

Subjects

Number of

subjects

TYPES OF

THREATS

Threat type designation is not regulated.

PROTECTION LEVELS

Data CategoryOperator’s

Employees

Number of

Subjects

Type of Vital Threats

1 2 3

(UDC* OS) (UDC* SW)(Without

UDC*)

Special

No > 100,000 PL-1 PL-1 PL-2

No < 100,000

PL-1 PL-2 PL-3Yes

Biometric PL-1 PL-2 PL-3

OtherNo > 100,000 PL-1 PL-2 PL-3

No < 100,000PL-2 PL-3 PL-4

Yes

PublicNo > 100,000 PL-2 PL-2 PL-4

No < 100,000PL-2 PL-3 PL-4

Yes

* UDC– undeclared capabilities

INFORMATION PROTECTION MEANS

PROTECTION LEVEL PL-1, PL- 2 PL-3 PL-4

TYPE OF THREATS 3 1, 2, 3 2 3 3

INTERNET CONNECTIVITY no yes - yes no -

Computer equipmentClass 5* Class 6

Intruder detection system

Class 4 Class 5

Class 5 Virus protection means

Firewall Class 4 Class 3 Class 4

Other information protection

means Any safety specifications or tasks

*Each category of tools has its own FSTEC classification.

INFRASTRUCTURE MODELS & REQUIREMENTS TO DATA PROTECTION

Virtualization protection

Firewalling

Communication channels protection

Physical security

COLOCATION

CLOUD

PROVIDER REQUIREMENTS

FSTEC license for development and (or) production of

information confidentiality protection means

FSTEC license for confidential information technical protection

FSS license for cryptographic protection means usage

FSTEC certificates for utilized information protection means

Lease/purchase agreement for utilized protection means

OUR APPROACH

INFRASTRUCTURE-152:WE OFFER

Virtualization platform / hardware allocation in line with federal

laws

Integration of your IS tools / equipment into our solution

architecture

Attestation and maintenance of the IS*:

threat model development

documents preparation

information system attestation

information system maintenance

*The service is provided in cooperation with partners.

OUR CERTIFICATES AND LICENSES

Premier VSSP VMware

Microsoft GOLD Hosting Provider

Oracle Gold Partner

SAP for Business All-in-One in Application Management and Hosting Services

HP GOLD Partner

ISO/IEC 27001:2013

ISO 9001:2011

Uptime Institute Management and Operations

Uptime Institute Tier III Certified (Design)

PCI DSS v. 3.0

ISAE 3402

FSTEC license #0763: for development and (or) production of information

confidentiality protection means

FSTEC license #1279: for confidential information technical protection

FSS license #0011865 for provision of the services using cryptographic means

PHYSICAL SECURITY

Multilevel access control

Round-the-clock video monitoring; video records are

stored during 3 months

Individual fences for racks

Access control system of the fence/rack, biometrics

Dedicated video monitoring solutions (APC Netbotz, etc.)

Extra sensors on rack doors opening

Safe rack

NETWORK SECURITY

FSTEC certified equipment and software

Network segmentation in the cloud via VLAN and firewall of

Check Point Security Gateway

External networks interaction control via the intruder

detection system of Check Point Security Gateway

Cryptographic protection of communication channels

GOST coding via the virtual crypto gateway S-Terra

Second level coding using the MacSec protocol

VPN organization using AES, 3DES coding

NETWORK SECURITY

CLOUD-152

Cloud core switch’s

ESXi ESXi ESXi ESXi

S-Terra virtual gateway

DataLine Admins

Remote user sites

Check Point Security

Gateway’s (FW/IDS)

DataCenter core switch’s

Site-to-site VPNINTERNET

CLOUD-152: IAAS VERSIONS

Private cloud for allocation of personal data with protection

level #1

Community cloud for allocation of personal data with

protection levels #2, #3 and #4

The standard solution offers a resilient architecture based on NORD-4 data centre.

Disaster-proof cloud-152 can be also arranged based on NORD and OST data centres locations.

PRIVATE CLOUD-152 FOR DATA WITH PL-1

For the information systems processing personal data

with protection level #1, an individual project is

developed on the allocated hardware.

This solution may be fail-safe or disaster-proof.

COMMUNITY CLOUD: ARCHITECTURE

COMMUNTY CLOUD: PROTECTION MEANS

All protection means used in Cloud-152 architecture are certified by

FSTEC*:

vGate R2 (virtualization protection means)

CheckPoint IDS (intruder detection system)

CheckPoint FW (firewall)

Wallix (proxy server with sessions recording)

Kaspersky (virus protection)

S-Terra (VPN gateway)

SecretNet and Sobol software and hardware (protection against

unauthorized access)

* Register of FSTEC certified protection means

INFRASTRUCTURE-152: ALGORITHM

Threat model

Migration toCloud-152

Set of documents (OED***)

System attestation****

Documents submission to Roskomnadzor

Technical project**

System audit*

* For current projects/operating systems. Launch of the IS from the scratch commences with development of a threat model.** Technical project includes a list of protection means corresponding to the level of protection of used personal data and type of threats immediate for the particular system.*** A set of documents includes: a threat model, technical project, organizational records, letter to Roskomnadzor**** The attestation includes compliance assessment of the threat model system to the technical project

Maximum allowable service downtime per month*

≥

1,700

0.37 h

Maximum allowable service downtime per month*0.15 h

MIPS / 1 vCPU

250 IOPS/

500 GBHDD IOPS

Time of access to the VM disc≤20ms

99.982%

availability of the data centre and

network infrastructure

10 minutes

response time

99.98% of the service availability for

data with PL-3

99.95% of the service availability

for data with PL-2

SLA: KEY PARAMETERS

* including technological downtime (infrastructure maintenance)

SLA for data with PL-2: why 99.95%

Reduced guaranteed availability of the service is caused

by the prohibition of the remote access to the host under

protection administration of personal data with protection

level # 2.

Manual reboot of the servers is only permissible for the IS

with this data category.

$11

$3.23 $6.44

$0.12

$0.26$0.51

HDD SATA, for 1 Gb

HDD SAS, for 1 Gb

SSD, for 1 Gb

RAM, for 1 Gb

CPU,for 1 GHz

Protection means,

For vCPU

HOW MUCH DOES IT COST?

INTERESTED, BUT STILL HAVE QUESTIONS?

Contact us at +7 (495) 784 65 05 or

cloud-152@dtln.ru if you have any questions on personal

data protection options.