How to use Selectel services to comply with the requirements of Federal Law 152

Storing and processing personal data (PDn) in the cloud is a convenient and flexible solution. However, practice shows that companies do not always manage to optimize the protection of such information. My name is Mark Peskov, I am an information security methodologist at Selectel. In this article, I will tell you how to organize secure processing of personal data in a cloud infrastructure and what to consider when dividing the areas of responsibility between the operator and the provider.

Use the navigation if you don't want to read the full text:

  • Where to begin
  • Who is involved in implementing security measures?
  • What should a personal data operator do on his side?
  • What's next

Where to begin


The processing and protection of personal data is regulated by Federal Law No. 152, by-laws and methodological documents. Step-by-step implementation of their requirements and recommendations allows you to build an adequate information security management system.

First of all, you need to analyze what data and in what volume your service processes. Particular attention should be paid to personal data.

The next step is to define the main external and internal conditions, service operation features and tasks to be solved. External conditions include the expectations and needs of users and partners, applicable legal requirements, etc. Internal conditions include, for example, the service development strategy. Features are what distinguishes it from other products: technology stack, architecture, etc.

The analysis will help you formulate two key indicators.

Now it is necessary to form a set of legal, organizational and technical measures to ensure the security of personal data. There are 109 such measures in total, combined into 15 groups; a detailed description can be found in Order of the FSTEC of Russia No. 21.

The basic set of security measures is formed depending on the level of personal data protection. For the fourth (minimum) level there are only 27 of them, and for the first (maximum) level – 69.

However, the composition of the measures may change. For example, if certain technologies and processes are not used in the information system, the measures associated with them may be excluded. And vice versa: if certain security threats are relevant for the system, additional measures may be added to neutralize them.

Groups of measures to ensure the security of personal data:

All these measures are necessary to exclude any unauthorized actions with personal data. These may include accidental or intentional destruction, modification, blocking, copying, distribution, not related to normal data processing. It is important to understand that the protection of PDn is the responsibility of the operator company. In other words, whoever collects personal data is responsible for its security. At the same time, the IT service provider can ensure compliance with some of these measures. What exactly can be entrusted to Selectel and how best to organize all processes, we will discuss below.

Who is involved in implementing security measures?


The security of personal data in the cloud infrastructure is ensured by the personal data operator and the IT infrastructure provider. The boundaries of the areas of responsibility may shift in one direction or another. This depends on the model of providing cloud services (infrastructure or platform) and the specifics of implementing specific security measures.

For example, the operator implements almost all legal and organizational security measures independently. He does this on the basis of organizational and administrative documentation, which:

All organizational measures to protect technical means for any level of personal data protection are fully implemented on the Selectel side. Only the provider's employees have physical access to the equipment in the data centers. That is, the basic set of security measures implemented by the operator is reduced due to the division of areas of responsibility.

Scheme of division of areas of responsibility.

The PDn operator and the IT provider implement technical security measures at different technological levels. In doing so, the operator can use the functions and specialized services of Selectel.

It is important to understand here: part of the work remains with the operator. For example, you can instruct the provider to organize the infrastructure for identifying and authenticating users. But the operator will have to solve the problem of access control.

What should a personal data operator do on his side?


Below we will look at the steps you need to take to easily comply with the requirements of Federal Law 152.

Identification, authentication and access control

System and application software, as well as specialized information security tools, have built-in security mechanisms in terms of identification, authentication, and access control. Because of this, it is sometimes thought that the personal data operator only needs to use them. It is worth remembering that access control at the control panel and API level is no less important.

The basic Identity and Access Management (IAM) service is a role-based model that allows you to create, modify, and delete accounts, as well as control their access to resource management. Federated access allows you to use your own management system as the source of user data (an Identity Provider such as Keycloak, ADFS or another SAML-compatible system). Thanks to this, you can do without additional authentication in the control panel: Single Sign-On (SSO) is enough.

In addition to IAM, you can restrict access to the control panel and API at the data network level: by IP address or subnet. This is described in more detail in the documentation.

By default, two-factor authentication is enabled when you log into the control panel. We recommend that you do not disable it, and that you contact Selectel technical support if you suspect that your account has been compromised. A login to the control panel from an unknown IP address is recorded in the authorization log, and the account administrator receives an email notification. At the same time, a compromise may go unnoticed if third parties have uncontrolled access to account data.

The firewall in the cloud platform and on dedicated equipment allows you to control access to network services from the Internet and within private networks. With its help you can implement:

  • IPv4 traffic filtering for a private subnet,
  • opening and closing specific ports or port ranges,
  • allowing and denying access from specified IP addresses or subnets, taking into account the state of network connections.

There are also more complex scenarios for protecting network services, for example, detecting and preventing network attacks. To implement them, you can rent a firewall. And to protect web services from attacks at the application level (L7), use the Web Application Firewall (WAF) service.

To help you navigate through Selectel's services related to account identification and authentication, we have compiled a table.

Ensuring availability

Service availability implies, first of all, fault tolerance. It can be ensured by reserving components in different regions and availability zones. A Fault Tolerant Load Balancer provides access to these components from the Internet and distributes the load between them. It also provides protection against DDoS attacks for all incoming traffic at the L3 and L4 levels.

Backups of dedicated and cloud servers provide protection against data loss and quick restoration of service operation. And when using cloud databases, resource backup is performed automatically.

Below is a table to help you understand Selectel's services to ensure service availability and protect virtualization tools.

Configuration Control

To control changes in the configuration of components, you can use the open ports monitoring service. It periodically scans the range of network addresses of your project. When new open TCP ports are detected that have not been marked as trusted, the service sends a notification to the account administrator via email or Telegram. This allows you to promptly detect suspicious activity or errors made by the administrator when configuring network services and the firewall.

Selectel's open port monitoring service helps implement two security measures:

  • control of the operability, settings and correct functioning of software and information security tools,
  • protection of archive files, settings for information security tools and software, and other data that cannot be changed during the processing of personal data.

Automation of resource management

Automation of resource management in large projects reduces the impact of human error on service security. Such errors may occur, for example, when configuring resources. In addition, automation allows you to document configuration changes without unnecessary actions. And this is already the implementation of measures of the UCF group (information system configuration management and personal data protection system).

There is an approach to managing resource configurations called "infrastructure as code" (Infrastructure as Code, IaC). It consists in the fact that all computing resources and changes in them are described by code. This way, many manual operations and settings can be eliminated, and as a result, the risk of errors can be minimized. In addition, the approach allows describing and applying reference resource configurations taking into account security requirements.

Configuring basic security settings when creating virtual machines in the control panel can be simplified. For this purpose, there is a mechanism for specifying user parameters (field User Data). It allows you to either automatically perform a specified set of actions using a bash script, or set configuration parameters for individual services using the cloud-init mechanism.

With User Data, you can, for example, automatically configure sshd parameters before starting the virtual machine. These parameters include:

  • disabling root login capability,
  • disable password authentication,
  • adding the administrator's public key to the authorized_keys file, etc.
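As an added example (not code from the Selectel article or product), here is a User Data bash script that applies the three sshd settings listed above through a drop-in file and then audits the result; the variable names ADMIN_USER and ADMIN_PUBKEY and the drop-in file name are assumptions.

```bash
#!/bin/bash
# Added example, not Selectel's code: a User Data script that applies the
# three sshd settings listed above via a drop-in file, installs the admin
# key, and audits the result. Assumes OpenSSH 8.2+ (Include of
# /etc/ssh/sshd_config.d/) and operator-supplied ADMIN_USER/ADMIN_PUBKEY
# (hypothetical variable names).
set -eu

# Write the hardened directives to a drop-in under the given directory.
write_sshd_hardening() {
  local dropin_dir="$1"
  mkdir -p "$dropin_dir"
  cat > "$dropin_dir/10-hardening.conf" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
EOF
}

# Append the key to the user's authorized_keys once (idempotent), with the
# permissions sshd's StrictModes requires.
install_admin_key() {
  local home="$1" pubkey="$2" ak="$1/.ssh/authorized_keys"
  install -d -m 700 "$home/.ssh"
  touch "$ak" && chmod 600 "$ak"
  grep -qxF "$pubkey" "$ak" || echo "$pubkey" >> "$ak"
}

# Audit: succeed only if each required directive has the required value
# (last occurrence wins, as in sshd; case-sensitive for simplicity).
check_sshd_hardening() {
  local conf="$1" pair key val
  for pair in "PermitRootLogin no" "PasswordAuthentication no" \
              "PubkeyAuthentication yes"; do
    key=${pair% *}; val=${pair#* }
    [ "$(awk -v k="$key" '$1==k {v=$2} END {print v}' "$conf")" = "$val" ] \
      || return 1
  done
}

# User Data entry point: act only on a real host with the inputs present.
if [ "$(id -u)" -eq 0 ] && [ -d /etc/ssh ] && [ -n "${ADMIN_PUBKEY:-}" ]; then
  home=$(getent passwd "${ADMIN_USER:-admin}" | cut -d: -f6)
  [ -n "$home" ] || { echo "unknown admin user" >&2; exit 1; }
  write_sshd_hardening /etc/ssh/sshd_config.d
  install_admin_key "$home" "$ADMIN_PUBKEY"
  check_sshd_hardening /etc/ssh/sshd_config.d/10-hardening.conf
  sshd -t && systemctl reload sshd   # apply only if the config parses
fi
```

Because root login is disabled, the key is installed for a separate administrator account, which the operator must create (for example, via cloud-init) before this script runs.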

Selectel's API, combined with Terraform and User Data in the cloud platform, helps implement two security measures:

  • management of changes in the configuration of the information system and the personal data protection system,
  • documenting information (data) about changes in the configuration of the information system and the personal data protection system.

Thus, resource configuration helps the personal data operator to implement some of the security measures in his area of responsibility even at the stage of creating virtual machines.

Summary of Security Measures

When using infrastructure services (IaaS), the PDn operator implements security measures at the operating system and application level. When using platform services (PaaS) – only at the application level.

The implementation of the following technical security measures remains the responsibility of the PDn operator.

  • Identification and authentication of access subjects and objects: management of personalized user accounts and their authentication when attempting to access the system.
  • Access management: assigning access rights to users, limiting the number of login attempts and methods, etc.
  • Security event logging: setting up rules for event logging, storage periods, access to log files, etc. Security events include, for example, attempts to access the system, adding and deleting accounts, changing configurations, installing software components, accessing files with confidential information, using utility programs, etc.
  • Antivirus protection.
  • Detecting and preventing intrusions using host-based systems or by integrating dedicated network-level security tools into the infrastructure (IaaS only).
  • Monitoring and analyzing the security of personal data: using security scanners or vulnerability detection mechanisms.
  • Ensuring the integrity of the information system and personal data.
  • Protection of the information system, its means, communication systems and data transmission based on secure network protocols (HTTPS, SSH).

What's next

After implementing security measures, it is necessary to evaluate their effectiveness. The PDn operator can conduct such an assessment independently or engage a contractor company. A mandatory requirement for such a company is a license from the FSTEC of Russia for activities related to the technical protection of confidential information.

Efficiency assessment can also be carried out in the form of certification. It is carried out by an accredited organization in accordance with the procedure established by FSTEC. In this case, the operator must use information protection tools that have certificates of compliance with the security requirements of FSTEC or FSB. Certification is mandatory only for state information systems. In other cases – at the discretion of the operator.

However, sometimes operators still have to certify their system to fulfill the terms of contracts or connect to certain government systems. Such operators often include medical organizations, B2G service developers, financial and insurance companies.

Selectel provides, by subscription, tools for protection against unauthorized access at the level of dedicated or virtual servers, as well as trusted boot modules and anti-virus protection tools.

For secure network interaction with your resources, you can use GOST VPN. The service includes certified cryptographic protection tools.

The effectiveness of the security measures implemented by Selectel is confirmed by the results of an independent effectiveness assessment or by a certificate of compliance with security requirements.
