Protection of personal information. Part 3

In this article, we will continue building a personal data protection system (hereinafter referred to as PDPS). In the previous two articles, we considered in sufficient detail the process of determining the personal data protection level and the relevant threats, and also found out which protection measures we need to apply for particular protection levels and relevant threats.

Now is the time to talk about the practical side of the issue, namely, directly about the solutions that we can use in our protection system.

Solutions and their choice

Over the long years that requirements for the protection of personal data have existed, a great deal of debate has been spent on the question of using certified protection tools. Must the protection tools used be certified by FSTEC or not? Those who wish can read the different points of view on this question from our information security bloggers. Within the framework of this article, however, we will only talk about the use of certified protection tools.

In order not to be accused in the comments of advertising particular solutions, I will describe the various products in relation to the protective measures they implement.

But I would like to note that the article cannot do without mentioning specific vendors and their solutions. And a few words about which vendors we will choose from. If in the past it was possible to choose both domestic and foreign certified tools (except for cryptography), then after the well-known events FSTEC withdrew the certificates of a number of foreign manufacturers. Besides, it is almost impossible to buy many foreign products now. Therefore, further in the article only Russian solutions that have an FSTEC certificate will be considered. You can find out which certificates a particular solution has (and whether it has one at all) on the FSTEC website https://reestr.fstec.ru/reg3.

Measures and solutions

Let’s start with Identification and Authentication (IAF). Protective mechanisms here can be implemented both with organizational measures and with technical ones. Organizational measures are the development of rules and procedures (policies) for the identification and authentication of access subjects and access objects; they are implemented by fulfilling the provisions of internal documents.

However, it is obvious that not all the requirements of this group of measures can be met with “paper security” alone. Here we will definitely need technical means.

The IAF measures group defines various requirements for providing secure authentication to the system. To fulfill these requirements, you can use the Secret Net Studio solution from Security Code. Secret Net Studio comes in several editions and allows you to log into the system both by login/password and using hardware-based strong authentication. It is possible to use both standard authentication and enhanced authentication by key or password.

Secret Net Studio can work both with Active Directory and without a global catalog. In case you do not use Windows (and in 2025 using Windows, like other foreign software, will be prohibited in many places), you can use the Secret Net LSP edition, which runs under Linux. At the same time, Secret Net LSP supports domestic Linux distributions.

In addition to the solution from Security Code, to fulfill the IAF requirements you can also use Dallas Lock from Confident, an information protection tool against unauthorized access (NSD). This solution provides authorization in the bootloader before the OS is loaded, as well as transparent conversion (encryption) of hard drives and mandatory access control for file system objects and devices.

The next group of measures is Access Control (AAC). Measures from this group provide management of the rights and privileges of access subjects and control of access subjects’ access to access objects. In fact, the requirements from this group can be met using the same Secret Net Studio and Dallas Lock.

Separately, I would like to note the fulfillment of the IAF and access control (AAC) requirements in a virtual environment. Here, due to the specifics of virtualization, using the protection tools presented earlier would not be entirely appropriate. To protect the virtual environment, you can use the vGate solution from the same Security Code. This solution supports identification and authentication of users in a virtual environment and when working with a hypervisor.

Software environment restriction (SPE) measures should ensure that only authorized software is installed and/or run. Here, to fulfill the requirements, you can of course resort to the solutions presented just above, but I propose to consider another option for implementing protective measures: the use of certified operating systems. Of course, this option is far from suitable for everyone, since installing such an OS requires certain labor costs both for deployment and for user training. In this respect, add-on (overlay) protection tools are more convenient. However, if for one reason or another it is easier for you to deploy a certified Linux OS, then you can consider several domestic distributions. An important advantage of certified operating systems is that they immediately cover a large number of the requirements of the FSTEC order.

Examples of certified operating systems include Astra Linux Special Edition. This distribution, depending on the selected edition, can be used to protect an ISPD (personal data information system). On the vendor’s website, you can see the list of measures from FSTEC Order No. 21 that Astra Linux covers, and this list is quite impressive: most of the measures are covered.

Also, speaking about certified operating systems, it is worth mentioning ROSA OS. This distribution also contains a large number of protective mechanisms that allow you to fulfill the requirements of most of the measures from FSTEC Order No. 21.

Next in the order comes the group of measures for accounting of machine storage media, which are for the most part implemented with the help of organizational measures. The necessary technical actions, such as the destruction of information on machine media, can be performed by means of certified operating systems.

But the next group of measures, Security Event Logging (SEL), is of more interest from a technical point of view. Here, of course, you can approach the requirements formally and simply collect events from the OS and security tools locally, and this will be enough to fulfill them. Or you can use a specialized class of solutions, SIEM (Security Information and Event Management), which are responsible for the centralized collection, processing and storage of events collected from sources. In addition to collecting events, SIEM solutions can analyze them in real time and, if suspicious activity is detected, automatically create incidents.
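To make the collection-and-correlation idea concrete, here is an added example (not from the article and not code from any of the products named) of the minimal processing step a SIEM performs: events from two sources in a common schema are streamed in time order, a sliding-window rule turns a burst of failed logins into an incident, and every detection from the endpoint protection tool becomes an incident of its own. The event schema, rule names, window and threshold are assumptions; the events are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs), already normalized into one schema:
# src "os" = OS login audit log, src "av" = endpoint protection tool.
EVENTS = [
    {"ts": "2024-05-01T09:00:01", "src": "os", "type": "login_fail", "user": "ivanov", "host": "ws-01"},
    {"ts": "2024-05-01T09:00:09", "src": "os", "type": "login_fail", "user": "ivanov", "host": "ws-01"},
    {"ts": "2024-05-01T09:00:20", "src": "av", "type": "malware_detected", "user": "", "host": "ws-07"},
    {"ts": "2024-05-01T09:00:31", "src": "os", "type": "login_fail", "user": "ivanov", "host": "ws-01"},
    {"ts": "2024-05-01T09:00:40", "src": "os", "type": "login_ok", "user": "ivanov", "host": "ws-01"},
    {"ts": "2024-05-01T09:15:00", "src": "os", "type": "login_fail", "user": "petrov", "host": "ws-02"},
    {"ts": "2024-05-01T09:20:00", "src": "os", "type": "login_fail", "user": "petrov", "host": "ws-02"},
    {"ts": "2024-05-01T09:25:00", "src": "os", "type": "login_fail", "user": "petrov", "host": "ws-02"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def correlate(events, window_s=120, threshold=3):
    """Return incidents produced by three hypothetical rules:
    brute_force: >= threshold failed logins for one user/host within window_s
    success_after_failures: a login_ok while such a burst is still open
    malware: every detection reported by the endpoint protection tool
    """
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    window = timedelta(seconds=window_s)
    failures = defaultdict(deque)  # (user, host) -> timestamps of recent failures
    incidents = []
    for e in events:
        ts = parse_ts(e["ts"])
        if e["type"] == "malware_detected":
            incidents.append({"rule": "malware", "host": e["host"], "ts": e["ts"]})
            continue
        q = failures[(e["user"], e["host"])]
        while q and ts - q[0] > window:  # forget failures that left the window
            q.popleft()
        if e["type"] == "login_fail":
            q.append(ts)
            if len(q) == threshold:      # fire once per burst, not on every extra failure
                incidents.append({"rule": "brute_force", "user": e["user"],
                                  "host": e["host"], "ts": e["ts"]})
        elif e["type"] == "login_ok":
            if len(q) >= threshold:
                incidents.append({"rule": "success_after_failures", "user": e["user"],
                                  "host": e["host"], "ts": e["ts"]})
            q.clear()                    # a successful login closes the burst
    return incidents
```

With the default 120-second window the three petrov failures, spaced five minutes apart, never form a burst; widening the window to 600 seconds turns them into an incident as well, which is the usual tuning trade-off between noise and missed detections.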

The most interesting solution on the Russian market is Kaspersky Unified Monitoring and Analysis Platform (KUMA). This product supports a large number of event sources “out of the box”: to connect them, it is enough to follow the ready-made configuration instructions on the source side, and events will begin to be collected automatically. Also, given that the developer of this solution is Kaspersky Lab, this product integrates well with other Kaspersky Lab solutions, which will be discussed later.

To fulfill the requirements of the anti-virus protection (AVZ) group of measures, the certified version of Kaspersky Endpoint Security will help us. As an alternative solution for anti-virus protection, you can use the certified version of the Doctor Web anti-virus.

Next we have the group of measures for intrusion detection (prevention) (SOV). Here you can use the host intrusion detection functionality on end nodes, which is available in the same Secret Net Studio. But it is still better to analyze network traffic in search of threats, and here we smoothly move on to network protection tools. As the intrusion detection component, you can use the SOV/SOA (intrusion/attack detection) Continent from Security Code, or ViPNet IDS NS from Infotecs. These systems receive a copy of network traffic and analyze it for suspicious activity.

Security control and analysis (ANZ) measures can be implemented using the well-known XSpider or MaxPatrol vulnerability scanners.

The integrity assurance group of measures (ICL) can be implemented by the means we have already discussed. That is, file integrity control can be carried out using the same Secret Net, a certified OS or the antivirus.

The group of measures to ensure availability, although it puts forward technical requirements, is in fact implemented more by organizational measures. For example, one of the requirements is to ensure the redundancy of hardware, which is obviously implemented by creating fault-tolerant hardware and software configurations.

The group of measures to protect the virtualization environment is relevant for systems that use virtualization. Here, of course, vGate should be used, but you can also use anti-virus solutions for virtual environments, such as Light Agent from Kaspersky Lab.

A large group of measures, Protection of the information system, its means, communication and data transmission systems (ZIS), puts forward various requirements, some of which we can cover with the solutions already described (for example, measures to protect archive files, information protection settings and software can be implemented using the integrity controls described earlier). But there are also new requirements, such as network segmentation, that must be met by firewalls. Here one can recommend solutions from UserGate or the already mentioned Security Code and ViPNet.

The remaining groups of measures, Protection of technical means (ZTS), Incident detection and response (INC) and Configuration management of the information system and the personal data protection system (PCF), are carried out mainly with the help of organizational measures; technical means here can only be used as auxiliary tools.

A bit about cryptography

In addition to the requirements of the FSTEC order, we also have FSB requirements regarding the transfer of personal data via communication channels that leave the controlled area. So if you transfer PD to a branch of the organization located outside the controlled area, you must use certified cryptography. For this you can use the already familiar APKSh Continent or ViPNet, which have the appropriate certificates and can be used to protect personal data.

Conclusion

In this article, we looked at the main solutions that can be used to meet the regulatory requirements. Of course, there are many other solutions on the market and only the most common products were presented here; the list of certified tools is not limited to these and, if necessary, you can choose a solution suited to your IT infrastructure.

Well, as usual, I want to recommend a free webinar, in which you will find out what duties are assigned to site owners in accordance with 152-FZ, which sites fall under the law on personal data, and what penalties can be imposed and for what.
