How to convince everyone that you have a secure data center?

    Preamble. The article is for informational purposes only. It is intended for potential data center customers who have heard about 152-ФЗ and 149-ФЗ, want to spend budget funds, and do not know that such schemes exist. For ease of reading, the author presents the schemes in the first person, although he has never applied them. The author does not suggest using these schemes. The author is not a court and does not know whether the schemes described fall under articles of the Civil Code or the Criminal Code. But they may.


    Scheme 1. Budget certification


    1. Choose any computer (for example, the boss's secretary's outdated computer, which was going to be thrown out / written off anyway).
    2. Prepare the applicant's documents. As the name of the certified object of informatization, choose "Protected Data Processing Center of Isteross".
    3. Order certification for compliance with any requirements at all, even the AS (automated systems) ones. The price is about 50 thousand rubles.
    4. Obtain a certificate of compliance of the object of informatization "Protected Data Processing Center of Isteross" with information security requirements.
    5. Write on the website: "Our Protected Data Processing Center of Isteross has been certified according to the requirements of the FSTEC."

    Advantages and disadvantages of the scheme

    For the service provider
        Benefits: Cheap. Very.
        Disadvantages: None.
    For the consumer of services
        Benefits: Client data may be protected. Client data may not leak. Most likely cheaper than the other options. The client can also tell everyone that it uses a certified data center.
        Disadvantages: The provider can set the price as if everything were certified, so the client does not find it suspiciously cheap. If a law, decree or other regulation requires the customer's data to be stored in a certified data center, then during an audit the client's officials will not be rewarded for the saved budget.


    Scheme 2. Ordinary budget certification according to Order No. 17


    1-2. As in scheme 1.
    3. Order certification for compliance with the requirements of Order No. 17 in class K1. The price is about 350 thousand rubles (100 thousand rubles for the certification and 250 thousand for protection tools: AVZ, NSD, SKN, SDZ, ME, SOV, UPS, SKZI with the ability to connect mobile clients, and other protection tools).
    4. Obtain a certificate of compliance of the object of informatization "Protected Data Processing Center of Isteross" with the information protection requirements for security class K1.
    5. Write on the website: "Our Protected Data Processing Center of Isteross is certified for the maximum class K1! We can host any GIS / ISPDn. We connect using FSB-certified cryptographic tools."

    Advantages and disadvantages of the scheme

    For the service provider
        Benefits: Cheap.
        Disadvantages: You still have to buy various protection tools (the network engineer says they are not needed), and they will not be Cisco.
    For the consumer of services
        Benefits: Client information systems may not be hacked. Client data may not leak. Not an expensive option.
        Disadvantages: Two options: either the client's IS runs on this certified machine, and as a result the IS works slowly, or (most likely) it runs not on this machine at all, and the client gets normal speed.


    Scheme 3. The cheapest certification according to Order No. 17


    1-2. As in scheme 2.
    2a. Physically disconnect the workstation (AWP) from the Internet.
    3. As in scheme 2, but cheaper: with no Internet, no ME, SOV or SKZI are needed. The price drops to 130 thousand rubles (100 thousand rubles for the certification and 30 thousand for protection tools: AVZ, NSD, SKN, SDZ, UPS).
    4. As in scheme 2.
    5. Write on the website as in scheme 2, but a little shorter: "Our Protected Data Processing Center of Isteross is certified for the maximum class K1! We can host any GIS / ISPDn."

    Advantages and disadvantages of the scheme

    For the service provider
        Benefits: Cheaper than option 2.
        Disadvantages: You still have to buy various protection tools, but not many.
    For the consumer of services
        Benefits: Client information systems may not be hacked. Client data may not leak. A very inexpensive option. You can write on the website that the customer chooses the certified encrypted channel to the data center, even the customer's own crypto network (No. XXXXX) is used, and moreover you do not force the client to buy certified cryptographic tools compatible with the data center equipment.
        Disadvantages: As in the previous cases, the client's IS will not actually run in the certified segment of the data center.


    Scheme 4. Correct landing


    1. Call in practicing security specialists and proper network engineers.
    2. Buy what they say (the equipment these "Cisco guys" are used to).
    3. They do everything and protect it according to "best practices".
    4. Design a web page about the data center:
    - because the purchased equipment has no certificates allowing high-class IS to be hosted at the site, we do not write about classes, just: "protection is organized using xxxxx (certified by the FSB and FSTEC)";
    - because there is no certificate and no particular advantages over other commercial data centers, we write something everyone has but present it as an advantage: "24-hour security, redundant equipment, RAID arrays, 24-hour duty service, use of https";
    - because there is no certified cryptographic network equipment, we just make promises of the form "if necessary, it can be organized..." (yes, everyone knows that everyone needs this to host certified IS, and we present it as an advantage);
    - we use abstract phrases: "we will ensure the security / confidentiality / integrity / availability of information" (the main thing is not to say which information we mean);
    - you can also obtain unnecessary pieces of paper, preferably from voluntary certification systems of the "certificate of conformity in 1 day, on the basis of two documents, cheap, without registration and SMS" kind, and post on the website the phrase that our data center is certified.

    Advantages and disadvantages of the scheme

    For the service provider
        Benefits: No additional costs for information security.
        Disadvantages: It is difficult to answer specific questions about certification according to the requirements of the FSTEC of Russia and the FSB of Russia.
    For the consumer of services
        Benefits: Client information systems may not be hacked. Client data may not leak. A very inexpensive option. One can say the data is protected in accordance with "best practices".
        Disadvantages: Supervisory authorities use other "best practices" in their work, so there may be a misunderstanding between the client and the inspection commission. As in the previous cases, the client's IS will not run in a certified segment of the data center.


    Scheme 5. Proper certification according to Order No. 17


    1. Choose a server / several servers / a rack / several racks to set aside as a "protected segment of the data center", or the entire data center, for certification.
    2. Choose the service delivery schemes (colocation / IaaS / SaaS / ...). Write a Policy / Declaration marking which clauses of the legal acts you are ready to implement (for example: we protect everything up to the virtualization layer; everything inside the virtual machines is the client's responsibility). Buy certified equipment for the certified data center segment.
    3. Order certification for compliance with the requirements of Order No. 17, class K1 / K2 / K3 (for this, the marketer must say which IS are in the target market segment). The price depends on the class, the number of protected servers, the certification approach (segmented or not), the service delivery scheme, the range of options for organizing the client's secure workflow, and so on. From several million rubles.
    4. Obtain a certificate of compliance of the object of informatization "Protected Data Processing Center of Isteross" with the information security requirements for the given security class.
    5. Write on the website: "The Protected Data Processing Center of Isteross is certified for such-and-such a class! We can host any GIS / ISPDn. We connect using FSB-certified cryptographic tools."

    Advantages and disadvantages of the scheme

    For the service provider
        Benefits: You can offer the client a second- / third-party audit, monitor the placement of the client's IS in the certified segment, and pass any FSB / FSTEC inspection regarding the client's IS.
        Disadvantages: Expensive. A competent methodologist is needed who will properly maintain all the documentation and organize the acceptance of new racks.
    For the consumer of services
        Benefits: Your information systems may not be hacked. Your data may not leak. Your IS is really protected according to the requirements of the FSB / FSTEC.
        Disadvantages: An expensive option.


    Conclusions


    1. When organizing a secure data center, its owners can go with any of these options or come up with their own.
    2. The client must choose the service provider. Responsibility for the choice lies with the client.
    3. The level of trust in the data center is determined by the client independently (from "they have a beautiful sign" to a preliminary audit of the data center and ongoing monitoring of the level of service provided).
