“And so it goes”: what cloud providers don't fully tell you about personal data
Somehow a request for cloud services came to us. We figured out in general terms what would be required of us and sent back a list of questions to clarify the details. Then we analyzed the answers and realized: the customer wants to place personal data of security level 2 in the cloud. We answered: "You have level 2 personal data; sorry, we can only offer a private cloud." And he: "You know, Company X can put all of it in a public cloud for me."
Photo by Steve Crisp, Reuters
Strange things! We went to Company X's website, studied their certification documents, shook our heads and understood: there are many open questions about placing personal data in the cloud, and they should be properly aired. That is what we will do in this post.
How it should work
To begin with, let's understand by what criteria personal data is assigned to a particular security level. It depends on the category of the data, on the number of data subjects whose data the operator stores and processes, and on the type of threats that are relevant.
The types of relevant threats are defined in Decree of the Government of the Russian Federation No. 1119 of November 1, 2012, "On approval of the requirements for the protection of personal data during their processing in personal data information systems":
“Threats of the 1st type are relevant for an information system if threats related to the presence of undocumented (undeclared) capabilities in the system software used in the information system are relevant for it.
Threats of the 2nd type are relevant for an information system if threats related to the presence of undocumented (undeclared) capabilities in the application software used in the information system are relevant for it.
Threats of the 3rd type are relevant for an information system if the threats relevant to it are not related to the presence of undocumented (undeclared) capabilities in the system and application software used in the information system.”
The key element in these definitions is the presence of undocumented (undeclared) capabilities. The absence of undocumented capabilities in software (in the case of a cloud, that software is the hypervisor) is confirmed by FSTEC of Russia certification. If the PD operator accepts that the software has no such capabilities, the corresponding threats are irrelevant. Threats of the 1st and 2nd types are very rarely accepted by PD operators as relevant.
In addition to determining the security level of the personal data, the operator must also determine the specific threats relevant to the public cloud and, based on the identified security level and relevant threats, determine the necessary protection measures and tools.
FSTEC lists all the main threats in its BDU (data bank of threats). Providers and certifiers of cloud infrastructures use this database in their work. Here are some examples of threats:
UBI.44: “The threat lies in the possibility of violating the security of user data of programs running inside the virtual machine by malicious software running outside the virtual machine. This threat is caused by the presence of vulnerabilities in the software of the hypervisor that isolates the address space used to store user data of programs running inside the virtual machine from unauthorized access by malicious software running outside the virtual machine.
Realization of this threat is possible provided that the malicious software successfully overcomes the boundaries of the virtual machine, not only by exploiting vulnerabilities of the hypervisor, but also by acting from levels of system operation below the hypervisor.”
UBI.101: “The threat lies in the possibility of unauthorized access to the protected information of one consumer of cloud services by another. This threat is due to the fact that, by the nature of cloud technologies, consumers of cloud services have to share the same cloud infrastructure. The realization of this threat is possible if mistakes are made when sharing cloud infrastructure elements between consumers of cloud services, as well as when isolating their resources and isolating their data from each other.”
You can protect yourself from these threats only with the help of the hypervisor, since it is what manages virtual resources. Thus, the hypervisor must be treated as a means of protection.
And in accordance with FSTEC Order No. 21 of February 18, 2013, the hypervisor must be certified for the absence of NDV (undeclared capabilities) at control level 4; otherwise, using it for personal data of security levels 1 and 2 will be illegal ("Clause 12. ... To ensure security levels 1 and 2 of personal data, as well as security level 3 of personal data in information systems for which threats of the 2nd type are classified as relevant, information protection tools are used whose software has been tested at no lower than control level 4 for undeclared capabilities").
Only one hypervisor has the required NDV-4 certification, a Russian-developed one: Gorizont-VS. To put it mildly, not the most popular solution. Commercial clouds are usually built on VMware vSphere, KVM or Microsoft Hyper-V. None of these products is certified for NDV-4. Why? Obviously, obtaining such certification is not yet economically justified for the manufacturers.
So for level 1 and level 2 personal data in a public cloud, only Gorizont-VS remains. Sad but true.
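To make the chain of reasoning above concrete (data category, subject count and relevant threat type give a security level; the level plus Clause 12 of Order No. 21 decides whether the hypervisor, as a protection tool, must be NDV-4 certified), here is an added example in Python. It is not code from the original post or from any regulator; the level table is my reading of paragraphs 9 to 12 of Decree No. 1119 and is an assumption to verify against the decree's text, while the NDV-4 rule follows the Clause 12 text quoted in the post. The `cloud_placement` function also encodes the loophole discussed later on the page: if UBI.44 and UBI.101 are declared irrelevant, the hypervisor stops being a protection tool and Clause 12 no longer reaches it.

```python
# Added example, not from the original post. Models how a PD security level
# (1 = highest .. 4 = lowest) is derived and what it demands of the hypervisor.
# The level table is an assumption (my reading of Decree 1119, paras 9-12);
# the NDV-4 requirement is Clause 12 of FSTEC Order No. 21 as quoted above.
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    SPECIAL = "special"      # health, race, religion, etc.
    BIOMETRIC = "biometric"
    PUBLIC = "public"        # publicly available personal data
    OTHER = "other"          # everything else


@dataclass(frozen=True)
class PdSystem:
    category: Category
    subjects: int            # number of PD subjects processed
    employees_only: bool     # only the operator's own employees?
    threat_type: int         # 1, 2 or 3 per Decree 1119


def security_level(s: PdSystem) -> int:
    """Return the required security level, 1 (highest) .. 4 (lowest).
    Assumed table from Decree 1119; verify against the decree's text."""
    if s.threat_type not in (1, 2, 3):
        raise ValueError("threat type must be 1, 2 or 3")
    # Decree wording: "more than 100,000 subjects who are not employees"
    large = (not s.employees_only) and s.subjects > 100_000
    c, t = s.category, s.threat_type
    if t == 1:
        return 2 if c is Category.PUBLIC else 1
    if t == 2:
        if c is Category.SPECIAL:
            return 1 if large else 2
        if c is Category.BIOMETRIC:
            return 2
        if c is Category.OTHER:
            return 2 if large else 3
        return 3 if large else 4      # PUBLIC
    # t == 3: no undeclared-capability threats relevant
    if c is Category.SPECIAL:
        return 2 if large else 3
    if c is Category.BIOMETRIC:
        return 3
    if c is Category.OTHER:
        return 3 if large else 4
    return 4                          # PUBLIC


def hypervisor_needs_ndv4(level: int, threat_type: int) -> bool:
    """Clause 12 of FSTEC Order No. 21: protection tools (the hypervisor,
    when it is what isolates tenants) must pass NDV control level 4 for
    levels 1 and 2, and for level 3 when type-2 threats are relevant."""
    return level in (1, 2) or (level == 3 and threat_type == 2)


def cloud_placement(s: PdSystem, ubi44_relevant: bool,
                    ubi101_relevant: bool) -> str:
    """Where the system can go, following the post's reasoning. A shared
    (public) cloud on an ordinary certified hypervisor is fine when the
    level does not trigger Clause 12. When it does, the hypervisor must be
    NDV-4 certified (or the system goes to dedicated hardware), unless the
    operator has declared the VM-escape / tenant co-location threats
    (UBI.44, UBI.101) irrelevant, which is the loophole the post describes."""
    level = security_level(s)
    if not hypervisor_needs_ndv4(level, s.threat_type):
        return "public cloud on any FSTEC-certified hypervisor"
    if ubi44_relevant or ubi101_relevant:
        return "NDV-4 certified hypervisor or dedicated hardware"
    return "public cloud with UBI.44/UBI.101 declared irrelevant (audit risk)"


if __name__ == "__main__":
    # Constructed sample systems, not real customers.
    hr = PdSystem(Category.OTHER, 5_000, True, 3)          # small HR system
    clinic = PdSystem(Category.SPECIAL, 200_000, False, 2)  # large health data
    for name, sys_ in (("hr", hr), ("clinic", clinic)):
        print(name, security_level(sys_), cloud_placement(sys_, True, True))
```

Running it shows the two ends of the spectrum: an employees-only HR system with type-3 threats lands at level 4 and may sit on any certified hypervisor, while a large health-data system with type-2 threats is level 1 and, with UBI.44 or UBI.101 accepted as relevant, needs either an NDV-4 hypervisor or dedicated hardware.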
How everything (in our opinion) actually works
At first glance, everything is quite strict: these threats should be closed by properly configuring the standard protection mechanisms of an NDV-4 certified hypervisor. But there is one loophole. In accordance with FSTEC Order No. 21 ("Clause 2. The security of personal data during its processing in the personal data information system (hereinafter, the information system) is ensured by the operator or by a person who processes personal data on behalf of the operator in accordance with the legislation of the Russian Federation"), providers independently assess the relevance of possible threats and choose protection measures accordingly. Therefore, if threats UBI.44 and UBI.101 are not accepted as relevant, there is also no need for an NDV-4 certified hypervisor, which is what should protect against them. And this is enough to obtain a certificate of compliance of the public cloud with PD security levels 1 and 2, which will fully satisfy Roskomnadzor.
Of course, besides Roskomnadzor, FSTEC may come with an inspection, and that organization is much more meticulous in technical matters. It will probably be interested in why exactly threats UBI.44 and UBI.101 were recognized as irrelevant. But usually FSTEC inspects only when it receives information about some notable incident. In that case, the federal service first comes to the personal data operator, that is, the customer of the cloud services. In the worst case, the operator receives a small fine: for example, for Twitter at the beginning of the year, the fine in a similar case amounted to 5,000 rubles. Then FSTEC moves on to the cloud service provider, which may well be deprived of its license due to non-compliance with regulatory requirements, and those are completely different risks for both the cloud provider and its customers. But I repeat: for an FSTEC inspection, a clear reason is usually needed. So cloud providers are willing to take the risk. Until the first serious incident.
There is also a group of “more responsible” providers who believe that all threats can be closed by supplementing the hypervisor with an add-on such as vGate. But in a virtual environment shared among customers, for some threats (for example, UBI.101 above) an effective protection mechanism can be implemented only at the level of an NDV-4 certified hypervisor, since add-on systems do not affect the hypervisor's standard resource management functions (in particular, management of RAM).
How do we work
We have a cloud segment built on a hypervisor certified by FSTEC (but without NDV-4 certification). This segment is certified so that personal data of security levels 3 and 4 can be placed in the cloud built on it; the requirements for protection against undeclared capabilities do not have to be met here. By the way, here is the architecture of our secure cloud segment:
Systems for personal data of security levels 1 and 2 we offer only on dedicated equipment. Only in this case, for example, is threat UBI.101 really irrelevant, since server racks that are not united by one virtual environment cannot influence each other even when placed in the same data center. For such cases we offer a dedicated equipment rental service (also called Hardware as a Service).
If you are not sure which security level your personal data system requires, we also help with classification.
Conclusion
Our small market research showed that some cloud operators are ready to risk both the security of customer data and their own future to win an order. We adhere to a different policy in these matters, which we briefly described above. We will be happy to answer your questions in the comments.