Myths about protecting personal data in the cloud

Published on May 23, 2012



    Recently, the question of whether personal data can be processed and protected in the “cloud” in accordance with Federal Law No. 152-FZ “On Personal Data” has been raised more and more often. The discussion frequently resembles a retelling of myths, so I will venture to express my own view of the problem of protecting personal data information systems (ISPD) in the cloud and try to answer the basic questions.

    A sample list of questions is as follows:
    • Is it possible, in principle, to place an ISPD in the “cloud”, taking into account the regulators' requirements for information protection?
    • What properties must a “cloud” have for it to be usable for building an ISPD?
    • What does a personal data operator need to consider when deciding to move its information resources to the “cloud”?
    • Is it possible to certify an ISPD hosted in a public “cloud”?
    • Which information security tasks fall to the cloud provider?
    • What guarantees exist that a competitor hosted in the same “cloud” next door is reliably separated and cannot attack from inside the “cloud”?
    • What determines the class of ISPD that can be built in a particular “cloud”?

    I am currently working on the protection of the CROC Virtual Data Center so that our customers can place personal data information systems in it, and I would like to share the ideas and experience gained in this area.

    I note right away that the emphasis will be mainly on the technical side of bringing a cloud-hosted ISPD into compliance with regulatory requirements; the organizational aspects of protection will be left largely aside.

    I draw on the practical experience gained while implementing the current approach to protecting the CROC Virtual Data Center.

    Introduction


    Suppose the task is to build a distributed ISPD, one part of which is located on the organization's own premises and the other in the “cloud” of some provider. The users' automated workstations (AWPs) are located in the organization's office, while the server components and the database containing personal data are located in the cloud. The “cloud” itself is located on the territory of the Russian Federation. This is how it looks:



    There are three main elements to be protected:
    • The set of user workstations (AWPs) on the organization's side;
    • The communication channel between the organization's office and the cloud (the Internet);
    • The set of virtual machines in the “cloud” on which the server software of the ISPD runs.


    FAQ


    - What is needed, in terms of technical protection measures, for such an ISPD?
    The fundamental point is that certified information protection tools must be used for each of the three elements listed above in order to counter the threats to each of them.

    - What are the main sources of threats that must be taken into account when building the ISPD protection system?



    The main sources of threats to the elements of a distributed ISPD:
    1. Internal users of the organization who carry out attacks on the ISPD resources located on the organization's own premises.
    2. External attackers who carry out attacks on the ISPD resources located on the organization's premises.

    The organization itself must counter the threats in these two items, using certified tools for protecting workstations and the network environment.

    3. External attackers who attack the communication channel from the outside in order to intercept or tamper with the ISPD's network traffic.

    This part of the problem is solved with certified cryptographic tools for protecting network traffic. They can be provided as one of the cloud provider's information security services.

    4. The cloud provider's staff who maintain the components of the cloud.

    Here, certified tools for differentiating personnel access rights to the cloud platform's resources are needed; these can be built into the platform itself. Certified protection tools deployed on the ISPD's server components can also be used.

    5. External attackers who carry out attacks from outside the cloud provider's data center against “cloud” resources and, consequently, against the ISPD resources hosted in the “cloud”.

    This also requires certified protection tools; they can be offered to the cloud customer as a security service and can at the same time protect the cloud itself from external threats. In addition, certified protection tools deployed on the ISPD's server components can be used.

    6. Cloud neighbors who exploit weaknesses of the platform to attack from their own cloud environment.

    Separation of the cloud's resources between customers helps to counter this threat; the separation mechanisms also need to be certified.

    The corresponding protection principles are illustrated in the following figure:



    - Is it possible, in principle, to place an ISPD in the “cloud”, taking into account the regulators' requirements for information protection?
    Yes, provided that the regulators' existing technical requirements are met. Obviously, the main requirement is, once again, certification of the protection tools.

    - What properties must a cloud have for it to be usable for building personal data information systems?
    Besides the separation of customer resources, the control of staff, and the protection against external threats already mentioned, one more point is important. Since “clouds” are built on virtualization platforms, the need to use certified hypervisors when building them arises automatically.

    - What should be taken into account when deciding to move information resources to the “cloud”?
    Check the certification of the “cloud” protection components and clarify which services are available for protecting personal data (go through the list of threat sources above as a checklist).

    - Is it possible to certify an ISPD located in a public “cloud”?
    At the moment (under the existing regulatory framework) it is not possible to certify an ISPD located in a public “cloud” alongside other clients' resources. This is because the existing regulatory framework requires certification of an object of informatization (in practice, the data center or data centers of the cloud provider), which involves fixing the equipment used in the certificate of a specific ISPD. In cloud computing this is impossible, since the technology itself involves the use of the same hardware and software resources by different clients. There are, however, no visible obstacles to certifying a private “cloud”, since there it is possible to single out a specific object (or objects) of informatization that serves a particular organization, including an external one.

    - Which information security tasks fall to the cloud provider?
    • Provide a set of organizational and technical protection measures that prevents threats to customers from service personnel and from other customers hosted in the same cloud.
    • Provide security services (based on certified protection tools) that customers placing their ISPD in the cloud can use.

    - What guarantees exist that a competitor hosted in the same “cloud” next door is reliably separated and cannot attack from inside the “cloud”?
    In practice, this is achieved by certification of the virtualization mechanisms: the hypervisor for computing resources, the management system of the virtualized data network, and the storage virtualization platform.

    - What determines the class of ISPD that can be built in a particular “cloud”?
    The restrictions stated in the certificates of the cloud's protection tools with respect to the applicable standards.

    To sum up, I want to note that the key point for placing an ISPD in the “cloud” is certification, i.e. the availability of certificates for the various cloud elements that implement security functions (the hypervisor, the protection tools built into the cloud, and the protection tools offered to customers as security services). At the moment, my colleagues and I are deploying CROC cloud security services based on certified protection tools, and there are plans to certify other components of the cloud platform in the near future.