More Related Content
What's hot
What's hot (20)
Viewers also liked
Similar to 152 ready eng
Similar to 152 ready eng (20)
Recently uploaded
Recently uploaded (20)
152 ready eng
- 3. ABOUT CLOUD-152 Cloud-152 is a cloud infrastructure built in line with new requirements for personal data protection: Community cloud for allocation of personal data with protection level #2 and #3 Private cloud for allocation of personal data with protection level #1.
- 4. New Requirements for Data Protection and IT- infrastructure Providers
- 5. SETTING REQUIREMENTS FOR DATA PROTECTION Personal data are divided into 4 categories – protection levels. Each protection level has its own requirements for the personal data protection administration. These requirements vary depending on the type of threats relevant for each separate information system, as well as on the Internet connectivuty of the system.
- 6. FACTORS DESIGNATING DATA PROTECTION LEVEL Data category Subjects Number of subjects Type of immediate threats Employees Counterparties Public Special Biometric Other < 100,000 > 100,000 3 categories of threats
- 7. TYPES OF IMMEDIATE THREATS 1. Threats caused by undeclared (undocumented) capabilities in the system software. 2. Threats caused by undeclared capabilities in the application software. 3. Threats caused by other factors. Data category Subjects Number of subjects TYPES OF THREATS Threat type designation is not regulated.
- 8. PROTECTION LEVELS Data Category Operator’s Employees Number of Subjects Type of Vital Threats 1 2 3 (UDC* OS) (UDC* SW) (Without UDC*) Special No > 100,000 PL-1 PL-1 PL-2 No < 100,000 PL-1 PL-2 PL-3 Yes Biometric PL-1 PL-2 PL-3 Other No > 100,000 PL-1 PL-2 PL-3 No < 100,000 PL-2 PL-3 PL-4 Yes Public No > 100,000 PL-2 PL-2 PL-4 No < 100,000 PL-2 PL-3 PL-4 Yes * UDC– undeclared capabilities
- 9. INFORMATION PROTECTION MEANS PROTECTION LEVEL PL-1, PL- 2 PL-3 PL-4 TYPE OF THREATS 3 1, 2, 3 2 3 3 INTERNET CONNECTIVITY no yes - yes no - Computer equipment Class 5* Class 6 Intruder detection system Class 4 Class 5 Class 5 Virus protection means Firewall Class 4 Class 3 Class 4 Other information protection means Any safety specifications or tasks *Each category of tools has its own FSTEC classification.
- 10. INFRASTRUCTURE MODELS & REQUIREMENTS TO DATA PROTECTION Virtualization protection Firewalling Communication channels protection Physical security COLOCATION CLOUD
- 11. PROVIDER REQUIREMENTS FSTEC license for development and (or) production of information confidentiality protection means FSTEC license for confidential information technical protection FSS license for cryptographic protection means usage FSTEC certificates for utilized information protection means Lease/purchase agreement for utilized protection means
- 12. OUR APPROACH
- 13. INFRASTRUCTURE-152: WE OFFER Virtualization platform / hardware allocation in line with federal laws Integration of your IS tools / equipment into our solution architecture Attestation and maintenance of the IS*: threat model development documents preparation information system attestation information system maintenance *The service is provided in cooperation with partners.
- 14. OUR CERTIFICATES AND LICENSES Premier VSSP VMware Microsoft GOLD Hosting Provider Oracle Gold Partner SAP for Business All-in-One in Application Management and Hosting Services HP GOLD Partner ISO/IEC 27001:2013 ISO 9001:2011 Uptime Institute Management and Operations Uptime Institute Tier III Certified (Design) PCI DSS v. 3.0 ISAE 3402 FSTEC license #0763: for development and (or) production of information confidentiality protection means FSTEC license #1279: for confidential information technical protection FSS license #0011865 for provision of the services using cryptographic means
- 15. PHYSICAL SECURITY Multilevel access control Round-the-clock video monitoring; video records are stored during 3 months Individual fences for racks Access control system of the fence/rack, biometrics Dedicated video monitoring solutions (APC Netbotz, etc.) Extra sensors on rack doors opening Safe rack
- 16. NETWORK SECURITY FSTEC certified equipment and software Network segmentation in the cloud via VLAN and firewall of Check Point Security Gateway External networks interaction control via the intruder detection system of Check Point Security Gateway Cryptographic protection of communication channels GOST coding via the virtual crypto gateway S-Terra Second level coding using the MacSec protocol VPN organization using AES, 3DES coding
- 17. NETWORK SECURITY CLOUD-152 Cloud core switch’s ESXi ESXi ESXi ESXi S-Terra virtual gateway DataLine Admins Remote user sites Check Point Security Gateway’s (FW/IDS) DataCenter core switch’s Site-to-site VPN INTERNET
- 18. CLOUD-152: IAAS VERSIONS Private cloud for allocation of personal data with protection level #1 Community cloud for allocation of personal data with protection levels #2, #3 and #4 The standard solution offers a resilient architecture based on NORD-4 data centre. Disaster-proof cloud-152 can be also arranged based on NORD and OST data centres locations.
- 19. PRIVATE CLOUD-152 FOR DATA WITH PL-1 For the information systems processing personal data with protection level #1, an individual project is developed on the allocated hardware. This solution may be fail-safe or disaster-proof.
- 21. COMMUNTY CLOUD: PROTECTION MEANS All protection means used in Cloud-152 architecture are certified by FSTEC*: vGate R2 (virtualization protection means) CheckPoint IDS (intruder detection system) CheckPoint FW (firewall) Wallix (proxy server with sessions recording) Kaspersky (virus protection) S-Terra (VPN gateway) SecretNet and Sobol software and hardware (protection against unauthorized access) * Register of FSTEC certified protection means
- 22. INFRASTRUCTURE-152: ALGORITHM Threat model Migration to Cloud-152 Set of documents (OED***) System attestation**** Documents submission to Roskomnadzor Technical project** System audit* * For current projects/operating systems. Launch of the IS from the scratch commences with development of a threat model. ** Technical project includes a list of protection means corresponding to the level of protection of used personal data and type of threats immediate for the particular system. *** A set of documents includes: a threat model, technical project, organizational records, letter to Roskomnadzor **** The attestation includes compliance assessment of the threat model system to the technical project
- 23. Maximum allowable service downtime per month* ≥ 1,700 0.37h Maximum allowable service downtime per month*0.15h MIPS / 1 vCPU 250 IOPS/ 500 GB HDD IOPS Time of access to the VM disc≤20ms 99.982% availability of the data centre and network infrastructure 10 minutes response time 99.98% of the service availability for data with PL-3 99.95% of the service availability for data with PL-2 SLA: KEY PARAMETERS * including technological downtime (infrastructure maintenance)
- 24. SLA for data with PL-2: why 99.95% Reduced guaranteed availability of the service is caused by the prohibition of the remote access to the host under protection administration of personal data with protection level # 2. Manual reboot of the servers is only permissible for the IS with this data category.
- 25. $11 $3.23 $6.44 $0.12 $0.26$0.51 HDD SATA, for 1 Gb HDD SAS, for 1 Gb SSD, for 1 Gb RAM, for 1 Gb CPU, for 1 GHz Protection means, For vCPU HOW MUCH DOES IT COST?
- 26. INTERESTED, BUT STILL HAVE QUESTIONS? Contact us at +7 (495) 784 65 05 or cloud-152@dtln.ru if you have any questions on personal data protection options.