Cloud personal data protection
The question of how permissible it is to store personal data (PD) transferred to operator companies in the cloud does not always have an unambiguous answer. You need to establish to what extent the cloud provider's servers meet the requirements for the protection of personal data, and determine the legal basis on which information will be transferred to the cloud for storage.
Key issues related to the possibilities of hosting PD in the cloud
The need to transfer personal data to cloud storage arises, for example, when working with accounting programs or CRM systems in which the main data sets are located on the service provider's server. As a result, the cloud holds personal information that is kept:
- in accounting;
- in the personnel department;
- in the customer service department.
In this regard, the management of a legal entity faces the following systemic questions:
- Is the placement of personal data information systems on cloud servers permissible according to the norms of Federal Law No. 152-FZ, Government Resolution No. 1119 and FSTEC orders?
- How should the cloud be built to provide adequate protection for personal data?
- What requirements apply to an operator that decides to store legally protected and confidential information in the cloud, and what nuances should it take into account?
- How can a personal data system hosted in the cloud be certified?
- What exactly is a cloud provider responsible for in the area of personal data protection?
- Which of the four system security classes can be achieved in the cloud?
- How can a competitor's actions be taken into account in the threat model if it intends to attack databases stored in the cloud?
In most cases, if a company processes only the personal data of its employees and is not an operator, it will not have such questions. But for a medical organization or an online store, the risk of an inspection by the FSTEC of the Russian Federation or Roskomnadzor makes it necessary to find the right answers to them.
Organizations that are ready to shift the protection of personal data to a cloud provider must independently carry out the organizational measures required by the orders, while checking how well the cloud provider is prepared to solve technical problems. Most large companies have already brought their personal data protection systems in line with the requirements.
How cloud providers solve the problems of compliance with FSTEC requirements
Companies whose services involve placing personal data in the cloud, not wanting to lose customers, have brought their systems in line with the requirements. The basic layout of the distributed system looks like this:
- automated workstations (AWPs), on which the data is actually processed, are located in the customer's office;
- the database containing personal data resides on a server on the service provider's premises;
- the server, in line with legal requirements, is located on the territory of the Russian Federation.
In this situation, three key elements of the system should be protected from external threats:
- user workstations (AWPs) located in the client's office. Preventing the transfer of confidential information and personal data to physical media, or its removal beyond the protected perimeter by other means, must be ensured by the cloud provider's client company;
- the communication channel through which information is transmitted over telecommunication networks from the workstation to the provider's server;
- virtual machines in the cloud that host personal data.
Necessary technical measures
To ensure the security of those elements of a distributed system that are in their area of responsibility, providers have to solve certain technical problems. But a number of tasks are assigned to the operators themselves. Among them:
- ensuring that only certified technical measures are used to protect each of the system elements;
- when designing the configuration of the personal data protection system located at the client's site, creating an up-to-date threat model that takes into account both the risks from illegitimate activity by users who are employees of the personal data operator and external risks from unidentified outside attackers, who may be competitors or hackers.
The operator is fully responsible for these two points. The following tasks, implemented using technical and organizational means, remain with the cloud provider:
- countering external activity that targets the data transmission channel with the aim of distorting or intercepting traffic and causing personal data to leak into the external environment. This task can be solved only with cryptographic data protection tools certified by the FSB of Russia. The legal basis for the provider to deliver such a service is the corresponding agreement concluded between the client and the provider;
- training and monitoring of the provider's personnel. The relevant technical solution is certified access control tools, which need to be integrated into the platform. The servers can also host other certified tools that provide the necessary level of security for the information system that processes personal data. This task should be solved exclusively at the expense of the provider's resources;
- development of a system of protection against external threats and intruders that may target the cloud provider's servers. Since it is difficult to separate the areas of responsibility of the client-operator and the cloud provider, the task of protecting personal data also falls on the provider, which must solve it at its own expense. Certified protection tools are installed on the service provider's servers. If the client needs a higher level of system security than the provider has, the provider can install the required protection system on the basis of an agreement with the client;
- taking into account the risks posed by neighbors in the cloud who have decided to check the provider's security level and are well acquainted with the security measures it uses when processing personal data. Such customers, if they turn out to be competitors, can cause serious damage by misusing or distributing personal data stored on the servers. One way to solve this problem is to use tools that separate cloud server resources between clients. These tools must also be attested (certified) in accordance with the requirements of FZ-152 and the recommendations of FSTEC.
To summarize: if the cloud service provider complies with the requirements of the Federal Law "On Personal Data" and of the regulatory authorities, and uses certified software and technical protection measures that meet the regulators' requirements, placing databases containing personal data in the cloud is permissible. Because the cloud is subject to the requirements for virtual objects, the use of certified hypervisors also becomes necessary. All this ultimately raises the cost of "cloud" services related to the processing of personal data. Self-certification of the system is impossible here: the law provides for it only for the information systems of operators.
When deciding to transfer part of the data sets containing trusted personal data to cloud servers, it is necessary to carefully check the provider's technical readiness and conclude agreements with it on the use of services of the appropriate type.