Peculiarity of Personal Data Protection in the Cloud
There are still many myths about cloud services. The most persistent ones are associated with the enterprise information security and risk of unauthorized access by insiders and competitors. There is no smoke without fire: reputation of the entire cloud market was tainted by hosting providers and free file-sharing networks that do not adequately protect their cloud environments. Just recall the stories of massive data leaks from hacked iCloud and Dropbox.
According to InfoWatch, despite the growing total number of information leaks, they are less and less caused by insufficient security of technical channels, including network links. This means that most providers use reliable equipment and the best security solutions. Nevertheless, today a significant part of reported leaks is caused by actions of dishonest employees of companies that use cloud services.
Aliens against friendlies
Strict cloud infrastructure access control reduces the risk of leaks caused by human factors. Data is encrypted and stored on a remote server, and it is not that easy to take the data from it and transfer to third parties. Access to cloud's sancta sanctorum – a Data Center – is restricted and reliably controlled by various technical means, including biometric identification of those provider's employees who are authorized to enter the Data Center building.
Local infrastructure of many companies is less protected, which causes many incidents. After having reviewed them, the Ponemon Institute (USA) came to the following conclusion:
Key causes of corporate data leaks include unattended computers, lost data media, and confidential data stored on notebooks.
Perimeter-wise cloud security
According to Gartner, by 2020, public clouds will face 60% less attacks than enterprise infrastructures. This also proves again that clouds are well-protected environments with DDoS attack detection and blocking systems, and firewalls. Moreover, automated monitoring system, integrity control system, and security event audit system are used to identify vulnerabilities in internal infrastructure. Various scans are performed regularly to detect new, ever-emerging vulnerabilities. For customers, these systems provide an adequate level of security. Specific services, such as web resource vulnerability scanning, in-cloud web app protection, or complete DDoS attack protection, can be purchased at extra cost.
Security of personal data – the most sensitive customer data
According to the Federal Law No.152, a certain level of security must be ensured when storing personal data (actually, any information by which a person can be identified). If personal data is stored in a cloud infrastructure, then not only cloud platform security requirements should be met, but certified tools should also be employed to protect personal data information system.
How is this implemented in practice?
A multi-level architecture is created, which includes perimeter tools for the platform access monitoring and control, tools to protect the platform and isolate customers’ virtual segments, and antiviruses for all platform components. On top of this, systems are deployed to protect the application used for data storing and processing. And – which is most important – all the tools employed must be certified by the Russian Federal Service for Technical and Export Control (FSTEC) or the Federal Security Service (FSB). The cloud platform's certificate indicates that the platform complies with regulations regarding personal data storage systems up to the third level of protection inclusively.
By the way, we are often asked where to store and process data of the first and second levels of protection, for example, a database with healthcare information of 100+ thousand Russian citizens. The answer is simple: migrate the system to a dedicated equipment in a data center. The reason is that currently none of hypervisors used in cloud platforms of popular Russian providers is certified, and thus formally none of them may be used to host personal data of the first and second levels of protection. Until the situation changes, we recommend deploying information systems with personal data of the first and second levels of protection on dedicated equipment in a reliable data center.
Whom should you entrust your protection to?
In Russia, there are about 10 cloud providers focused on offering services to large businesses, and an uncountable number of companies that host infrastructure and services for SMBs and individuals in their clouds. Naturally, providers of the first category offer more expensive, customized services and build platforms using proven solutions, since any leaks and other information security incidents can lead to financial and reputational risks. They specify in detail their operation rules in a strict SLA and can confirm a high degree of security with relevant documents, including the above-mentioned certificate of the cloud platform compliance with the requirements of the Federal Law No.152, certificate of compliance with ISO/IEC 27001 international standard for information security, and PCI DSS certificate. It is also important for a cloud provider to hold a full range of Tier III certificates issued by the Uptime Institute, including Tier III Gold Certification of Operational Sustainability, evidencing well-running data center operation processes.
Though PCI DSS certification mainly regulates dealing with payment cards and transfers, it also indicates a high level of protection. This document both confirms the existence of the appropriate information security tools and formalizes organizational matters, such as requirements for employees and their actions in case of incidents. In addition, it sets the requirements for the frequency of "auditing" activities, such as penetration tests, which a self-respecting cloud provider conducts once or twice a year. These measures help, among other things, reduce human factor impact by transferring it to a cloud service provider and its team.