Moving to the cloud can improve security when the appropriate protective measures are applied. In addition, a client using cloud technologies gains the following advantages:
- no need to build an expensive, hard-to-maintain and unevenly utilized computing infrastructure;
- no need to provide the operating conditions for that infrastructure (power supply, climate control, fire suppression, etc.);
- mobility and ease of access from different user devices;
- reduced total cost of ownership (TCO);
- no need to hire expensive specialists;
- fast and simple deployment of additional computing capacity without further interaction with the provider;
- the ability to reduce infrastructure costs just as quickly when performance requirements fall;
- simpler recovery after accidents and other dangerous or unforeseen events.
What To Look For When Choosing A Provider Offering Services “According To FZ-152”
Choosing a provider takes work, since it must be a proven, reliable and responsible company. A prospective contractor (let us call it that) should answer honestly what maximum level of protection it provides in the cloud, and which types of actual threats it neutralizes. Better still, do not take this on faith: ask the provider to confirm that it complies with the declared level of protection.
For example, request a document confirming an external audit by an independent contractor. Ideally this would be a certificate of attestation, although attestation of a cloud is quite difficult.
In addition, the provider should have a threat model for the protected segment of the cloud and, where necessary, share it with the client, including a description of the measures and methods used to neutralize the current threats. The contract with the provider must cover the points required by part 3 of Article 6 of the Law “On Personal Data,” including the types of current threats and the levels of protection.
Beware of “Beacon Words”!
When searching for a cloud provider, watch for “beacon words.” If a company’s web page uses terms such as PD security class, typical or special ISPDn, a license to work with personal data, or certification and attestation of the cloud for compliance with FSB requirements, be wary: these terms come from the superseded regulatory framework and are no longer used in the current vocabulary.
Moreover, there is no such thing as attestation according to FSB requirements, and there never has been.
It is also worth looking at how backup and recovery are organized in terms of disaster tolerance and geographic distribution. The provider should be prepared to offer a certified crypto gateway[6], either as an additional service or as a core part of the arrangement.
The outcome of the relationship with the provider is a contract that specifies the level of protection and defines the security measures. That contract demonstrates that the operator’s obligations for the technical protection of PD have been met, which is sufficient to confirm compliance with the legislation.
Note that a contract with the provider does not have to be concluded immediately. Any reasonable provider will offer a trial of its cloud IaaS service so that the client can judge whether it suits their needs.