Correct hosting for ispdn. Why are the servers of most cloud providers not suitable for processing personal data? Which hosting to choose - Russian or foreign - so as not to violate the Law on Personal Data? Computing center hosting-pr

  • Federal Law "On Personal Data" of July 27, 2006 N 152-FZ


Since September 2015, the regulation on the localization of storage of personal data (242-FZ dated July 21, 2014) has been in force in the Russian Federation. This innovation, of course, turned out to be one of the main drivers in the Russian hosting and cloud computing market, forcing both personal data operators and hosting providers to think once again about how to make such a seemingly simple entity as a website comply with the requirements of the legislation on personal data.

Despite the fact that the Federal Law of July 27, 2006 N 152-FZ "On Personal Data" was adopted quite a long time ago, not everyone has adapted to it and learned to comply with it. This is partly due to the large number of normative documents and the regularly issued amendments to them, which today come from four bodies: the Government, Roskomnadzor, FSTEC and the FSB. It is also due to the rather balanced position of the regulator, which, instead of a policy of hammering in nails, chose a strategy of smooth but inevitable tightening of the nuts.

While big business and government authorities, as the most disciplined market participants, have for the most part already brought their personal data information systems (ISPDN) into line with the legislation, medium and small businesses are only now beginning to realize that, for their further existence and development, they will after all have to come out of the shadow, including in terms of compliance with the legislation on personal data, especially since this shadow keeps shrinking and there is already not enough of it for everyone.

What should the owner of the website, which collects and stores personal data of users, do (for example, in the personal account of the online store)? Let's try to figure it out together.

If a website collects personal data, then it is a personal data information system and is subject to 152-FZ

Here is what Roskomnadzor itself says about this: “According to paragraph 9 of Art. 3 of the Federal Law "On Personal Data", the personal data information system is a set of personal data contained in databases and information technologies and technical means that ensure their processing. If the website meets the specified requirements, it is an information system.”

What is personal data, we all intuitively know, but it is important to understand what it is from the point of view of legislation. According to clause 1 of Article 3 of Federal Law No. 152-FZ, personal data is any information relating directly or indirectly to a specific or identifiable individual. That is, it is practically anything: from TIN to hair color and shoe size, not to mention a phone number and address, be it email or postal.

Thus, an online store, or just a website with a personal account or user registration, online ordering, booking, payment, delivery and so on, is, in terms of 152-FZ, a personal data information system (ISPDN), and its owner is the operator of personal data.

Personal data law takes into account trends in cloud computing and outsourcing

Much has been said and written about the relevance and prospects of IT outsourcing, especially for companies in the small and medium-sized business sector, so in this article I will not agitate the reader “for the clouds”. Moreover, we all know so well that most sites on the Internet are hosted on the public web servers of hosting service providers.

There are many reasons for this, but the main one is undoubtedly the common desire of companies to save money, to get a cheap web service with high availability. Creation of your own computing infrastructure with reliability at least comparable to that of a Tier-III data center costs millions of rubles. First, you need an appropriate room: not a corridor, not a basement, not an attic, so that it will not be flooded, and so that outsiders do not have access there. We need ventilation and air conditioning, and with a certain amount of redundancy. It is necessary to organize an autonomous and backup power supply. To do this, you need to put a diesel generator set somewhere. Finally, we need physical security and service personnel. In addition, for guaranteed service availability, you will have to buy a full set of spare parts for server and network equipment. That is, instead of one server, you actually have to buy two.

Naturally, with the development of cloud computing, virtualization technologies and a clearly pronounced trend towards outsourcing, more and more companies from the SMB sector are striving to transfer their information systems from "under-desk" system units to cloud computing resources located in computing centers that meet modern industrial standards.

A certain amount of personal data is stored and processed in the information systems of any enterprise. It can be both the personal data of the company's employees and the data of customers or counterparties. Corporate information systems are quite diverse, both functionally and technologically. It can be both an accounting automation system, for example 1C, and a site with a user's personal account and an online store. At the same time, these information systems, as a rule, are interconnected: they transfer information to each other, including personal data.

According to clause 3 of Article 3 of 152-FZ, the processing of personal data is any action (operation) or a set of actions (operations) performed with personal data, with or without the use of automation tools, including collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.

Thus, the placement of ISPD on the provider's server is nothing more than outsourcing, at least, of such functions for processing personal data as: recording, storing, reading (retrieving), transferring and deleting.

According to clause 2 of Article 3 of 152-FZ, an operator (of personal data) is a legal entity or an individual who independently or jointly with other persons organizes and (or) carries out the processing of personal data, as well as determines the purposes of processing personal data, the composition of personal data to be processed, and the actions (operations) performed with personal data.

Accordingly, the hosting provider, which has assumed the functions of storing and transferring personal data, is their operator, along with the owner of the site (the information system that processes this personal data) and, according to the law, is obliged to take certain measures to ensure their security. In fact, everything is not so bad and we must pay tribute to the authors of the Law "On Personal Data" No. 152-FZ and Government Decree No. 1119 dated 01.11.2012, which provided for the transfer by the operator of personal data of part of the processing functions for outsourcing to third parties.

Legal regulation of hosting websites that process personal data on hosting provided by a third party

The operator of personal data has the right to entrust the processing of personal data to another person with the consent of the subject of personal data, on the basis of an agreement (instruction) concluded with this person. The person who processes personal data on behalf of the operator is obliged to comply with the principles and rules for the processing of personal data provided for by the current legislation. The operator's order must define the list of actions with personal data that will be performed by the person processing personal data and the purpose of processing, must establish the obligation of such a person to maintain the confidentiality of personal data and ensure the security of personal data during their processing, and must specify the requirements for the protection of processed personal data (clause 3, article 6 of 152-FZ).

Thus, the hosting provider, like the owner of the site, is the operator of personal data processed on the site and is responsible for their availability, safety and security. With only one difference - the owner of the site is responsible to the subjects of personal data, and, in cases stipulated by law, is obliged to obtain permission from the subjects to process personal data, and the hosting provider, as an authorized person, is responsible to the owner of the site, receives personal data from him and stores them, but is not responsible for obtaining permission from subjects.

In general, the topic of obtaining consent from subjects for the processing of their personal data is very large and interesting and, of course, deserves a separate article.

Delineation of the areas of responsibility of the hosting provider and the site owner for compliance with the requirements for the protection of personal data

Agree, it would be unfair to shift all responsibility for the security of personal data to the hosting provider. Indeed, often, he has no idea who, how and on what the site hosted on his server is written. What passwords are used to authorize access to personal data, in what form they are stored, and whether they are used at all.

According to Government Decree No. 1119 (paragraphs 13 - 16), in order to ensure the required level of protection of personal data when processing it in information systems, the following requirements must be met:

| Requirement of PP 1119 | Required security level | Area of responsibility |
|---|---|---|
| Organization of the regime for ensuring the security of the premises in which the information system is located | UZ-4, UZ-3, UZ-2, UZ-1 | Hosting provider |
| Ensuring the safety of personal data carriers | UZ-4, UZ-3, UZ-2, UZ-1 | Hosting provider |
| Approval by the head of the operator of the list of persons who have access rights to personal data | UZ-4, UZ-3, UZ-2, UZ-1 | |
| Use of certified information security tools (passed the procedure for assessing compliance with legal requirements) | UZ-4, UZ-3, UZ-2, UZ-1 | Hosting provider |
| Appointment of an official responsible for ensuring the security of personal data | UZ-3, UZ-2, UZ-1 | Site owner; hosting provider |
| Access to the content of the electronic message log is possible only for persons who have appropriate access rights | UZ-2, UZ-1 | Site owner; hosting provider |
| Automatic registration in the electronic security log of changes in the authority of the operator's employees to access personal data | UZ-1 | Site owner; hosting provider |
| Creation of a structural unit responsible for ensuring the security of personal data | UZ-1 | Site owner; hosting provider |

The hosting provider must have a Roskomnadzor license to provide communication services

As you know, for the provision of communication services, a license from Roskomnadzor is required. This follows, for example, from clause 36 of article 12 of the Federal Law of 04.05.2011 No. 99-FZ "On licensing certain types of activities."

According to the list of names of communication services included in the license to carry out activities in the field of rendering communication services (approved by Decree of the Government of the Russian Federation of 18.02.2005 No. 87), licensed communication services include, inter alia:

  • Telematic communication services (hosting belongs to them);
  • Communication services for data transmission, with the exception of communication services for data transmission for the purpose of transmitting voice information.

To host sites that process personal data, the hosting provider must have a FSTEC license

The Federal Service for Technical and Export Control (FSTEC of Russia) regulates activities related to the technical protection of information, deals with issues of state policy in this area of legislation, standardization and licensing, and also conducts relevant inspections.

Since the hosting provider, as an authorized person under the contractual commission, is the operator of personal data, he is obliged to take technical measures to protect them, that is, to provide services for the technical protection of information. In accordance with the regulation on licensing activities for the technical protection of confidential information, approved by the Decree of the Government of the Russian Federation of February 3, 2012 N 79, this is a licensed activity.

The organizational and technical measures to ensure the security of personal data, approved by FSTEC order No. 21 dated 02/18/2013, include:

  • identification and authentication of access subjects and access objects;
  • access control of access subjects to access objects;
  • limitation of the software environment;
  • protection of machine storage media;
  • registration of security events;
  • anti-virus protection;
  • detection (prevention) of intrusions;
  • control (analysis) of the security of personal data;
  • ensuring the integrity of the information system and personal data;
  • ensuring the availability of personal data;
  • protection of the virtualization environment;
  • protection of technical means;
  • protection of the information system, its communications and data transmission systems;
  • identifying incidents and responding to them;
  • configuration management of ISPD and SZPDn.

To carry out work to ensure the security of personal data, it is allowed to engage, on a contractual basis, third-party organizations licensed for the technical protection of confidential information (clause 2, paragraph 2 of FSTEC Order No. 21).

A number of measures to ensure the security of personal data require the hosting provider to have an FSB license

The composition of measures to ensure an appropriate level of protection of personal data, according to Order of FSTEC No. 21, includes the following measures:

  • Implementation of secure remote access of subjects of access to access objects through external information and telecommunication networks (UPD.13);
  • Ensuring the protection of personal data from disclosure, modification and imposition (input of false information) during its transmission (preparation for transmission) through communication channels that go beyond the controlled area, including wireless communication channels (ZIS.3);
  • Ensuring the authenticity of network connections (interaction sessions), including for protection against substitution of network devices and services (ZIS.11);

Based on the essence of these measures, it is clear that for their implementation it is necessary to use cryptographic information protection means (CIPF). As you know, issues related to the use of cryptographic information protection devices in the Russian Federation are regulated by the Federal Security Service (FSB of Russia).

According to the regulation on licensing activities for the development, production, distribution of encryption (cryptographic) means, approved by the Decree of the Government of the Russian Federation of 04.16.2012 No. 313, the list of works that make up the licensed activity includes:

  • Development of secure, using cryptographic means, information and telecommunication systems;
  • Mounting, installation and adjustment of cryptographic means and of information and telecommunication systems protected with their use;
  • Maintenance of cryptographic facilities;
  • Transfer of cryptographic means and information and telecommunication systems protected with their use;
  • Provision of information encryption services.

The computing center of the hosting provider must be located on the territory of the Russian Federation

On September 1, 2015, the regulation on the localization of storage and of certain personal data processing operations came into force in the Russian Federation. It is defined in Federal Law No. 242 of July 21, 2014 "On Amendments to Certain Legislative Acts of the Russian Federation in terms of clarifying the procedure for processing personal data in information and telecommunication networks", according to clause 1 of article 2 of which, when collecting personal data, including through the information and telecommunications network Internet, the operator must ensure the recording, systematization, accumulation, storage, clarification (update, change) and retrieval of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation.

At the same time, it is important to note that the cross-border transfer of personal data, as such, is not prohibited, but is regulated by law. You can read more about this in Art. 12 152-FZ.

Briefly about the main thing

So, let's summarize the above.

A website is a personal data information system if its functionality allows you to enter, store or view personal data. A good example is almost any site with a personal account, the ability to book online, order or purchase with delivery, etc.

Online processing of customer personal data is not only a necessity for modern e-commerce, but also ample opportunities for marketing, the description of which deserves a separate article.

The owner of a site that is an ISPDN is obliged to submit a notification to Roskomnadzor indicating what personal data he stores and processes and where the servers on which the ISPDN runs are physically located. You can read about this in my article "How to submit a notification to the RKN and not get into trouble."

The agreement with the hosting provider, in addition to the quantitative and qualitative characteristics of computing resources, must contain an order for the processing of personal data that indicates a specific list of actions to be performed with them, the goals and procedure for processing personal data and the requirements for their protection, and that establishes the provider's responsibility for the security of personal data.

In addition to the standard Roskomnadzor licenses for the provision of telematic communication services for hosting companies, in order to protect personal data processed on customer sites, the hosting provider must have a FSTEC license for technical protection of confidential information and an FSB license for the provision of services related to the use of encryption (cryptographic) means.

And finally, the provider's server, which physically stores personal data, must be located in the Russian Federation.

So, this article discusses many, but far from all, aspects of hosting ISPD on the computing resources of cloud service providers. More detailed information can be obtained from the following documents and information resources:

Legislation

  • Decree of the Government of the Russian Federation of 01.11.2012 N 1119 "On approval of requirements for the protection of personal data during their processing in personal data information systems"
  • Order of the FSTEC of Russia dated February 18, 2013 No. 21 On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems


Since the server is not located at your home, you do not have access to it, and even more so you cannot influence the policy of the data center in any way, then you simply do not have the opportunity to comply with a number of legal requirements. The only thing left is to find a hosting that meets the requirements of the law.

I'm not Begete now, I wrote them a letter about their FSTEC license for the protection of confidential information. They answered vaguely, like I'm not me and not mine, we are just these and in general we shouldn't ... To summarize, they do not have a license, which means that by and large a site that collects personal data cannot be kept there. I searched the Internet (not very thoroughly yet) and so far found only RU-CENTER with a license.

License for the development and (or) production of means of protecting confidential information
LICENSE No. 0917 dated September 20, 2011

License for technical protection of confidential information
LICENSE No. 1594 dated September 20, 2011
Copyright holder: Joint Stock Company "Regional Network Information Center"
License validity period: unlimited

Hosting confidential information at RU-CENTER

From March 6, 2012 RU-CENTER starts providing a new service - hosting of confidential information.
Hosting of confidential information is the placement of a site on the Internet with the application of additional measures to protect information.
This service will allow you to fulfill a number of mandatory requirements of the current legislation (Law N 152-FZ), which are presented when processing personal data.
In addition to the basic methods of data protection and storage of information used in other RU-CENTER services, hosting of confidential information offers:

  • specialized certified equipment that allows you to carry out a number of actions to protect information during network access;
  • additional restriction of physical access to the equipment on which the service is provided;
  • daily backup (2 copies);
  • accounting of used physical media;
  • MySQL dedicated to each service.

The main consumers of the new service are small and medium-sized businesses, online stores, forums, marketing research systems and many other Internet resources, which, when processing and storing personal data of users, must comply with the requirements of the legislation of the Russian Federation (Law N 152-FZ).

Actually the question is, how are they in terms of quality?
And if anyone finds other hosters with a FSTEC license to protect confidential information, post them in this thread.

After the entry into force of clause 4 of part 2 of article 19 of the Federal Law of July 27, 2006 No. 152-FZ "On personal data", each company is obliged to bring its information systems and processes related to the processing of personal data into line with the requirements of the legislation of the Russian Federation ...

What does this mean for legal entities?

Organizations are obliged to ensure the protection of human and civil rights and freedoms when processing their personal data, including the protection of the rights to privacy, personal and family secrets. Thus, they become “personal data processing organizations”. The Federal Service for Supervision in the Sphere of Communications, Information Technology and Mass Media (Roskomnadzor), FSTEC and the FSB of Russia will monitor compliance with the requirements of the Legislation.

Federal law applies to companies of any organizational form - these are state bodies, federal and municipal institutions: banks, insurance companies, medical institutions, telecom operators, online stores, retail chains, manufacturing companies and other organizations that process personal data received from employees, clients and other individuals and legal entities.

The responsibilities of the operating organization include:

  • ensuring the legality of the processing of personal data;
  • building a personal data protection system in accordance with the requirements of the FSTEC and the FSB of Russia;
  • sending a notification to Roskomnadzor;
  • development of internal documentation;
  • performance of qualification tests or conformity assessment;
  • systematic updating of the personal data protection system.

Often, this turns out to be a difficult and costly task, including due to the need to obtain a document confirming the effectiveness of the measures taken to protect personal data. That is why most companies prefer to optimize this process by looking for a reliable partner with a ready-made solution in an external virtual infrastructure.

To help all legal entities on the territory of Russia comply with FZ-152, we - hosting a website in cooperation with WELLSERVICE - offer a less costly and time-consuming solution: transferring the storage and processing of personal data into a secure cloud system, which we call "ISPDN in the cloud".

Servers for personal data information systems (ISPDN) are provided to any companies located in the territory and being residents of the Russian Federation.

What is ISPDN in the cloud?

The ISPDN in the Cloud product is a separate secure virtual server at your chosen rate, fully complying with the requirements of FZ-152.

Each ISPDN in the cloud is a completely isolated object. This means that access to your ISPD from the hosting provider is blocked using certified security measures and is absolutely confidential!

Confidentiality of processed information is achieved through:

  • Access to data located on ISPDN in the cloud is limited by means of protection against unauthorized access (NSD) certified by the FSTEC of Russia and by using the functions of the virtual machine hypervisor (which is part of the certified protection means).
  • Data transmitted via communication channels from the terminal of the organization-operator of personal data to the network interface of the virtual machine is encrypted using a cryptographic information protection tool (CIPF) certified by the FSB of Russia. Disk images of virtual machines are also encrypted using CIPF.
  • None of the data centers has any access keys to the cryptographic information protection tools located in the client's virtual machine. So, for example, to load the operating system on a VPS, the client independently enters the password from the cryptocontainer containing the system partition. This procedure is implemented using an operating system loader specially developed by our company on a virtual machine. At the same time, the access keys can be regenerated by the user of the virtual machine at any time, and the encrypted container can be re-encrypted accordingly.
  • The availability and integrity of the processed information is ensured by the use of reserved communication channels, reliable data storage systems, cooling devices and uninterruptible power supplies. Our partners are the best data centers in Russia: Miran, IXCellerate, KIAEHOUSE.

What does ISPDN in the cloud give to companies in Russia?

Simple procedure: we will undertake the entire range of organizational, legal and technical work - the development of a security threat model, the concept of the protection system, the certification methodology, the direct performance of certification tests and the issuance of a certificate of conformity. Choosing our product "ISPDN in the cloud", you DO NOT NEED TO OBTAIN THE CONSENT OF PERSONAL DATA SUBJECTS when collecting them.

Substantial savings: our product frees the customer company from the costs of creating and owning a secure IT infrastructure for storing, processing and protecting personal data. Moreover, the placement of ISPDN in the cloud is provided as a service, the customer company does not have capital costs.

Our advantages:

  • the secure system "ISPDN in the cloud" has passed all the necessary attestations as fully complying with all the requirements of the legislation of the Russian Federation in the field of personal data;
  • full compliance with the requirements of the FSTEC and the FSB of Russia of all hardware, software, and network elements of the system;
  • you do not need to obtain the consent of the subjects of personal data when collecting them;
  • consultations and support at all stages of implementation and work with the product;
  • a full package of organizational, administrative and regulatory documents;
  • no capital costs.

What is the service delivery process?


1. Registration of a representative of the customer company on our website and the subsequent filling out of the application form for the service "ISPDN in the cloud": the need for certification, the details of the organization, type of activity.

2. Depending on the ISPDN requirements, you choose a suitable tariff plan with the required server parameters: disk size and RAM.

3. Conclusion of an agreement for the provision of the ISPDN service in the cloud and payment.

4. Based on the data provided, we will prepare for you a set of organizational, administrative and regulatory documents, including a provision on personal data, an ISPD classification act, a threat model and other necessary documents. A specialist of our company will check the correctness of filling out and approving these documents.

5. We agree with you on the date of the on-site certification of the workplace. After the visit of a specialist and the check of all the requirements for the workplace, you will receive a certificate of conformity and the entire package of documents certifying the full compliance of your ISPD with the requirements and standards of No. 152-FZ "On Personal Data" and all by-laws.




* The cost of a secure ISPDN server with a package of documents and an attestation procedure when paid for 1 year.

The sale of secure infrastructure for storing and processing personal data according to the presented tariff plans is carried out with a minimum period of 1 year.

When ordering the first server in ISPDN, an installation fee of 11,300 rubles is charged.

Before proceeding with the analysis of 152-FZ, you should know that there is also law 242-FZ, which entered into force on September 1, 2015 and is a normative act that amended another fundamental source of law, Federal Law No. 152, adopted in July 2006. The adoption of the law on "localization of personal data" was accompanied by extensive coverage of the legislative initiative in various media, as a result of which two main myths about Federal Law No. 242-FZ arose:

  • Russians are now prohibited from posting their personal data (sites) abroad;
  • all foreign companies were banned from receiving and processing personal data of Russians on servers outside the Russian Federation.

Federal Law No. 242-FZ provides that “when collecting personal data, including via the Internet, the operator is obliged to ensure the recording, systematization, accumulation, storage, clarification (update, change), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation”. In case of non-observance of the law, access to a site caught in the primary collection and storage of personal data of Russian citizens on databases located within the jurisdiction of the Russian Federation may be limited.

Can I use hosting abroad

The law does not prohibit the placement of any site (database) on servers located on the territory of countries that have signed the Council of Europe convention ETS No. 108, or the cross-border transfer of personal data. Article 12, Part 2 of the Council of Europe Convention No. 108 "On the Protection of Individuals with regard to Automatic Processing of Personal Data", ratified by Russia, provides that the countries that have acceded to it will not prohibit or place under special control flows of personal data going to the territory of another party to the Convention, and Art. 25 prohibits any reservations to the Convention.

This means that the use of hosting abroad (not within the Russian Federation), as well as the storage and processing of personal data, is considered legal if the hosting is located in one of the countries that have signed the Convention: Austria, Belgium, Bulgaria, Denmark, Great Britain, Hungary, Germany, Greece, Ireland, Spain, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Finland, France, Czech Republic, Sweden, Estonia, as well as, as follows from the explanations of Roskomnadzor, in the countries ensuring adequate protection of personal data. These are countries that have national regulatory legal acts in the field of personal data protection and an authorized supervisory body for the protection of the rights of personal data subjects: Andorra, Argentina, Israel, Iceland, Canada, Liechtenstein, Norway, Serbia, Croatia, Montenegro, Switzerland, South Korea, Japan.

Where should personal data be stored

Physically, the site and the database can be hosted by any country that has signed the Council of Europe Convention ETS No. 108. The Law contains a requirement for the operator to ensure the recording, systematization, accumulation, storage, clarification (update, change), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, but the Law does not prohibit the storage of personal data of Russians on servers outside the territory of the Russian Federation. The only condition is that initially personal data is collected and processed in the Russian Federation. But, we repeat, this does not prohibit the cross-border transfer of personal data and work with it in the countries that have signed the Convention.

JIHOST hosting compliance with 152-FZ

Jikhost fully complies with 152-FZ through the use of replication and cross-border transfer of personal data.

The principle of operation is described below:

Whenever the site's database changes, including when personal information is transferred, the database is replicated to a server located in the Russian Federation, thus ensuring the constant relevance and completeness of the data in accordance with the Law. Then the data is replicated to the local server database, with which the site subsequently works. This circular scheme is used everywhere. Moreover, if only data reading is required, it occurs without replication, directly from the local database. In addition to compliance with 152-FZ, this scheme of work increases the performance, fault tolerance and reliability of the hosting.