Areas Of Responsibility Of The Customer And The Cloud Provider

Since Russian legislation imposes several requirements on processing and storing personal data (PD), companies have already placed their own PD in the provider’s cloud. Earlier, our colleagues from IT-GRAD have already told us what personal data is and the principles of working with them.

Now let’s talk about how not to violate the law and comply with the requirements of the regulator, what responsibility is assigned to the PD operator and the provider, and what the client should know when choosing a provider of personal data hosting services according to FZ-152[1]. These and other questions will be answered in today’s article.

The Regulator’s Position On The Cloud

Even though Roskomnadzor is often criticized for its lack of modernity, the regulator’s position on the use of the cloud is still favorable. The comment below says that the legislation does not establish technological restrictions on the collection or storage of PD and allows the use of any technology:

Is it possible to use cloud technologies as a database (SaaS)[2], PaaS[3], or SAP[4])? Including if these technologies are provided by companies that have their own or rented servers in Russia (like the same SAP), the client does not have exact information about which servers will be involved in a particular moment of work.

242-FZ[5], as well as draft by-laws developed in pursuance of this law, do not establish any technical requirements prescribing the need for the personal data controller to use any specific technologies in collecting and storing personal data. Thus, the operator can use cloud technologies. Still, at the same time, it is obliged to provide and, if necessary, to know and be able to document the location of secret databases on the territory of the Russian Federation.

At the same time, personal data during the collection period should be recorded on the territory of the Russian Federation in the cloud or locally.

Outsourcing Security – General Requirements

The outsourcing of PD processing and the organization of technical protection of personal data is directly provided for by Russian legislation, including the law “On Information Technologies and Information Protection.” At the same time, the operator of the information system (IS) should take measures to ensure the security of the infrastructure:

• prevention of unauthorized access (DLS);
• timely detection of NCD facts;

The Law “On Personal Data” also provides for the outsourcing of PD processing. Still, the essential elements of such outsourcing are the contract and the consent of the PD subject. Quite strict requirements are imposed on the content of the contract. It is necessary:

• Generate a list of actions (operations) to be performed;
• Determine the purpose of pd processing (after achieving this goal, personal data should be destroyed or impersonal; it is a violation to use the MHP to achieve other purposes);
• Introduce obligations to observe the confidentiality of PD;
• ensure security;
• Comply with the requirements in Article 19 of the Federal Law “On Personal Data.”

Areas Of Responsibility Of The PD Operator

Before you can move your data to the cloud, you need to allocate responsibilities correctly. The PD operator, planning the migration to the cloud and understanding what data will be transferred, must decide for himself:

• What type of threats he considers relevant and determine the level of security of the PD information system (ISDN);
• Determine the composition of security measures based on a set of primary and adaptive measures, as well as reflect in the contract with the provider what security measures the supplier will take;
• to build a private model of actual threats for its IP segment;
• Implement a protection system in its IP segment.

Also Read: 7 Technologies Transforming The Supply Chain

What A Responsible Cloud Provider Should And Can Do

The service provider, in turn, must:

• Obtain licenses from the FSB, FSTEC (Federal Service for Technical and Expert Control), and if data transmission is additionally organized or telematic services are provided, then a license from the Ministry of Communications;
• Determine the type of current threats and the maximum level of protection for the cloud;
• Build a private model of current cloud threats.
• Implement a protection system in the cloud;
• Provide the operator with the ability to deploy additional security features (PaaS or IaaS);
• Help the customer with the implementation of security measures on the client side.