"Linxdatacenter" offers cloud infrastructure services under cloud 152-fz in systems of security levels III and IV for storing personal data in information systems. We are included in the register of personal data operators, certified by FSTEC and FSS.
Compliance with personal data legislation and minimizing the risk of critical data loss
Regulatory compliance
Assigning experts to support equipment and ensure compliance with the requirements of the Federal Law-152
Focus on core business processes
Improving the resilience and availability of IT systems
Increased fault tolerance
Regular hardware upgrades and software updates by a competent provider
Timely hardware and software updates
Ready-made architecture for personal data processing system under data protection level 2 to 4 in a matter of 2 hours
Low one-time costs and reduced cost of ownership of personal data processing system
Cloud platform based on TIER III data center; SLA up to 99.95%
Control of data access at the virtual and physical level
Over 20 years in the IT industry, licensed by FSTEC and FSB
Expert statements and certificates of conformity with the requirements of personal data law (FZ-152)
BEST, money transfer and payments operator
The customer faced a technical issue with a persistent BGP session flag with Linxdatacenter hardware. We examined the problem and found out that one of customer’s hosts was under a DDoS attack.
Because of the distributed nature of the attack, traffic couldn’t be filtered effectively, and disconnecting the host from the external network wasn’t an option. The attack stopped after changes in the server configuration, but resumed the day after. A 5.5 Gbps attack overloaded the junctions with internet providers, affecting other Linx Cloud users. To mitigate the effects of the attack, we employed a dedicated DDoS protection service.
To ensure the continuous availability of resources hosted in Linx Cloud, we rerouted all the customer’s traffic through StormWall Anti-DDoS system. The attack was stopped within half an hour. To prevent future cyberattacks, we organized all connections to the customer’s resources through the StormWall network.
A large international developer of IT solutions for monitoring and logistics of medications.
To meet the legal requirements in Russia, the customer needed a virtual server and network environment hosted in a Russian datacenter.
Linxdatacenter launched two identical instances of the customer’s IT resources in cloud platforms based in Moscow and Saint Petersburg datacenters. Both instances included a development environment and a production environment running on WMware technologies.
To meet the requirements of the Russian personal data law, we used a cryptographic solution provided by a local developer. A connection to AWS was established over an encrypted channel.
If you process large volumes of personal data, including special and biometric personal data
processing large volumes of personal data
If you are planning to localize your IT infrastructure in Russia to comply with Federal Law-152
localization of IT infrastructure
If you are building your own secure information system for storing and processing personal data
creation of your own personal data storage
Individual advice and planning for improving your personal data processing system
Regulatory compliance
In-depth interviews with stakeholders within the company involved in processing personal data
Audit of documentation on personal data processing and storage
Researching the technical aspects of the personal data processing system
Security audit of personal data processing system using software and hardware security scanners. Identification of vulnerabilities in network architecture and hardware configuration
Recommendations for improvement of personal data processing system and related business processes to minimize the risks associated with the processing and storage of personal data
A detailed report on the compliance with the requirements of the Personal Data Law of Russia
The list of specific steps to organize the processing of natural resources in accordance with 152-FZ and international safety standards
According to the law, any identifiable information about a person is considered personal data, including name, contact details, gender, and so on. The law applies to both customers and employees. In other words, if you work with people, you are almost certainly subject to the Personal Data Law.
Within the framework of the Personal Data Law, anyone processing personal data is considered an “operator”. It’s enough to keep personal records, use a CRM, or track website users with Yandex Metrika or Google Analytics.
Companies working in financial services, healthcare, education, hospitality, telecommunications, advertising, and retail are the most prone to inspections from regulators.
In the context of FZ-152, personal data processing systems are represented by business applications, mail systems, directory services (e.g., Microsoft Active Directory, Novell eDirectory), and other widely used software.
The law requires companies operating in Russia to store and process personal data locally, set up business processes and internal policies, and employ technical solutions to protect it.
Roskomnadzor, FSB and FSTEC. Roskomnadzor is allowed to run inspections and decide on sanctions.
Under the Labor Code of Russia, the people responsible for the processing of personal data are liable for direct compensation of damages caused by improper management of personal data.
The Civil Code of the Russian Federation allows a citizen to demand compensation from an organization in case of moral or material damage caused by improper management of personal data.
Depending on the set of violations, administrative liability includes fines of up to 100,000 rubles for individuals, up to 800,000 rubles for officials, up to 20,000 rubles for individual entrepreneurs, and up to 18 million rubles for organizations.
Criminal liability for violation of the law on personal data can be qualified under a number of articles that provide for punishment up to imprisonment for up to 4 years.
Roskomnadzor has the right to block the websites of violators of the Personal Data Law.
The operator of personal data may entrust operations with personal data to a third party called a processor. However, the processor’s liability is limited: the operator determines the purposes and the procedures of personal data processing and stays accountable to the state and the personal data subjects.
When personal data is processed in the cloud under the Infrastructure-as-a-Service model (IaaS), the responsibility of the operator and the processor can be clearly distinguished.
The processor is responsible for the hardware and software conformity to the requirement of the law up to hypervisor level.
The operator is responsible for virtual machines, operating systems, and applications installed.
By default, the operator is responsible for information security, but can task the processor to provide the respective services under the Security-as-a-Service model (SECaaS). Such services may include antivirus protection, firewall, VPN, and so on.
© 2022
Taras Chirkov, Head of Data Center in St. Petersburg in St. Petersburg
Konstantin Nagorny, chief engineer of data center in St. Petersburg. in St. Petersburg
Data center is a complex IT and engineering object, which requires professionalism at all levels of management: from managers to technical specialists and executors of maintenance works. Here's how we helped our client put operational management in corporate data centers in order.
Management is in the lead
The most advanced and expensive IT equipment will not bring the expected economic benefits if proper processes of engineering systems operation in the data center, where it is located, are not established.
The role of reliable and productive data centers in today's economy is constantly growing along with the requirements for their uninterrupted operation. However, there is a big systemic problem on this front.
A high level of "uptime" - failure-free operation of a data center without downtime - depends very much on the engineering team that manages the site. And there is no single formalized school of data center management.
And there is no single formalized school of data center management. ⠀ ⠀
Nationwide
In practice, the situation with the operation of data centers in Russia is as follows.
Data centers in the commercial segment usually have certificates confirming their management competence. Not all of them do, but the very specifics of the business model, when a provider is responsible to the client for the quality of service, money and reputation in the market, obligates them to own the subject.
The segment of corporate data centers that serve companies' own needs lags far behind commercial data centers in terms of operational quality. The internal customer is not treated as carefully as the external customer, not every company understands the potential of well-configured management processes.
Finally, government departmental data centers - in this regard, they are often unknown territory due to their closed nature. An international audit of such facilities is understandably impossible. Russian state standards are just being developed.
This all translates into a "who knows what" situation. "Diverse" composition of operation teams composed of specialists with different backgrounds, different approaches to the organization of corporate architecture, different views and requirements to IT departments.
There are many factors that lead to this state of affairs, one of the most important is the lack of systematic documentation of operational processes. There are a couple of introductory articles by Uptime Institute which give an idea of the problem and how to overcome it. But then it's necessary to build the system by your own efforts. And not every business has enough resources and competence for that. ⠀ ⠀⠀⠀
Meanwhile, even a small systematization of management processes according to industry best practices always yields excellent results in terms of improving the resilience of engineering and IT systems.
Case: through thorns to the relative order
Let's illustrate by the example of an implemented project. A large international company with its own data center network approached us. The request was for help to optimize the management processes at three sites where IT systems and business-critical applications are deployed.
The company had recently undergone an audit of its headquarters and received a list of inconsistencies with corporate standards with orders to eliminate them. We were brought in as a consultant for this as a bearer of industry competence: we have been developing our own data center management system and have been educating on the role of quality in operational processes for several years.
Communication with the client's team began. The specialists wanted to get a well-established system of data center engineering systems operation, documented on the processes of monitoring, maintenance and troubleshooting. All this had to ensure optimization of the infrastructure component in terms of IT equipment continuity.
And here began the most interesting part.
Know thyself
To assess the level of data centers in terms of compliance with standards, you need to know the exact requirements of the business to IT systems: what is the level of internal SLA, the allowable period of equipment downtime, etc.
It became clear right away that the IT department did not know exactly what the business wanted. There were no internal criteria of service quality, no understanding of the logic of their own infrastructure.
Colleagues simply had no idea what the permissible downtime for IT-related operations was, what the optimal system recovery time in case of a disaster was, or how the architecture of their own applications was structured. For example, we had to figure out whether a "crash" of one of the data centers would be critical to the application, or if there were no components affecting the application.
Without knowing such things, it is impossible to calculate any specific operational requirements. The client recognized the problem and increased coordination between IT and the business to develop internal requirements and establish relationships to align operations.
Once an understanding of the IT systems architecture was achieved, the team was able to summarize the requirements for operations, contractors, and equipment reliability levels.
Improvements in the process
Our specialists traveled to sites to assess infrastructure, read existing documentation, and checked the level of compliance of data center projects with actual implementation.
Interviews with the responsible employees and their managers became a separate area of focus. They told what and how they do in different work situations, how the key processes of engineering systems' operation are arranged.
After starting the work and getting acquainted with the specifics of the task the client "gave up" a little: we heard the request "just to write all the necessary documentation", quickly and without deep diving into the processes.
However, proper optimization of data center "engineering" management implies the task to teach people to properly assess the processes and write unique documentation for them based on the specifics of the object.
It is impossible to come up with a working document for a specific maintenance area manager - unless you work with him at the site continuously for several months. Therefore this approach was rejected: We found local leaders who were willing to learn themselves and lead their subordinates.
Having explained the algorithm of documents creation, requirements to their contents and principles of instructions ecosystem organization, for the next six months we controlled the process of detailed writing of documentation and step-by-step transition of the personnel to work in a new way.
This was followed by a phase of initial support for work on the updated regulations, which lasted one year in a remote format. Then we moved on to training and drills - the only way to put the new material into practice.
What's been done
In the process, we were able to resolve several serious issues.
First of all, we avoided double documentation, which the client's employees feared. To this end, we combined in the new regulations the regulatory requirements applied to various engineering systems as standard (electrics, cooling, access control), with industry best practices, creating a transparent documentation structure with simple and logical navigation.
The principle of "easy to find, easy to understand, easy to remember" was complemented by the fact that the new information was linked to the old experience and knowledge of the employees.
Next, we reshuffled the staff of service engineers: several people turned out to be completely unprepared for the change. The resistance of some was successfully overcome in the course of the project through the demonstration of benefits, but a certain percentage of employees turned out to be untrained and unresponsive to new things.
But we were surprised by the company's frivolous attitude to its IT infrastructure: from the lack of redundancy of critical systems to the chaos in the structure and management.
In 1.5 years the engineering systems management processes have been pumped up to the level that allowed the company's specialists to successfully report "for quality" to the auditors from the headquarters.
With the support of the operating component development pace the company will be able to pass any existing certification of data centers from leading international agencies.
Summary
In general, the prospects of consulting in the field of operational management of data centers, in our opinion, are the brightest.
The process of digitalization of the economy and the public sector is in full swing. Yes, there will be a lot of adjustments in the launch of new projects and plans for the development of old ones, but this will not change the essence - the operation should be improved at least to improve the efficiency of already built sites.
The main problem here: many managers do not understand what thin ice they are walking on, not paying proper attention to this point. The human factor is still the main source of the most unpleasant accidents and failures. And it needs to be explained.
Government data center projects are also becoming more relevant now and require increased attention in terms of operations: the scope of government IT systems is growing. Here, too, the development and introduction of a system of standardization and certification of sites will be required.
When the requirements to public data centers in Russia at the level of legislation will be reduced to a standard, it can be applied to commercial data centers, including for the placement of public IT resources.
The work in this area is ongoing, we are participating in this process in consultation with the Ministry of Digital and by building competencies for teaching courses on data center operation at the ANO Data Center. There is not much experience on such tasks in Russia, and we believe that we should share it with colleagues and clients.
BEST, money transfer and payments operator
The customer faced a technical issue with a persistent BGP session flag with Linxdatacenter hardware. We examined the problem and found out that one of customer’s hosts was under a DDoS attack.
Because of the distributed nature of the attack, traffic couldn’t be filtered effectively, and disconnecting the host from the external network wasn’t an option. The attack stopped after changes in the server configuration, but resumed the day after. A 5.5 Gbps attack overloaded the junctions with internet providers, affecting other Linx Cloud users. To mitigate the effects of the attack, we employed a dedicated DDoS protection service.
To ensure the continuous availability of resources hosted in Linx Cloud, we rerouted all the customer’s traffic through StormWall Anti-DDoS system. The attack was stopped within half an hour. To prevent future cyberattacks, we organized all connections to the customer’s resources through the StormWall network.
BEST, money transfer and payments operator
The customer faced a technical issue with a persistent BGP session flag with Linxdatacenter hardware. We examined the problem and found out that one of customer’s hosts was under a DDoS attack.
Because of the distributed nature of the attack, traffic couldn’t be filtered effectively, and disconnecting the host from the external network wasn’t an option. The attack stopped after changes in the server configuration, but resumed the day after. A 5.5 Gbps attack overloaded the junctions with internet providers, affecting other Linx Cloud users. To mitigate the effects of the attack, we employed a dedicated DDoS protection service.
To ensure the continuous availability of resources hosted in Linx Cloud, we rerouted all the customer’s traffic through StormWall Anti-DDoS system. The attack was stopped within half an hour. To prevent future cyberattacks, we organized all connections to the customer’s resources through the StormWall network.
Thank you for your inquiry, we will get back to you shortly!