Experts: personal data will be the main target of cybercriminals in the foreseeable future.
- When: 04 July 2019
Any personal data, be it a scanned passport, IIAN or TIN, can easily be used by criminals, for example, for processing electronic signatures at a certification center, says Boris Merkulov, cloud solutions and information security engineer of Linxdatacenter. “Access to such a signature will further allow them to establish and close a limited liability company, sign payment documents, and apply to banks for loans on behalf of the person whose data have been stolen. If you look closer at the history of the latest major data leaks in the world, the focus on PD will be obvious. Professional solutions in the field of information security that ensure compliance with the requirements of laws on personal data are no longer an option but a necessity,” the expert noted.
Natalia Neverovskaya, a partner of the law firm Unicomigal, agrees with him. “Not long ago, mostly foreign companies contacted us about issues concerning PD; today there is a flurry of such requests from literally everyone, from serious business players to theaters, museums, libraries and medical clinics. New formats of provided services and the penetration of digital tools into areas focused on the final consumer (trade, banks, insurance) have seriously expanded both the volume of PD used by modern economies and the list of data types that fall under this definition. Today, PD means any personal information about an individual that enables the person to be identified: a phone number, an IP address, a nickname on various Internet sources, all of that is PD,” said Natalia Neverovskaya.
Thus, any company or organization today becomes a data operator and therefore has certain duties and restrictions defined by law.
Olga Ermakova, Senior Legal Counsel and Compliance Specialist of Linxdatacenter, mentioned the importance of complying with all phases of the PD protection project. The most important stage is the audit, since its results reveal the current situation with PD processing in the organization, outline the architecture of the future solution, and assign the roles of the employees responsible for the project. For example, it is at the audit stage that a project manager needs to be appointed who will be responsible for data processing as well as further contacts with Roskomnadzor.
The second important stage is the awareness of the continuity of the tasks related to work on PD in the structure of the company's business processes. Any changes in business processes, state structures, legislation updates and law enforcement practice oblige the company to update all regulations, processes, architecture, models of current threats, etc.
The participants of the seminar noted the prospective need to bring the requirements of the Russian 152-FZ and the European GDPR to a common denominator, as well as the role of staff training in the PD protection processes. The law gives a certain freedom: each operator independently decides what data to store, in what way and how long to store it, how to destroy it, etc. Internal policies of organizations in the field of data protection should not only be developed, but also communicated to employees. “After the business process audit, obtaining a conclusion, modeling threats and determining the necessary level of PD protection, the creation of the statement of work, technical project and directional documentation begins. The introduction of the PD protection system today is implemented on the basis of this set of project documentation only and according to the specified sequence of actions,” emphasizes Olga Ermakova.
Experts agreed that it is reasonable to outsource PD protection projects to a contractor whose competences combine the necessary level of legal and technical expertise. “Such an approach will require more time, money and will not provide a large selection of suitable performers, but it guarantees 100% compliance with the requirements of the law, protects PD of individuals at the proper level, and also guarantees an understanding of all the subtleties of processing personal data in relation to the tasks of a particular business,” says Olga Ermakova.
A local information protection system for virtual machines consumes a lot of computing resources, slows the machines down and increases the load on the network. Transferring PD processing to the cloud of an external service provider makes it possible to ensure high speed of the IT system and the business processes linked to it while meeting all information security requirements. This is ensured by an agentless approach to implementing a complex of information security measures in clouds: antiviruses, scanners and other tools gain access to IT system resources without installing an agent program on the same server, which increases the speed of scanning virtual machines, ports, network nodes and other resources.
Clouds also provide the ability to scale any IT resources to provide the necessary level of data protection on request, depending on the company's requirements. For example, VMware virtualization tools used as part of Linxdatacenter cloud services allow you to emulate the components of your IT infrastructure, including software switches of the NSX Edge Gateway type, to guarantee complete security for all connections.
The seminar was organized by Linxdatacenter, an international expert in high-tech solutions for data storage, cloud services and telecommunications, with the information support of the Russo-British Chamber of Commerce and the Finnish-Russian Chamber of Commerce in Moscow.