Change in personal data protection law Issues of the compliance with personal data law demands in Russia

Tieto - Transfer of International Companies’ Corporate IT Systems to Russia and their Local Support


Page 1: Tieto - Transfer of International Companies’ Corporate IT Systems to Russia and their Local Support

Change in personal data protection law

Issues of the compliance with personal data law demands in Russia


© Tieto Corporation

Summary: Russian personal data protection law has been updated

Current law allows storage and processing in EU and other countries. Dated July 2006.
New law requires personal data databases to be located in Russia.

Various interpretations:
• Totally restricts foreign storage
or
• Still allows foreign storage if there is a copy in Russia
and/or
• Foreign processing is still allowed when database is in Russia

o New law signed on 21st of July 2014 and will come into effect on 1st of September 2016
o Proclaimed purpose is to protect Russian data after Snowden disclosures
o No common understanding yet in legal and IT society how to apply it in practice
o Still it raises Nordic companies concern about foreign datacentre and cloud services.
o Companies are evaluating migration to Russia
o On 1st of September 2015 new update was submitted to the Parliament


Legal scenarios

Scenarios:
1. Soft. New law updates to allow basic* personal data to be stored abroad according to current requirements.
2. Strict. New law updates to specify all personal data to be stored and processed exclusively in Russia.
3. Unclear. No updates when law comes into effect.

* Data like name and contacts. Not including finance, health etc.


Details on the law

On 24 June 2014, the draft amendments to the Russian Federal Laws On Personal Data and On Information, Information Technologies and Protection of Information were introduced to the Russian Parliament. The amendments were promptly signed off by the upper chamber of the Parliament, the Federation Council, on 9 July 2014. This draft law became law (the "Law") on 21 July, when it was signed by the President, and comes into effect on 1 September 2015.

“A data operator when collecting personal data of the Russian citizens including, among others, on the Internet, must ensure that the personal data is recorded, systemized, accumulated, stored, updated and gathered by using the data bases which are situated in Russia.”

• Personal data = e.g. name. Apparently, no exceptions are made for different types of personal data.
• At this moment there are no instructions or guidelines issued by any Government agency as to how the law shall be implemented.
• Our customers are responsible for complying with personal data law (if they hire us for outsourcing services -> data handling instructions -> act according to their instructions).
• This affects all Tieto services, if personal data of Russian citizens is stored outside Russia.

Publications in media:
• http://www.twobirds.com/en/news/articles/2014/global/amended-federal-law-on-personal-data-russia
• http://webforms.hannessnellman.com/SnapshotFiles/c00d649a-0118-40e9-9176-b464fd5394fa/Subscriber.snapshot?clid=98450347-0b08-4de3-998e-f384bdda127c&cid=7ae18867-1a46-401e-8124-a10a33f773c9&ce=a61Y475E62FTB8NLHK71uuZhxVzHw5om


Tieto solution


• To locate Russian personal data in Tieto datacenter in Moscow
• It’s operated by Tieto from EU with the necessary support from Tieto personnel in Russia


Scheme of Personal Data (PD) processing

[Diagram: a border separates the Russian location from the foreign location. Elements shown on either side: data collection of PD, data base with PD, and data processing (use, transfer (distribution, provision of access), depersonalization, blocking, deletion, destruction of Personal Data). Configurations are marked Allowed or Prohibited.]


Tieto Cloud HUBs with “Capacity on Demand” services

Tieto Cloud HUBs of Data Centers
- Moscow
- Helsinki
- Stockholm


Moscow Data Centre

Moscow DC is located south of Moscow, in one of the biggest DC complexes and a government scientific centre of computing hardware.

It is also a place with exceptional security, fire protection, independent power supply sources and a massive Internet/data channels communication hub, offering Tier 3 compliance.


International Certificates

The certificate covers all the activities of Tieto Russia, including Moscow Data center, technology support staff, offices.


Our Solution - Capacity service at Tieto?

• Tieto’s Capacity Services are built on top of the server and network operations.
• The services run on the shared, standardised infrastructure consisting of shared IT hardware, shared system software, shared applications, shared management systems, and shared operations staff.
• Capacity Services involve a variety of managed services, hardware, and software as a predefined package.
• Tieto takes care of customers’ needs and provides the right amount of capacity according to capacity planning performed with the customer.
• Tieto has been successfully offering capacity services since 2006. Today, thousands of systems use Capacity Services.


Our solution

Lower TCO / Demand management / Risk sharing / Agility and adaptability

• No capital investments
• Better control over capacity costs, more dynamic adaptation to the needs.
• Reduced total cost of ownership (TCO)
• Shared capacity platforms, tools, resources etc. Agility to adapt to changes

[Charts: Reserved physical capacity; Reserved virtual capacity. Axes: C = capacity, T = time (ti). Labels: C = stepwise; C = citi, stepwise configurable.]


© 2009 Tieto Corporation

Connectivity and information security services

Roman Sulitsky
Sales Executive
Tieto, Managed [email protected]


Tieto ICT Infrastructure services

[Diagram labels: Digitalised Business Services; Business Application Services; Infrastructure Services: Service Centre, Consolidation & Optimisation, Digital Workplace Management, Application Operations, Server Operations, Messaging & collaboration, Capacity Services, Connectivity & Information Security.]


Contents

• Value proposition
• Benefits
• Business environment
• Information security services


Tieto Information Security definition

Information security services ensure business information, applications and resources confidentiality, integrity and availability by:

• Protecting the information against unauthorised and/or unintentional disclosure, use and modifications.
• Assuring the information accuracy, completeness and reliability
• Ensuring timely access to business information for authorised users.


Information security - challenges

• The existing scattergun approach to IT security that involves organisations deploying a range of point-based protection solutions is not good enough.
• Security architectures must be driven by business needs and sensitivity of the information, analysis of the risk and threats involved, and regulatory compliancy requirements – rather than by adding on extra protection layers each time new threats pop up.
• Holistic information security management maximises the functional value of the existing security investments, and extends the value by adding in integrated management and operations services.


Drivers for Information security

• Information security is about managing threats and risks related to enterprise Business applications and business data.
• The role of internet is growing, linking customers, suppliers and partners to value creating networks
• The ICT infrastructures are ever more complex, decentralised and consist of increasing number of software components opening new vulnerabilities and potential security holes.
• The more digitalised business processes, the more central and important is the role of information security
• => Leading to increased risks of business data loss and information theft, intrusions, virus attack, information tampering, fraud etc.

[Diagram: Business risks: Information risks, Operational liability risks, Interruption risks, Environmental risks, Storage & transport risks, Product liability risks, Intellectual property risks, Personnel risks.]


Information security market requirements

• Information security will increasingly become part of the core ICT infrastructure. *
• Information security services have a more holistic and business centric approach
• Sourcing information security services from Managed security services providers (MSSP) will become more popular. *
• The complexity of information security operations will increase due to new technologies, tools and competences required.
• Security-specific SLAs will be introduced.
• eLearning and other methods to increase the employees' general skills and awareness concerning information security have become a key focus
• Security operations require full global 24 / 7 / 365 services.


Information security services guiding principles

[Diagram. Row labels: Objective, Strategy, Approach, Economics, Service value. Content: Ensure business data confidentiality, integrity and availability; Recognise threats, Manage vulnerabilities and risks, Holistic approach; Managed information security services; Business based security policy, Security management, Security operations; Improved operational continuity, Reduced risk of downtime.]


Tieto value proposition

• Recognise threats
• Manage vulnerabilities
• Holistic approach


Recognise threats - and manage them as risks

• Recognise information security threats embedded in enterprise business operations and transform them to manageable risks.
• Implement security policies to have a mechanism to communicate potential information security threats and provide rules and instructions how those threats can be avoided or mitigated
• Prioritise potential threats and direct the protection actions against most likely threats (cost-benefit).
• Keep the recognised threats and vulnerabilities inventory up-to-date and provide early warning services to increase proactively the information security services responsiveness


Manage vulnerabilities & related risks - ensure business continuity

• Threats vary widely in how they perpetrate damage, taking advantage of the complexity and heterogeneity of modern IT infrastructures (vulnerabilities).
• Most IT infrastructure elements that outwardly may look identical can actually be different due to release versions installed and patches applied
• Vulnerabilities are often devised to take advantage of vulnerabilities within particular code sets, such as particular product versions, or even a combination of inter-operational products
• Tieto Information security services manage these risks (vulnerabilities) proactively from the business continuity point of view using worldwide information network and security technology supplier sources


Use holistic approach – Wide range of Expertise and solutions

• Tieto provides a wide range of expertise, long experience and tested solutions in the Information security area.
• Tieto has an MSSP (managed security services provider) type of approach, covering from strategic level security policies consultancy to operations and technology solutions
• Information security management consultancy services to recognise threats and vulnerabilities, establish information security policies, consult in information security technology and solutions and add proactive audit and early warning services
• Information security services to operate on 24 / 7 basis the information security platform and handle related alerts, incidents and service requests.


Tieto Information Security Services Offering

Security Operations
• Platform Security
• End-point Security
• Boundary Protection
• Identity Management

Security Management
• Security Audits
• Security Early Warnings
• Security Consultancy
• Security Policy


Information Security Policy

• Information security policy helps you to put your security strategy into practice.
• Security policy is a result of clear, well-defined security rules, which has been put together from the business point of view.
• Security policy gives the overall guidelines to the organisation concerning information security topics.

• Global Network Security Management Policy
• Firewall Management Policy
• Data Access Authorisation and Protection Policy
• Virtual Private Networks Policy
• Mobile Computing Policy
• Voice Systems Security Policy
• IDS and Monitoring Policy
• Operating System Security Policy
• Web / E-mail Content Filtering Policy
• Directory Services Policy
• HW Sanitisation and Disposal Policy
• Network Security Documents Release Policy
• Third Party Connectivity Policy
• Vulnerability Assessment Policy
• Modem Usage Policy
• Wireless Policy
• Distributed Application Assessment Policy
• Security Patch Policy
• Authentication & Public Key Infrastructure Policy
• Remote Access Security Policy
• eMail and Instant Messaging Policy
• Server Registration & Decommissioning Policy
• User Administration Policy
• Password Policy


Information Security Consultancy

• Information security consultancy protects your business data and systems effectively and consults your business management in information security strategy, architecture and security services.

[Diagram: Information Security Organisation. Layers: Security Strategy, Security Architecture, Security Services, Trusted Business Operations. Elements: Business strategy, Policies, Continuity, Risk Framework, Legal Framework, Processes, Technology, People & Skills, Identification, Forensics, Administration, Directories, Authentication, Authorisation, Access Controls, Audits, Risk Policy Vulnerability Audit.]


Information Security Audits

• The objective of security audits is to proactively discover the ICT infrastructure vulnerabilities.
• An audit is a fast and thorough analysis of the organisation’s ICT infrastructure security level.
• The result is a compact and clear report, which prioritises the development areas according to their potential business impact.
• The service is provisioned as a one-off audit of a certain information security area or as an on-going automated service, e.g. network client audits, policy compliancy audits


Information Security Early Warnings

• Ensures that Customer’s information security organisation is constantly aware of current internal vulnerabilities and general external threat level
• Early Warning service is based on the international CVE system (Common Vulnerabilities and Exposures) and information sharing between security technology suppliers.
• The service delivers notification of vulnerabilities and examines which of these will affect the customer’s ICT infrastructure.
• Based on early warning notifications the Customer can proactively plan counter measures
• Early warning information is also used to set enterprise security alert level codes, to make the enterprise more prepared to tackle specified threats


Information Security Operations

• Incident / Problem Management
• Service Request Management
• Business Impact Management
• User satisfaction & feedback
• Communication & Information Distribution
• elearning
• Identity management
• Customer Site Services

[Diagram labels: Customer; Phone, Email, Web; Self-Services; Automated Services; Single point of contact; Service Desk; 24/7 Control Desk; Security Operations; Service requests, Incident or problem tickets; Systems Monitoring; Routing to Partner; Digitalised business Services; Business Application Services; Infrastructure Services.]


Security Desk part of Tieto Service Centre

• Centralised Security Desk to operate enterprise information security services and Service Desk to support users and handle service requests
• 24 / 7 System monitoring, alerts and incident handling.
• Centralised security software update distributions e.g. virus protection fingerprint updates
• Centralised automated software security patch distributions
• Centralised place to activate security counter measures, isolate problems to minimise damages and initiate management escalations in case of catastrophe


Identity Management

• User account management
• User certificate management
• Metadirectory management
• Single-sign-on


User account management

• Allows role-based and centralised provisioning and administration of user accounts.
• Controls access rights for different business applications, services and network resources, for example servers, applications, document repository, file services, remote access systems, and mainframes etc.
• Automated provisioning of accounts, so that a user can request a new standard account and access rights as a self-service via the Customer Portal.
• When an employee leaves the company all account and access rights can be turned inactive immediately and centrally deleted after the quarantine period.


User certificate management

• Centralised management of digital user certificates stored on cryptographic smart cards or USB tokens.
• The service includes generation, certification, storage, archive, recovery and revocation of keys
• User certificates are used to control access to resources, platforms, applications, and databases. A user is authenticated through a certificate stored on a cryptographic card or USB token.
• User certificate related service requests can be dealt with using self-services on Customer portal.


Meta directory management

• Employees, customers and partners can be managed either in one or in multiple and heterogeneous LDAP directories
• TE Meta directory management service combines heterogeneous LDAP environments into one meta-directory either via consolidation or by providing a meta view and allowing interoperability (for example, based on X.500) across these different LDAP-based directories.
• Supported LDAP directories include
  • MS Active Directory
  • iPlanet/SUN ONE
  • Lotus Notes
  • OpenLDAP
  • etc.


Single sign-on

• How can users remember an increasing number of passwords, without storing them somewhere and compromising information security?
• Recent Gartner study claims over 35 % of all Service Desk incidents are related to resetting standard user passwords.
• TE single sign-on service simplifies password-related operations without compromising information security.
• Single sign-on service supports both Web and Non-Web applications
• Users can reset their passwords through Customer Portal self-healing functionality
• TE Service Centre includes 24/7 based password and access violation monitoring and alert handling.


Boundary Protection

• Internet connections
• Partner and customer connections
• Intrusion detection and prevention
• Enterprise e-Mail Security
• Web virus protection & content filtering


Internet connections

• Controlled and managed data gateway and channel between the corporate network and Internet
• Firewall and proxy/cache management
• Typical Internet connection related information security threats are:
  • IP Spoofing
  • E-mail attacks
  • Fragmentation attacks
  • Backdoor & remote administration
  • Service scanning
  • MAC address verification
  • Buffer overflows
  • DNS reply spoofing
  • FTP attacks
  • Hidden file extensions
  • Port scanning
  • Syn Flood
  • IP option irregularities
  • DoS attacks


Partner and customer connections

• Provides secure point-to-point access for customers and partners to enterprise network to be able to share business applications and data
• Information security services:
  • Authentication / Access Controls
  • Data encryption
  • Event accounting and auditing
• Access methods like HTTP, XML, FTP, EDI etc. are supported
• Secure Internet connections to and from customers like VPN, SSL etc.


Intrusion detection and prevention

• Intrusion detection and prevention service monitors systems and network traffic with the goal of identifying signs of unauthorised intrusion.
• The service covers both host based and network based approaches and it includes intrusion prevention, which automatically prevents the attack from causing any damage.
• Intrusion detection and prevention service deals with both internal and external intrusion attempts.
• The service includes keeping the signature files up-to-date and continuously maintaining the pre-configured rule base.


Enterprise e-Mail information security

• Enterprise e-mail system is protected against virus attacks and spam e-mails
  • The information security level can be further enhanced with e-mail content and image controls and e-mail message encryption services.
• Enterprise e-mail system is protected using 3-layer architecture
  • Gateway level protection
  • Server level protection
  • Client level protection


Web virus protection and content filtering

• Monitors and controls inbound and outbound web traffic from Customer’s enterprise network to Internet.
• Prevents malicious code and unwanted computer programs and file content from entering Customers' terminal equipment and servers.
• Provides virus protection and content filtering infrastructure to monitor and control the web traffic according to Customer defined security rules and Internet policy.


Platform Security

• Web server SSL certificate management
• Server virus protection
• Mainframe cryptography & key mgmt
• Security patch management


Web server SSL certificate management

• The service provides a centralised process for purchasing and commissioning SSL certificates for Customer's web servers.
• Certificates used are issued by well known and authorised SSL certificate providers.
• Certificates are managed and maintained in a centralised repository
• Web server SSL Certificate management service ensures that defined servers and server platforms are equipped with valid SSL certificates at all times.


Server virus protection

• The service provides virus protection to Customer’s servers and server platforms.
• The Service is operated from centralised TE Service centre and technical support (Security Desk)
• Service monitors on a 24/7 basis that the virus protection system is operational and handles possible discovered virus incidents.
• Virus signature file updates are delivered automatically from Security Desk
• All security software updates are tested in a test environment before releasing the updates to Customer environment.

Page 49: Tieto - Transfer of International Companies’ Corporate IT Systems to Russia and their Local Support

Mainframe cryptography and key management

• Mainframe cryptography and key management services consist of installation, operations and maintenance of cryptographic services for mainframe production, testing and possible backup environments.

• Mainframe cryptographic services are used for centralised management of encryption keys for different business applications.

• The service provides an application interface for centralised mainframe cryptographic services and supports different application-specific key management models.

Page 50: Tieto - Transfer of International Companies’ Corporate IT Systems to Russia and their Local Support

Security patch management

• The security patch management service provides a single point of control to maintain the version integrity and vulnerability level of systems and platforms.

• Security patch management is operated on a 24/7 basis by TE Service centre and technical support (Security Desk).

• Security patch management is a natural extension of the Early Warning service, which provides proactive input on which security patches should be deployed and when.

• Security patch management also includes “emergency patching”, which is a forced priority update normally deployed only in the case of a major catastrophe.

• All published security patches are tested in a test environment before releasing the updates to automated distribution.

Page 51: Tieto - Transfer of International Companies’ Corporate IT Systems to Russia and their Local Support

End-point Security

End-point Security services:

• Remote client connections

• Client information security

Page 52: Tieto - Transfer of International Companies’ Corporate IT Systems to Russia and their Local Support

Remote client connections

• Single client access to the enterprise network, typically through the Internet (home office PC, laptop access from airport or hotel room, mobile phone accessing e-mail and calendar over the cell phone network etc.)

• Supported access methods like VPN client, SSL VPN, RAS, GSM, xG

• Information security services:
  • Authentication / Access Controls
  • Data encryption
  • Event accounting and auditing

• Typical clients: desktops, laptops, PDAs and smart phones.

Page 53: Tieto - Transfer of International Companies’ Corporate IT Systems to Russia and their Local Support

Client information security

• Centralised client virus, spy-ware and ad-ware protection

• Automated fingerprint file updates from Tieto Service Centre with recovery and clean-up support

• Personal firewall for mobile laptop users

• Hard disk data encryption

• Proactive information security scans

• Security and browser setting

• Gatekeeper services when connected to enterprise network

• Security products installed and operational

Page 54: Tieto - Transfer of International Companies’ Corporate IT Systems to Russia and their Local Support

Service governance

A governance model which improves service value, manages the service lifecycle and service performance, costs and quality

Tieto Service Governance model:

• Strategic governance: Improving value

• Tactical governance: Ensuring performance

• Operational governance: Optimising operations

Service Governance organisation:

• SVA, Leadership team

• SLA, Management team

• ITIL, Delivery team

Page 55: Tieto - Transfer of International Companies’ Corporate IT Systems to Russia and their Local Support

Contents

1 Business environment

2 Information security services

3 Value proposition

4 Benefits

Page 56: Tieto - Transfer of International Companies’ Corporate IT Systems to Russia and their Local Support

Tieto as Managed Security Services Provider (MSSP)

• Manage vulnerabilities proactively and increase your information security service responsiveness

• Operate your information security platform 24/7 from centralised Security Desk

• Wide range of independent consultancy services to protect your enterprise business systems and data

• Identify and manage threats and compliance issues, using information security policies

Page 57: Tieto - Transfer of International Companies’ Corporate IT Systems to Russia and their Local Support

Changing perspectives

Roman Sulitsky, Sales Executive, Tieto, MS [email protected]