Virtualization for banks: how to ensure compliance with STO BR IBBS

This article focuses on the banking industry information security standard STO BR IBBS. It is the last in a series of publications on the constraints that arise when information systems are deployed with a professional IT infrastructure service provider, such as compliance with the PCI DSS standard and the requirements of 161-FL.

What does STO BR IBBS stand for?

The Bank of Russia standard on information security (IS) for organizations of the Russian banking system (STO BR IBBS) describes a unified approach to building an information security assurance system that meets the requirements of Russian legislation. It applies to organizations of the Russian banking system and to the organizations that assess their compliance with the information security requirements of the standard. From time to time there are reports that the standard will be extended to all organizations supervised by the Central Bank, including non-bank financial institutions (investment companies, investment funds, insurance companies, pension funds, pawnshops and trust companies).

It is important to note that, by law, this standard is a recommendation. However, standards and other standardization documents become mandatory for an organization once it voluntarily decides to adopt them. According to the Central Bank of the Russian Federation, 510 organizations have adopted the standard to date.

Composition of STO BR IBBS

Normative documents of the Bank of Russia, with a summary of each:

Standards

– Bank of Russia Standard “Information security of organizations in the Russian banking system. General provisions” (STO BR IBBS-1.0-2014): defines the overall concept of building a comprehensive information security system, the general requirements for information security, and the requirements for the information security management system.

– Bank of Russia Standard “Information security of organizations in the Russian banking system. Methods for assessing the conformity of information security of organizations in the Russian banking system with the requirements of STO BR IBBS-1.0-2014” (STO BR IBBS-1.2-2014): standardizes the approaches and methods for assessing how well organizations in the Russian banking system conform to the information security requirements of STO BR IBBS.

– Bank of Russia Standard “Information security of organizations in the Russian banking system. Information security audit” (STO BR IBBS-1.1-2007): defines the basic scheme, principles and steps of an information security audit of an organization in the Russian banking system.

Recommendations

– Bank of Russia Recommendations in the field of standardization “Information security of organizations in the Russian banking system. Preventing information leaks” (RS BR IBBS-2.9-2016): contains recommendations for protecting confidential information against possible leakage, including recommendations for determining the categories of potential insiders and the potential channels of information leakage.

– Bank of Russia Recommendations in the field of standardization “Information security of organizations in the Russian banking system. Ensuring information security in the use of virtualization technology” (RS BR IBBS-2.8-2015): establishes the main directions for ensuring information security when virtualization technology is used and gives recommendations in each area.

– Bank of Russia Recommendations in the field of standardization “Information security of organizations in the Russian banking system. Resource provision for information security” (RS BR IBBS-2.7-2015): defines the purpose of resource provision for information security and a methodology for assessing the maturity and effectiveness of information security systems (SOIB).

– Bank of Russia Recommendations in the field of standardization “Information security of organizations in the Russian banking system. Information security at the stages of the automated banking systems life cycle” (RS BR IBBS-2.6-2014): gives recommendations for ensuring the information security of automated systems at all stages of the life cycle, from requirements specification and design to decommissioning.

– Bank of Russia Recommendations in the field of standardization “Information security of organizations in the Russian banking system. Management of information security incidents” (RS BR IBBS-2.5-2014): gives recommendations on implementing, operating, monitoring and maintaining information security incident management processes at a proper level.

– Bank of Russia Recommendations in the field of standardization “Information security of organizations in the Russian banking system. Methods for assessing the risk of information security breaches” (RS BR IBBS-2.2-2009): defines a common approach to assessing the risk of information security breaches and the procedures for such risk assessment.

– Bank of Russia Recommendations in the field of standardization “Information security of organizations in the Russian banking system. Guide for self-assessment of the compliance of information security of organizations in the Russian banking system with the requirements of STO BR IBBS-1.0” (RS BR IBBS-2.1-2007): defines the areas of self-assessment and the methods used in each of them.

– Bank of Russia Recommendations in the field of standardization “Information security of organizations in the Russian banking system. Methodical recommendations on information security documentation in accordance with the requirements of STO BR IBBS-1.0” (RS BR IBBS-2.0-2007): describes the structure of the information security documents required by STO BR IBBS.

Source: IBS DataFort, 2016

It should be noted that many large organizations in the banking system already make wide use of virtualization technology on their own infrastructure, while medium-sized and small organizations often consider placing their information systems with a professional IT infrastructure service provider that uses modern technology, including virtualization.

Virtualization complying with STO BR IBBS

One of the most common arguments against transferring information systems to an outside IT service provider is that the requirements of STO BR IBBS supposedly cannot be met there. In fact, such a transfer is possible. The information security requirements for access control and logging, antivirus and cryptographic protection, and the use of Internet resources are the same for physical and virtual computing environments. Data processing in a virtual environment does, however, have its own characteristics that need special attention.

Let us consider in more detail the document “Bank of Russia Recommendations in the field of standardization. Information security of organizations in the Russian banking system. Ensuring information security in the use of virtualization technology” (RS BR IBBS-2.8-2015). It contains 8 groups of recommendations: separation of information flows and isolation of virtual machines; information security of virtual machine images and of the virtual machines themselves; virtualization server components; the storage area network (SAN); user workstations (terminals and personal computers) used with virtualization technology; information security monitoring; and the composition of information security staff roles and the division of powers of operating personnel.

The IT infrastructure services offered by IBS DataFort for computing power and data storage capacity include, among other things, information security services that correspond to all of the above recommendations.

Services to implement the recommendations of STO BR IBBS

Each entry below gives a group of recommendations from RS BR IBBS-2.8-2015, followed by the services provided by IBS DataFort to implement it.

Recommendations for separating information flows and isolating virtual machines
Recommendation: place VMs of different security contours on different host servers; allow access to a VM only from workstations included in that VM's security contour (restricted at OSI layer 3 or above, and with the help of certified information protection tools); allocate separate logical RAM areas to VM groups of different security contours; prohibit information exchange between VMs through the shared resources of the physical host server; and others.
Services provided by IBS DataFort: certified* virtualization protection tools:

– firewall;

– virtualization platform protection tools;

– implementation of the recommended virtualization settings that enhance its information security.

Recommendations for ensuring the information security of virtual machine images
Recommendation: document the life cycle of base VM images; place dedicated information protection tools on individual VMs or computing equipment; deploy base images on a dedicated test environment and verify them for information security; implement information protection tools and software updates; etc.
Services provided by IBS DataFort: certified* virtualization protection tools; a documented life cycle process for base VM images, including a full scan of the image data and integrity checking.

Recommendations for ensuring the information security of virtualization server components
Recommendation: use dedicated workstations for administering the virtual platform and prohibit administration from any other workstation; use tools for protection against unauthorized access; control the input-output ports of the server hardware; log all critical information security events; detect malicious code; and others.
Services provided by IBS DataFort: certified* virtualization protection tools:

– firewall;

– virtualization platform protection tools;

– anti-virus protection (including certified* tools, and at the hypervisor level);

• protection of information against unauthorized access (including certified* tools) using multifactor authentication;

• infrastructure monitoring;

• monitoring and recording of information security events, including with certified tools.

Recommendations for ensuring the information security of virtual machines
Recommendation: protect VMs from malware; monitor integrity; control and log user access; and others.
Services provided by IBS DataFort: certified* virtualization protection tools:

– virtualization platform protection tools;

– anti-virus protection (including certified* tools, and at the hypervisor level);

• protection of information against unauthorized access (including certified* tools) using multifactor authentication.

Recommendations for ensuring the information security of user workstations used with virtualization technology
Recommendation: control the input-output ports of workstations (by organizational or technical measures); prevent users from reconfiguring workstations; use trusted OS boot procedures; identify and authenticate users on the virtualization server components; and others.
Services provided by IBS DataFort: certified* virtualization protection tools:

– virtualization platform protection tools;

• control and prevention of confidential information leaks (DLP);

• an information security management system confirmed by ISO 27001 certification;

• protection of information against unauthorized access (including certified* tools) using multifactor authentication.

Recommendations for information security monitoring
Recommendation: use automated information security monitoring procedures.
Services provided by IBS DataFort: certified* virtualization protection tools:

– virtualization platform protection tools;

• monitoring and recording of information security events, including with certified* tools;

• an information security management system confirmed by ISO 27001 certification;

• support for information activities in the field of information security.

Recommendations for the composition of roles and the division of powers of operating personnel
Recommendation: separate staff roles into information security administrator (AIB) and virtual machine administrator (AVM).
Services provided by IBS DataFort: certified* virtualization protection tools:

– virtualization platform protection tools;

– firewall.

Recommendations for ensuring the information security of storage
Recommendation: use separate logical partitions for each security contour; and others.
Services provided by IBS DataFort: certified* virtualization protection tools:

– virtualization platform protection tools;

– firewall;

– the possibility of providing customer services on the basis of two geographically separated sites united in a single network.

Source: IBS DataFort, 2016
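The first two points of the separation-and-isolation recommendation (no mixing of security contours on one host server, and VM administration only from a workstation of the same contour) can be checked mechanically against an inventory. The Python audit below is an added example, not code from the article or from IBS DataFort; the hosts, VMs, workstations and access records in it are constructed sample data.

```python
"""Audit a virtualization inventory against two points of the RS BR IBBS-2.8-2015
separation-and-isolation recommendation (added example with constructed data):
  1. VMs of different security contours must not share a physical host server;
  2. a VM may be administered only from a workstation of the same security contour."""
from collections import defaultdict

# Constructed inventory: VM name -> (host server, security contour)
VMS = {
    "abs-core-01": ("host-a", "payments"),
    "abs-core-02": ("host-a", "payments"),
    "hr-portal":   ("host-b", "office"),
    "abs-test":    ("host-a", "test"),      # mixes the "test" contour into host-a
}

# Constructed list of approved admin workstations: workstation -> security contour
WORKSTATIONS = {
    "ws-admin-pay":    "payments",
    "ws-admin-office": "office",
}

# Constructed admin-access records: (workstation, VM)
ADMIN_ACCESS = [
    ("ws-admin-pay",    "abs-core-01"),
    ("ws-admin-office", "abs-core-02"),    # office contour reaching a payments VM
    ("ws-unknown",      "hr-portal"),      # workstation not in the approved list
]


def mixed_contour_hosts(vms):
    """Return {host: sorted contours} for every host carrying more than one contour."""
    contours_by_host = defaultdict(set)
    for host, contour in vms.values():
        contours_by_host[host].add(contour)
    return {h: sorted(c) for h, c in contours_by_host.items() if len(c) > 1}


def cross_contour_access(vms, workstations, access):
    """Return (workstation, vm) pairs where the workstation is not approved
    or belongs to a contour other than the VM's."""
    return [(ws, vm) for ws, vm in access
            if workstations.get(ws) != vms[vm][1]]


if __name__ == "__main__":
    for host, contours in mixed_contour_hosts(VMS).items():
        print(f"host {host} mixes contours: {', '.join(contours)}")
    for ws, vm in cross_contour_access(VMS, WORKSTATIONS, ADMIN_ACCESS):
        print(f"workstation {ws} must not administer {vm}")
```

On the sample data the audit reports host-a as mixing the payments and test contours, and flags both the office workstation reaching a payments VM and the unapproved workstation.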

* Certified tools and methods are those certified by the FSTEC of Russia.

It is important to point out that the functions built into the virtualization environment protection system certified by the FSTEC of Russia are used in one way or another to implement the recommendations of every category. Built-in hypervisor mechanisms are used as well. The virtual platform administrator's workplace implements all the STO BR IBBS recommendations, including the use of certified two-factor authentication systems.

Analysis of the Bank of Russia recommendations on the use of virtualization technologies shows that there are no technical difficulties in meeting them and no restrictions on doing so. Using the standard services of professional IT infrastructure providers significantly reduces the cost of ownership of the infrastructure and the related security solutions, and significantly shortens the deployment time of information systems.

Based on years of experience providing services to financial institutions, IBS DataFort offers companies in the banking sector, including those subject to the requirements of STO BR IBBS, well-established and proven use cases of professional and secure IT infrastructure services, such as creating a backup (disaster recovery, DR) site for information systems; moving information systems that are non-core from the point of view of the main business, for example HR systems; and design and testing environments that use the provider's resources.

Ivan Gusev, Director of Information Security, IBS DataFort