Security in Yandex Cloud

A smart approach to architecture design and development, compliance with industry standards and legal requirements, infrastructure security and data protection.

We invest in security during the development and operation of Yandex Cloud

Security by Design
The Security Development Lifecycle (SDL) helps us identify and manage risks when designing platform services and during their operation. SDL implementation reduces the number and severity of errors that lead to exploitable vulnerabilities.
Defense in Depth
Yandex Cloud security employs a set of security tools at different levels to safeguard against a single threat. This approach increases the cost of any potential attack and lets us quickly identify and prevent unauthorized activities of attackers.

Yandex Cloud complies with local regulatory requirements and meets industry standards


The General Data Protection Regulation (GDPR) provides for the collection and processing of personal data of individuals located in the European Economic Area. It was designed to strengthen personal data protection and ensure the transparency of data collection, storage, and processing.

ISO standards

We endeavor to ensure the systems and data our clients host at Yandex Cloud are secure. This is why we built an information security management system (ISMS) that satisfies the strict requirements of the International Organization for Standardization (ISO). The Yandex Cloud ISMS was audited by an international team from BSI. Based on their findings, we were certified ISO 27001, ISO 27017, and ISO 27018 compliant.

The standard defines the requirements for information security management systems, as well as for their implementation, operation, maintenance, and regular improvement. The ISO 27001 guidelines help organizations guarantee a high level of security for their core information assets.

The standard includes a set of practical information security recommendations for cloud providers. These recommendations, specifically for cloud service providers, supplement the ISMS implementation requirements set out in ISO 27001.

The standard addresses the security of personal data processed by cloud service providers. The standard sets out practical information security recommendations for protecting the personal information that clients entrust to the cloud provider. These recommendations complement the requirements of the basic standard, ISO 27001.


PCI DSS contains a set of requirements for cardholder data protection. These requirements are mandatory and apply to all companies that process data from payment systems like Visa, MasterCard, American Express, JCB, and MIR.

Russian regulatory

The Yandex Cloud platform has received an accreditation of compliance of its personal data information systems with security requirements for information and personal data. The certificate confirms that the platform fully complies with all the requirements of Federal Law No. 152 “On Personal Data,” Resolution No. 1119 of the Government of the Russian Federation, Order No. 21 of the FSTEC, and provides Level 1 security for processed personal data.

GOST R 57580

GOST R 57580 is a Russian national standard for the security of banking and financial transactions. The standard has been mandatory for all credit and non-credit financial organizations operating on the territory of the Russian Federation since its introduction on January 1, 2018.

The compliance of the cloud platform’s services with this standard helps organizations that host their systems and applications in the cloud to meet the requirements of the Central Bank and to ensure that their own systems running in the cloud comply with the standard.

Cloud Security Alliance

The Yandex Cloud platform is a corporate member of the Cloud Security Alliance, an international organization dedicated to developing and raising awareness of best practices in information security for cloud services.

Yandex Cloud meets the requirements of the Security, Trust, Assurance and Risk (STAR) program at Level 1: Self-Assessment.

We provide comprehensive security for our cloud infrastructure

Physical security

All Yandex Cloud availability zones are PCI DSS certified.

Yandex Cloud hardware resources are hosted in our own data centers in the Russian Federation. All data centers are connected by our own communication channels.

The facilities are subject to continuous video surveillance.

Access to data centers is strictly regulated. Guests and Yandex Cloud employees who don’t permanently work there can only enter if permission is granted ahead of time.

The storage and destruction of data-bearing devices, and access to them, are subject to additional security measures.


The Yandex Security Operations Center (SOC) provides 24/7 monitoring of the cloud platform. Logs collected from various infrastructure components are sent to the SIEM system. Alerts triggered by the security tools that monitor physical server operating systems, databases, networks, and other platform infrastructure services are also sent there. Automatic event correlation and the actions of SOC analysts allow us to identify security breaches early and respond quickly.

Data protection

The owner of data hosted in the cloud is always the cloud platform user. Yandex Cloud doesn’t use client data hosted on platform resources for any purpose other than those outlined in the agreement, and notifies the client of all incidents that affect the client’s data, except in cases otherwise established by applicable law or contract.

Data encryption

All cloud services store user data in encrypted form.

Yandex Object Storage encrypts data with a separate set of keys from other services prior to writing the data to a physical disk.

Managed DBMS services encrypt all backups before sending them to permanent storage. For encryption, a unique asymmetric encryption key pair is used for each user.

Data transferred over the internet is protected by the TLS protocol.

Deleting data

When data is deleted, a reliable cleanup method is used to ensure the data has been irreversibly deleted and can’t be restored. The terms, conditions, and timeline for permanently deleting data are set out in the Customer Agreement.

Shared responsibility

Systems that use cloud services require that security responsibilities be divided between the client, who owns the system, and the provider, who owns the cloud infrastructure the system runs on. This division changes based on the cloud service model used by the client system (IaaS, PaaS).

On premise infrastructure
Data access management
OS and application security
Network security (Overlay)
Audit logs
Data storage and hardware security
Network security (Underlay)
Physical security and disaster recovery
Yandex Cloud
