Security in Yandex.Cloud

Smart approach to architecture design and development, compliance with industry standards and legal requirements, infrastructure security and data protection.

We invest in security during the development and operation of the Yandex.Cloud

Security by Design

The Security Development Lifecycle (SDL) helps us identify and manage risks when designing platform services and during their operation. SDL implementation reduces the number and severity of errors that lead to exploitable vulnerabilities.

Defense in Depth

Yandex.Cloud security employs a set of security tools at different levels to safeguard against a single threat. This approach increases the cost of any potential attack and lets us quickly identify and prevent unauthorized activities of attackers.

Yandex.Cloud complies with Federal Law No. 152 and meets industry standards

FZ-152

The Yandex.Cloud platform satisfies the requirements under Federal Law No. 152 “On Personal Data”.

For the Yandex.Cloud services, measures were taken to protect personal data pursuant to Resolution No. 1119 and FSTEC Order No. 21 regarding requirements for 3rd-level protection.

GDPR

The General Data Protection Regulation (GDPR) provides for the collection and processing of personal data of individuals located in the European Economic Area. It was designed to strengthen personal data protection and ensure the transparency of data collection, storage, and processing.

ISO standards

We endeavor to ensure the systems and data our clients host at Yandex.Cloud are secure. This is why we built an information security management system (ISMS) that satisfies the strict requirements of the International Organization for Standardization (ISO). The Yandex.Cloud ISMS was audited by an international team from BSI. Based on their findings, we were certified ISO 27001, ISO 27017, and ISO 27018 compliant.

ISO 27001

The standard defines the requirements for information security management systems, as well as for their implementation, operation, maintenance, and regular improvement. The ISO 27001 guidelines help organizations guarantee a high level of security for their core information assets.

ISO 27017

The standard includes a set of practical information security recommendations for cloud providers. These recommendations, specifically for cloud service providers, supplement the ISMS implementation requirements set out in ISO 27001.

ISO 27018

The standard addresses the security of personal data processed by cloud service providers. The standard sets out practical information security recommendations for protecting the personal information that clients entrust to the cloud provider. These recommendations complement the requirements of the basic standard, ISO 27001.

PCI DSS

PCI DSS contains a set of requirements for cardholder data protection. These requirements are mandatory and apply to all companies that process data from payment systems like Visa, MasterCard, American Express, JCB, and MIR.

We provide comprehensive security for our cloud infrastructure

Physical security

All Yandex.Cloud availability zones are PCI DSS certified.

Yandex.Cloud hardware resources are hosted in our own data centers in the Russian Federation. All data centers are connected by our own communication channels.

The facilities are subject to continuous video surveillance.

Access to data centers is strictly regulated. Guests and Yandex.Cloud employees who don’t permanently work there can only enter if permission is granted ahead of time.

The storage and destruction of data-bearing devices, and access to them, are subject to additional security measures.

Monitoring

The Yandex Security Operations Center (SOC) provides 24/7 monitoring of the cloud platform. Logs collected from various infrastructure components are sent to the SIEM system, as are alerts triggered by the security tools that monitor physical server operating systems, databases, networks, and other platform infrastructure services. Automatic event correlation and the work of SOC analysts allow us to identify security breaches early and respond quickly.

Data protection

The owner of data hosted in the cloud is always the cloud platform user. Yandex.Cloud doesn’t use client data hosted on platform resources for any purpose other than those outlined in the agreement, and it notifies the client of all incidents that affect the client’s data, except where applicable law or contract provides otherwise.

Data encryption

All cloud services store user data in encrypted form.

Yandex Object Storage encrypts data with a separate set of keys from other services prior to writing the data to a physical disk.

Managed DBMS services encrypt all backups before sending them to permanent storage. For encryption, a unique asymmetric encryption key pair is used for each user.

Data transferred over the internet is protected by the TLS protocol.

Deleting data

When data is deleted, a reliable cleanup method is used to ensure the data has been irreversibly deleted and can’t be restored. The terms, conditions, and timeline for permanently deleting data are set out in the Customer Agreement.

Shared responsibility

Systems that use cloud services require security responsibilities to be divided between the client, who owns the system, and the provider, who owns the cloud infrastructure the system uses. This division changes based on the cloud service model used by the client system (IaaS, PaaS).

[Table: responsibility for each process under On-premise infrastructure, IaaS, and PaaS, with each cell assigned to either the Client or Yandex.Cloud. Processes: Data access management; OS and application security; Network security (Overlay); Redundancy; Encryption; Audit logs; Data storage and hardware security; Network security (Underlay); Physical security and disaster recovery.]

Launch your infrastructure on a secure cloud platform

Please contact us with any security or migration-related questions