zakonkz.com

Why is cybersecurity becoming a crucial investment for businesses?

The editorial team reached out to Yandex Cloud and an independent expert.

According to Market Data Forecast, the global big data market is projected to reach $199.6 billion by 2024. As the volume of data increases, the demand for tools for storage and processing grows. Allied Market Research reports that the big data analytics market was valued at $0.3 trillion in 2023 and is expected to reach $1.1 trillion by 2032.

Consequently, the need for information security is also rising. The more data there is, the more resources must be allocated for its protection.

In 2023, the National Cyber Incident Response Service KZ-CERT recorded a twofold increase in incidents among Kazakhstani companies — 34,500. According to Kaspersky Lab, nearly one in three Kazakh organizations (31%) fell victim to cyberattacks.

A correspondent from the Kapital.kz business information center reached out to experts from the Yandex Cloud platform in Kazakhstan and independent information security expert Evgeny Pitolin to learn how to establish protection within a company and in the cloud.

How the Growth of Data Volume Affects Information Security Requirements

Rami Muleis, head of the Cloud Trust team at Yandex Cloud, notes that the increase in data volume is linked to the rapid digitization in Kazakhstan, particularly in the fintech, government services, and marketplace sectors. “Digitization in Kazakhstan is progressing faster than the global average. The amount of data is growing, and its value is increasing. This allows businesses to gather as much information as possible about their customers and enhance service quality. However, without proper protection, opportunities for malicious actors also expand,” the expert points out.

It is important to consider not only newly implemented systems but also the existing infrastructure. “With massive data growth, more software is utilized for processing, and new systems are layered over old ones. Companies typically focus on security measures for the new infrastructure and may overlook the need to uniformly protect the entire perimeter,” reminds independent cybersecurity expert Evgeny Pitolin.

He emphasizes that the average cost of damages from data encryption and blocking can reach several million dollars. This includes downtime costs, infrastructure recovery, new equipment purchases, client compensation, and other expenses.

How Cloud Security Works: Who is Responsible for What

Rami Muleis explains that Yandex Cloud operates on a shared responsibility model, where the provider is responsible for its part, and the client is responsible for theirs, with these responsibilities clearly defined.

For instance, in the SaaS (Software as a Service) model, which powers services like Yandex DataLens for analytics and data visualization, the provider is responsible for almost all security aspects, while the client determines who has access to the system. In the IaaS (Infrastructure as a Service) model, which provides computing resources such as virtual machines, the cloud is responsible for the security of hardware, networks, log collection, and environment availability, while the client is responsible for security within their virtual environment.

The more managed the service (as with so-called managed solutions), the broader the provider's area of responsibility. Regardless of the chosen cloud operating model, the Yandex Cloud team provides clients with consultations and training, notes Vasily Purgin, product architect for security at Yandex Cloud.

Companies can also select various cloud services and use them independently to protect their data. For example, Yandex Cloud offers solutions for managing credentials, such as Yandex Identity Access Management; cryptographic data protection systems, such as Yandex Key Management Service and Yandex Lockbox; and the information security event collection service Yandex Audit Trails, among others.

Rami Muleis reports that the platform recently launched a certification for IT specialists, confirming their knowledge and skills in working with Yandex Cloud services. The provider has also developed a Cloud Infrastructure Protection Standard, which includes step-by-step instructions and checklists for security settings.

Cloud Security vs. Security in the Cloud

Dmitry Kudinin, head of Compliance at Yandex Cloud, reminds us that it is essential to differentiate these concepts. While both the client and the provider are responsible for security in the cloud, the security of the cloud itself is solely the provider's responsibility. This can be assessed through certifications, case studies, and even pricing.

“When choosing a provider, I recommend checking certifications, studying client cases, and communicating with the team. It is also crucial to evaluate the breadth of services offered by the platform and the stated SLA (service level agreement). Another factor is price. Do not skimp on security: the necessary level of service can be found in the price segment no lower than average,” adds Evgeny Pitolin.

A reliable cloud provider should have certifications that comply with local and international standards. Basic information security requirements are defined by the International Organization for Standardization (ISO). Recently, Yandex Cloud in Kazakhstan successfully passed an audit for compliance with the ISO/IEC 27001 standard.

All services that handle payment card data must adhere to the PCI DSS protection standard, established by international payment systems Visa and MasterCard. Subsequently, other payment systems, such as China's UnionPay and Russia's Mir, joined this standard. Yandex Cloud in Kazakhstan complies with the latest version 4.0.1 of PCI DSS.

“The PCI DSS standard contains around 350 requirements, and if even one of them is not met, the organization does not receive a compliance certificate. Therefore, there are no companies that comply with the standard partially,” added Dmitry Kudinin.

Local requirements include the Law of the Republic of Kazakhstan No. 94-V on Personal Data Protection and the government decree of the Republic of Kazakhstan dated December 20, 2016, No. 832, which introduced unified requirements in the field of information and communication technologies and information security.

What Advantages Do Clouds Provide and Who Can Benefit from Them

According to Rami Muleis, cloud services significantly accelerate development, reducing time-to-market. However, the choice between cloud infrastructure and in-house capabilities depends on business specifics. The cloud will provide substantial savings for companies with seasonal demand, as resources can be quickly scaled up during peak demand and unnecessary servers can be turned off during downturns. Clients pay only for the resources they use.

As Rami Muleis notes, the cloud is especially beneficial for companies that regularly update their services. This includes retail, banks, and any high-load mass service systems. “One thing is a business that needs to update its website once a year; this can be managed with its own resources. Another is high-load applications that may require daily updates. This necessitates a different level of flexibility and scalability,” the expert comments.

For large companies, storing and processing massive amounts of data may be more cost-effective in their own infrastructure. However, this does not account for additional expenses, including establishing data protection processes and compliance with regulatory requirements. This is where the assistance of a cloud provider becomes valuable. A hybrid infrastructure, where part of the data is stored in the cloud and part in the company's own perimeter, may be suitable for such cases.

“Cloud solutions are beneficial for businesses that value rapid analytics and accessible ML technologies. Furthermore, we are developing scenarios for industrial companies and government organizations,” emphasizes Rami Muleis.

According to Vasily Purgin, cloud providers have been helping companies optimize IT infrastructure support costs for many years. “However, while before, clouds were chosen for development speed, flexibility, and scalability of infrastructure, now we see a new trend: