We are right in the midst of the Fourth Industrial Revolution, a time when technologies like IoT, AI, ML, robotics & 3D printing are becoming increasingly prevalent in our world. All these exciting technologies can only showcase their true potential if paired with a capacity for processing & delivering huge amounts of data. Therefore, planting our feet on the ground while all this is happening simply isn’t an option anymore.
So we’ve looked up to the skies, in particular the cloud, and the shifts are borderline tectonic. 60% of the world’s corporate data is now stored on the cloud and is expected to reach a figure of 200 zettabytes by 2025. Nowadays, the surge is seen most prominently in the APAC region, with BCG claiming that public cloud adoption in the region continues to outpace growth rates registered in North America & Europe.
India, in particular, saw a whopping 29.6% growth in its cloud market from 2021 to 2022, and expects to maintain this rate for the next 5 years. Optimism for the service has hit new levels, with NASSCOM believing cloud has the potential to account for 8% of our GDP in 2026, resulting in 14 million new jobs in the sector.
With so much of our information on the cloud these days, it is imperative to have safeguards in place to ensure utmost security when it comes to data. This is especially important in fields like finance, where regulation is essential for ensuring stability & integrity of our financial system. We must protect our customers and do our utmost to prevent financial crimes like money laundering, fraud, and insider trading.
To that end, back on the 6th of March this year, the Securities & Exchange Board of India (SEBI), the regulating authority for the Indian securities market, released a framework aimed at regulating and standardizing the use of cloud computing services by SEBI’s Regulated Entities (REs).
Now, does your organization qualify as one of SEBI’s REs? Yes, if they are one of the following:
- Stock Exchanges
- Clearing Corporations
- Depositories
- Stockbrokers Through Exchanges
- Depository Participants
- Asset Management Companies
- Mutual Funds
- Qualified Registrars to an Issue & Share Transfer Agent
- KYC Registration Agencies
Let’s now take a look at the 9 core principles that constitute this framework.
Principle 1: Governance, Risk & Compliance (GRC) Sub-Framework
This sub-framework sets in motion the defined structures & mechanisms for the 3 aforementioned facets. The governance sub-framework contains details of cloud adoption and types of services to be onboarded on cloud, post an analysis on data classification and criticality.
The risk management sub-framework deals with identifying your most prized assets, and the subsequent dangers that can possibly befall them.
Finally, the compliance sub-framework ensures you are in sync with the applicable regulations. An example is a possible country risk if your cloud service provider (CSP) is from another country – in that case, you should be fully aware of that country’s regulations.
Principle 2: Selection of CSPs
This principle sets an initial guardrail when it comes to selecting an ideal CSP, i.e., REs can only utilize CSPs empanelled by the Ministry of Electronics & Information Technology (MeitY) that store and process data exclusively in validly audited Indian data centres.
Principle 3: Data Ownership & Localization
The data ownership aspect of this principle entails that REs will retain complete ownership of all their data and logs, encryption keys, etc.
The localization aspect states that data should reside and be processed within the legal boundaries of India. So, for example, if you’re deciding to go with a foreign CSP, you must ensure that their processes come under the purview of the Indian legal system.
Principle 4: Responsibility of the Regulated Entity
The crux of this principle is to convey that the ultimate responsibility of cloud operations lies in the hands of the RE. Their primary responsibilities include availability of cloud applications, confidentiality, integrity & security of their data logs, and ensuring compliance.
However, some functions will be in the purview of the CSPs, Managed Service Providers and System Integrators, and it’s important to state that there is no joint or shared ownership for any function under these rules.
Principle 5: Due Diligence of the Regulated Entity
This principle requires the RE to undertake sufficient due diligence on the type of cloud model to be adopted, and the ideal CSP to undertake this.
Some criteria while evaluating a CSP to move ahead with includes:
- Financial soundness
- Ability to adhere to SLAs under adverse conditions
- Ability to seamlessly identify & segregate your data
- Processes involving proper screening of personnel and vendors before on-boarding
- Having controls in place to establish data ownership
Principle 6: Security Controls
This principle covers a gamut of security protocols you and your CSP must have in place:
- Watertight vulnerability management and patch management processes, including Vulnerability Assessment & Penetration Testing (VAPT)
- Access control mechanisms in place, which involves MFA for privileged accounts
- Data being encrypted in rest, in use and in motion
- Making sure the CSP keeps your data isolated and inaccessible to others in a multi-tenant cloud architecture
- Backup & recovery solutions, with checking done on the same at least twice a year
- Standard programs like Antivirus, firewall, intrusion prevention systems and Data Leak Protection (DLP) solutions
Principle 7: Contractual & Regulatory Obligations
This principle fixates mostly on compliance, to ensure your solutions adhere to all applicable laws, regulations and SEBI directives. While a lot of the requirements have been covered in previous principles, a particular example here is having a clear expunging agreement on the exit strategy with your CSP, so that your data is safeguarded moving forward.
Principle 8: BCP, Disaster Recovery & Cyber Resilience
A lot of the earlier principles focused on ways to prevent an incident or breach. This principle deals with measures you undertake once a incident occurs, so that you can recover your data and ensure business continuity. Once these procedures are set, testing becomes a mandate because doing so will help uncover gaps in your system before they become major problems.
Principle 9: Vendor Lock-In and Concentration Risk Management
And finally, the last principle deals with the possibility of you changing your CSP midway, helping you reduce risks associated with overdependence on a single CSP through distributed architectures. Easy migration, data portability and data interoperability are essential tenets of this principle.
So, there we have it. Of course, the actual SEBI circular goes way more in depth with these principles than we have – to be fair, the circular is 53 pages long – so you can look at the whole thing here.
And if you’re an RE that is yet to follow this framework, we recommend you get on it ASAP – time to comply ends about 3 months from now. Happy New Year and wish you all the best in your cloud journey!