INTRODUCTION
In recent times, various companies have started using cloud solutions to save up on infrastructural costs and for easy development and deployment of Information Technology services, The entities that provide such cloud services are called Cloud Service Providers (hereinafter referred to as the “CSPs”) These CSPs provide various cloud computing services based on the need and requirement of the clients. Though these cloud computing services provide a wide range of benefits to the users; due to internet accessibility, a threat of cyber-attacks persists.
The Securities and Exchange Board of India (hereinafter referred to as “SEBI”) released a Consultation Paper on the framework for adopting cloud computing services The SEBI has twofold intentions; to encourage the CSPs to expand and also regulate the Cloud Services in order to curtail its abuse. The article provides a brief overview of the framework issued by SEBI and the necessary principles it prescribed for the CSPs.
CONCEPT OF CLOUD COMPUTING
Cloud computing is a platform that enables convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. In other words, Cloud computing is the delivery of hosting services that are provided to a client over the Internet.
The main characteristics of Cloud Com[putting are on-demand self-serv Clouds models can be broadly classified into three types: Private Clouds, Public Clouds and Hybrid Clouds; these clouds have several distinctive characteristics. Another major classification that is present in the sector is the Cloud Service Models which are namely, Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).
THE SEBI CONSULTATION PAPER: BRIEF HIGHLIGHTS
The framework SEBI has proposed through this paper highlights the key risks and control measures that Registered Entities (hereinafter referred to as “REs”) need to ensure before adopting cloud-based solutions. also, It further sets out the regulatory and legal compliances by the RE if . Once it comes into effect, the framework shall be applicable to all REs adopting such cloud-based solutions. Those already availing of such services would have to comply with the same within a timeline as notified.
It has been established by the SEBI that no limitations are to be laid on the deployment model to be used by the RE. Moreover, the REs have the option to adopt any cloud services based on their business and technology risk assessment.
Furthermore, the IT services can be outsourced, but the REs would be solely responsible for the confidentiality, integrity, and security of its data and logs and for ensuring compliance with the prevailing laws. Additionally, the Service Provider shall be registered with the Ministry of Electronics and Information Technology (hereinafter referred to as “MeitY”).
In the case of the public cloud model, the RE should ensure that the data remains isolated and is not accessible to any other tenant and also provide additional security controls if required.
The RE shall also retain complete ownership of the data and associated data, encryption keys, logs, etc. residing in the cloud. The RE should ensure that its agreement with the CSP covers security controls, legal and regulatory compliances, clear demarcation of roles, and liabilities, appropriate services, performance standards, etc. The Data shall be encrypted at any lifecycle stage (at rest, in transit, in use), source or location to ensure confidentiality, privacy, and integrity.
Moreover, the cloud deployments of RE shall be monitored through the in-house Security Operations Centre (hereinafter referred to as the “SOC”), a third-party SOC, or a managed SOC. Necessary provisions for audit and inspection of CSP and its sub-contractor or engaging a third-party auditor to conduct an audit and inspection should be included.
PRINCIPLE-BASED APPROACH
The SEBI through the consultation paper provides a principle-based framework that covers Governance, Risk and Compliance, , data localization, data ownership and process visibility, access, risk assessment and due diligence on CSPs, security controls, legal and regulatory obligations, Business Continuity and Business Continuity Planning (hereinafter referred to as “DR and BCP”) and vendor lock-in. The principles shall act as guidelines to set standards to which the REs must comply. The following principles are laid down:
Governance, Risk, and Compliance Sub–Framework
Under Principle 1, the RE shall have a board-approved governance model for cloud computing and should include the strategies to be adopted like the service models, deployments models, etc; the type of service which would be onboarded to the cloud considering the relevant factors; the measures to ensure the protection of stakeholder’s interests; Complying with a legal and regulatory requirement, etc.
The board shall also approve a separate framework for cloud risk management. A clearly identified and named resource who shall be responsible for the security of the deployments in the cloud should be appointed. The RE should ensure regulatory and legal compliance. The RE shall also divide the roles and assign responsibilities to the various persons as prescribed by the framework.
Moreover, a Grievance Redressal Mechanism should be in place to ensure that the rights of the investors and stakeholders are intact. There should be a management structure to monitor and control the activities and services deployed on the cloud. Furthermore, the RE shall conduct regular audits of the cloud deployments and shall monitor the CSP’s country’s government policies and its political, social, economic, and legal conditions continuously, and establish sound procedures for mitigating the country’s risk.
Data Residency and Sovereignty
Principle 2 provides for the storage processing of data including logs and any other data pertaining to RE in any form in the cloud should be done as per the following conditions:
1. The data should reside/be processed within the legal boundaries of India.
2. The data should reside/ be processed within the MeitY empaneled CSPs’ data centers holding valid Standard Testing and Quality Certificate (hereinafter referred to as “STQC”) or any other equivalent agency appointed by the Government of India audit status.
Data Ownership and Visibility in CSPs Infrastructure and Processes
As per Principle 3, the RE shall retain complete ownership of its data and associated data, encryption keys, logs, etc. residing in the cloud. The CSP shall provide visibility to RE as well as SEBI regarding the infrastructure and processes, and shall allow the RE to check the integrity and security of the cloud computing services and compliance with applicable policies and regulations.
The RE is ultimately responsible and accountable for the security and compliance of the data including logs, applications, and services hosted in the cloud
Responsibility for the Cloud solution
Under Principle 4, the RE is solely accountable for all aspects related to the cloud service including the availability of cloud applications, confidentiality, integrity and security of its data and logs, and ensuring RE’s compliance, etc. The concept of “shared responsibility” or “joint ownership” for any function or task or activity between the RE and CSP is not permitted.
Due Diligence by the RE
Principle 5, provides that the RE shall conduct its due diligence regarding CSPs beforehand and on a periodic basis to ensure that the legal and regulatory objectives are not hampered.
The due diligence shall be risk-based depending on the criticality of the data or services or operations planned to be onboarded on the cloud
Security Control
Principle 6 for Security Control obligates the RE to ensure compliance with the circulars, guidelines, and advisories issued by SEBI. The RE shall perform the assessment of CSPs to ensure that there are adequate security controls. These controls include Vulnerability Management Patch Management, and Monitoring: Incident Management among others prescribed in the paper.
The RE shall perform a risk-based assessment and place adequate controls depending on the criticality of the data, services and operations (to be placed in a cloud environment).
The RE shall deploy continuous monitoring to review the technical, legal, and regulatory compliance of CSP and take corrective measures wherever necessary. RE shall adopt appropriate Secure Software Development Life Cycle (SSDLC) processes to ensure security. The RE shall ensure the confidentiality, privacy, and integrity of the data through encryption and shall also ensure that data security controls such as anti-virus, Data Leak Prevention (DLP) solution, etc. are installed and configured on the cloud deployments for effective data security.
Contractual and Regulatory Obligations
Under Principle 7, the contractual terms between RE and CSP shall envisage the provisions of an audit by the RE, and information access rights to the RE as well as SEBI for due diligence and supervisory reviews.
The RE shall also ensure that their ability to manage risks, provide supervision, and comply with regulatory requirements is not hampered by the contractual terms and agreement with CSP.
The RE should retain adequate control over the resources which are onboarded on the cloud and the right to intervene with appropriate measures to meet legal and regulatory obligations.
Moreover, any other government agency or RE may conduct direct audits and inspections at any time, with prior notice, perform a search and seizure of data, and engage a forensic auditor to identify root cause of any incident.
BCP, Disaster Recovery & Cyber Resilience
Under Principle 8, the RE shall assess its BCP framework and ensure that it complies with the proposed cloud framework and other guidelines and the circulars issued by SEBI. The RE shall also assess the capabilities of the cyber resilience of CSP which can be periodically assessed by conducting DR drills.
Vendor Lock-In and Concentration Risk Management
Principle 9 provides that the RE shall assess their exposure to CSP lock-in and concentration risks. The risk evaluation shall be done before the Contract and shall be reviewed on a periodic basis.
In order to mitigate the CSP concentration risks, RE shall work on cloud-ready and CSP agnostic solutions such as implementing multi-cloud-ready solutions that can facilitate the RE in migrating the solutions as and when necessary with minimal changes and the exit strategies should also be developed.
Thus, the principles are developed to encourage the development and expansion of cloud services and also are regulated by the SEBI.
AMLEGALS REMARKS
The Consultation Paper on Framework is a positive step taken by SEBI for the regulation of Cloud Computation Services. The framework provides a detailed set of guidelines that the Registered Entities should comply with and ensure that they are accountable to the stakeholder. The Registered Entities have to ensure that there is Cloud Service Providers comply with the regulations laid down by the SEBI. The consultation paper is a positive step That would provide comprehensive protection and regulation for Cloud Services but would require effective implementation.
– Team AMLEGALS assisted by Mr. Niloy Ghosh (Intern)
For any queries or feedback, please feel free to get in touch with tanmay.banthia@amlegals.com or himanshi.patwa@amlegals.com.
Leave a Reply