Cloud computing is gaining popularity due to its ability to reduce emissions related to commuting and provide access to a wide range of resources through cloud storage. Cloud computing encompasses various elements such as networks, servers, storage, applications, and services, all of which are accessible remotely. By storing data on remote servers within an online data storage system, cloud computing contributes to the reduction of paper waste and eliminates the need for physical storage. Additionally, it offers numerous benefits such as cost savings on IT infrastructure, scalability, business continuity, accessibility from anywhere and with any device, improved performance and availability, and quick application deployment. These advantages make cloud computing an appealing option for organizations looking to streamline operations and leverage technology efficiently.
SEBI, through Circular No. SEBI/HO/ITD/ITD_VAPT/P/CIR/2023/033 dated 06.03.2023 has exercised its powers conferred under Section 11(1) of the SEBI Act, 1992. This circular has been introduced to specify the key risks and mandatory control measures that Regulatory Entities (RE) must be aware of before adopting cloud computing. The purpose is to protect the interests of investors. The framework outlined in the circular establishes baseline standards for security and compliance with legal, technical, and regulatory requirements. It is important to note that REs are solely accountable for all aspects related to cloud services. They must ensure compliance with this framework within 12 months from the date of issuance.
This Cloud computing framework has four types of deployment models viz.
i) public cloud
ii) community cloud
iii) private cloud and
iv) hybrid cloud
These are the following framework principles:
1. Governance, Risk and Compliance Sub-Framework
2. Selection of Cloud Service Providers
3. Data Ownership and Data Localization
4. Responsibility of the Regulated Entity
5. Due Diligence by the Regulated Entity
6. Security Contracts
7. Contractual and Regulatory Obligations
8. BCP, Disaster Recovery & Cyber Resilience
9. Vendor Lock-in and Concentration Risk Management
It is recommended to exclusively obtain cloud services from cloud service providers (CSPs) that are empanelled by the Ministry of Electronics and Information Technology (MeitY). Choosing CSPs from MeitY's empanelled list is advisable to ensure compliance with relevant standards and security protocols.
The cloud service models offer different levels of control and responsibilities, catering to various needs and preferences of users and businesses. There are three primary types of cloud service models such as:
i) Infrastructure as a Service (IaaS): This model offers virtualized computing resources such as virtual machines, storage, and networks. Users retain control over operating systems, applications, and storage, while the cloud service provider (CSP) manages the underlying infrastructure.
ii) Platform as a Service (PaaS): This model provides users with a development platform that includes operating systems, programming languages, and development tools. The CSP takes care of the underlying infrastructure, allowing users to focus on application development and deployment.
iii) Software as a Service (SaaS): This model allows users to access software applications hosted in the cloud. Users can utilize the software without the need to handle the underlying infrastructure or maintenance tasks, as these responsibilities are managed by the CSP.
By understanding these different cloud service models (IaaS, PaaS, and SaaS), organizations can make informed decisions about the type of cloud services that best suit their requirements.
1. Governance, Risk and Compliance (GRC):
To ensure effective governance, risk management, and compliance (GRC) in the context of cloud computing, Regulatory Entities (RE) should establish a comprehensive GRC sub-framework. This sub-framework should consider the following aspects:
i) Cloud governance: Establish policies, procedures, and structures to ensure proper governance of cloud services and their usage.
ii) Cloud risk management: Identity, assess, and mitigate risks associated with cloud computing.
iii) Compliance with the applicable legal and regulatory aspects: Ensure compliance with relevant laws, regulations, circulars, and guidelines.
iv) Grievance Redressal: Establish mechanisms to address grievances and resolve disputes related to cloud services.
v) Monitoring and control: Implement a monitoring and control mechanism to track and manage cloud deployments.
vi) Country risk: Assess and manage risks related to the jurisdiction where cloud services are hosted or provided.
vii) Contingency and exit strategies: Develop plans and procedures to handle contingencies, service disruptions, or termination of cloud services.
2. Selection of Cloud Service Providers:
For the selection of CSPs offering PaaS and SaaS services in India, RE must choose only those CSPs that ensure the following:
i) All data storage and processing related to the RE is conducted within the data centres of CSPs empanelled by MeitY with valid STQC audit status and
ii) CSP must have a clear and enforceable agreement with partners/vendors/sub-contractors ensuring the compliance of this framework Principles issued by SEBI.
3. Data Ownership and Data Localization:
All data, logs, encryption keys, etc ownership shall be retained by RE. The RE, SEBI and other Government authorities always have the right to access any or all the data at any or all point in time. CSPs must provide visibility to RE as well as SEBI into CSP's infrastructure.
RE shall always store data including logs and other information in legible and usable form within the legal boundaries of India during the adoption/usage of cloud services.
4. Responsibility of the Regulated Entity:
RE shall be solely responsible for the availability of cloud applications, confidentiality, integrity and security of its data and logs and other aspects related to cloud service. RE should also ensure compliance with applicable laws, rules, regulations, circulars etc issued by SEBI/ the Government of India/ respective state government.
There shall be no ‘joint/shared ownership’ for any function/task/activity between RE and CSP (and Managed Service Provider (MSP)/System Integrator (SI) wherever applicable). There shall be a clear delineation and fixing of responsibility with respect to all activities of the cloud services, explicitly in the agreement signed between the RE and the CSP. RE shall be held accountable for any violation of the laws, rules, regulations, circulars, etc issued by SEBI or any other authority.
5. Due Diligence by the Regulated Entity:
RE shall conduct due diligence of the CSP periodically, depending on the criticality of the data/services/operations. This is to ensure that legal, regulatory, and business objectives are not hampered and to assess the capabilities and suitability of the CSP before engagement.
RE shall consider the following criteria during the due diligence process:
i) Financial soundness of CSP,
ii) Security risk,
iii) Ability to enforce agreements,
iv) CSP’s ability to ensure compliance, etc.
6. Security Controls:
RE shall check the following security controls for the adoption of cloud computing :
Vulnerability Management and Patch Management Process: RE must ensure that the CSP mitigates vulnerabilities in all components of the services they are responsible for. The CSP should conduct Vulnerability Assessment and Penetration Testing (VAPT) within the prescribed timelines, covering the infrastructure and services hosted by RE on the cloud. The components managed by RE should be up to date in terms of patches, OS, versions, etc.
Continuous monitoring: The CSP should continuously monitor alerts, and appropriate actions should be taken within defined timelines. Monitoring should cover all components of the cloud.
Incident Management: The CSP should have an Incident Management policy, procedures, and processes in place to detect, respond to, and recover from any incidents at the earliest.
Secure User Management: Rule-based access should be strictly followed, and necessary auditing and monitoring should be conducted by the CSP. All administrative privileges should be tracked through a ticket request.
Multi-Tenancy: Any access by other tenants or unauthorized access by CSP's resources to RE's data should be considered an incident or breach.
Management interface: The management interface should have Two-Factor Authentication (2FA), or Multi-Factor Authentication (MFA) enabled.
Secure Software Development: RE should adopt Secure Software Development processes for dealing with cloud-native development concepts.
7. Contractual and Regulatory Obligations:
A clear and enforceable engagement agreement between RE and the CSP shall include provisions for audit and information access rights to the RE and SEBI. The agreement should also grant the RE the right to intervene with measures to meet legal and regulatory obligations. Adequate provisions with appropriate clauses/terms, including SLA clauses, should be added to the agreement.
SEBI/CERT-In/any other government agency shall have the authority to conduct direct audits and inspections of the CSP's resources at any time. They may also perform search and seizure of CSP's resources pertaining to RE.
A clear expunging clause should be included as a part of the exit strategy. This clause should state the procedure for data expungement when the RE intends to remove the data.
8. Business Continuity Planning (BCP), Disaster Recovery & Cyber Resilience:
RE shall ensure that BCP frameworks comply with this cloud framework as well as other guidelines. RE should develop an effective contingency plan to cope with disruptions or shutdowns of cloud services. The plan should include strategies and procedures to ensure business continuity and timely recovery in the event of any service interruptions or disruptions in cloud services.
9. Vendor Lock-in and Concentration Risk Management:
Before entering into a contract/agreement with a CSP, RE shall assess its exposure to CSP lock-in and concentration risk. This assessment is necessary to mitigate the risks that may arise from the failure or shutdown of the CSP. RE should carefully evaluate the terms and conditions of the agreement and consider strategies to mitigate vendor lock-in and concentration risks. This may include diversification of cloud services across multiple CSPs or incorporating provisions in the agreement that allows for easy transition or migration to alternative CSPs if needed.
10. Transition Period:
For RE that does not currently utilize cloud services, this framework shall be applicable from the date of issuance.
RE that currently uses cloud services shall comply with this framework within 12 months from the date of issuance. Regular milestones and updates should be implemented to ensure progress towards full compliance within the specified time frame.
SN. | Timeline | Milestone |
1. | Within one (1) month of issuance of the framework | REs shall provide details of the cloud services, if any, currently deployed by them. |
2. | Within three (3) months of issuance of the framework | The REs shall submit a roadmap (including details of major activities, timelines, etc.) for the implementation of the framework. |
3. | From three (3) to twelve (12) months of issuance of framework | Quarterly progress report as per the roadmap submitted by the RE. |
4. | After twelve (12) months of issuance of the framework | Compliance with respect to the framework to be reported regularly |
Conclusion:
Cloud computing has transformed the technology landscape by offering scalability, cost-efficiency, easy accessibility, security, and data backup and recovery. Businesses can easily allocate resources based on their specific needs, eliminating the need for upfront capital investments. Pay-as-you-go models ensure cost-efficiency by charging only for resources used. Cloud services allow users to access data and applications from anywhere with an internet connection. Robust security measures protect data from unauthorized access, and backup and disaster recovery solutions ensure its integrity. By leveraging cloud computing, businesses can focus on core objectives and respond to market dynamics effectively. Cloud computing offers a range of benefits for streamlined operations and effective technological leverage.
Authored by Sushma Gowda, Associate at Metalegal Advocates. The views are personal and do not constitute legal opinion.