Cloud Providers Serving Government Must Store Data in IndiaSecurity Leaders Weigh In on the Challenges in Following MeitY Mandate
To help ensure that data is properly protected, the Ministry of Electronics and Information Technology has mandated that all cloud service providers that handle government data store it on servers in India and not in other countries.
The guidelines require that cloud service providers' contracts with the government must clearly state that all services and data will be guaranteed to reside in India. MeitY says cloud vendors must include in the contract the details on the location of the data that they are processing, storing or hosting for the government.
Although most cloud service providers have hosted websites and servers outside India due to perceived cost advantages as well as business continuity and legal concerns, it's now critical to locate the data within India to take appropriate security and legal measures in case of cyberattacks, some cybersecurity experts say (see: Parliament: Store Critical Data in India).
"The new guidelines will have a positive impact on the cloud service providers who can now take advantage of data localization and seek the government's support on any legal implications it might face," says Prashant Mali, a Mumbai-based attorney who's an international cybersecurity expert.
But Ritesh Bhatia, founder director at V4WEB, a company that specializes in creating secured websites and cybercrime investigations, contends the government has taken a lackadaisical approach towards ensuring that its cloud partners establish adequate security for storing critical data in India. He claims the government's data privacy and regulatory policy is too weak.
The new mandate means that cloud service providers will need to invest in new infrastructure to store critical data and secure legacy applications, some security practitioners point out (see: Insurers Face New Security Mandates).
Control Over Data
Puneet Bhasin, cyber law expert at Cyberjure Legal Consulting in Mumbai, contends the mandate is a good move because it will help cloud service providers to improve control over data and take the right security steps.
But in addition to creating an indigenous infrastructure, it's critical that the government collaborate with cloud service providers and create a strong threat information sharing platform, says S. Sriram, co-founder at iValue Solutions, a managed service provider.
And Mali points out that a key challenge in shifting to domestic data storage will be handling the migration without data loss.
Securing the Indigenous Data
MeitY has certified 11 companies that can provide cloud solutions to government departments. Among them are Microsoft, HP, IBM India, Tata Communications, Bharat Sanchar Nigam Limited, Net Magic IT Services, Sify Technologies and CtrlS Data Centers.
The government requires these companies to go through rigorous Standardisation Testing and Quality Certification.
According to the new MeitY guidelines, the cloud service agreements will now need to specify the providers' facilities and services are certified to be compliant to the following standards:
- ISO 27001 - The data center and cloud services should be certified for the latest version of the standard;
- ISO/IEC 27017:2015 - Code of practice for information security controls based on ISO/IEC 27002 for cloud services and Information technology;
- ISO 27018 - Code of practice for protection of personally identifiable information in public clouds
- ISO 20000-9 - Guidance on the application of ISO/IEC 20000-1 to cloud services
- PCI DSS - Standard for storing, processing and transmitting credit card information.
Focusing on More Than Cost
In taking steps to ensure data security, the government must look beyond entering contracts with the lowest-cost cloud services provider, experts say.
"More often than not, lowest price is the criteria for purchase, impacting the quality of design, solution and services - which is not good for critical initiatives involving sensitive data of crores of people," Sriram says.
Bikash Barai, co-founder at FireCompass, an AI-based assistant for IT security decision makers, adds: "What could help is when it comes to a situation where you don't want to compromise on your security, the mindset to go for cheap things needs to change. While government has issued security guidelines for cloud service partners, it has to do away with the concept of L1 bidding, which may not deter corruption, but it definitely jeopardises the quality of implementation and security of data."
L1 refers to the lowest bidder who generally wins government contracts.
Barai contends the government needs a stronger risk management program. "Apart from preventing threats, the government needs strong investments in incident response and recovery," he says. "Additionally, one should develop predictive capability, like threat intelligence, to identify possible threats before they become real."
The government departments also should take into account its legal obligations to disclose its outsourcing arrangements and the circumstances under which data may be disclosed to cloud partners, MeitY says. And in the event of termination of the outsourcing agreement, the government must ensure that all customer data is completely retrieved from the service provider, the guideline says.