wordpress blog stats
Connect with us

Hi, what are you looking for?

Towards Greater Cloud Adoption in CII sectors

Critical Information Infrastructure (CII) sectors are those designated by the Government of India as such, due to the key role they play in maintaining the upkeep of vital areas such as national security, economy, public health and more.

By Shachi Solanki

In 2013 when the Government of India came up with its Cloud policy, it wanted its entities to adopt it as their first option to deliver services to the public. However, the “Cloud First” policy that was envisioned 10 years ago still faces a lot of hesitancy for a variety of reasons. A study carried out by DeepStrat, a New Delhi-based think tank, looked at the causes and spoke to experts and regulators across sectors to understand if the reasons are valid.

The study focussed on the use of Cloud in sectors designated by the government as Critical Information Infrastructure (CII). Sectors such as energy and power, health, BFSI are designated as CII since their “…incapacitation or destruction shall have debilitating impact on national security, economy, public health or safety”. The DeepStrat study chose these sectors for assessing Cloud adoption since these are the most sensitive sectors from a national security standpoint.

Broadly, the study found that despite the policy and the intent, the adoption of cloud has been quite low due to a number of reasons. Much of this stems from the worry around the security and residency of the data that is uploaded. There is a general feeling across sectors in India that data is safest if it is in a data centre that is physically located and controlled within the premises of the establishment.

However, as several recent major data breaches have shown, mere on-premise control of the data centre does not guarantee security. The massive data breach at India’s premier All India Institute of Medical Sciences (AIIMS) shows that merely ensuring on-premise storage of data is no guarantee against a breach. Instead, had the data been put on a public cloud, the chances of it being breached would have been significantly lower. This is because Cloud Service Providers (CSP) are hyper-scalers who offer their services to several entities.

This allows them to secure their cloud through the latest security controls, while also accessing a global intelligence feed that alerts them to the latest threats that could lead to data breaches. Going on cloud also offers several other major benefits such as making it easier to comply with existing regulations, optimising cost according to use and making the data accessible to all its authorised users, irrespective of their geographical location.

Advertisement. Scroll to continue reading.

Insights from CII Stakeholders

Interviews with RBI officials revealed that there are two key factors to measure the success of  digitisation in the financial sector – convenience and security. They believe that Cloud has clear advantages for the BFSI sector from several angles, such as better security, scalability, elasticity, faster turnaround time, and operational resilience. Shared services such as public or community Cloud, are especially useful for cooperative and regional banks, who cannot afford standalone solutions.

Interviewees from other sectors and Cloud security professionals echoed this sentiment. Cloud offers many benefits that can be leveraged by organisations to optimise their operations.

Despite that, there is no cloud policy for critical sectors in India. NCIIPC, the nodal agency designated to protect CIIs in India has protection guidelines, which have been in operation since 2015. This controls-based framework is a prescriptive model to manage cybersecurity in designated CII sectors. A technical assessment of the security controls reveal that many of them are no longer relevant and do not cater to cloud adoption.

Article continues below ⬇, you might also want to read:

Interviews with stakeholders from CII sectors also revealed that the root cause for hesitancy towards Cloud adoption is the lack of clear policy guidance, which does not inspire confidence at the board level in these organisations. The existence of multiple regulators also creates confusion in terms of compliance requirements. The need for an overarching cloud framework for CII has now been felt across sectors. While different sectors are at different stages of digitisation, capabilities to migrate to cloud have not matured in most CII entities.

The BFSI Sector has been the leader in cloud adoption because of principle-based guidelines from RBI and SEBI. Officials from RBI told DeepStrat that they use a principle-based approach instead of prescriptive measures. Pushing prescriptive measures leads to apprehensions in the industry, forcing them to find ways to get around them. They believe that any effective system must be built on a foundation of trust among stakeholders. Principle-based sectoral guidelines can be mapped on to the overarching cloud framework to meet sector-specific needs.

Best practices from other countries

Advertisement. Scroll to continue reading.

Many other countries have grappled with similar issues in the past and created Cloud First policies that work for them.

Singapore, USA, and Australia have adopted a light touch, risks-based approach towards cloud security, while Japan and Germany tilt towards compliance-centric frameworks. All five jurisdictions have a few commonalities in their approaches – standardisation of frameworks across sectors, harmonisation with international standards, collaboration with stakeholders in framing policies, continual updating of regulations based on stakeholder feedback, and robust information sharing mechanisms.  They also focus on providing extensive guidance for cloud adoption and third-party audits which gives CII entities the confidence to move their functions to cloud. Public-private-partnerships are emerging as the fulcrum of regulatory approaches of Singapore, Germany and USA. These partnerships foster trust, enable information sharing and contribute towards capacity building, resulting in robust cybersecurity postures.

Fostering greater cloud adoption in India

Best practices across the globe suggest several approaches that can help foster greater cloud adoption in India. There is a need for an overarching cloud framework for CII sectors and abundant guidance on cloud adoption. Harmonisation of sectoral regulations and standardisation of frameworks will mitigate scope for confusion and enable ease of doing business.

Most regulators that were studied prefer a principles or risks-based approach because they translate into better security postures. Adoption of a data classification framework for risk and impact assessment would be a good middle ground for India to take. Consultation and collaboration has emerged as the cornerstone of cybersecurity best practices across the world. This allows for formulation and implementation of robust policies, greater information sharing and shared responsibility among stakeholders. Lastly, capacity building initiatives and training of auditors can help enhance cybersecurity posture of CII as they migrate to cloud.

Shachi Solanki is one of the co-authors of the study and Deputy Chief of Operations at DeepStrat, a New Delhi-based think tank and strategic consultancy.

Advertisement. Scroll to continue reading.

The study can be found here.

STAY ON TOP OF TECH NEWS: Our daily newsletter with the top story of the day from MediaNama, delivered to your inbox before 9 AM. Click here to sign up today!

Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Factors like Indus not charging developers any commission for in-app payments and antitrust orders issued by India's competition regulator against Google could contribute to...


Is open-sourcing of AI, and the use cases that come with it, a good starting point to discuss the responsibility and liability of AI?...


RBI Deputy Governor Rabi Shankar called for self-regulation in the fintech sector, but here's why we disagree with his stance.


Both the IT Minister and the IT Minister of State have chosen to avoid the actual concerns raised, and have instead defended against lesser...


The Central Board of Film Certification found power outside the Cinematograph Act and came to be known as the Censor Board. Are OTT self-regulating...

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ