By Shachi Solanki
In 2013, when the Government of India came up with its Cloud policy, it wanted its entities to adopt Cloud as their first option to deliver services to the public. However, the “Cloud First” policy that was envisioned 10 years ago still faces a lot of hesitancy for a variety of reasons. A study carried out by DeepStrat, a New Delhi-based think tank, looked at the causes and spoke to experts and regulators across sectors to understand if the reasons are valid.
The study focussed on the use of Cloud in sectors designated by the government as Critical Information Infrastructure (CII). Sectors such as energy and power, health, BFSI are designated as CII since their “…incapacitation or destruction shall have debilitating impact on national security, economy, public health or safety”. The DeepStrat study chose these sectors for assessing Cloud adoption since these are the most sensitive sectors from a national security standpoint.
Broadly, the study found that despite the policy and the intent, the adoption of cloud has been quite low due to a number of reasons. Much of this stems from the worry around the security and residency of the data that is uploaded. There is a general feeling across sectors in India that data is safest if it is in a data centre that is physically located and controlled within the premises of the establishment.
However, as several recent major data breaches have shown, mere on-premise control of the data centre does not guarantee security. The massive data breach at India’s premier All India Institute of Medical Sciences (AIIMS) shows that merely ensuring on-premise storage of data is no guarantee against a breach. Instead, had the data been put on a public cloud, the chances of it being breached would have been significantly lower. This is because Cloud Service Providers (CSP) are hyper-scalers who offer their services to several entities.
This allows them to secure their cloud through the latest security controls, while also accessing a global intelligence feed that alerts them to the latest threats that could lead to data breaches. Going on cloud also offers several other major benefits such as making it easier to comply with existing regulations, optimising cost according to use and making the data accessible to all its authorised users, irrespective of their geographical location.
Insights from CII Stakeholders
Interviews with RBI officials revealed that there are two key factors to measure the success of digitisation in the financial sector – convenience and security. They believe that Cloud has clear advantages for the BFSI sector from several angles, such as better security, scalability, elasticity, faster turnaround time, and operational resilience. Shared services, such as public or community Cloud, are especially useful for cooperative and regional banks, which cannot afford standalone solutions.
Interviewees from other sectors and Cloud security professionals echoed this sentiment. Cloud offers many benefits that can be leveraged by organisations to optimise their operations.
Despite that, there is no cloud policy for critical sectors in India. NCIIPC, the nodal agency designated to protect CIIs in India, has protection guidelines, which have been in operation since 2015. This controls-based framework is a prescriptive model to manage cybersecurity in designated CII sectors. A technical assessment of the security controls reveals that many of them are no longer relevant and do not cater to cloud adoption.
Interviews with stakeholders from CII sectors also revealed that the root cause for hesitancy towards Cloud adoption is the lack of clear policy guidance, which does not inspire confidence at the board level in these organisations. The existence of multiple regulators also creates confusion in terms of compliance requirements. The need for an overarching cloud framework for CII has now been felt across sectors. While different sectors are at different stages of digitisation, capabilities to migrate to cloud have not matured in most CII entities.
The BFSI Sector has been the leader in cloud adoption because of principle-based guidelines from RBI and SEBI. Officials from RBI told DeepStrat that they use a principle-based approach instead of prescriptive measures. Pushing prescriptive measures leads to apprehensions in the industry, forcing them to find ways to get around them. They believe that any effective system must be built on a foundation of trust among stakeholders. Principle-based sectoral guidelines can be mapped on to the overarching cloud framework to meet sector-specific needs.
Best practices from other countries
Many other countries have grappled with similar issues in the past and created Cloud First policies that work for them.
Singapore, USA, and Australia have adopted a light touch, risks-based approach towards cloud security, while Japan and Germany tilt towards compliance-centric frameworks. All five jurisdictions have a few commonalities in their approaches – standardisation of frameworks across sectors, harmonisation with international standards, collaboration with stakeholders in framing policies, continual updating of regulations based on stakeholder feedback, and robust information sharing mechanisms. They also focus on providing extensive guidance for cloud adoption and third-party audits, which give CII entities the confidence to move their functions to cloud. Public-private partnerships are emerging as the fulcrum of the regulatory approaches of Singapore, Germany and USA. These partnerships foster trust, enable information sharing and contribute towards capacity building, resulting in robust cybersecurity postures.
Fostering greater cloud adoption in India
Best practices across the globe suggest several approaches that can help foster greater cloud adoption in India. There is a need for an overarching cloud framework for CII sectors and abundant guidance on cloud adoption. Harmonisation of sectoral regulations and standardisation of frameworks will mitigate scope for confusion and enable ease of doing business.
Most regulators that were studied prefer a principles or risks-based approach because it translates into better security postures. Adoption of a data classification framework for risk and impact assessment would be a good middle ground for India to take. Consultation and collaboration have emerged as the cornerstone of cybersecurity best practices across the world. This allows for formulation and implementation of robust policies, greater information sharing and shared responsibility among stakeholders. Lastly, capacity building initiatives and training of auditors can help enhance the cybersecurity posture of CII entities as they migrate to cloud.
Shachi Solanki is one of the co-authors of the study and Deputy Chief of Operations at DeepStrat, a New Delhi-based think tank and strategic consultancy.
The study can be found here.