Complying with Framework for Adoption of Cloud Services in India
Baseline standards for security and regulatory compliances for Regulated Entities in India
Securities and Exchange Board of India (SEBI) has introduced the Framework for the Adoption of Cloud Services by SEBI Regulated Entities (REs) in circular no. SEBI/HO/ITD/ITD_VAPT/P/CIR/2023/033 on March 6, 2023, which sets baseline standards for security and regulatory compliances. This framework is a crucial addition to SEBI’s existing guidelines on cloud computing and is designed to help REs implement secure and compliant cloud adoption practices.
The main purpose of this framework is to highlight the key risks and the mandatory control measures that regulated entities (REs) must put in place before adopting cloud computing. It also sets out the regulatory and legal obligations that REs take on if they adopt such solutions.
Thales offers integrated solutions that enable your organization to address the Framework for the Adoption of Cloud Services with a focus on Security Control and Concentration Risk Management Principles.
Regulation Overview
The circular for the Framework for the Adoption of Cloud Services lays out the risks unique to public cloud services to guide REs in developing their risk management strategy, and notes best practices for mitigating cloud-specific threats. If an RE fails to establish the security measures the circular recommends, the data it places in the cloud is exposed to compromise by malicious actors; any resulting security incident could in turn affect the RE's ability to maintain operational continuity and fulfil its legal obligations.
The framework is principle-based and covers nine key aspects:
The Framework for the Adoption of Cloud Services by SEBI Regulated Entities (REs) was introduced on March 6, 2023. It is an addition to existing SEBI circulars, guidelines and advisories and comes into force immediately for all new or proposed cloud onboarding assignments and projects of REs. REs that are already availing cloud services must ensure that, wherever applicable, all such arrangements are revised to comply with the framework within 12 months.
Protecting data at rest
Thales offers multiple solutions for data at rest that can coexist with the native encryption provided by the Cloud Service Provider (CSP).
CipherTrust Transparent Encryption encrypts file contents while leaving file metadata in the clear, so the CSP can perform its system administration tasks without gaining privileged access to the sensitive data on the systems it manages.
Protecting data in motion
Thales High Speed Network Encryption (HSE) solutions secure data in motion as it moves across the network: between data centers and headquarters, branch and satellite offices, to backup and disaster recovery sites, on premises and in the cloud.
Adopting Bring Your Own Encryption (BYOE) & Bring Your Own Key (BYOK)
CipherTrust Cloud Key Manager supports Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK) use cases across multiple cloud infrastructures and SaaS applications from a single interface. It provides key auditing, strong key generation and end-to-end key lifecycle management, including automatic key rotation, recovery and revocation, applied consistently across providers rather than through each cloud provider's own managed Key Management System (KMS).
BYOK and HYOK provide stronger separation of duties for encryption keys: the RE keeps control of its keys rather than entrusting them to the CSP. The two differ in how far that control goes. With BYOK the RE generates the key and imports it into the CSP's KMS, which then holds a copy and uses it on the RE's behalf; with HYOK the key stays in the RE-controlled key manager, the cloud service holds only a reference and must call out to the RE for each operation, so the RE can cut off access at any time by revoking the key.
CipherTrust Transparent Encryption also provides transparent encryption and access control for data residing in Amazon S3, Azure Files and other cloud storage services, with the keys managed centrally and independently of the CSP.
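The BYOK and HYOK models described above, as an added example (not Thales's code, and not part of the SEBI circular). Both the CSP's KMS and the RE's external key manager are in-process stand-ins, which is an assumption for the example; the BYOK import wraps the AES key with RSA-OAEP/SHA-256, the same family of RSA wrapping that cloud KMS key-import flows use, although the real services differ in exact scheme and key size. The point it makes: after a BYOK import the CSP holds usable key material and needs nobody else; under HYOK the CSP holds only a reference, every operation is a call-out to the RE, and revoking the key at the RE stops the CSP immediately.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ExternalKeyManager stands in for the RE-controlled key manager (an HSM or a CipherTrust-style
// service; assumed for this example). Under HYOK the key never leaves it; the CSP holds only a
// reference and has to call out for every cryptographic operation. The zero value is usable.
type ExternalKeyManager struct {
	keys  map[string][]byte
	Calls int // how many times the CSP had to call back to the RE
}

// GenerateKey creates a 256-bit AES key under id; the RE keeps the only copy.
func (e *ExternalKeyManager) GenerateKey(id string) ([]byte, error) {
	if e.keys == nil {
		e.keys = map[string][]byte{}
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	e.keys[id] = k
	return k, nil
}

func (e *ExternalKeyManager) Revoke(id string) { delete(e.keys, id) } // every later HYOK use of id fails

// Operate seals (encrypt=true) or opens data with the referenced key.
func (e *ExternalKeyManager) Operate(id string, encrypt bool, data []byte) ([]byte, error) {
	e.Calls++ // each call is a CSP-to-RE round trip
	k, ok := e.keys[id]
	if !ok {
		return nil, errors.New("key revoked or unknown at the external key manager")
	}
	return aesGCM(k, encrypt, data)
}

// WrapForImport is the RE-side BYOK step: RSA-OAEP/SHA-256 wrap of the AES key under the CSP's
// wrapping public key, so the key crosses to the CSP without being exposed in transit.
func WrapForImport(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
}

// CSPKMS stands in for the cloud provider's managed KMS (in-process simulation, assumed).
type CSPKMS struct {
	Wrapping *rsa.PrivateKey
	imported map[string][]byte              // BYOK: the CSP now holds usable key material
	external map[string]*ExternalKeyManager // HYOK: the CSP holds only a pointer to the RE
}

func NewCSPKMS() (*CSPKMS, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &CSPKMS{priv, map[string][]byte{}, map[string]*ExternalKeyManager{}}, nil
}

// ImportKey is the CSP-side BYOK step: unwrap the key material and keep it.
func (c *CSPKMS) ImportKey(id string, wrapped []byte) error {
	k, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, c.Wrapping, wrapped, nil)
	if err != nil {
		return err
	}
	c.imported[id] = k
	return nil
}

// LinkExternalKey registers an HYOK key (reference only); HoldsPlaintext reports whether the
// CSP can use a key without involving the RE at all.
func (c *CSPKMS) LinkExternalKey(id string, ekm *ExternalKeyManager) { c.external[id] = ekm }
func (c *CSPKMS) HoldsPlaintext(id string) bool                     { _, ok := c.imported[id]; return ok }

// Use encrypts (encrypt=true) or decrypts data under the named key.
func (c *CSPKMS) Use(id string, encrypt bool, data []byte) ([]byte, error) {
	if k, ok := c.imported[id]; ok {
		return aesGCM(k, encrypt, data) // BYOK: the CSP needs nobody else
	}
	if ekm, ok := c.external[id]; ok {
		return ekm.Operate(id, encrypt, data) // HYOK: every use goes back to the RE
	}
	return nil, fmt.Errorf("unknown key %q", id)
}

// aesGCM is AES-256-GCM with a random 12-byte nonce prefixed to the ciphertext.
func aesGCM(key []byte, encrypt bool, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if encrypt {
		nonce := make([]byte, aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		return append(nonce, aead.Seal(nil, nonce, data, nil)...), nil
	}
	if len(data) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, data[:aead.NonceSize()], data[aead.NonceSize():], nil)
}

func main() {
	csp, _ := NewCSPKMS()
	ekm := &ExternalKeyManager{}
	k, _ := ekm.GenerateKey("byok-1")
	wrapped, _ := WrapForImport(&csp.Wrapping.PublicKey, k)
	fmt.Println("BYOK import:", csp.ImportKey("byok-1", wrapped), "| CSP holds key material:", csp.HoldsPlaintext("byok-1"))
	_, _ = ekm.GenerateKey("hyok-1")
	csp.LinkExternalKey("hyok-1", ekm)
	ct, _ := csp.Use("hyok-1", true, []byte("constructed sample record")) // constructed input
	ekm.Revoke("hyok-1")
	_, err := csp.Use("hyok-1", false, ct)
	fmt.Println("HYOK decrypt after RE revocation:", err, "| CSP call-outs:", ekm.Calls)
}
```

The check a practitioner should take from this: BYOK shortens the trust you place in the CSP's key generation, but once imported the key is in the CSP's hands and revocation depends on the CSP honouring a deletion request; HYOK keeps the key material with the RE, at the cost of a network round trip per operation and an availability dependency on the RE's key manager.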
Protection of cryptographic keys
Thales Luna Hardware Security Modules (HSMs) give organizations dedicated hardware for generating and storing cryptographic keys, so that key material stays within a tamper-resistant boundary the RE owns rather than in the Cloud Service Provider's (CSP's) key store. Keys generated in an HSM do not leave it in clear form; the HSM performs the cryptographic operations itself.
CSP agnostic solutions
CipherTrust Cloud Key Manager combines support for each cloud provider's BYOK service with centralized cloud key management, giving cloud consumers strong control over the life cycle of the keys a cloud service provider uses to encrypt their data.
Thales CipherTrust Transparent Encryption (CTE) and CipherTrust Tokenization offer multi-cloud Bring Your Own Encryption (BYOE): because the RE's own encryption layer is used rather than each vendor's native one, data is not locked to a single cloud vendor's encryption and remains portable, and it is secured consistently across multiple cloud vendors under centralized, independent encryption key management.
This ebook shows how Thales data security solutions enable you to meet global compliance and data privacy requirements including - GDPR, Schrems II, PCI-DSS and data breach notification laws.
This paper describes security best practices for protecting sensitive data in the public cloud, and explains concepts such as BYOK, HYOK, Bring Your Own Encryption (BYOE), key brokering and Root of Trust (RoT). It explains the level of data protection that can be achieved by...
Perhaps the most comprehensive data privacy standard to date, GDPR affects any organization that processes the personal data of individuals in the EU, regardless of where the organization is headquartered.
Any organization that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.
Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but commonly include a “safe harbor” clause that relaxes or waives notification when the lost data was encrypted.