
Complying with Framework for Adoption of Cloud Services in India

Baseline standards for security and regulatory compliance for Regulated Entities in India

Framework for Adoption of Cloud Services by Securities and Exchange Board of India (SEBI)


The Securities and Exchange Board of India (SEBI) introduced the Framework for the Adoption of Cloud Services by SEBI Regulated Entities (REs) in circular no. SEBI/HO/ITD/ITD_VAPT/P/CIR/2023/033 on 6 March 2023. The framework sets baseline standards for security and regulatory compliance. It is a crucial addition to SEBI’s existing guidelines on cloud computing and is designed to help REs implement secure and compliant cloud adoption practices.

The main purpose of this framework is to highlight the key risks and the mandatory control measures that regulated entities (REs) need to put in place before adopting cloud computing. The framework also sets out the regulatory and legal compliance obligations that apply to REs if they adopt such solutions.

Thales offers integrated solutions that enable your organisation to address the Framework for the Adoption of Cloud Services with a focus on Security Control and Concentration Risk Management Principles.


Regulation Overview

The circular for the Framework for the Adoption of Cloud Services lays out the risks unique to public cloud services to guide REs in developing their risk management strategy. It also notes some best practices for mitigating cloud-specific threats. If REs fail to establish the appropriate security measures recommended in the circular, the data they place in the cloud could be compromised by malicious actors; in turn, any resulting security incidents could affect the ability of REs to maintain operational continuity and to fulfil their legal obligations.

The framework is principle-based and covers nine key aspects, including the topics below:

  • Developing a public cloud risk management strategy that takes into consideration the unique characteristics of public cloud services;
  • Implementing strong controls in areas such as cyber security, data protection and cryptographic key management;
  • Expanding cyber security operations to include the security of public cloud workloads;
  • Managing cloud resilience, outsourcing, vendor lock-in and concentration risks;
  • Ensuring that staff have the skills to manage public cloud workloads and risks.

The Framework for the Adoption of Cloud Services by SEBI Regulated Entities (REs) was introduced on 6 March 2023. The framework is an addition to the existing SEBI circulars, guidelines and advisories, and comes into force immediately for all new or proposed cloud onboarding assignments and projects of the REs. REs that are currently availing cloud services should ensure that, wherever applicable, all such arrangements are revised to comply with the framework within 12 months.


Protecting data at rest

Thales offers multiple solutions for data at rest that can coexist with the native encryption provided by the Cloud Service Provider (CSP).

Protecting data in motion

Thales High Speed Network Encryption (HSE) solutions secure data in motion as it moves across the network between data centers and headquarters, branch and satellite offices, to backup and disaster recovery sites, on premises and in the cloud.

CipherTrust Transparent Encryption encrypts files while leaving their metadata in the clear. In this way, the CSP can perform its system administration tasks without gaining privileged access to the sensitive data residing on the systems it manages.

Adopting Bring Your Own Encryption (BYOE) & Bring Your Own Key (BYOK)

CipherTrust Cloud Key Manager supports Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK) use cases across multiple cloud infrastructures and SaaS applications in a single interface. It provides key auditing, strong key generation and end-to-end key lifecycle management, along with automatic key rotation, recovery and key revocation features that are not available from any cloud provider’s managed Key Management System (KMS).

Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK) provide a stronger separation of duties for the encryption keys: the RE maintains control of its keys instead of entrusting them to the CSP.

CipherTrust Transparent Encryption provides transparent encryption and access control for data residing in Amazon S3, Azure Files and more. It also offers advanced multi-cloud Bring Your Own Encryption (BYOE) solutions that avoid cloud vendor encryption lock-in and ensure data mobility, securing data efficiently across multiple cloud vendors with centralised, independent encryption key management.

Protection of cryptographic keys

Thales Luna Hardware Security Modules (HSMs) give organisations dedicated hardware for a greater degree of control and ownership over their cryptographic keys, rather than leaving the keys with the Cloud Service Provider (CSP).

CSP agnostic solutions

CipherTrust Cloud Key Manager from Thales combines support for cloud provider BYOK APIs, cloud key management automation, and key usage logging and reporting to provide cloud consumers with strong controls over the lifecycles of the encryption keys used for data encrypted by cloud services.

Thales CipherTrust Transparent Encryption (CTE) and CipherTrust Tokenisation offer advanced multi-cloud Bring Your Own Encryption (BYOE) solutions that avoid cloud vendor encryption lock-in and ensure data mobility, securing data efficiently across multiple cloud vendors with centralised and independent encryption key management.

Recommended resources

Addressing The Requirements of The Framework for Adoption of Cloud Services by SEBI Regulated Entities - Compliance Brief

This framework is a crucial addition to SEBI’s existing guidelines on cloud computing and is designed to help REs implement secure and compliant cloud adoption practices in India.

Data Security Compliance and Regulations - eBook

This ebook shows how Thales data security solutions enable you to meet global compliance and data privacy requirements including - GDPR, Schrems II, PCI-DSS and data breach notification laws.

Best Practices for Cloud Data Protection and Key Management - White Paper

This paper describes security best practices for protecting sensitive data in the public cloud, and explains concepts such as BYOK, HYOK, Bring Your Own Encryption (BYOE), key brokering and Root of Trust (RoT). It explains the level of data protection that can be achieved by...

Other key data protection and security regulations

GDPR (Regulation, Active Now)

Perhaps the most comprehensive data privacy standard to date, GDPR affects any organisation that processes the personal data of EU citizens - regardless of where the organisation is headquartered.

PCI DSS (Mandate, Active Now)

Any organisation that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.

Data Breach Notification Laws (Regulation, Active Now)

Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbour” clause.