Complying with Framework for Adoption of Cloud Services in India

Regulation Overview

The circular for the Framework for the Adoption of Cloud Services lays out the risks unique to public cloud services to guide REs in developing their risk management strategy. It also notes some best practices for mitigating cloud-specific threats. If REs fail to establish the appropriate security measures, as recommended in the circular, the data that they place in the cloud could be at risk of being compromised by malicious actors; in turn, any resulting security incidents could affect the ability of REs to maintain their operational continuity and fulfillment of their legal obligations.

The framework is a principle-based framework that covers nine key aspects with the topics below:

• Developing a public cloud risk management strategy that takes into consideration the unique characteristics of public cloud services;
• Implementing strong controls in areas such as cyber security, data protection and cryptographic key management
• Expanding cyber security operations to include security of public cloud workloads
• Managing cloud resilience, outsourcing, vendor lock-in and concentration risks
• Ensuring that staff have the skills to manage public cloud workloads and risks.

The Framework for the Adoption of Cloud Services by SEBI Regulated Entities (REs) was introduced on March 6, 2023. The framework is an addition to already existing SEBI circulars /guidelines /advisories and comes into force immediately for all new or proposed cloud onboarding assignments/projects of the REs. For REs that are currently availing cloud services should ensure that wherever applicable, all such arrangements are revised and they should be in compliance with the framework within 12 months.

Thales offers integrated solutions that enable your organization to address the Framework for the Adoption of Cloud Services with a focus on Security Control and Concentration Risk Management Principles.

Protecting data at rest

Thales offers multiple solutions for data at rest that can coexist with native encryption provided by Cloud Service Provider (CSP).

• CipherTrust Transparent Encryption
• CipherTrust Tokenization
• CipherTrust Application Data Protection
• CipherTrust Manager

Protecting data in motion

Thales High Speed Network Encryption (HSE) solutions secure data in motion as it moves across the network between data centers and headquarters, branch and satellite offices, to backup and disaster recovery sites, on premises and in the cloud.

CipherTrust Transparent Encryption encrypts files while leaving their metadata in the clear. In this way, CSP can perform their system administration tasks without gaining privileged access to the sensitive data residing on the systems they manage.

Adopting Bring Your Own Encryption (BYOE) & Bring Your Own Key (BYOK)

CipherTrust Cloud Key Manager supports Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK) use cases across multiple cloud infrastructures and SaaS applications in a single interface. It provides auditing of key, strong key generation, and end-to-end key lifecycle management along with automatic key rotation, recovery and key revocation feature that is not available by any cloud provider’s managed Key Management System (KMS).

Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK) provides a stronger separation of duty for the encryption keys, the RE can maintain control of their keys instead of entrusting them to the CSP.

CipherTrust Transparent Encryption provides transparent encryption and access control for data residing in Amazon S3, Azure Files and more. It also offers advanced multi-cloud Bring Your Own Encryption (BYOE) solutions to avoid cloud vendor encryption lock-in and ensure data mobility to efficiently secure data across multiple cloud vendors with centralized, independent encryption key management.

Protection of cryptographic keys

Thales Luna Hardware Security Modules (HSM) allow organizations to have dedicated Hardware for a greater degree of control and ownership over the crypto keys rather than with the Cloud Service Provider (CSP).

CSP agnostic solutions

CipherTrust Cloud Key Manager combines support for cloud provider BYOK service, and cloud key management that provides cloud consumers with strong controls over the encryption key life cycles for data encrypted by a cloud service provider.

Thales CipherTrust Transparent Encryption (CTE) and CipherTrust Tokenization offer advanced multi-cloud Bring Your Own Encryption (BYOE) solutions to avoid cloud vendor encryption lock-in and ensure data mobility to efficiently secure data across multiple cloud vendors with centralized and independent encryption key management.