While the world is witnessing cloud data breach incidents more often — micro-blogging website Twitter being the latest one — and governments the world over are looking for ways to ensure data security, India has also joined the chorus for a safe, secured cloud experience. The Telecom Regulatory Authority of India (TRAI) this month issued a consultation paper on cloud computing, inviting the stakeholders to join the debate on how to implement a secured cloud service. The fact is: Practically no work has been done in India till date on having an adequate legal framework to deal with cyber security and data security on the Cloud.
“India’s concerns on data security when it comes to cloud services are distinctly real and topical. A lot more work needs to be done in terms of protecting and preserving security of cloud data for the businesses and companies whose data is being stored on cloud servers in foreign shores,” says Pavan Duggal, one of the nation’s top cyber law experts. The TRAI paper, whose deadline to feed comments online is July 8, comes after Twitter co-founder Evan William’s account was compromised and hackers may have used malware to collect credentials of more than 32 million logins of Twitter users.
“The current legislations in India are not able to address the present and future issues arising in cloud computing services comprehensively. This is because the Information Technology Act, 2000, is completely silent on issues of cloud computing. Further, cloud security-related issues are completely missing in the said legislation,” Duggal, also a Supreme Court advocate, told IANS. The Indian Telegraph Act, 1885, is completely silent in the context of cloud computing. The Information Technology Act, 2000, has not addressed issues pertaining to cloud computing. According to the cloud service providers, cyber security is now a boardroom discussion and has emerged to be a key concern for IT and business managers alike.
“While there are concerns around data security in India, a lot of the technologists in the country are quite skilled and are aware of what needs to be done. By following practices such as segregation of duties, on-disk encryption, data redaction and robust identity management, India can tackle security constraints well,” explains Shailender Kumar, Managing Director, Oracle India, one of the global leaders in providing cloud services across the spectrum. The real security issue is when customers take older products that were not built for the nternet, rack them and put them on the Internet. “This makes those products vulnerable. But sometimes security is also used as a reason to avoid change because shifting to the cloud involves change. Though worrying, companies that adopt the cloud can emerge as winners,” Kumar states.
Nearly 46 percent of all spending on IT infrastructure (servers, storage and switches) globally will be towards cloud infrastructures by 2020, predicts market research firm IDC. Cloud computing accounted for about 33 percent of the total IT expenditure in 2015 across the world. In India, the overall cloud computing market reached $1.08 billion by the end of last year and IT/ITeS, telecom, manufacturing and government sectors contributed the largest to this. “Cloud service providers need to ensure secured, hacking-free services for Indian companies. This can be done by adopting latest international standards on cyber security. Further, all cloud service providers are intermediaries and are required to implement and maintain reasonable security practices and procedures while dealing with, handling or processing sensitive personal data in the cloud,” says Duggal.
The Indian law has already stipulated ISO 27001 as a standard for intermediaries who are dealing with, handling or processing sensitive personal data. According to Kumar, Oracle is focused on security. “Security is essential for all our products. We give customers the option of deciding which part and how much of their business migrates to the cloud. This enables us to allay fear and apprehensions about the security aspect,” states Kumar. The legal, policy and regulatory issues pertaining to cloud distinctly need to be addressed by appropriate national legislation, feel experts. Internet jurisdiction is one of the major legal challenges in the context of cloud computing as in a majority of times, the hardware of the cloud where third party data is located, is often placed outside the territorial boundaries of the relevant national laws.