Data security for 21st century India

While the world is witnessing cloud data breach incidents more often -- micro-blogging site Twitter being the latest one -- and governments across the world are looking for ways to ensure data security, India has also joined the chorus for a safe and secure cloud experience.

The Telecom Regulatory Authority of India (TRAI) this month issued a consultation paper on cloud computing, inviting the stakeholders to join the debate on how to implement a secure cloud service.

The fact is that practically no work has been done in India till date on having an adequate legal framework to deal with cyber security and data security on the Cloud.

"India's concerns on data security when it comes to cloud services are distinctly real and topical. A lot more work needs to be done in terms of protecting and preserving the security of cloud data for the businesses and companies whose data is being stored on cloud servers in foreign shores," says Pavan Duggal, one of the nation's top cyber law experts.

The TRAI paper, whose deadline to feed comments online is July 8 comes after Twitter co-founder Evan Williams's account was compromised and hackers may have used malware to collect credentials of more than 32 million logins of Twitter users.

"The current legislations in India are not able to address the present and future issues arising in cloud computing services comprehensively. This is because the Information Technology Act, 2000, is completely silent on issues of cloud computing. Further, cloud security-related issues are completely missing in the said legislation," Duggal, also a Supreme Court advocate said.

The Indian Telegraph Act, 1885, is completely silent on the context of cloud computing. The Information Technology Act, 2000, has not addressed issues pertaining to cloud computing.

According to the cloud service providers, cybersecurity is now a boardroom discussion and has emerged to be a key concern for IT and business managers alike.

"While there are concerns around data security in India, a lot of the technologists in the country are quite skilled and are aware of what needs to be done. By following practices such as segregation of duties, on-disk encryption, data redaction and robust identity management, India can tackle security constraints well," explains Shailender Kumar, Managing Director, Oracle India, one of the global leaders in providing cloud services across the spectrum.

The real security issue is when customers take older products that were not built for the Internet, rack them and put them on the Internet."This makes those products vulnerable. But sometimes security is also used as a reason to avoid change because shifting to the cloud involves change. Though worrying, companies that adopt the cloud can emerge as winners," Kumar states.

Nearly 46 percent of all spending on IT infrastructure (servers, storage, and switches) globally will be towards cloud infrastructures by 2020, predicts market research firm IDC. Cloud computing accounted for about 33 percent of the total IT expenditure in 2015 across the world. In India, the overall cloud computing market reached $1.08 billion by the end of last year and IT/ITeS, telecom, manufacturing and government sectors contributed the largest to this.

"Cloud service providers need to ensure secured, hacking-free services for Indian companies. This can be done by adopting latest international standards on cyber security. Further, all cloud service providers are intermediaries and are required to implement and maintain reasonable security practices and procedures while dealing with, handling or processing sensitive personal data in the cloud," says Duggal.

The Indian law has already stipulated ISO 27001 as a standard for intermediaries who are dealing with, handling or processing sensitive personal data.

According to Kumar, Oracle is focussed on security. "Security is essential for all our products. We give customers the option of deciding which part and how much of their business migrates to the cloud. This enables us to allay fear and apprehensions about the security aspect," states Kumar.

The legal, policy and regulatory issues pertaining to cloud distinctly need to be addressed by appropriate national legislation, feel experts.

Internet jurisdiction is one of the major legal challenges in the context of cloud computing as in a majority of times, the hardware of the cloud where third party data is located is often placed outside the territorial boundaries of the relevant national laws.