Framework for Adoption of Cloud Services by SEBI Regulated Entities (REs)

..... seline standards of security and for the legal and regulatory compliances by the RE. The framework shall be seen as an addition to already existing SEBI circulars/ guidelines/ advisories.

2. Objective: The major purpose of this framework is to highlight the key risks, and mandatory control measures which REs need to put in place before adopting cloud computing. The document also sets out the regulatory and legal compliances by REs if they adopt such solutions.

3. Applicability: The framework shall be applicable to the following REs:
i. Stock Exchanges
ii. Clearing Corporations
iii. Depositories
iv. Stock Brokers through Exchanges
v. Depository Participants through Depositories
vi. Asset Management Companies (AMCs)/ Mutual Funds (MFs)
vii. Qualified Registrars to an Issue and Share Transfer Agents
viii. KYC Registration Agencies (KRAs)

4. Transition Period
i. The framework shall come into force with immediate effect for all new or proposed cloud onboarding assignments/ projects of the REs.
ii. REs which are currently availing cloud services (as on date of issuance of this framework) shall ensure that, wherever applicable, all such .....

..... able for hybrid cloud deployments. In view of the above, hybrid cloud deployment is permitted, subject to the conditions specified herein.
ii. Deployment of any other cloud model is prohibited unless explicitly permitted under this framework. However, as the field of cloud computing is a dynamic and emerging area, SEBI may allow deployment of other models after due consultations. The same may be specified by SEBI from time to time.

6. Approach: The cloud framework is a principle-based framework which covers Governance, Risk and Compliance (GRC), selection of Cloud Service Providers (CSPs), data ownership and data localization, due diligence by REs, security controls, legal and regulatory obligations, DR/ BCP, and vendor lock-in risk. The principles are broadly stated guidelines that set the standards with which an RE must comply while adopting cloud services. The principles are stated below:
i. Principle 1: Governance, Risk and Compliance Sub-Framework
ii. Principle 2: Selection of Cloud Service Providers
iii. Principle 3: Data Ownership and Data Localization
iv. Principle 4: Responsibility of the Regulated Entity
v. Principle 5: Due Diligence by the Regul .....

..... gh the IT services/ functionality may be outsourced (to a CSP), the RE is solely accountable for all aspects related to the cloud services adopted by it, including but not limited to availability of cloud applications, confidentiality, integrity and security of its data and logs, and ensuring the RE's compliance with the laws, rules, regulations, circulars, etc. issued by SEBI/ Government of India/ respective state government. Accordingly, the RE shall be responsible and accountable for any violation of the same.
iii. The cloud services shall be taken only from the Ministry of Electronics and Information Technology (MeitY) empaneled CSPs. The CSP's data center should hold a valid STQC (or any other equivalent agency appointed by Government of India) audit status. For selection of CSPs offering PaaS and SaaS services in India, the RE shall choose only such CSPs which:
1. Utilize the underlying infrastructure of MeitY empaneled CSPs for providing services to the RE.
2. Host the application/ platform/ services provided to the RE, as well as store/ process data of the RE, only within the data centers empaneled by MeitY and holding a valid STQC (or any other equivalent agency appointed by Gove .....

..... API: Application Programming Interface
3. BCP: Business Continuity Planning
4. CISO: Chief Information Security Officer
5. CSP: Cloud Service Provider
6. DDOS: Distributed Denial-of-Service
7. Dev: Development Environment
8. DR: Disaster Recovery
9. IPS: Intrusion Prevention System
10. LAN: Local Area Network
11. MeitY: Ministry of Electronics and Information Technology
12. MII: Market Infrastructure Institution
13. MPLS: Multiprotocol Label Switching
14. MSP: Managed Service Pro .....

..... . It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.
3. Public Cloud: The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
4. Hybrid Cloud: The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability.

2. Cloud Service Models
A. The definitions of various cloud service models (as per NIST) [Ref: https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-145.pdf] are given below:
i. Infrastructure as a Service (IaaS): The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computin .....

..... KYC Registration Agencies, and QRTAs) and Market Infrastructure Institutions (Stock Exchanges, Clearing Corporations, and Depositories) regulated by SEBI.
4. Key Management: In the context of encryption/ decryption, a key is typically a random string of bits generated to hide (encrypt) or reveal (decrypt) data. A key is most commonly used along with an algorithm (method) for encryption/ decryption of data. Therefore, key management refers to the management of cryptographic keys in a system, including their (the keys') generation, exchange, storage, etc.
5. Hardware Security Module (HSM): A Hardware Security Module is a device that is used for management of keys, as well as for implementing various functions like encryption, decryption, authentication, etc.

Principle 1: Governance, Risk and Compliance Sub-Framework
1. Governance, Risk and Compliance (GRC): The REs shall put in place an effective GRC sub-framework for cloud computing to enable them to formulate a cloud strategy suitable for their circumstances/ needs. The RE shall also adhere to the governance framework mentioned in various circulars issued by SEBI. The various aspects that shall be considere .....

..... by SEBI/ Government of India/ respective state government.
iv. In order to ensure the smooth functioning of, and adherence to, the GRC sub-framework, it is mandated to divide the roles and assign the responsibilities as given below:
1. Role of the Board/ Key Management Personnel (KMP): The Board/ KMP shall be responsible for:
a. Approval of the cloud governance model and cloud risk management approach, and setting up processes for smooth onboarding on cloud while adhering to all legal, regulatory, technical and business objectives.
b. Review of the cloud governance model and cloud risk management approach as per the requirement of the RE. However, the review shall be mandatorily conducted at least once every year.
c. Setting up the administrative responsibility of senior management.
2. Role of Senior Management: The senior management shall be responsible for:
a. Preparation of, and adherence to, various policies related to cloud adoption.
b. Periodic assessment of cloud deployments and mitigation of risks arising out of the same.
c. Continually monitoring and responding to the risks, and intimating the same to the Board in a timely manner.
d. Assessment, at least o .....

..... egistration outside of India, exposes the RE to country risk. To manage such risk, wherever applicable, the RE shall closely monitor the CSP's country's government policies and its political, social, economic and legal conditions on a continuous basis, and establish sound procedures for mitigating the country risk. This includes, inter alia, having appropriate contingency and exit strategies. In principle, arrangements shall only be entered into with parties operating in jurisdictions generally upholding confidentiality clauses and agreements. The governing law of the arrangement shall also be clearly specified.
viii. Contingency: The RE shall have appropriate contingency and exit strategies. The RE shall ensure that the availability of records to the RE and the supervising authority is not affected under any circumstances, even in case of liquidation of the CSP.
ix. Miscellaneous: Any other risk factors deemed relevant/ material by the RE.

Principle 2: Selection of Cloud Service Providers
2. Selection of CSPs: The RE shall ensure that the following conditions are met while choosing any Cloud Service Provider (CSP):
i. The storage/ processing of data (DC, DR, .....

..... e not affected by adoption of cloud services, the storage/ processing of data (DC, DR, near DR etc.), including logs and any other data/ information pertaining to the RE in any form in cloud, shall be done as per the following conditions:
1. The data should reside/ be processed within the legal boundaries of India.
2. However, for the investors whose country of incorporation is outside India, the REs shall keep the original data/ transactions/ logs available and easily accessible, in legible and usable form, within the legal boundaries of India.
The RE shall ensure that the above-mentioned requirements are fulfilled at all times during adoption/ usage of cloud services.
iv. It is to be noted that the REs are ultimately responsible and accountable for the security of their data (including logs)/ applications/ services hosted in cloud, as well as for ensuring compliance with laws, rules, regulations, etc. issued by SEBI/ Government of India/ respective state government. Accordingly, the RE shall put in place an effective mechanism to continuously monitor the CSP and comply with the various regulatory, legal and technical requirements notified by SEBI or any other Government authority from time to t .....

..... and CSP (and MSP/SI wherever applicable), there should be a clear delineation and fixing of responsibility between the RE and the CSP (and MSP/SI wherever applicable) for each sub-task/ line-item within the clause. This delineation shall also be added explicitly in the agreement (as an annexure) signed between the RE and the CSP (and MSP/SI wherever applicable).
v. In view of the fact that a CSP is not an RE, the RE shall continue to have ultimate responsibility and liability for any violation of the laws, rules, regulations, circulars, etc. issued by SEBI or any other authority under any law, regardless of any delineation/ demarcation of responsibilities envisaged in the aforesaid paragraphs.

Principle 5: Due Diligence by the Regulated Entity
5. Due Diligence by the RE (with respect to CSPs):
i. The REs should evaluate the need, implications (financial, regulatory, etc.), risks, benefits, etc. of adopting cloud computing. The RE shall also conduct its due diligence with respect to CSPs beforehand and on a periodic basis, to ensure that the legal, regulatory, business objectives, etc. of the RE are not hampered. The due diligence shall be risk-based, depending on the critic .....

..... ty, data privacy, etc.
9. The CSP's ability to ensure compliance with this framework as well as all applicable rules/ regulations/ circulars issued by SEBI from time to time.
10. Any other additional criteria that the RE considers appropriate/ as per the RE's requirement.

Principle 6: Security Controls
6. Security Controls [For CSPs offering PaaS/ SaaS services, in the event any particular security control does not apply to their specific deployment model, such CSPs have to ensure that their vendor/ partner/ sub-contractor providing the underlying infrastructure/ platform fulfils the requirement of the security controls. The RE shall deploy the services of only those PaaS/ SaaS providers which have a back-to-back, clear and enforceable agreement with their vendor/ partner/ sub-contractor for the same.]: The RE shall ensure its compliance with the applicable circulars (for example cybersecurity circular, systems audit circular, DR-BCP circular, etc.)/ guidelines/ advisories, etc. issued by SEBI. Further, in reference to the security controls for adoption of cloud computing [An indicative mind-map of security controls for cloud deployments is given in Appendix-B], t .....

..... ey management is being done by the CSP for platform level encryption (for example, full disk encryption or VM level encryption), the RE shall assess and ensure that the entire key lifecycle management is being done by the CSP in a secure manner.
v. Secure User Management [Any type of access/ user provided to SEBI/ any law enforcement agency of Government of India or state government shall be exempt from this clause]: Wherever the user management is done by the CSP, the RE shall ensure that role based access and rule based access are strictly followed by the CSP for its resources, and that access is based on the principle of least privilege. The following shall also be ensured:
1. Administrators and privileged users shall be given only minimal administrative capabilities, for a pre-defined time period, and in response to specific issues/ needs.
2. With respect to administrative privileges/ users, the following shall also be followed:
a. All administrative privileges/ users shall be tracked via a ticket/ request by the CSP, and the same shall be provided to the RE on request. Further, the RE shall also track any additional privilege granted to any user by the CSP.
b. Acces .....

..... n the Cloud: The RE shall perform a risk-based assessment and place adequate controls depending on the criticality of the data/ services/ operations (placed in the cloud environment) under the purview of the RE. Some of the common controls (including but not limited to) that the RE shall put in place are:
6.2.1. Vulnerability Management and Patch Management: The RE shall have a well-defined Vulnerability Management policy in place and should strictly adhere to the same. The policy should also address the vulnerability management aspects of the infrastructure/ services/ etc. managed by the RE in the cloud. The components managed by the RE shall be up to date in terms of patches/ OS/ version etc. The patch management policy shall also mandate timely patch application.
6.2.2. Vulnerability Assessment and Penetration Testing (VAPT): The VAPT activity undertaken by the RE should cover the infrastructure and applications/ services hosted by the RE on cloud. The VAPT tactics, tools and procedures should be fine-tuned to test and assess cloud native risks and vulnerabilities. VAPT should also be conducted before commissioning of any new system. Additionally, the VAPT activity sha .....

..... manage the account of the RE assigned by the CSP.
ii. To mitigate the risks, the interface shall have Two Factor Authentication (2FA)/ Multi Factor Authentication (MFA). For additional security, measures such as dedicated leased lines may be explored. The access logs and access list of the interface should be strictly monitored (by the RE and CSP). The traffic to and from the interface shall be regulated through firewall, Intrusion Prevention System, etc.
6.2.6.2. Internet facing interfaces: Any interface which is exposed to the public at large on the internet in the form of a service/ API/ etc. is considered an internet facing interface. Adequate security controls such as IPS, Firewall, WAF, Anti-DDOS, API gateways etc. should be in place, and additional controls such as 2FA authentication and SSL VPN solutions shall also be considered.
6.2.6.3. Interfaces connected between REs/ relevant organizations (through P2P or LAN/ MPLS etc.) and the CSP: Security controls such as IPS, Firewall, WAF, Anti-DDOS, etc. shall be in place, and additional controls such as IPSEC VPN shall be adopted, wherever necessary, to secure such interfaces.
6.2.7. Secure Software Development .....

..... ll be adopted, which ensures that the RE retains the control and management of cryptographic keys that would be uploaded to the cloud to perform data encryption.
b. Bring Your Own Encryption (BYOE) approach shall be followed by the RE.
2. In case the BYOK and BYOE approaches (as given above) are not implemented by the RE, the RE shall conduct a detailed risk assessment and implement appropriate risk mitigation measures to achieve functionality/ security equivalent to the BYOK and BYOE approaches.
3. Generating, storing and managing the keys in a Hardware Security Module (HSM) shall be implemented in a dedicated HSM to have complete control of key management. However, it is to be noted that the HSM should be designed in fault tolerant mode, to ensure that failure of the HSM does not have an impact on data retrieval and processing.
6.2.10. End Point Security: The RE shall ensure that data security controls in the nature of anti-virus, Data Leak Prevention (DLP) solution etc. are installed and configured on the cloud deployments for effective data security. The RE shall also evaluate the baseline security controls provided by the CSP and may demand additional c .....

..... s offering PaaS/ SaaS services, REs shall deploy the services of only those CSPs which have a back-to-back, clear and enforceable agreement with their vendor/ partner/ sub-contractor providing their underlying infrastructure/ platform for fulfilling the requirements provided in this Principle.]:
i. A clear and enforceable cloud service provider engagement agreement should be in place to protect the RE's interests, risk management needs, and ability to comply with supervisory expectations.
ii. The contractual/ agreement terms between the RE and CSP shall include provisions for audit, and information access rights for the RE as well as SEBI, for the purpose of performing due diligence and carrying out supervisory reviews. The RE shall also ensure that its ability to manage risks, provide supervision and comply with regulatory requirements is not hampered by the contractual terms and agreement with the CSP.
iii. The contract/ agreement shall be vetted from a legal and technical standpoint by the RE. The agreement shall be flexible enough to allow the RE to retain adequate control over the resources which are onboarded on cloud. The agreement should also provide the RE the r .....

..... rs) to fulfil all the requirements provided in various applicable circulars/ regulations issued by SEBI, and the same shall be ensured by the RE.
5. The RE shall ensure that appropriate clauses/ terms (including SLA clauses) are added in the agreement (signed between the RE and CSP) to enforce the above-mentioned audit/ VAPT requirements.
vi. The contract/ agreement should have adequate provisions regarding the termination of the contract with the CSP, and appropriate exit strategies to ensure a smooth exit without hindering any legal, regulatory or technical obligations of the RE.
vii. As part of the exit strategy, a clear expunging clause shall be defined in the agreement with the CSP, which shall state that whenever the RE intends to expunge the data, the CSP shall securely and permanently erase the RE's data in disks, backup devices, logs, etc., and no data shall remain in recoverable form. However, it is the responsibility of the RE to ensure that the minimum retention requirements for data (including logs) as prescribed by SEBI/ Government of India/ respective state government are met, and that the required data, logs, etc. are archived, even if the RE moves out of the cloud/ changes CSPs. .....

..... party.
11. Specifying the resolution process for events of default, insolvency, etc., and the indemnities, remedies, and recourse available to the respective parties.
12. Contingency plan(s) to ensure business continuity planning, RPO/ RTO, and recovery requirements.
13. Provisions to fulfil the search and seizure requirements (as provided above in this principle) and audit/ VAPT requirements (as provided above in this principle).
14. Right to seek information (by the RE/ SEBI) from the CSP about the third parties (in the supply chain) engaged by the CSP.
15. Clauses making the CSP contractually liable for the performance and risk management practices of its sub-contractors.
16. Obligation of the CSP to comply with directions issued by SEBI in relation to the activities of the RE onboarded on cloud.
17. Termination rights of the RE, including the ability to transfer the proposed cloud onboarding assignment to another CSP in an orderly manner, if necessary or desirable.
18. Obligation of the CSP to co-operate with the relevant authorities in cases involving the RE as and when required.
19. Clauses for performing risk assessment by the CSP with respect to .....

..... accountable for all aspects related to the cloud services adopted by it, including but not limited to availability of cloud applications, confidentiality, integrity and security of its data and logs, and ensuring the RE's compliance with the applicable laws, rules, regulations, circulars, etc. issued by SEBI/ Government of India/ respective state government.
2. The RE shall explicitly and unambiguously specify the party (RE or CSP/ MSP/ SI) which is responsible for ensuring compliance with each clause of the applicable SEBI circulars (for example cybersecurity circular, systems audit, etc.) in its audit reports. There shall be no joint/ shared ownership for any of the clauses. In case the responsibility of ensuring compliance (for any clause) rests with both parties, the task shall be split into sub-tasks/ line-items, and for each sub-task/ line-item, the responsible party shall be indicated in the report.
3. The RE shall ensure that the demarcation/ delineation of responsibilities is provided for each clause of the applicable SEBI circular(s).
4. In view of the above requirements, as well as to ensure effective monitoring of cloud deployments by REs, reporting of comp .....

..... ion of cloud-ready and CSP-agnostic solutions (such as implementing multi-cloud ready solutions) which can facilitate the RE in migrating the solutions as and when necessary, with minimal changes. Exit strategies shall be developed, which should consider the pertinent risk indicators, exit triggers, exit scenarios, possible migration options, etc.
iii. The RE shall also take measures to implement data portability and inter-operability as part of the exit/ transfer strategy.
iv. In order to mitigate the risk arising due to failure/ shutdown of a particular CSP, and to limit the impact of any such failure/ shutdown on the securities market, SEBI may specify concentration limits on CSPs (thereby setting a limit on the number of REs that a CSP may provide its services to).

10. Recommendations:
i. An RE may opt for any model of deployment on the basis of its business needs and technology risk assessment. However, compliance should be ensured with this cloud framework as well as other rules/ laws/ regulations/ circulars made by SEBI/ Government of India/ respective state government.
ii. REs are solely accountable for all aspects related to the cloud services adopted by them, inc .....

..... ices between the RE and CSP (and MSP/SI wherever applicable). There shall be no joint/ shared ownership for any function/ task/ activity between the RE and CSP. If any function/ task/ activity has to be performed jointly by the RE and CSP, there should be a clear delineation and fixing of responsibility between the RE and the CSP (and MSP/SI wherever applicable) for each sub-task/ line-item within the task. The same should be a part of the agreement (as an annexure) between the RE and the CSP (and MSP/SI wherever applicable).
vi. Similarly, there should be an explicit and unambiguous delineation/ demarcation of responsibilities between the RE and CSP (and MSP/SI wherever applicable) for ensuring compliance with respect to circulars (for example cybersecurity and cyber resilience circular, outsourcing circular, BCP-DR etc.) issued by SEBI from time to time. There shall be no joint/ shared ownership for ensuring compliance with respect to any clause. If compliance for any clause has to be jointly ensured by the RE and CSP (and MSP/SI wherever applicable), there should be a clear delineation and fixing of responsibility between the RE and the CSP (and MSP/SI wherever applicable) fo .....

..... ct/ agreement with the CSP) mandating that the CSP extends full cooperation to SEBI while conducting the above-mentioned activities.
x. The cloud framework should be read along with the circulars (including circulars on outsourcing, cybersecurity, BCP-DR, etc.), directions, advisories, etc. issued by SEBI from time to time.
xi. Transition Period:
1. For the REs which are not utilizing any cloud services currently, the framework shall be applicable/ come into force from the date of issuance.
2. For the REs which are currently utilizing cloud services, up to 12 months shall be given to ensure their compliance with the framework. Additionally, such REs shall provide regular milestone-based updates as follows (SN., Timeline, Milestone):
1. Within one (1) month of issuance of framework: REs shall provide details of the cloud services, if any, currently deployed by them.
2. Within three (3) months of issuance of framework: The REs shall submit a roadmap (including details of major activities, timelines, etc.) fo .....
