Cloud Computing Compliance

Cloud computing is taking up an increasingly integral role in people’s daily lives, as individuals functioning in the physical world or in the virtual sphere shift to web-based services “up in the cloud”. The wide-ranging benefits generally associated with cloud computing, such as high availability, high scale and a highly secure environment, have given firms game-changing business capabilities and have accelerated commercial and social innovation. Cloud services, however, are hardly a perfect solution: mistakes at any stage of the adoption process tend to generate time-consuming and costly consequences.

Among the several definitions of cloud computing proposed globally, TRAI in its Consultation Paper has referred to the definition adopted by the U.S. Department of Commerce, according to which cloud computing is a model enabling ubiquitous network access to a shared pool of configurable computing resources. Cloud services are therefore essentially internet-based services which the customer may use on any connected device, unlike the traditional model, where for example a piece of software could be used only from the device on which it was physically installed.

Cloud computing refers to internet-based computing that allows organizations to access a pool or network of computing resources that are owned and maintained by a third party via the internet, on a use-and-pay basis. In other words, it is a model enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

In the cloud service environment, there are three main stakeholders: the cloud service provider (CSP), which could be an individual or a corporation, the customer (either individual or corporation) and the telecom service provider (TSP) / internet service provider (ISP).

Cloud compliance is the general principle that cloud-delivered systems must comply with the standards that the cloud customer is subject to. This is a very important issue with new cloud computing services, and it is something that many IT professionals look at very closely. Cloud compliance issues arise as soon as you make use of cloud storage or backup services. By moving data from your internal storage to someone else's, you are forced to examine closely how that data will be kept so that you remain compliant with laws and industry regulations. Cloud compliance is about complying with the laws and regulations that apply to the use of the cloud. Most organizations are moving to the cloud because there are good business reasons to do so. The law does not prevent the adoption of the cloud, but it does have a significant impact. When moving to the cloud it is important to know in which countries your data will be processed, what laws will apply and what impact they will have, and then to follow a risk-based approach to comply with them. It is also important to know what security measures the law requires you to put in place.

Existing Legal Framework and Amendments proposed by TRAI
  1. Cloud computing services are primarily regulated (though indirectly) by the IT Act and Privacy Rules. In addition to the IT Act and Privacy Rules, the use of cloud computing in the banking and insurance sectors is subject to specific restrictions.
  2. The RBI’s guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by Banks, read along with the Report of the Working Group of RBI on Electronic Banking, set out specific requirements to be complied with by banks while engaging cloud service providers. These requirements relate, inter alia, to vendor selection, data security, the form of agreement, business continuity and disaster recovery or management practices.
  3. The Insurance Regulatory and Development Authority of India’s Guidelines on Information and Cyber Security for Insurers require insurers to comply with requirements, inter alia, in relation to data, application and network security, incident management, and information security audit while using services from a cloud service provider.
  4. The government retains the authority to intercept any information transmitted through a computer system, network, database or software for the prevention of serious crimes or under grave circumstances affecting public order and national security.
  5. There is no legislation in India that specifically recognises cloud computing. However, cloud computing services would fall under the ambit of the following:
    1. ‘Cloud services’ have been specifically recognised under the Integrated Goods and Services Tax Act 2017 (the GST Act) under ‘online information and database access or retrieval services’ and therefore the services rendered by cloud services providers would be subject to goods and services tax.
    2. Section 43A of the Information Technology Act 2000 (the IT Act) read with the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 (the Privacy Rules) provide guidelines for the collection, use and protection of any sensitive personal data or information of natural persons by a body corporate that possesses, deals with or handles such data. The IT Act and the Privacy Rules together set out the regulatory framework for the creation, collection, storage, processing and use of electronic data (including personal and sensitive personal information recorded in electronic form) in India. Cloud computing services that deal with personal or sensitive personal information need to comply with the requirements set out under the Privacy Rules relating to security, encryption, access to the data subject, disclosure, international transfer and publication of policy statements. Cloud service providers in India may also be required to comply with the Information Technology (Intermediaries Guidelines) Rules 2011 (Intermediary Guidelines) prescribed under the IT Act.
    3. The government of India has published a Personal Data Protection Bill, 2018 (the Bill) which, if notified, will overhaul the existing privacy and data protection framework in India. The Bill is in many respects similar to the EU’s General Data Protection Regulation and, inter alia, increases the stringency of the obligations and corresponding penalties governing data protection from a customer perspective. The Bill also sets high standards for the processing of personal data within India and abroad and is expected to replace or amend the IT Act and the Privacy Rules in these respects.

TRAI had issued recommendations on ‘Cloud services’ in August 2017 which were adopted by the government in September 2018. These recommendations covered subjects such as the legal and regulatory framework for cloud services, a comprehensive legal framework for data protection, interoperability and portability, a legal framework for CSPs operating in multiple jurisdictions, cost-benefit analysis, etc. In September 2018, the Department of Telecommunications (DoT) sought additional recommendations from TRAI on the terms and conditions of the industry body, eligibility, entry fee, the period of registration and the governance structure. This consultation paper is TRAI’s response to DoT’s request. The existing guidelines are as follows:

  1. All CSPs are to become a member of one of the registered industry bodies for cloud services and should accept the code of conduct prescribed to them. The code of conduct shall include provisions such as the adoption of a constitution binding its members, membership, the creation of working groups, and mandatory codes of conduct, standards or guidelines that specifically include:
    1. QoS (Quality of Services) parameters
    2. Billing models
    3. Data security
    4. Dispute resolution framework
    5. Model SLA
    6. Disclosure framework
    7. Compliance with its codes and standards
    8. Compliance with guidelines
    9. Directions or orders issued by DoT
    10. Providing requisite information in stipulated timelines when sought by DoT/TRAI
  2. No restrictions should be imposed on the number of such industry bodies to ensure that there is freedom in functioning.
  3. DoT may issue instructions to such an industry body whenever it needs it to perform certain functions, along with the procedures to be followed.
  4. DoT may withdraw registration if it finds instances of breach of, or non-compliance with, the directions or orders issued.
  5. DoT is to keep a close watch on the functioning of the body to ensure transparency and fair treatment of its members.
  6. A Cloud Service Advisory Group (CSAG) is to be created, consisting of representatives from state IT departments, MSME associations, consumer advocacy groups, industry experts and representatives from law enforcement agencies.

The Telecommunications Authority of India (TRAI) has invited comments on a consultation paper that aims to provide a framework for the registration of an industry body for cloud service providers (CSPs). The paper covers issues such as eligibility criteria for registration, obligations, membership policy and other policy issues related to the governance structure of the cloud service providers’ industry body. Comments can be sent until November 20 and counter-comments until December 4.