Cloud adoption has been pivotal for financial institutions that need data management. Organizations are spending more on cloud computing technologies nowadays. For example, Gartner predicts the spending on public cloud services to reach US$600 Bn by 2023. One of the significant costs for which organizations spend more is cloud security. Data regulations, like PCI-DSS and GDPR, ensure better data protection for financial transactions. Likewise, India has specific guidelines for regulated entities (REs) overseen by the Securities and Exchanges Board of India, or SEBI.
SEBI has introduced a framework for such REs to adopt cloud-based infrastructure and technologies. The main objective of the framework is to ensure all the critical risks of data leaks are identified and addressed while adopting cloud computing. So, compliance with SEBI guidelines is crucial if you are a regulated entity using a cloud service like AWS. This article will focus on the framework, the new set of guidelines released on 6th March 2023, and how to ensure you follow all the SEBI guidelines for REs on AWS.
Overview of SEBI Regulations
On November 9th, 2022, SEBI introduced a framework for regulated entities highlighting key risks and measures for information access while adopting cloud-based solutions. Regulated entities that need to comply with these SEBI guidelines are,
- Stock exchanges and stockbroker companies
- Clearing corporations and depositories
- Asset management companies
- Boards of trustees of mutual funds
- Association of Mutual Funds in India (AMFI),
- KYC Registration Agencies,
- Qualified Registrars to an Issue
SEBI’s framework for cloud computing
According to this cloud framework, there are no limitations to the deployment model for businesses, and REs can adopt cloud computing based on their requirements. REs can choose to outsource the IT services with a cloud-based solution but need to be accountable for all the aspects, like,
- Confidentiality
- Data security,
- Compliance with the SEBI guidelines
- Access control,
- Data privacy of users.
Cloud computing technologies allow financial institutions to manage massive data through servers, storage, networks, and software services. SEBI’s guidelines are designed to safeguard the information regulated entities store using cloud computing services.
Types of security threats and challenges regulated entities face
Regulated Entities face many security threats like malware, ransomware, social engineering, and more.
Phishing attacks
REs can face phishing attacks with attackers targeting internal employees through social engineering practices. These attackers gain access to sensitive data through access to internal employee credentials. Employees are tricked into clicking on some links received through email or other mediums to gain access to the credentials.
Malware
Malware attacks can be invasive and cause massive data leaks. Regulated entities can face such attacks due to remote code injections or access to backdoor vulnerabilities for attackers on the servers’ hosting data.
Ransomware
Such attacks happen due to specific user data being stolen by attackers through system vulnerabilities. Attackers ask for a ransom to release the data to users or organizations.
SQL injections
SQL injections can expose data and compromise the integrity of systems. It is a type of vulnerability that allows attackers to execute malicious SQL statements on your database, especially if user data is concatenated with the SQL commands. Attackers can gain access and execute attacks.
Other challenges that most REs face apart from the cybersecurity attacks are
- Protection of intellectual property rights, licenses, or contracts of the data owners is a massive challenge in maintaining compliance.
- Maintaining security across multiple architectures, platforms, programming languages, and different applications can be a challenge.
- Coping with the ethical and legal conders of storing sensitive information.
Guidelines for Cloud Service Providers (CSPs)
SEBI has specific guidelines for CSPs that you need to keep in mind while choosing one for your business.
- Conduct risk assessment and due diligence before selecting a cloud service provider (CSP).
- Ensure all the data ownership terms are checked before entering into a service level agreement (SLA) with CSP.
- Ensure that the CSP complies with the SEBI regulations in India and data regulations from other international regulatory standards like, HIPAA and PCI-DSS.
- CSP has no adverse impact on the security, confidentiality, integrity, and availability of the data and systems of the Regulated Entities.
- Need adequate access and control over data and systems hosted on the cloud.
- Implement security measures such as encryption, authentication, firewall, and backups.
- Monitor and audit the security of their AWS cloud services regularly and report incidents or breaches to SEBI within 24 hours.
- Maintain all the records of cloud services and data transactions for at least five years.
- Make all the records available to SEBI or other authorities.
Complying with the above guidelines is essential for your organization. This is why you must choose a CSP with enhanced cloud security features. Amazon Web Services, or AWS, comes with tons of features that ensure high-performance cloud computing and secure infrastructure. AWS can provide regulated entities with many advantages, including
- Better scalability – features to adjust computing capacity as required without costly hardware or software requirements.
- Enhanced security – has various layers for data and application security, including encryption, firewalls, access control, and compliance audits.
- Cost efficiency – is higher because Regulated Entities need to pay only for the resources they use.
Nonetheless, AWS also presents some risks and challenges for regulated entities, such as:
- AWS must meet the legal and regulatory requirements of SEBI guidelines.
- Regulated Entities need to consider the impact of AWS services on data privacy and protection obligations.
- Regulated entities may struggle to migrate their data and applications from AWS to another cloud provider.
Apart from the risks of vendor lock-in or legal concerns, regulated entities must consider the new set of guidelines released by SEBI on 6th March 2023.
SEBI’s New Framework of Cloud Adoption for Regulated Entities
SEBI’s guidelines for entities under its regulation utilizing cloud services, issued on March 06, 2023, comprise a set of regulations to ensure the security and compliance of data and systems hosted on cloud platforms. The guidelines encompass the following facets:
Data Storage, Data Protection Requisites, and Access Control Measures.
The guidelines mandate that all data concerning regulated entities (REs) should be domiciled and processed within the geographical confines of India. REs should have unfettered dominion and oversight over their data.
The guidelines further require REs to effectuate encryption, masking, anonymization, and other data protection techniques. Moreover, REs should practice rigorous access control policies and mechanisms to ensure higher security for data on cloud platforms.
Requisites for data backups and disaster recovery
The guidelines require REs to have a comprehensive data backup and disaster recovery blueprint for their cloud-based systems. Further, cloud service providers must have adequate backup and recovery capabilities. REs should be able to switch between different CSPs in case of interruption or failure.
Optimal practices for managing AWS privileges
The guidelines recommend REs abide by the principle of least privilege for granting permissions to AWS resources. Further, it emphasized using role-based access control (RBAC) to assign roles and responsibilities to different users and groups.
The new guidelines suggest using multi-factor authentication (MFA) for accessing AWS accounts with regular audits.
Leveraging Cloudlytics CSPM for Adherence to SEBI’s New Framework
Cloudlytics cloud security posture management (CSPM) is a solution that enables entities registered with SEBI to comply with guidelines for data storage, protection, and access control. It facilitates continuous security assessment improving compliance with SEBI’s new framework.
- Implementing Cloudlytics CSPM helps regulated entities to encrypt data using AWS KMS and AWS S3.
- It satisfies SEBI’s data protection requirements by enabling backup and disaster recovery using AWS Backup and AWS S3 Glacier.
- AWS IAM and AWS Organizations help meet SEBI’s access control requirements.
Cloudlytics CSPM also provides real-time monitoring, analysis, and reporting on security risks across AWS accounts and resources. It meets SEBI’s reporting requirements by generating audit logs and reports using AWS CloudTrail and AWS Config. Cloudlytics CSPM adheres to the principle of least privilege and employs AWS Security Hub and AWS GuardDuty to manage AWS privileges in compliance with best practices.
Benefits of Cloudlytics CSPM for SEBI-registered Entities on AWS Cloud
- Improve your security posture by persistently monitoring and remedying misconfigurations, vulnerabilities, and threats throughout your AWS resources and accounts.
- Customization of RBAC policies and reports to your specifications will bolster efficacy.
- Enhance your visibility and control with a centralized view of the cloud environment.
- Optimize your cloud usage and minimize costs with granular and actionable insights
Conclusion
Regulated entities operating on the AWS cloud must comply with SEBI guidelines to ensure improved security, governance, and performance. However, meeting these requirements presents various challenges. You can use Cloudlytics, an intelligent CSPM tool, to eliminate cybersecurity risks, automate compliance checks, generate reports, and send alerts for violations. Further, you can use such a tool to ensure data management and security. So, if you’re an AWS cloud-based regulated entity seeking to attain SEBI compliance with ease and confidence, reach out to us today for more information.