Welcome Guest Login | Register | Site Map | | Make TelecomTiger my homepage     
Telecom News
Enterprise |  Policy & Regulation |  Mobiles & Tabs |  Corporate |  VAS |  People Movement  |  Technology  |  LTE

Blog

 
 



Reimagining Cloud Security in the Indian Context

Dr. Debabrata Nayak, Chief Security Officer - Huawei Telecommunications (India) Co., Pvt. Ltd.
 
  Dr. Debabrata Nayak |  | 23/12/2016

Reimagining Cloud Security in the Indian Context

 

Enterprises are leveraging the power of software to modernise their IT infrastructure to run operations with tranquility, drive extreme automation, re-imagine legacy business processes and remain agile through an ideal mix of public, private and hybrid clouds. All this, while proactively countering the growing security threat landscape and optimising the cost of operations.

In this emergent Indian cloud ecosystem, Security, Privacy and Trust Challenges are increasingly relevant. Therefore, cloud computing is of increasing interest and importance to policymakers, regulatory authorities, telecom operators and enterprises.

                                       

Opportunities and threats

 

First and foremost, the Indian regulator needs to develop a pan-Indian ‘cloud strategy’ that will serve to support growth and jobs and build an innovation advantage for India. However, the concern is that currently a number of challenges and risks with respect to security, privacy and trust exist that may undermine the attainment of these policy objectives.

 

At the outset itself, it will be important to undertake an analysis of the technological, operational and legal intricacies of cloud computing, taking into consideration the Indian dimension and the interests and objectives of all stakeholders (citizens, individual users, companies, cloud service providers, regulatory bodies and relevant public authorities).

 

This article represents an evolutionary progression in understanding the implications of cloud computing for security, privacy and trust. As such, we intend to offer additional value for policymakers beyond a comprehensive understanding of the current theoretical or empirically derived evidence base which will understand the cloud computing and the associated open questions surrounding some of the important security, privacy and trust issues.

 

Enterprises should evaluate and manage the security of their cloud environment with the goal of mitigating risk and delivering an appropriate level of support. These include: ensuring effective governance, risk and compliance processes; audit operational and business processes; manage people, roles and identities; include  proper protection of data and information and implementing  privacy policies; assess the security provisions for cloud applications; and understand the security requirements of the exit process

Managing the new cloud environment

Data is at the core of information security concerns for any organisation, whatever the form of infrastructure that is used.  Cloud computing does not change this, but cloud computing does bring an added focus because of the distributed nature of the cloud computing infrastructure and the shared responsibilities that it involves.  Security considerations apply both to data at rest (held on some form of storage system) and also to data in motion (being transferred over some form of communication link), both of which may need particular consideration when using cloud computing services.

There are two categories of accounts in cloud platform operation and maintenance: one is the operation and maintenance staff personal accounts, such accounts can be used user ID to log identifies VPN, fortress machine, and achieve strong audit log. Another is a technical account, such an account is a shared account. For routine or emergency operation and maintenance, it can be bound to an individual or operation and maintenance team.

There are a growing number of specifications and standards which relate to privacy and the protection of PII. One of the most significant for the use of cloud services is ISO/IEC 27018 – "Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors." As its title implies, it specifically covers public cloud services which are processing PII. ISO/IEC 27018 is based on the ISO/IEC 27001 information security management system standard and on the set of security controls found in the ISO/IEC 27002 standard. These standards provide the underlying security foundation for the processing of PII in a cloud service. ISO/IEC 27018 extends these standards with an additional set of controls based on the privacy principles of the ISO/IEC 29100 standard – Privacy Framework, which describes the processing of PII generally and which should itself also be consulted by cloud service customers: From a security perspective, it is important that once the customer has completed the termination process, "reversibility" or "the right to be forgotten" is achieved - i.e. none of the customer's data should remain with the provider. 

The provider must ensure that any copies of the data are wiped clean from the provider's environment, wherever they may have been stored (i.e. including backup locations as well as online data stores).  Note that other data held by the provider may need "cleansing" of information relating to the customer (e.g. logs and audit trails), although some jurisdictions may require retention of records of this type for specified periods by law.

If the above are implemented well, then Indian enterprises will be able to leverage the best of the cloud environment in an Indian context.

    
 mail this article    print this article    Show and Post Comment
  
 Comments
  Comment

 

Name (required)  
Email address (required)    
Whitepaper
Maintain Business Continuity with Cisco ASR 9000 nV Technology
It is a virtual chassis solution where a pair of ASR 9000 routers acts as a single device by maintaining a single contr...read more
Simplify Your Network with Cisco ASR 9000 nV Technology
With the new Cisco Network Virtualization (nV) technology in the Cisco ASR 9000 Series Aggregation Services Routers, se...read more
Cisco Small Cell Solution: Reduce Costs, Improve Coverage
It is designed to address the challenge of mobile service coverage and to expand network capacity...read more
Other Blog
Over legislation is the biggest problem of telecom industry, says B K Syngal
Vodafone-Idea merger: There should be no Spectrum cap for airwaves acquired through auction, says B K Syngal
Reliance Jio’s strategy of free services has boomeranged, high end customers have left it
Reliance JIo: It may not be a repeat of Monsoon Hungama
The war between Reliance Jio and incumbent operators is following the same old path, with new arguments
Reliance Jio: there is no such thing as a free lunch
Government and consumers to be the biggest beneficiaries of Reliance Jio’s 4G services
Mukesh Ambani’s Reliance Jio responds to the charges of incumbent Cellular Operators led by Sunil Mittal’s Bharti Airtel
Is full mobile number portability (MNP) another big scam? B K Syngal argues that decision to implementation MNP will help only Telcordia and Syniverse and will burden consumers with unnecessary costs
Mismanagement of business by Indian telcos like Tata Teleservices is the real cause of flight of foreign capital and not policy paralysis, argues B K Syngal
The Opportunity That the Telcos Missed
Vodafone tax evasion case and its historical FDI pattern is a classical example of crony capitalism
Disrupt or be Disrupted: Telcos begin upcycling metadata to level US-based OTTs
Telecom operators want everything free in the name of consumers, comments Syngal on spectrum auction
India's Tryst with Broadband
Stitch in time to save ‘churn’!
The Real Scam