Professional Documents
Culture Documents
The Role of MSSPs
The Role of MSSPs
CONTENTS
Introduction
04
Cloud Security Market in India
05
Typical Cloud Journey - Driver, Challenges & Outcomes
06
Industry Lens for drivers of Cloud Adoption &
Cloud Security considerations
11
Role of Managed Security Service Providers (MSSPs)
14
Modified Shared Responsibility Matrix
16
Final Observations & Remarks
18
INTRODUCTION
Since the COVID-19 lockdown digital transformation is quickly becoming a business imperative. It is no
longer just good to have, now that organizations need to engage digitally with their customers. Cloud
adoption is one of the technology areas that has seen growth during pandemic, given that it is one of the
best ways that IT leaders can solve the paradox of investing in digital transformation and cost optimiza-
tion.
However, the move to the cloud is not without concerns and complications, with security being recog-
nized as one of the key challenges to successful cloud adoption. This paper discusses the key drivers,
challenges with the cloud adoption and the role that Managed Security Service Providers (MSSP) play in
an organization’s cloud journey.
4
CLOUD SECURITY MARKET
IN INDIA
NASSCOM1 predicts that by 2022, IaaS market in India will be about USD 2.4bn, which will be about
2.4% of global market. Similarly, SaaS market in India will be around USD 3.4bn by 2022,
making it about 2.6% of global SaaS market.The total cloud market is expected to be USD 7.1bn in
2022. Among the sectors, BFSI and telecom sectors lag in cloud service adoption due to apprehensions
towards cloud security. Government sector leads the cloud adoption, representing 12-15% of total cloud
spend in India. Other sectors, besides Government sector, that are adopting cloud computing rapidly in
India are e-commerce, IT/ITeS.
• Digital India: India has over 48.08 million registered users on DigiLocker (October 2020 -
DigiLocker.gov.in), USD 24.3 bn digital payment transactions (January 2019 - Meity Report2) and multiple
digital platforms such as UPI, eKYC and Aadhaar. India is amongst the top 2 countries on many
dimensions of digital adoption such as smartphone adoption, internet subscribers, etc.
• Smart City: With multiple projects to push smart cities across many states, cloud adoption has rapidly
increased in India. Smart cities have multiple projects such as – smart transportation, smart security,
smart grid, e-Government initiatives, smart parking etc. that depends on data centers and cloud-based
services.
• Private Sector: The pandemic has pushed many organizations to adopt remote working solutions for
business continuity. To ensure business continuity in the new normal, organization are shifting focus from
CAPEX to OPEX leading to acceleration in cloud adoption.
1. This growth in cloud market is driving the growth in the cloud security market. Overall
the cloud security market in India grew 300% in the year 2018-2019 and is expected to
grow between 150-200% in the year 2019-2020.3
2. Global cloud security market is expected to grow at CAGR of 23-25%4 from 2019 to 2027
and is expected to reach USD 37bn by 2027.
1
Cloud – Next wave of growth in India, 2019 – NASSCOM. According to the report, cloud spending includes domestics spend on SaaS, IaaS (only public Cloud), PaaS, Cloud business process
services and Cloud management and security services.
2
January 2019 - Meity Report https://www.meity.gov.in/writereaddata/files/india_trillion-dollar_digital_opportunity.pdf
5 3
Gartner – Press Release - https://www.gartner.com/en/newsroom/press-releases/2019-08-26-gartner-forecasts-enterprise-information-security-spe
4
Analysts such as verifiedmarketresearch.com and marketsandmarkets.com estimates CAGR to be little over 25%, while alliedmarketresearch estimates CAGR to be about 23%.
TYPICAL CLOUD JOURNEY
DRIVERS, CHALLENGES & OUTCOMES
> Inherent benefits > Initial data > Procurement of > Robust cloud > Leveraging cloud
of cloud tech security and tech and security policy computing
enforcement privacy concerns implementation of > Availability of capabilities
availability and and organizational security controls ionternal external > Elevated customer
resiliency readiness > Security monitoring, security skill. experience
• Scale, changing > Lack of Operations and • Change mgmt Agile development
delivery models and availability of diverse security • Risk quantification and reduce time to
agility internal skills to skillsets > Effective market
manage cloud > Managing service management of :
> Surge in customer operations and > Improved business
demand continuity during • E2E Cloud reach
ocerall transformation security operations
> Business transformation. and administration > Advanced
compretition and > System and app portability and
> Roadmap to modifications to • Managing
changing partner change legacy identities and standardization
ecosystem suit cloud model
operations and access controls
> Infra cost systems > Adapting policies, • Cloud data
optimization processes, governance, and
> Selection of right governance and
cloud deployment privacy
compliance
model and & ROI
When any organization embarks on the journey of cloud adoption, typically the starting point is
understanding the drivers for such adoption and challenges that it may face. Above figure summarizes
DSCI-Tata Communications’ perspective.
Cloud lays a strong foundation for emerging technologies such as DARQ- Distributed ledger technologies
AI/ML, extended reality (XR) and Big Data. Business analytics, large scale data processing, and process
automation enabled on the cloud makes business more agile and meets evolving customer needs.
• Surge in customer demand: Emerging mobile technologies, affordable internet, and evolving banking,
finance, retail, communications are attracting many users towards online platforms.
6
Consumer services need quick response time, scalability, portability and agility requirements which are
driving organizations to opt for cloud.
• Infra cost optimization: Reduced IT cost is one of the key benefits in the cloud adoption journey.
Deployment on cloud offers ‘Pay as you go’ model – users only pay for instances, servers, storage and
applications based on usage.
User organizations are usually skeptical about data security on cloud. Questions such as “Who will have
access to my data?”, “Where will my data be stored?”, “Is the data well protected in case the system is
attacked?” are still being asked. Beside technical provisions, there are also legal and security compliance
issues to be solved. Policies and contracts are very important here and businesses are advised to look
through them carefully.
We have detailed the various challenges that an organization faces when they are migrating to the cloud
and the corresponding impact on security and privacy in the table below:
CHALLENGES
Selection of right 1. Right cloud deployment model can only Direct impact on
be selected when organizations evaluate
cloud deployment security and
business objectives in context of IT
architecture, cloud shared responsibility privacy.
model & ROI
matrix and availability of skillsets. The
selection of right model will impact the ROI
of the business.
7
Challenge Key focus areas Nature of impact
organizations respectively responsible for
specific functions. Companies need to
understand this split of responsibilities
and redesign internal processes
accordingly. For instance, for IaaS infra
and physical security stays with CSP and
rest of the security operations remains
with organization. In case of PaaS,
Operating systems, network including
hypervisor and infra security remain with
CSP and rest (user access, data,
application) are the organization’s
responsibility.
Organizational
1. Evaluate factors that influence the cloud Direct impact on
adoption in the organization.
security and privacy
readiness: Functional
2. Organizations are apprehensive (Security operations,
and change regarding the data ownership and security management, and
management due to the distributed computing. Having compliance).
risk mitigation plan and cloud adoption plan
understanding will have positive influence on
organization’s readiness. Plan must include
security design, flexible security controls,
processes that are required to be set up in
newly adopted environment.
8
ENFORCEMENT LEVEL CHALLENGES
9
Challenge Key focus areas Nature of impact
1. Certain security skills are much Direct impact on
Security monitoring, required on cloud.
security and
operations and - Expertise with encryption and data privacy.
diverse security loss prevention controls for content-rich
cloud applications
skill sets
- Sophisticated identity and access
management (IAM) skills and
multifactor authentication, including
tokenization, regardless of whether
organization deploying SaaS, PaaS, IaaS,
or a combination of those services.
10
INDUSTRY LENS FOR DRIVERS OF
CLOUD ADOPTION & CLOUD SECURITY
CONSIDERATIONS
Different industries have different reasons for adopting the cloud. The corresponding cloud security
considerations too vary from industry to industry. Below table summarizes this data :
5
NASSCOM 2019 report on Cloud Growth in India
6
https://cfo.economictimes.indiatimes.com/news/bfsi-sector-slow-and-reluctant-to-make-the-transition-to-cloud-netmagic-global-cfo/71370253
11
Sector Drivers for Cloud Cloud Security
Challenge Adoption
Nature of impact
Considerations
Companies in energy/power • The applications in the
sector are deploying technology to energy/power sector use OT to
help them gain operational monitor and control physical
efficiency and offer services that processes.
increase customer satisfaction. By
hosting various services on the • Complex environment given
Energy/Power cloud results in: that security of IT and OT systems
have to considered collectively.
Sector - Reduction in operational costs
- Improvements in productivity • BYOD and increase in threat
and asset utilization surface require companies to
manage the security for mobile
This helps organizations to be devices and apps used by
flexible and agile to respond to workers in the field. The
the changing customer demands systematic integration of IT eases
the work process load, although it
increases the risk to the critical
infrastructure.
12
Sector Drivers for Cloud Cloud Security
Adoption Considerations
1. Centralized storage of medical • Patient data is inherently
and patient information in cloud sensitive in nature and
for improved data management cloud-hosted healthcare data
and access needs to be safeguarded
Healthcare against external as well as
2. Robust backup and DR internal threats.
capabilities, which assures data
availability • Healthcare data and related
applications need to comply
3. Use of emerging technology with different security and
such as Big Data analytics and privacy regulations of data In
Artificial Intelligence algorithms on Indian context, The Digital
the cloud-stored patient data Information Security in
improves the outcome of medical Healthcare Act (DISHA) is the
research first step taken by the Indian
Government in the long journey
4. On-demand computing and to securing the healthcare data
storage capabilities reduces of patients in India.
operational costs around storing
patient data, analysing data for
research and enhancing existing
capabilities
13
ROLE OF MANAGED SECURITY SERVICE
PROVIDERS (MSSPs)
IT leaders want to apply the same level of security to their cloud infrastructure as they do to on-premise
solutions. While many IT leaders view this as the CSP’s responsibility, the fact is that ensuring security on
the cloud is a shared responsibility.
A. Cloud Service Providers are mainly responsible for security of physical layer utilities, infrastructure –
(servers, storage), orchestration of computing, networking resources and security of virtualization
technologies.
B. Whereas tasks such as protection of host instances, network traffic, application security, procurement
of security controls, active monitoring of incidents – response, data classification- encryption and
compliance are still responsibilities of the organization utilizing the cloud.
cloud coustmer
Identity and user access management (Access Control, Log Monitoring etc)
1. GRC
Data (Client - Server Data Encryption, SOC Ops, IR, Data protection and GRC)
2. PROCUMENT AND
IMPLEMENTATION
Operating System Application
From Right to Left Responsibility
(HIDS, End Point Protection) (VA, PT, AppSec and
of Cloud Customer Increases
Access Managment)
3. SECURITY
OPERATIONS
Network
4. SECURITY AUDITS (NGFW, IDS/IPS and
Monitoring)
Hypervisor Layer
Infrastructure Networking
2. VIRTUALIZATION
Physical Layer
3. NETWORKING Physical Layer Hypervisor Layer
Physical Layer
14
Handling security and data protection operations across different cloud service, deployment models are
complex tasks and create additional burden on businesses. There is need of direction/ support for
organizations to set up end-to-end security, to manage operation/ processes, and, to ensure compliance.
This is where Managed Security Service Providers (MSSPs) come in. Given below are some of the benefits
that MSSPs bring to the table:
1. An MSSP can help organizations build the right cloud security foundation, with a strategy that moves
enterprises effectively from assessment, through migration, to day-to-day management. By performing
continuous monitoring and regular testing, MSSPs can better determine the threats organizations
are facing and implement strategies to reduce data risk.
2. Since organizations are scaling at very fast pace, this brings in unique challenges towards cyber
security. Ability of MSSPs to ramp services up and down rapidly, can benefit organizations to
address the challenges brought in by the scale.
3. Additionally, organizations need not worry about any gaps in their in-house cloud security talent and
skill set.
4. Another set of benefits that MSSP brings in is orchestration and response ability.
5. An MSSP can help organizations to achieve and maintain regulatory compliance with things like the
Health Information Portability and Accountability Act (HIPAA), DISHA, GDPR, PCI DSS and other local
compliances.
6. Since volume and complexity of operation is rising, there is a need for continuous re-evaluation of
cloud infrastructure from security perspective. MSSPs bring extra hand to the client organization to
manage the complexity. MSSPs will use the right mix of cloud native and third-party applications to
ensure comprehensive cloud protection for an organization. Additionally, MSSPs are able to invest in
enhanced technology over what most companies can field for internal cybersecurity efforts.
Realizing the
Focus on Possibilities
Digitization of Business
Innovation Expansion
Focus on Servicing
Digitization Customers
Innovation Better
Client
Support Managing
Business Business
Agility & Operations
Scale
MSSP CSP
Offering
Realizing the
Security
Innovation
Capabilities
Possibilities
15
A MODIFIED SHARED
RESPONSIBILITY MATRIX
DSCI and Tata Communications are proposing a modified shared responsibility matrix where the cloud
security responsibility is shared between a customer, MSSP and CSP.
In this model, most of the subtasks under major tenets, not limited to the following, can be owned by
MSSPs on behalf of customer.
Hypervisor Layer
Infrastructure Networking
Physical Layer
Physical Layer Hypervisor Layer
Physical Layer
16
Selecting the Right MSSP
Cloud specific
capabilities
A. Comprehensive cloud security experience that includes availability of skills and talent to handle
multiple cloud providers.
B. Diverse set of clients – large enterprises, start-ups and SMBs – and from various sectors/verticals.
17
FINAL OBSERVATIONS &
REMARKS
As organizations embark on their journey to the cloud, they must keep in mind that that the cloud security
is not just a CSPs responsibility – it is a shared responsibility. The right MSSP can help organizations
offload most of these security responsibilities. The MSSPs can help organizations securely onboard an
organization on the cloud - procurement, deployment of security technologies and controls, manage
security operations - setting up end to end security and management and also investigate and remediate
any security incidents efficiently and cost effectively.
MSSPs by the nature of their work will be able to provide the right tools to achieve better visibility and to
detect and address threats quickly, regardless of where they occur on the cloud, ensuring effective pro-
tection across an organization’s entire digital estate.
5
18
Tata Communications is a digital ecosystem enabler that powers today’s fast-growing digital economy. The
Company enables the digital transformation of enterprises globally, including 300 of the Fortune 500 – unlocking
opportunities for businesses by enabling borderless growth, boosting product innovation and customer experience,
improving productivity and efficiency, building agility and managing risk. With its solutions orientated approach,
proven managed service capabilities and cutting-edge infrastructure, Tata Communications drives the next level of
intelligence powered by cloud, mobility, Internet of Things (IoT), collaboration, security and network services. Tata
Communications carries around 30% of the world’s internet routes and connects businesses to 60% of the world’s
cloud giants and 4 out of 5 mobile subscribers.
Cloud Security Services from Tata Communications help organisations securely operate and innovate on cloud.
Certified cloud professionals, experienced across multiple technologies, support and secure cloud deployments with
right provisioning and configurations.
Data Security Council of India (DSCI) is a not-for-profit industry body on data protection in India, setup by
NASSCOM®, committed towards making the cyberspace safe, secure and trusted by establishing best practices,
standards and initiatives in cyber security and privacy. DSCI works together with the Government and their agencies,
law enforcement agencies, industry sectors including IT-BPM, BFSI, CII, Telecom, Industry associations, data protection
authorities and think tanks for public advocacy, thought leadership, capacity building and outreach initiatives.
data-security-
DSCI_Connect dsci.connect dsci.connect dscivideo
council-of-india