CLOUD SECURITY IN THE

ERA OF DIGITAL INDIA

THE ROLE OF MSSPs
Table of

CONTENTS
Introduction
04
Cloud Security Market in India

05
Typical Cloud Journey - Driver, Challenges & Outcomes
06
Industry Lens for drivers of Cloud Adoption &
Cloud Security considerations
11
Role of Managed Security Service Providers (MSSPs)

14
Modified Shared Responsibility Matrix
16
Final Observations & Remarks
18
INTRODUCTION

Since the COVID-19 lockdown digital transformation is quickly becoming a business imperative. It is no
longer just good to have, now that organizations need to engage digitally with their customers. Cloud
adoption is one of the technology areas that has seen growth during pandemic, given that it is one of the
best ways that IT leaders can solve the paradox of investing in digital transformation and cost optimiza-
tion.

However, the move to the cloud is not without concerns and complications, with security being recog-
nized as one of the key challenges to successful cloud adoption. This paper discusses the key drivers,
challenges with the cloud adoption and the role that Managed Security Service Providers (MSSP) play in
an organization’s cloud journey.

4
CLOUD SECURITY MARKET
IN INDIA

NASSCOM1 predicts that by 2022, IaaS market in India will be about USD 2.4bn, which will be about
2.4% of global market. Similarly, SaaS market in India will be around USD 3.4bn by 2022,
making it about 2.6% of global SaaS market.The total cloud market is expected to be USD 7.1bn in
2022. Among the sectors, BFSI and telecom sectors lag in cloud service adoption due to apprehensions
towards cloud security. Government sector leads the cloud adoption, representing 12-15% of total cloud
spend in India. Other sectors, besides Government sector, that are adopting cloud computing rapidly in
India are e-commerce, IT/ITeS.

The cloud market in India is being driven by:

• Digital India: India has over 48.08 million registered users on DigiLocker (October 2020 -
DigiLocker.gov.in), USD 24.3 bn digital payment transactions (January 2019 - Meity Report2) and multiple
digital platforms such as UPI, eKYC and Aadhaar. India is amongst the top 2 countries on many
dimensions of digital adoption such as smartphone adoption, internet subscribers, etc.

• Smart City: With multiple projects to push smart cities across many states, cloud adoption has rapidly
increased in India. Smart cities have multiple projects such as – smart transportation, smart security,
smart grid, e-Government initiatives, smart parking etc. that depends on data centers and cloud-based
services.

• Private Sector: The pandemic has pushed many organizations to adopt remote working solutions for
business continuity. To ensure business continuity in the new normal, organization are shifting focus from
CAPEX to OPEX leading to acceleration in cloud adoption.

1. This growth in cloud market is driving the growth in the cloud security market. Overall
the cloud security market in India grew 300% in the year 2018-2019 and is expected to
grow between 150-200% in the year 2019-2020.3
2. Global cloud security market is expected to grow at CAGR of 23-25%4 from 2019 to 2027
and is expected to reach USD 37bn by 2027.

1
Cloud – Next wave of growth in India, 2019 – NASSCOM. According to the report, cloud spending includes domestics spend on SaaS, IaaS (only public Cloud), PaaS, Cloud business process
services and Cloud management and security services.
2
January 2019 - Meity Report https://www.meity.gov.in/writereaddata/files/india_trillion-dollar_digital_opportunity.pdf
5 3
Gartner – Press Release - https://www.gartner.com/en/newsroom/press-releases/2019-08-26-gartner-forecasts-enterprise-information-security-spe
4
Analysts such as verifiedmarketresearch.com and marketsandmarkets.com estimates CAGR to be little over 25%, while alliedmarketresearch estimates CAGR to be about 23%.
TYPICAL CLOUD JOURNEY
DRIVERS, CHALLENGES & OUTCOMES

DRIVERS CHALLENGES OUTCOMES

Adoption Initial level Enforcement Overcoming Expected end

key drivers challenges level challenges the challenges result

> Inherent benefits > Initial data > Procurement of > Robust cloud > Leveraging cloud
of cloud tech security and tech and security policy computing
enforcement privacy concerns implementation of > Availability of capabilities
availability and and organizational security controls ionternal external > Elevated customer
resiliency readiness > Security monitoring, security skill. experience
• Scale, changing > Lack of Operations and • Change mgmt Agile development
delivery models and availability of diverse security • Risk quantification and reduce time to
agility internal skills to skillsets > Effective market
manage cloud > Managing service management of :
> Surge in customer operations and > Improved business
demand continuity during • E2E Cloud reach
ocerall transformation security operations
> Business transformation. and administration > Advanced
compretition and > System and app portability and
> Roadmap to modifications to • Managing
changing partner change legacy identities and standardization
ecosystem suit cloud model
operations and access controls
> Infra cost systems > Adapting policies, • Cloud data
optimization processes, governance, and
> Selection of right governance and
cloud deployment privacy
compliance
model and & ROI

Figure 1: Cloud journey- drivers and challenges

When any organization embarks on the journey of cloud adoption, typically the starting point is
understanding the drivers for such adoption and challenges that it may face. Above figure summarizes
DSCI-Tata Communications’ perspective.

Cloud Journey - Drivers

• Inherent benefits of cloud: Resource optimization, quick policy enforcement across organization,
resiliency, besides scalability and higher availability. In order to meet end user’s requirements and
delivery expectations, scaling of infra-server, simple storage, and applications are easily possible over
cloud.

Cloud lays a strong foundation for emerging technologies such as DARQ- Distributed ledger technologies
AI/ML, extended reality (XR) and Big Data. Business analytics, large scale data processing, and process
automation enabled on the cloud makes business more agile and meets evolving customer needs.

• Surge in customer demand: Emerging mobile technologies, affordable internet, and evolving banking,
finance, retail, communications are attracting many users towards online platforms.

6
Consumer services need quick response time, scalability, portability and agility requirements which are
driving organizations to opt for cloud.

• Infra cost optimization: Reduced IT cost is one of the key benefits in the cloud adoption journey.
Deployment on cloud offers ‘Pay as you go’ model – users only pay for instances, servers, storage and
applications based on usage.

Cloud Journey - Challenges

Though cloud adoption is on rise, several concerns with respect to cloud security operations, security
governance and compliance are also coming to the fore.

User organizations are usually skeptical about data security on cloud. Questions such as “Who will have
access to my data?”, “Where will my data be stored?”, “Is the data well protected in case the system is
attacked?” are still being asked. Beside technical provisions, there are also legal and security compliance
issues to be solved. Policies and contracts are very important here and businesses are advised to look
through them carefully.

We have detailed the various challenges that an organization faces when they are migrating to the cloud
and the corresponding impact on security and privacy in the table below:

CHALLENGES

Challenge Key focus areas Nature of impact

Roadmap to change 1. Translation of legacy systems and Indirect impact on

operations to best fit cloud platforms is not
legacy operations security and
an easy task. The transformation, requires
organizations to create a thorough privacy.
and systems
roadmap with key milestones capturing
functionalities, and processes.

2. During cloud migration, organizations

need to ensure that the IT systems are
getting patched and updated, the process
are evolving, and due care is given to the
audit and compliance.

Selection of right
cloud deployment
model & ROI
1. Right cloud deployment model can only Direct impact on
be selected when organizations evaluate
security and
business objectives in context of IT
architecture, cloud shared responsibility privacy.
matrix and availability of skillsets. The
selection of right model will impact the ROI
of the business.

2. Deployment model has implications on

security responsibilities. Cloud requires a
shared security model, with Cloud Service
Provider (CSP)s and

7
 Challenge Key focus areas Nature of impact
organizations respectively responsible for
specific functions. Companies need to
understand this split of responsibilities
and redesign internal processes
accordingly. For instance, for IaaS infra
and physical security stays with CSP and
rest of the security operations remains
with organization. In case of PaaS,
Operating systems, network including
hypervisor and infra security remain with
CSP and rest (user access, data,
application) are the organization’s
responsibility.

Organizational
1. Evaluate factors that influence the cloud Direct impact on
adoption in the organization.
security and privacy
readiness: Functional
2. Organizations are apprehensive (Security operations,
and change regarding the data ownership and security management, and
management due to the distributed computing. Having compliance).
risk mitigation plan and cloud adoption plan
understanding will have positive influence on
organization’s readiness. Plan must include
security design, flexible security controls,
processes that are required to be set up in
newly adopted environment.

1. Based on our interaction with various Direct impact on

Initial data security stakeholders in industry, following concerns
come up:
security and
and privacy concerns privacy.
- Changed dynamics of security
compliance
- Protecting identities
- Data classifications, data storage
and data privacy
- User access management
- Security operations- monitoring
and administration
- Data backups

1. Right talent and skill sets are mandatory Direct impact on

Internal skills to for successful cloud adoption. With the
security and
manage cloud human element recognized as the most
vulnerable area of security, people with privacy.
operations, process, least knowledge on cloud operations,
and overall security configurations and monitoring can
lead to increased risk of security exposure.
transformation
2. Regulatory burden of new compliances,
data regulations and stringent security
audits on cloud demands special skill sets.

8
 ENFORCEMENT LEVEL CHALLENGES

Challenge Key focus areas Nature of impact

Managing service 1. Cloud transformation can be complex. It Indirect impact on
often involves stitching together solutions
continuity during security and
and processes that are disjointed, with
privacy.
transformation disparate interfaces. So, organizations
often partly move workload to cloud, while
running part of services from on-premise
to maintain service continuity during
transformation.

Systems, applications 1. System and application integrations Indirect impact on

needs to be managed and the
modification to suit security and
application/data must be transformed or
privacy.
cloud model modified when it passes between two
different platforms (E.g. On-prem to
cloud).

2. Ability to handle complex integrations to

suit cloud deployment/service model is
one of the key elements of cloud
enforcement.

Policies, processes, 1. Cloud technology is distributed in an Direct impact on

intrinsic way and as a result of this,
governance, and security and
compliance is a shared responsibility
privacy.
compliance among organizations and service
providers.

2. It also involves multiple stakeholders -

service providers, service brokers,
customers, and auditors and this may lead
to compliance challenges.

1. Organizations will need to decide

Procurement, whether they want to deploy the security
Direct impact on
implementation of tools provided by the CSPs or use security and
third-party offerings. privacy.
security tech/controls
2. They will need to conduct a gap analysis
for this purpose, basically understand the
risks that are mitigated by the set of tools
they currently own and then analyse if the
gaps can be met by the security tools that
a CSP natively offers.

9
 Challenge Key focus areas Nature of impact
1. Certain security skills are much Direct impact on
Security monitoring, required on cloud.
security and
operations and - Expertise with encryption and data privacy.
diverse security loss prevention controls for content-rich
cloud applications
skill sets
- Sophisticated identity and access
management (IAM) skills and
multifactor authentication, including
tokenization, regardless of whether
organization deploying SaaS, PaaS, IaaS,
or a combination of those services.

- Monitoring, analysis and response,

especially because virtualization
expands beyond servers and into
networks and storage.

2. Organizations must have visibility over

where enterprise data resides in the
cloud, data privacy offerings and, how to
integrate data protection policies in the
cloud with their own organization policies

10
INDUSTRY LENS FOR DRIVERS OF
CLOUD ADOPTION & CLOUD SECURITY
CONSIDERATIONS
Different industries have different reasons for adopting the cloud. The corresponding cloud security
considerations too vary from industry to industry. Below table summarizes this data :

Sector Drivers for Cloud Cloud Security

Adoption Considerations
1. Payment digitization • Though cloud adoption in
India has accelerated over the
2. Increasing customer demand last few years and continues to
for digital services grow at a rate of 25-30% but
BFSI comparatively adoption of cloud
3. Innovative banking solutions services remains low due to
that incorporates emerging concerns around data security
technologies and analytics and regulatory compliance –
especially for processing
4. Focus on service continuity and confidential customer data.5 6
business resilience
• Indian financial institutions are
required to comply to extremely
strict data regulations and
standards such as RBI cyber
security guidelines and
resilience requirements, RBI’s
other regulatory requirements
such as basic/advance cyber
security controls, SOC, risk
mitigation plan and ways to
protect customer information.

• BFSI players are deploying

private cloud solutions to gain
the benefits of the cloud while
making sure that the needs for
compliance and security are
maintained.

1. Manufacturers are adopting • Manufacturers often do not have

industry 4.0 solutions in areas like the expertise, time, tools to secure
production and supply chain the cloud as majority of resources
management that cannot be are non-technical. This requires
completely met by the company’s time investment to improve
Manufacturing existing IT infrastructure security processes and training
workforce to recognize threats
(MSME) 2. The underlying platform behind and malicious behaviour on cloud.
industry 4.0 is cloud computing
• Complex environment given that
3. Cost savings from upfront security of IT and OT systems have
capital investments allowing to considered collectively.
organizations to pursue
innovation

5
NASSCOM 2019 report on Cloud Growth in India
6
https://cfo.economictimes.indiatimes.com/news/bfsi-sector-slow-and-reluctant-to-make-the-transition-to-cloud-netmagic-global-cfo/71370253
11
 Sector Drivers for Cloud
Challenge Adoption
Companies in energy/power
sector are deploying technology to
help them gain operational
efficiency and offer services that
increase customer satisfaction. By
hosting various services on the
Energy/Power cloud results in:
Sector - Reduction in operational costs
- Improvements in productivity
and asset utilization
This helps organizations to be
flexible and agile to respond to
the changing customer demands
1. Flexibility and scalability - Cloud
allows ecommerce companies to
expand their presence as quickly
as their business grows.
E-commerce and Other 2. Elastic load balancing across
geographies, and robust backup
IT enabled Services and DR abilities.
3. Enforcement of compliance
across global standards is
comparatively easier on the cloud
12
Cloud Security
Nature of impact
Considerations
• The applications in the
energy/power sector use OT to
monitor and control physical
processes.
• Complex environment given
that security of IT and OT systems
have to considered collectively.
• BYOD and increase in threat
surface require companies to
manage the security for mobile
devices and apps used by
workers in the field. The
systematic integration of IT eases
the work process load, although it
increases the risk to the critical
infrastructure.
• Cloud adoption in energy sector,
may present compatibility and
various security integration
issues, such as integrating
security stack (DLP, WAF, NAC
etc.) and its compatibility with
potential cloud set up.
• Customers put a lot of trust in the
ecommerce provider they shop
with, sharing personal data and
sensitive payment information
with every purchase. Earning and
maintaining a customer’s trust is
critical to a fruitful relationship.
• Business data is transmitted to
the cloud side over the internet
and so it is essential that it is
encrypted.
• Since this sector outsources
many of its IT requirements, user
security and privacy management
risk are higher.
• Security concerns include
insecure interfaces and APIs,
authentication breakage.
• Global E-commerce organizations
require complete understanding of
varied data protection and privacy
regulations across the globe.
 Sector Drivers for Cloud
Adoption
1. Centralized storage of medical
and patient information in cloud
for improved data management
and access
Healthcare
2. Robust backup and DR
capabilities, which assures data
availability
3. Use of emerging technology
such as Big Data analytics and
Artificial Intelligence algorithms on
the cloud-stored patient data
improves the outcome of medical
research
4. On-demand computing and
storage capabilities reduces
operational costs around storing
patient data, analysing data for
research and enhancing existing
capabilities
Similar to other sectors, drivers
such as flexibility, scalability, data
sharing within state-agencies are
Government applicable to Government as well.
- Government started MeghRaj
Cloud Initiative to reap the
benefits stated above. It offers
variety of service models like
Platform as Service (PaaS),
Software as a Service (SaaS) and
Storage as a Service and others
for government departments and
agencies.
13
Cloud Security
Considerations
• Patient data is inherently
sensitive in nature and
cloud-hosted healthcare data
needs to be safeguarded
against external as well as
internal threats.
• Healthcare data and related
applications need to comply
with different security and
privacy regulations of data In
Indian context, The Digital
Information Security in
Healthcare Act (DISHA) is the
first step taken by the Indian
Government in the long journey
to securing the healthcare data
of patients in India.
• Government’s digitization
initiatives/ infrastructure is
exposed to security challenges
such as potential attacks
ranging from highly organized
groups, cyber terrorism, and
privacy challenges such as
protecting and maintaining
privacy of citizen’s financial,
healthcare and other sensitive
data.
ROLE OF MANAGED SECURITY SERVICE
PROVIDERS (MSSPs)

IT leaders want to apply the same level of security to their cloud infrastructure as they do to on-premise
solutions. While many IT leaders view this as the CSP’s responsibility, the fact is that ensuring security on
the cloud is a shared responsibility.

A. Cloud Service Providers are mainly responsible for security of physical layer utilities, infrastructure –
(servers, storage), orchestration of computing, networking resources and security of virtualization
technologies.

B. Whereas tasks such as protection of host instances, network traffic, application security, procurement
of security controls, active monitoring of incidents – response, data classification- encryption and
compliance are still responsibilities of the organization utilizing the cloud.

TRADITIONAL CLOUD SECURITY RESPONSIBILITY MATRIX

Responsibilities of LaaS PaaS SaaS

CLOUD CUSTOMER

cloud coustmer
Identity and user access management (Access Control, Log Monitoring etc)
1. GRC

Data (Client - Server Data Encryption, SOC Ops, IR, Data protection and GRC)
2. PROCUMENT AND
IMPLEMENTATION
Operating System Application
From Right to Left Responsibility
(HIDS, End Point Protection) (VA, PT, AppSec and
of Cloud Customer Increases
Access Managment)
3. SECURITY
OPERATIONS
Network
4. SECURITY AUDITS (NGFW, IDS/IPS and
Monitoring)

Responsibilities of Infrastructure Operating System Applications

CSP
CLOUD SERVICE

Networking Operating System

1. INFRA AND STORAGE
PROVIDER

Hypervisor Layer
Infrastructure Networking
2. VIRTUALIZATION

Hypervisor Layer Infrastructure

Physical Layer
3. NETWORKING Physical Layer Hypervisor Layer

Physical Layer

From Left to Right Responsibility Responsibilities which can be owned by MSSPs

behalf of customer and reduce burden on Responsibilities with CSP
of CSP Increases customer

14
Handling security and data protection operations across different cloud service, deployment models are
complex tasks and create additional burden on businesses. There is need of direction/ support for
organizations to set up end-to-end security, to manage operation/ processes, and, to ensure compliance.
This is where Managed Security Service Providers (MSSPs) come in. Given below are some of the benefits
that MSSPs bring to the table:

1. An MSSP can help organizations build the right cloud security foundation, with a strategy that moves
enterprises effectively from assessment, through migration, to day-to-day management. By performing
continuous monitoring and regular testing, MSSPs can better determine the threats organizations
are facing and implement strategies to reduce data risk.

2. Since organizations are scaling at very fast pace, this brings in unique challenges towards cyber
security. Ability of MSSPs to ramp services up and down rapidly, can benefit organizations to
address the challenges brought in by the scale.

3. Additionally, organizations need not worry about any gaps in their in-house cloud security talent and
skill set.

4. Another set of benefits that MSSP brings in is orchestration and response ability.

5. An MSSP can help organizations to achieve and maintain regulatory compliance with things like the
Health Information Portability and Accountability Act (HIPAA), DISHA, GDPR, PCI DSS and other local
compliances.

6. Since volume and complexity of operation is rising, there is a need for continuous re-evaluation of
cloud infrastructure from security perspective. MSSPs bring extra hand to the client organization to
manage the complexity. MSSPs will use the right mix of cloud native and third-party applications to
ensure comprehensive cloud protection for an organization. Additionally, MSSPs are able to invest in
enhanced technology over what most companies can field for internal cybersecurity efforts.

How MSSPs can help organizations manage their cloud security ?

Realizing the
Focus on Possibilities
Digitization of Business
Innovation Expansion

Focus on Servicing
Digitization Customers
Innovation Better

Client

Support Managing
Business Business
Agility & Operations
Scale
MSSP CSP

Offering
Realizing the
Security
Innovation
Capabilities
Possibilities

Optimizing Providing Core &

Cost & Reducing Emerging Technical
Efforts Capabilities

15
A MODIFIED SHARED
RESPONSIBILITY MATRIX

DSCI and Tata Communications are proposing a modified shared responsibility matrix where the cloud
security responsibility is shared between a customer, MSSP and CSP.

In this model, most of the subtasks under major tenets, not limited to the following, can be owned by
MSSPs on behalf of customer.

• Governance, Risk and Compliance

• Procurement and Implementation of security
• Security Operations
• Security SLAs and Audits

COMPREHENSIVE RESPONSIBILITY MODEL

CSP vs MSSP vs CUSTOMER

Digital Transformation of Invest in innovations and Increase

Organization business reach
BUSINESS RESPONSIBILITIES
WITH CUSTOMER
Business Process Effective Ops and Customer Experience
Management Improvement

LaaS PaaS SaaS

Procurement, implementation of security tech / controls
SECURITY RESPONSIBILITIES
OWNED BY MSSP
Data Protection (Classification, Encryption and Access Management)

Risk Quantification, Governance Compliance

Network Traffic Protection

Application: Vulnerability
Assessment and Testing
VM Instances/Container/
Host Sec

Security Operations - Monitoring, IR

Network Traffic Protection

SECURITY RESPONSIBILITIES Infrastructure Operating System Applications

OWNED BY CSP

Networking Operating System

Hypervisor Layer
Infrastructure Networking

Hypervisor Layer Infrastructure

Physical Layer
Physical Layer Hypervisor Layer

Physical Layer

16
Selecting the Right MSSP

There are 3 dimensions to assess an MSSP, as shown in the figure below:

• Assess number of clients (and

their scale) availing the MSSP

• Use POC to test some of the said

capabilities

Cloud specific
capabilities

Range of Ability to adapt

services and new ways of
specialization working

• Assess Value proposition of • Understand the Agility of MSSP

each MSSP, keeping future and to gain working understanding of
current requirements around new services.
elements- cloud assessment,
migration and cloud operations • Check for completeness of
integration and harmonization
of various services

The right MSSP should be able to provide:

A. Comprehensive cloud security experience that includes availability of skills and talent to handle
multiple cloud providers.

B. Diverse set of clients – large enterprises, start-ups and SMBs – and from various sectors/verticals.

C. Understanding of changing data-specific regulations and laws across multiple geographies.

Regular up-skilling of the workforce and adoption of new methodologies in security.

17
FINAL OBSERVATIONS &
REMARKS

As organizations embark on their journey to the cloud, they must keep in mind that that the cloud security
is not just a CSPs responsibility – it is a shared responsibility. The right MSSP can help organizations
offload most of these security responsibilities. The MSSPs can help organizations securely onboard an
organization on the cloud - procurement, deployment of security technologies and controls, manage
security operations - setting up end to end security and management and also investigate and remediate
any security incidents efficiently and cost effectively.

MSSPs by the nature of their work will be able to provide the right tools to achieve better visibility and to
detect and address threats quickly, regardless of where they occur on the cloud, ensuring effective pro-
tection across an organization’s entire digital estate.

5
18
Tata Communications is a digital ecosystem enabler that powers today’s fast-growing digital economy. The
Company enables the digital transformation of enterprises globally, including 300 of the Fortune 500 – unlocking
opportunities for businesses by enabling borderless growth, boosting product innovation and customer experience,
improving productivity and efficiency, building agility and managing risk. With its solutions orientated approach,
proven managed service capabilities and cutting-edge infrastructure, Tata Communications drives the next level of
intelligence powered by cloud, mobility, Internet of Things (IoT), collaboration, security and network services. Tata
Communications carries around 30% of the world’s internet routes and connects businesses to 60% of the world’s
cloud giants and 4 out of 5 mobile subscribers.

Cloud Security Services from Tata Communications help organisations securely operate and innovate on cloud.
Certified cloud professionals, experienced across multiple technologies, support and secure cloud deployments with
right provisioning and configurations.

To find out more, please visit:

https://www.tatacommunications.com/solutions/cloud/secure-managed-cloud/

Data Security Council of India (DSCI) is a not-for-profit industry body on data protection in India, setup by
NASSCOM®, committed towards making the cyberspace safe, secure and trusted by establishing best practices,
standards and initiatives in cyber security and privacy. DSCI works together with the Government and their agencies,
law enforcement agencies, industry sectors including IT-BPM, BFSI, CII, Telecom, Industry associations, data protection
authorities and think tanks for public advocacy, thought leadership, capacity building and outreach initiatives.

For more information, visit: www.dsci.in

Data Security Council of India

4th Floor, NASSCOM Campus, Plot No. 7-10, Sector 126, Noida, UP-201303

For any queries, contact: info@dsci.in

data-security-
DSCI_Connect dsci.connect dsci.connect dscivideo
council-of-india

All Rights Reserved © DSCI 2020

5