The au naturel pictures of Jennifer Lawrence and Kate Upton floating freely in cyberspace have serious national security implications for India. Hackers dug out what was considered by close to 100 celebrities as their private, intimate and completely secure moments and put it all out in the digital domain for everyone to see. In doing so they ensured that cybersecurity experts could no longer ignore the elephant in the room about cloud storage and services. A certain unacknowledged sense of disquiet about cloud storage and services has been a constant backdrop in the discussions dealing with security of data.

The cloud is here to stay. In fact it is increasingly adopted by corporate houses, government institutions, online retailing companies and financial service companies for reasons that range from substantial savings in capital expenditure to a drastic reduction in time-to-launch and time-to-market scenarios. The cloud also has special significance for electronic and digital governance. The US government, for instance, has saved close to 4 million US dollars since it shifted from Lotus Notes to Google’s cloud based email services. The savings primarily come from cuts in hardware, licensing and maintenance costs. Cloud services bring down the average cost of ownership of a digital property drastically. Gartner estimates that any organisation dealing with digital data or information technology services spends close to two-thirds of its annual budget in daily operations -- read maintenance, security, monitoring of traffic, managing downtimes and analysing server logs. The consultancy firm, in a comprehensive study across 500 major digital organizations, found that replacing traditional server farms with virtual ones (cloud) brought up to 50 percent more operational and infrastructural efficiency for companies and institutions. The utility and business logic of cloud computing, storage and services cannot be overstated, or underestimated for that matter. What has always been the unspoken Achilles’ heel of digital society and economy, more so after being underpinned predominantly on a cloud framework, has been the security of data.

India’s ambitious electronic and mobile governance initiatives and its plans to develop 100 smart cities are going to be based on a foundation of technology, software and data, much of which will be stored, processed and retrieved on the cloud. The country is already in the process of investing Rs 11 lakh crores for its e-governance initiatives, a massive budget that’s comparable to the 2010 GDP of Finland and Chile. The plan to develop 100 smart cities is officially expected to cost slightly over Rs 7000 crore. Realistically, however, developing each city is expected to cost at least Rs 1000 crore, which makes the overall spending touch a substantial Rs 100,000 crore. Both plans require a substantial investment of public and private funds. They also need a fundamental reorientation of the way India has been dealing with data until now. Identifying, capturing, storing, retrieving and then creating a networked intelligence and knowledge framework out of various data points requires an overarching layer of business and governance analytics tools that can only be rolled out on a cloud ecosystem. In short both public and private data will be put up on similar kinds of virtual servers to those that hackers were able to break into so easily to access intimate celebrity photographs and videos. It’s in this context that India has to deal with data security within the cloud environment not just as an aspect of cybersecurity but as an independent issue requiring a different mindset, thought process and operational plan.

The first aspect of creating an autonomous policy framework is to establish a clear conceptualisation of a cloud as a model rather than just a service: one that (as defined by NIST) enables on-demand ‘network access to a shared pool of configurable computing resources’ with zero downtime, minimal uptime and service provider requirements. By configuring the cloud as a model, autonomous policy frameworks for the cloud subsystems of Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS) can be established. Such a clear cut definition and associated policy formulations are currently absent or, at best, ill-defined. It would be good for the Indian policy makers to seriously look at the American National Institute of Standards and Technology (NIST) deployment model. It consists of a private cloud, where the infrastructure is completely and exclusively used by a single organisation, a public cloud, for open use by the general public, a hybrid cloud, which is often used as a gated resource network by public-private partnership services, and a community cloud, which, as the name indicates, is used exclusively by a group sharing specific interests. Such a deployment model creates a transparent arena of virtualisation, which is a necessary component of a cloud ecosystem, allowing for risks associated with virtual machines and data to be identifiable and manageable. For instance, the hypervisor software that manages communications between a physical server’s memory, CPU and virtual machines allowing for quick provisioning and decommissioning of a virtual computing environment, is also a critical vulnerability that allows hackers to gain access to sensitive data. A clearly specified deployment model allows for a realistic risk assessment and management environment to be formulated.

The second aspect is to identify information security standards, protocols, procedures, processes and guidelines that take into account the specific deployment model and the subsequent service models emerging from it. Currently, standards and protocols on information security and data security don’t specifically deal with the cloud ecosystem and the unique challenges of confidentiality, integrity and availability of data that they throw up. With India entering into a more advanced phase of electronic and mobile governance, service and delivery frameworks are increasingly becoming specific. A good example of this process is the way the Pradhan Mantri Jan Dhan Yojana (PMJDY) is creating a more focused financial inclusion model based on the RuPay debit card as opposed to the more broad-based inclusion models created by the Aadhaar system. Both are, however, fundamentally dependent on the cloud ecosystem, even though each one’s security requirements are completely different. It’s here that Indian policy makers would do well to understand the global security systems and standards that have evolved over the past several years. These standards cater to different forms of financial data security, IT service delivery and control environment. The Indian e-governance platforms, especially those dealing with financial and business transaction services, can take a leaf out of Google’s book - Google became ISO 27001 certified in May 2012. Such a certification allows for an independent third party audit, which in turn makes security protocols and systems robust allowing them to identify and manage new threats. In this context the American Federal Information Security Management Act (FISMA) of 2002 and the Federal Risk and Authorisation Management Programme (FedRAMP) should be of special interest for Indian policy makers.

The third aspect is to rapidly strengthen the specialised digital forensics capacity within India. Data security for the cloud ecosystem can never be foolproof. Cybercrimes of various degrees will always be committed. While most of the cyber raiders, and hackers, might stop at DoS attacks and overloading of servers with continuous bot requests, there are increasing instances of more sophisticated attacks. Amazon’s wireless retail site saw a cross-site scripting attack in April 2010 that allowed hackers to access customer credentials. Similarly, but more worryingly, the data breach at Target in 2012 resulted in over 100 million people losing their personal and credit card information. India is completely unprepared to deal with cyberattacks of this scale and policy makers must look to create a specialised cadre of digital forensic experts. The digital forensics university in Gujarat is a good beginning. Such institutions, however, need to be quickly set up in all states, and the expertise generated should percolate down to district and block levels. The private sector must start to proactively share their expertise, and experts, with government institutions. India will become a digital society. It is also deploying all the right pieces and infrastructure for a digital economy. The foundation for both, without any doubt, will be the cloud ecosystem. That ecosystem, however, needs to be protected through a robust policy and legal framework that acknowledges the emerging concerns and realities of data security and privacy.

The author is a Senior Fellow at the Observer Research Foundation (ORF), Fellow of the National Internet Exchange of India (NIXI) and Contributing Editor of Governance Now.

This article originally appeared in Governance Now.

The views expressed above belong to the author(s).