More Cloud Service Providers to Get Government Contracts
But Will Smaller Firms Be Able to Meet Security Requirements?
The Ministry of Electronics and Information Technology is taking steps to have more cloud service providers serve the government. But some observers question whether the security requirements will prove too tough for smaller players to achieve.
MeitY is now accepting applications from CSPs to offer their services to government agencies at both the state and national level. The providers must spell out their efforts to maintain data security. Applications are due May 31.
The move comes shortly after MeitY announced its new requirement that cloud service providers serving the government store their data in India for security reasons (see: Cloud Providers Serving Government Must Store Data in India).
MeitY currently has a list of 11 CSPs that it has approved for government contracts. It now wants to expand the list and also widen the range of services that already empanelled companies may offer. Through these initiatives the government wants to ensure that its data stored in the cloud is secure and handled by companies that meet the required standards.
The scope of the proposed empanelment will be limited:
- Allowing new CSPs to offer their cloud services to government departments from specified data centers.
- Allowing existing provisionally empanelled CSPs to provide additional cloud offerings, data centers and deployment models.
Government departments will select the appropriate cloud offerings based, in part, on their risk and security profiles, according to MeitY.
But J. Prasanna, director at the Cyber Security and Privacy Foundation, contends that MeitY's requirements for cloud contractors serving the government consist mainly of technical certifications and compliance standards, stopping short of examining whether the cloud providers have the manpower and skills to address cybersecurity challenges.
MeitY says the empanelled CSPs will provide a combination of deployment models, including:
- Infrastructure as a service;
- Platform as a service;
- Disaster recovery as a service;
- Dev/Test environment as a service;
- Virtual desktops as a service.
CSPs serving the government must be annually audited by Standardisation Testing and Quality Certification (STQC) or a MeitY-designated third-party auditor.
Among the other mandatory security requirements are:
- Provisioning, securing, monitoring and maintaining the hardware, network(s), and software that support the infrastructure and present virtual machines and IT resources;
- Complying with Cloud Security ISO Standard ISO 27017:2015, Privacy Standard ISO 27018:2015 and ISO 20000:9;
- Using a fully managed intrusion detection system to protect the cloud platform.
Some cloud service providers are pleased by MeitY's latest efforts, but others express concerns.
"It is heartening to see that MeitY has taken the right steps in incorporating security controls as part of the RFP. This is the right thought process where security is baked in to the platform rather than adopting the whack-a-mole approach where customers run for cover post a security incident," says Rishikesh Kamat, vice president - Products & Services, Netmagic (an NTT Communications company).
"It's good that the government has initiated this process again as this provides an opportunity for local CSPs to serve the government," says Sridhar Pinnapureddy, founder and CEO at CtrlS Datacenters.
But Kamat is concerned about whether government units will actually rely exclusively on CSPs approved by MeitY. He says he has witnessed instances where government departments have chosen a cloud service provider that is not on MeitY's list of approved vendors.
"I have seen a particular government department going for a CSP of its choice when it wasn't even listed," Kamat says. "The entire effort of empanelment falls flat if government departments themselves don't take the criteria seriously because of their vested interest and relationships they share with some CSPs. It makes sense to reach out to others only when listed CSPs aren't able to meet their requirements."
Netmagic is one of the 11 empanelled CSPs.
Kamat and others question whether smaller CSPs will be able to meet MeitY's latest guidelines.
Dinesh Bareja, founder at Indiawatch.in, which offers cybersecurity guidance, notes: "I don't think small CSPs can survive long enough to comply with the full list of requirements as this size of compliance and expectations can only be fulfilled by the big players. We would soon see the international giants playing the field here in the country."
And Prasanna of the Cyber Security and Privacy Foundation Practitioners also fears that big companies will have a competitive advantage when going after government contracts. "The empaneled list should not become a cartel for big companies," he stresses.
"The idea is that the CSPs should offer a bouquet of services from which the line departments can pick and choose as per their specific risk exposure and business priorities," says Kamat.
"Since the security controls asked for cover a wide range of security areas it is imperative that the CSP has the necessary solutions, teams and processes in place to deliver the solutions," Kamat notes.
While CSPs serving the government face the requirement of annual audits, some security experts question whether such audits are feasible or will prove effective.
Bareja, for example, questions whether STQC has the resources to carry out such auditing. "Also, the risk of a vanilla checklist - or rule book - audit is a big risk and one can only hope that this does not happen," he says.
And Prasanna argues that government audits have generally proven ineffective. "If audits were so effective, we wouldn't have witnessed so many breaches taking place in banks every month," he says.