
Data Security Compliance with Outsourcing of Information Technology Services Directions in India

Thales helps Regulated Entities comply with Directions by addressing the requirement for Usage of Cloud Computing Services.

Reserve Bank of India – Outsourcing of Information Technology Services Directions 2023


Indian Regulated Entities (REs) have been extensively leveraging Information Technology (IT) and IT enabled Services (ITeS) to support their business models and the products and services they offer to their customers. REs also outsource a substantial portion of their IT activities to third parties, which exposes them to various risks.

To ensure effective management of the attendant risks, the Reserve Bank of India (RBI) finalized the Outsourcing of Information Technology Services Directions, 2023 on 10 April 2023; the Directions come into effect from October 1, 2023.

As one of the leaders in data security, Thales enables REs to comply with the control on the Usage of Cloud Computing Services of the Directions.


Regulation Overview

The RBI Outsourcing of Information Technology Services Directions prescribe 9 control focus areas, with appendices on the Usage of Cloud Computing Services, Outsourcing of Security Operations Centre, and Services not considered under Outsourcing of IT Services.

Which organizations are subject to the Directions?

  • Scheduled Commercial Banks including Foreign Banks located in India, Local Banks, Small Finance Banks, and Payments Banks, but excluding Regional Rural Banks;
  • Primary (Urban) Co-operative Banks excluding Tier 1 and Tier 2 Urban Co-operative Banks;
  • Credit Information Companies (CICs);
  • Non-Banking Financial Companies (“NBFCs”); and
  • All India Financial Institutions (EXIM Bank, NABARD, NaBFID, NHB and SIDBI).

When will the Directions be enforced?

RBI has given REs up to twelve months from the date of issuance of the Directions to revisit their outsourcing arrangements and bring them into compliance with the requirements of the Directions where such agreements are due for renewal before October 01, 2023, and thirty-six months from the date of issuance where agreements are due for renewal after October 01, 2023.

Definitions

  • Material Outsourcing of IT Services
    The term ‘material outsourcing of IT services’ means any service which “if disrupted or compromised shall have the potential to impact the RE’s business operations significantly”; or “may have a material impact on the RE’s customers in the event of any unauthorized access, loss or theft of customer information.”
  • Outsourcing of IT Services shall include outsourcing of the following activities:
    • IT infrastructure management, maintenance and support (hardware, software, or firmware);
    • Network and security solutions, maintenance (hardware, software, or firmware);
    • Application Development, Maintenance and Testing; Application Service Providers (ASPs) including ATM Switch ASPs;
    • Services and operations related to Data Centres;
    • Cloud Computing Services; and
    • Management of IT infrastructure and technology services associated with the payment system ecosystem.

The remaining services, which are not considered Outsourcing of IT Services or are listed in Appendix III, shall be treated as outsourcing of financial services and are not covered under these IT Outsourcing Directions.

Thales helps REs comply with the Outsourcing of IT Services Directions 2023 by addressing two of the controls and the requirement for Usage of Cloud Computing Services.

The Directions | Thales Solutions

Chapter – VI: Risk Management | 17. Risk Management Framework


(e) “…REs shall seek to ensure the preservation and protection of the security and confidentiality of customer information in the custody or possession of the service provider…”

(f) “the RE remains responsible for understanding and monitoring the control environment of all service providers that have access to the RE’s data, systems, records or resources…”

CipherTrust Data Security Platform is an integrated suite of data-centric security products and solutions that unifies data discovery, protection, and control in one platform. The platform provides multiple capabilities for protecting data at rest in files, volumes, and databases. Among them:

Data Security Fabric provides a unified view of data across various platforms, enabling auditing across relational, NoSQL, mainframe, big data, and data warehouses.

(i) “… review and monitor the control processes and security practices of the service provider to disclose security breaches…”

CipherTrust Transparent Encryption Ransomware Protection (CTE-RWP) detects abnormal I/O activity, alerts or blocks malicious activity, and prevents ransomware from gaining control of endpoints and servers.

Imperva Data Security Fabric Threat Detection monitors data access and activity, providing visibility to identify risky data access for all users, including privileged ones. It delivers real-time alerts, policy violation blocking, and cost-effective data retention for audits.

Chapter – X: Exit Strategy


b) “… safe removal/ destruction of data, hardware and all records (digital and physical), as applicable…”

CipherTrust Enterprise Key Management streamlines and strengthens key management in cloud and enterprise environments, enabling REs to effectively delete encrypted information managed by CSPs.

Appendix – I | Usage of Cloud Computing Services


3. “…Cloud security is a shared responsibility between the RE and the Cloud Service Provider (CSP). REs may refer to some of the cloud security best practices, for implementing necessary controls…”

REs can take control of their cloud security and improve visibility with Thales CipherTrust Cloud Key Management (CCKM). CCKM offers a single-pane-of-glass view for cloud-native users, saving time while protecting data. It supports Bring Your Own Key (BYOK) use cases across multiple cloud infrastructures and SaaS applications.

Hold Your Own Key (HYOK) enhances REs' control over encryption keys, allowing clear separation of duties and explicit delineation of responsibilities for cloud services activities with CSP.

6. Cloud Services Management and Security Considerations

a. Service and Technology Architecture

  • “… service and technology architecture supporting cloud-based applications is built in adherence to globally recognised architecture principles and standards…”

Thales offers integrated encryption and key management solutions to protect cloud-based applications for REs with BYOE and BYOK.

  • The Bring Your Own Encryption (BYOE) approach provides a separation of duties between REs and CSPs, allowing customers to use their own encryption and key management tools. Thales CipherTrust Transparent Encryption (CTE) and CipherTrust Tokenization offer advanced multi-cloud BYOE solutions for data mobility and centralized encryption key management.
  • CipherTrust Cloud Key Management (CCKM) supports Bring Your Own Key (BYOK) use cases across multiple cloud infrastructures and SaaS applications by providing cloud key management automation, key usage logging, and reporting, ensuring strong controls over the encryption key life cycles.
  • “… secure container-based data management, where encryption keys and Hardware Security Modules are under the control of the RE.”

Thales Luna Hardware Security Modules (HSM) provide organizations with dedicated hardware for crypto key control, offering a tamper-resistant environment for secure cryptographic processing, key generation, and encryption.

  • “… a standard set of tools and processes to manage containers, images and releases...”

CipherTrust Transparent Encryption Container Security delivers in-container capabilities for encryption, access controls, and data access logging, so organizations can establish strong safeguards around data in dynamic container environments.

  • “Multi-tenancy environments should be protected...”
  • “…The architecture should be resilient and enable smooth recovery … across the cloud architecture …”

CipherTrust Enterprise Key Management is a high-availability appliance that centralizes encryption key management for the Thales Data Security Portfolio and third-party encryption solutions. It manages key life-cycle tasks, certificates, and secrets, and offers multi-tenancy domains for added security.

b. Identity and Access Management (IAM)

Thales OneWelcome identity and access management solutions limit the access of internal and external users based on their roles and context.

  • SafeNet Trusted Access is a cloud-based access management solution that provides commercial, off-the-shelf multi-factor authentication with the broadest range of hardware and software authentication methods and form factors.
  • Thales converged badge solutions simplify the management of physical and logical access by consolidating all corporate security applications in a single user's badge.
  • The broad list of supported authentication methods meets the needs of a large variety of users and enables organizations to protect all their users and sensitive digital resources.

Recommended Resources

Data Security Compliance with Reserve Bank of India - Compliance Brief


Data Security Compliance and Regulations - eBook


This ebook shows how Thales data security solutions enable you to meet global compliance and data privacy requirements including - GDPR, Schrems II, PCI-DSS and data breach notification laws.

The Key Pillars for Protecting Sensitive Data in Any Organization - White Paper


Traditionally organizations have focused IT security primarily on perimeter defense, building walls to block external threats from entering the network. However, with today’s proliferation of data, evolving global and regional privacy regulations, growth of cloud adoption, and...

Other key data protection and security regulations

GDPR | Regulation | Active Now

Perhaps the most comprehensive data privacy standard to date, GDPR affects any organization that processes the personal data of EU citizens - regardless of where the organization is headquartered.

PCI DSS | Mandate | Active Now

Any organization that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.

Data Breach Notification Laws | Regulation | Active Now

Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.