Cloud security issues are cited as major obstacles to cloud adoption the world over, and India is no exception, with major hurdles to clear before mass adoption.
Indian companies are lagging behind in cloud adoption because Cloud Service Provider (CSP) data centers are located outside India, creating a general perception of insecurity.
Turning over control of the security of their IT infrastructure and data is an uncomfortable situation for any senior corporate manager, but cloud computing is hard to ignore because it provides cost benefits, elasticity and always-on features.
The report revealed that 54% of senior IT professionals surveyed in India consider cloud computing as a top business priority. But security is a major consideration, stopping many organizations from taking full advantage of the new utility computing model.
Key cloud security issues in India include location of service providers
Keith Prabhu, founder of the Cloud Security Alliance, Mumbai Chapter, said: “While Cloud Computing is expanding rapidly across the globe, Indian companies are lagging behind in adoption. The key security issues that are inhibiting the adoption of cloud in India are due to the geographical location of CSP data centers. Because none of the major and reputed CSPs have their data centers in India, companies find it difficult to take the decision to put their data on the cloud, which may come under scrutiny of US and EU laws.”
More resources about cloud security issues
Learn about the top cloud security issues facing Indian businesses
Listen to a podcast about cloud computing security and INFOSEC
Read about the biggest cloud computing security risks facing CIOs
In addition, the cloud is still perceived to be "somewhere out there" and inherently insecure. As a result, Indian CIOs prefer to keep data secure within their own firewalls, said Prabhu.
Organizations have to comply with regulations such as PCI DSS, SOX, HIPPA as well as the legal requirements stated in the IT Act 2000 and 2008. For example, any objectionable content should be removed from the cloud service within 36 hours of the content being reported, however, if the cloud service fails to remove it, the cloud service could be barred from operating; this could have a huge impact on other clients having their service hosted on the same cloud.
Prashant Mali, cyber law expert in India, said: “Indian companies using foreign cloud solutions today are now all non-compliant towards The IT Act 2000, specifically to The IT Rules of 2011 concerned with data handling.”
Contractual agreements are the key when it comes to selecting cloud vendors. Third-party audits should be baked into the contract to have reasonable assurance of security deployed at the cloud.
K K Mokey, director at security consultancy Network Intelligence, said there should be provision for the client to conduct a security assessment of the CSP’s setup.
“We have seen CSPs with some very lax security measures focus more towards cost-cutting, whereas some other CSPs implement best-in-class security measures. Responsibility lies on the client who is procuring the CSP’s service. They should definitely involve their legal team as well as risk team. Most importantly, they should develop a cloud strategy that addresses how they will adopt the cloud going into the future," said Mokhey.