Best practices to comply with SEBI Cloud service adoption


In response to the increasing incidents of technical glitches in the financial sector, the Securities and Exchange Board of India (SEBI) has taken a proactive approach by forming a task force. This group has developed a comprehensive framework to address the challenges and risks associated with adopting cloud computing solutions. The framework aims to guide SEBI regulated entities (REs) in implementing robust risk management strategies for cloud adoption.

SEBI’s cloud computing framework:

The primary objective of the SEBI framework is to reduce the risks associated with cloud adoption by establishing essential access and data controls. Providing a principles-based approach, the framework describes mandatory controls and basic security measures for REs and cloud service providers (CSPs). It addresses governance, risk management, compliance and other crucial aspects to ensure a secure transition to cloud computing.

SEBI’s framework is designed to help REs manage risks associated with cloud adoption. The framework includes nine high-level principles:

  • Governance, risk and compliance sub-framework
  • Cloud Service Provider Selection
  • Data ownership and data localization
  • Responsibility of the regulated entity
  • Due Diligence for Regulated Entities
  • Security checks
  • Contractual and regulatory obligations
  • Business continuity planning, disaster recovery and cyber resilience
  • Supplier lock-in and concentration risk management

Understanding cloud computing:

Cloud computing is the provision of on-demand computing services over the Internet, including storage, processing power, applications and software. It allows users to access computing resources from anywhere with an Internet connection, providing scalability, ease of deployment and reduced maintenance costs.

Overview of SEBI regulations for securing cloud data:

The SEBI regulatory framework sets out specific requirements for regulated entities aimed at strengthening cloud data security. The main provisions of this framework include:

  • Mandatory adoption of Hardware Security Modules (HSM) and Key Management Systems (KMS)
  • Protecting data in use with encryption
  • Retaining key control in cloud services

Key elements of the framework:

The framework highlights the importance of a robust risk management strategy for cloud adoption, guiding REs in assessing risks, implementing controls, monitoring compliance and ensuring compliance with regulatory standards. The guidelines apply to various financial market entities, including stock exchanges, clearing companies, depositories, securities dealers, mutual funds, asset management companies, registration agencies KYC and qualified registrars for share issuance and transfer agents.

Implementation schedule:

REs that are not currently using any cloud services should adhere to the framework immediately. Those already using cloud services have a transition period of up to 12 months to ensure compliance. During this period, REs should assess their technology risk, align with business needs and implement necessary measures to comply with SEBI guidelines.

CryptoBind Solutions versus SEBI Guidelines:

JISA Softech offers comprehensive solutions designed to enable organizations to effectively address the challenges posed by the framework for adopting cloud services. As businesses migrate their applications to new infrastructures, the need for a robust solution to protect data, both on-premises and in the cloud, becomes paramount.

Securing cryptographic keys:

CryptoBind HSM, a dedicated Hardware security module, provides organizations with a secure environment for key management and cryptographic operations. With CryptoBind HSM, organizations maintain full control over cryptographic keys, from generation to destruction. This ensures that sensitive keys remain inaccessible and uncontrolled by the CSP, providing organizations with a greater degree of control and ownership over their crypto assets.

Ensuring data security at rest and in motion

Our encryption strategy uses column- and application-level encryption to keep data secure at rest and in motion. By encrypting files while leaving their metadata unencrypted, we enable cloud service providers (CSPs) to perform essential system administration tasks without requiring privileged access to sensitive data. This approach strikes a delicate balance, enabling transparent management while preserving the confidentiality of protected information.

Comprehensive cryptographic key management

CryptoBind KMS (key management system) is a centralized solution that facilitates automated key updates and distribution across various applications. With CryptoBind KMS, organizations can effectively manage the entire lifecycle of symmetric and asymmetric keys. This system supports robust business processes, contributing to compliance with internal and external audits, thereby building confidence in key management practices.

Bring your own key (BYOK)

JISA Softech introduces BYOK, giving customers the power to own their keys. With the ability to bring their own master keys, organizations can establish key management policies and enforce strict access controls. This level of control ensures that only authorized entities can access and decrypt data, reducing the risk of unauthorized access and potential data breaches.

Bring Your Own Encryption (BYOE)

In the BYOE framework, the Hardware Security Module (HSM) acts as an intermediary between the organization and the Cloud Provider’s storage systems. Additionally, the HSM handles all cryptographic processing tasks, providing an additional layer of security and control for organizations using cloud storage systems.

Our offerings are designed to help organizations seamlessly integrate the security measures specified in the framework. These solutions enable organizations to strengthen the security of their cloud data, protect sensitive information, and efficiently meet regulatory requirements.

For more details on SEBI compliance and optimal implementation of necessary solutions, do not hesitate to contact us. The JISA Softech team is committed to providing comprehensive solutions and support, ensuring that your organization not only meets the required standards but also strengthens its data security in compliance with SEBI regulations. Contact us today for an expert consultation and advice.

Contact us:


Leave a comment