Cloud Security

The Cloud Security Policy outlines the organization's practices for ensuring security in cloud computing services, applicable to all business functions and information systems. It details the evaluation of assets, compliance with regulations, and security measures across various cloud service models (SaaS, PaaS, IaaS, BPaaS) and deployment models (Public, Private, Hybrid). Additionally, it emphasizes the importance of incident management, data isolation, encryption, and contractual requirements with cloud service providers to protect organizational data and maintain business continuity.

Uploaded by Sameer Kulkarni

Policy Name: 2.19 Cloud Security Policy


1 PURPOSE
To define the Organization’s desired practices regarding Cloud Security.
2 SCOPE
This policy applies to all business functions and their information systems, information assets and all
communication and network connections that use or plan to use cloud computing services or cloud
infrastructure services. Information systems, communications and network connections include, but
are not limited to, network devices such as routers and firewalls, servers and mainframes, operating
systems, databases and applications. The assets in scope are:
a. Data
b. Application
c. Functions
d. Process
e. Network connections
f. Underlying Hardware
The assets are to be evaluated on the following factors:
I. Determine how important the data or function is to Insurance Company
II. Analyze the impact of the following scenarios:
i. The asset becoming widely public and widely distributed
ii. An employee of the Cloud service provider accessing the asset
iii. The process or function being manipulated by an outsider
iv. The process or function failing to provide expected results
v. The information/data being unexpectedly changed
vi. The asset being unavailable for a period of time
3 POLICY
The objectives of this policy are:
a. To ensure that the cloud service is in accordance with the business and security requirements and
relevant laws and regulations for:
i. Provisioning and Commissioning of Cloud Services.
ii. Operations and Management of Cloud Services.
iii. De-commissioning of Cloud Services.
b. To evaluate the following factors in cloud adoption decisions:
i. Technical adequacy for porting the application to the Cloud – Assess the application profile to
ensure it is the right fit to be ported to the Cloud.
ii. Risk, including availability requirements, regulatory, compliance and statutory requirements, and data
sensitivity.
iii. Control over intrusion-related decisions, vulnerability monitoring and denial of service attacks.
Any deviation from this policy shall be treated through risk management and exception management
as defined in the ICSP.
3.1 Cloud Service Models
Cloud service delivery is divided among four archetypal models:
Cloud Software as a Service (SaaS)
1. The capability provided to the consumer is to use the provider’s applications running on a cloud
infrastructure.
2. The applications are accessible from various client devices through a thin client interface such as a
web browser (e.g., web-based email).
3. The consumer does not manage or control the underlying cloud infrastructure including network,
servers, operating systems, storage, or even individual application capabilities, with the possible
exception of limited user specific application configuration settings.
Cloud Platform as a Service (PaaS)
1. The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created
or acquired applications, created using programming languages and tools supported by the
provider.
2. The consumer does not manage or control the underlying cloud infrastructure including network,
servers, operating systems, or storage, but has control over the deployed applications and possibly
application hosting environment configurations.
Cloud Infrastructure as a Service (IaaS)
1. The capability provided to the consumer is to provision processing, storage, networks, and other
fundamental computing resources where the consumer is able to deploy and run arbitrary software,
which can include operating systems and applications.
2. The consumer does not manage or control the underlying cloud infrastructure but has control over
operating systems, storage, deployed applications, and possibly limited control of selected networking
components.
Business Process as a Service (BPaaS)
1. The capability provided includes business process outsourcing (BPO) services that are
sourced from the cloud and constructed for multi-tenancy.
2. The services are often automated, and where human process actors are required, there is no overtly
dedicated labor pool per client.
3.2 Cloud Deployment Models
1. Public Cloud – Cloud infrastructure owned and operated by a third-party organization selling cloud
services and available on a rental basis to the general public or a large industry group.
2. Private Cloud – Cloud infrastructure is owned and operated solely for a single organization. It may
be managed by the organization or a third party and may exist on-premises or off-premises.
3. Hybrid Cloud – Cloud infrastructure is a composition of two or more different cloud infrastructures
(private, community, or public) that remain separate entities, but are bound together by standardized
or proprietary technology that enables data and application portability (e.g., load balancing between
clouds).
3.3 Compliance
Organization shall ensure compliance with the applicable IRDAI guidelines and related laws, regulations and
guidelines issued by the regulating authority in India.
3.4 Cloud security lifecycle
Governance and risk management, while the deployment model may define accountability and
expectations.
Before signing an agreement with the cloud service provider, Organization shall ensure that all
mandatory controls have been fully approved.
3.4.1 Authentication
It shall be ensured that the Cloud Service Provider supports multi-factor authentication
mechanisms.
Authorization shall be followed as per the existing “Information and Cyber Security Policy, Security
Domain Policy, Section 2.2 – ‘Asset management’, subsection 3.2.2.3 – ‘Authorization Inventory’”.
Organization shall affirm that the cloud service provider’s authentication process, access control,
accountability and logging are in line with applicable regulatory and legal requirements. Customer data
shall be protected from any unauthorized access.
3.4.2 Physical Security Controls
The Physical Security Controls shall be followed according to the existing “Information and Cyber
Security Policy, Security Domain Policy, Section 2.15 – ‘Physical and Environment Security’”.
The additional physical security controls are as follows:
• Organization shall ensure that the Cloud Service Provider complies with the appropriate security
controls for the infrastructure. Effective physical security shall ensure that a centralized management
system allows for correlation of inputs from various sources, including property and authorized
employees.
• It is recommended to opt for Cloud service providers that conform to the ISO 27001 standard
for physical and environmental security.
3.4.3 Infrastructure Security (for private cloud and IaaS for public cloud)
Design of the Cloud environment shall be based on appropriate security guidelines such as the Cloud
Security Matrix by the Cloud Security Alliance, or on guidelines defined by the IS Team. The IS team
shall perform an assessment of private Cloud services prior to roll-out, based on industry standards and
IS policy provisions.
An infrastructure standard shall be defined and implemented for commissioning of cloud
infrastructure including servers and network equipment. The standard shall consider legacy
infrastructure or provision for reuse or retiring the same if required. The standard shall also include
minimum security baseline standard.
Appropriate tools / procedures shall be put in place for managing and monitoring infrastructure
operations including Cloud characteristics such as storage utilization, provisioned allocation vs. actual
utilization, host machine uptime, virtual machine uptime, network uptime and infrastructure and
application response times, patch management, change management, incident management, antivirus
management.
Infrastructure integration architecture shall be defined for integration within the data center and across
multiple data centers.
All applications and infrastructure elements shall be evaluated for their suitability to operate in the
Cloud environment prior to migration, including checks for compatibility and the information security
baseline. A procedure document shall be made available for performing such a migration. Necessary
approvals from Security and Business shall be obtained at various stages during migration as defined
in the existing “Information and Cyber Security Policy, Security Domain Policy, Section 2.5 –
‘Information Systems acquisition and development’”. Cloud infrastructure shall follow the existing
Organization’s Information Systems Maintenance policy including access control, change
management, data security, backup and restoration, patch management, job scheduling, capacity and
performance management, malicious software management, vulnerability management, and IT
service management.
3.4.4 Network Security
Network security consists of security services that restrict or allocate access and that distribute, monitor,
log, and protect the underlying resources and services.
It shall be followed according to the existing “Information and Cyber Security Policy, Security
Domain Policy, Section 2.11 – ‘Network Security’”.
Also, Organization shall ensure that the cloud service provider has documented and tested processes
for:
a. Access controls for management of the network infrastructure
b. Traffic filtering provided by firewalls
c. Creating secure Virtual Private Networks (if VPN is offered)
d. Intrusion detection / prevention
e. Mitigating the effects of DDoS (Distributed Denial of Service) attacks
f. Logging and notification, so that systematic attacks can be reviewed.
3.4.5 Data Isolation
In case of utilization of cloud services, Organization shall ensure that its data is adequately isolated in
the cloud environment.
Organization’s data on the cloud shall be isolated such that it can operate as a separately managed
entity/entities.
Mechanisms shall be established to ensure appropriate isolation exists at the network, operating
system, application layer and database.
For a multi-tenant cloud environment, the following shall be ensured:
• Mechanisms shall be defined for separating the usage of storage, memory, and routing. The
isolation of applications and data shall be ensured. In an isolated architecture, the data shall be
segregated into its own database instance. For multi-tenancy, an architectural and design approach
shall be adopted that addresses economies of scale, availability, management, segmentation, isolation, and
operational efficiency.
• For an application deployed on the Cloud using native multi-tenancy features offered by the
application, privacy of data across tenants or entities shall be ensured through appropriate access
control mechanisms. The application shall clearly log business errors and technical errors separately to
support separation of duties between business users and the data center operator.
3.4.6 Data Classification
Data Classification shall be followed in accordance with the existing “Information and Cyber security
policy, Security Domain Policy, Section 2.1 – ‘Data Classification’”.
3.4.7 Encryption
As defined in the existing “Information and Cyber Security Policy, Security Domain Policy,
Section 2.12 – ‘Cryptographic Controls’”, Organization shall ensure that appropriate cryptographic
controls are applied to data depending upon its classification, as per the encryption requirements defined
in the data classification policy.
Organization shall ensure that a unique set of encryption key(s) is utilized, in accordance with the
existing “Information and Cyber Security Policy, Security Domain Policy, Section 2.12 – ‘Cryptographic
Controls’”.
Organization shall ensure that the cloud service provider supports the Key Management Interoperability
Protocol (KMIP). KMIP provides a standardized way to manage encryption keys across diverse
infrastructures.
Organization shall prefer hardware encryption keys, in compliance with Federal Information
Processing Standard (FIPS) 140-2 / 140-3 and above, whenever compatible.
Organization shall devise encryption and key management procedures in accordance with the already
existing Organization’s information security policy for the following:
a. Encrypting data in transit, at rest and on backup media
b. Securing the key store
c. Protecting encryption keys
d. Ensuring encryption is based on industry / government standards
e. Limiting access to key stores
f. Key backup and recoverability
g. Testing these procedures
3.4.8 Application Security
Organization shall ensure Application Security for applications hosted over the Cloud in accordance
with the existing “Information and Cyber Security Policy, Security Domain Policy, Section 2.5 –
‘Information Systems acquisition and development’, subsection –‘Application Security’”.
3.4.9 Incident Management
The incident management for cloud services shall be followed in accordance with the existing
“Information and Cyber Security Policy, Security Domain policy, Section 2.10 - ‘Incident and
Problem Management’”.
3.4.10 Business Continuity and Disaster Recovery
Organization shall ensure that Business Continuity for cloud services is in accordance with the
existing “Information and Cyber Security Policy, Security Domain Policy, Section 2.13 – ‘Business
Continuity Management and Disaster Recovery’”.
In addition, Organization shall also audit the Cloud service provider’s disaster recovery plan and
ensure it meets Organization’s requirements. At minimum, the following shall be considered:
i. The ability to retrieve and restore data following data loss incidents.
ii. The cloud service provider shall provide Organization with an extensive disaster recovery testing report,
covering everything from exercise scope to the final outcome and recommendations.
iii. Make sure the DR (Disaster Recovery) solution is capable of maintaining the same levels of
security measures and controls utilized in normal operation mode.
iv. Assure that the Disaster Recovery solution is owned and managed completely by the contracted
Cloud Service Provider.
It is recommended to opt for cloud service providers who are BS 25999 or ISO 22301 certified.
Business Continuity Plans shall be in place for cloud-sourced services based on the regular BCP, and
provisions for the same shall be included in Organization contracts.
A confidential document containing account information for business continuity purposes shall be
maintained.
3.4.11 Exception Management
An “exception” shall be defined as circumstances when a particular policy or standard, security
program requirement, or security best practice cannot be fully implemented.
Organization shall develop, publish and implement administrative, technical and physical safeguards
in an effort to adequately protect the confidentiality, integrity and availability of its assets on an
exception basis.
The Exception Management for Cloud Services shall be followed in accordance with the existing
“Information and Cyber Security Policy, General Guidelines, Section 1.8 – ‘Exceptions’”.
3.5 Off-boarding of cloud service provider
Upon termination of contract, all data transferred by Insurance Company, or generated by the third
party for Insurance Company, shall be handed over to Organization. Evidence shall be provided to
Organization of the deletion and purging of all copies of data at the service provider site/s.
When in transit, data shall be subject to stringent controls based on the classification of data as laid
down in the Information and Cyber Security Policy: Security Domain Policy, Section 2.1 – ‘Data
Classification’.
Upon termination of services, the service provider shall provide a certificate confirming that
de-commissioning has been carried out and that further access shall not be provided to Organization
employees.
3.6 Virtualization
In cloud computing, the majority of separation controls are not physical; they are enforced through
logical system and application controls designed to help ensure data segmentation and integrity across
the platform. The mechanism for providing this separation of data and services is “virtualization”.
3.6.1 Evaluation of Cloud Service Provider virtualization environment
Organization shall evaluate the Cloud service provider’s virtualization hardening guidelines and
policies, and evaluate the third-party gap assessment against the technology risk assessment checklist.
This includes, but is not limited to:
a. Disable or remove all unnecessary interfaces, ports, devices and services;
b. Securely configure all virtual network interfaces and storage areas;
c. Establish limits on VM resource usage;
d. Ensure all operating systems and applications running inside the virtual machine are hardened;
e. Validate the integrity of the cryptographic key-management operations;
f. Harden individual VM virtual hardware and containers.
3.6.2 Virtualization Security
Organization shall ensure that the Cloud service provider has controls to guarantee that only
authorized snapshots / images are taken and that the classification level, storage location and
encryption of these snapshots / images are in compliance with the production virtualization environment.
Organization shall assure that the following controls are applied as a part of hypervisor security:
a. Organization can access the Hypervisor administrative access log reports.
b. Complete Hypervisor logging is enabled.
Organization shall ensure that the cloud service provider provides trusted Virtual Machines
(VMs) and that those VMs were built in compliance with the hardening guidelines.
The cloud service provider shall provide Organization with its complete list of vendors that will have
access to Organization’s data at any point throughout the duration of the agreement. The Cloud
Service Provider shall update Organization about any change in the vendor list.
For multi-tenancy through virtualization:
• The application shall be explicitly tested and qualified using the virtualization product that is deployed
within the Cloud. The application vendor shall provide sizing considering deployment in a virtualized
environment. Alternatively, the vendor shall provide sizing based on physical servers and state the
overhead with the specific virtualization product.
• An application image shall be available for the virtualization product used. Each virtual machine shall
be allocated resources commensurate with projected transactions. Resource consumption shall be
periodically monitored against actual load so that necessary refinements can be carried out.
• Placing different tiers of the application on separate physical boxes forces communication between
tiers to pass through the physical network, which facilitates implementation of firewall
policies that allow communication only between VMs belonging to the same company. Also, using
different disk partitions to isolate VMs belonging to different companies can provide further isolation.
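As an added illustration of the multi-tenant isolation controls in 3.4.5 and 3.6.2 (example code, not part of the policy document), the following Python check takes a constructed VM inventory and firewall policy and flags three kinds of violation: allow-rules that join VMs of different companies, application tiers of one company co-located on the same physical box, and a disk partition backing VMs of more than one company. All VM, host, volume and tenant names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    tenant: str   # company that owns the VM
    tier: str     # application tier: web, app or db
    host: str     # physical box the VM runs on
    volume: str   # disk partition / storage volume backing the VM


@dataclass(frozen=True)
class Rule:
    src: str      # source VM name
    dst: str      # destination VM name
    port: int
    action: str   # "allow" or "deny"


def find_isolation_violations(vms, rules):
    """Return a sorted list of findings; an empty list means the controls hold."""
    by_name = {vm.name: vm for vm in vms}
    findings = []

    # Control 1: an allow-rule may only join VMs belonging to the same company.
    for r in rules:
        if r.action != "allow":
            continue
        src, dst = by_name.get(r.src), by_name.get(r.dst)
        if src is None or dst is None:
            findings.append(f"rule {r.src}->{r.dst}:{r.port} references an unknown VM")
        elif src.tenant != dst.tenant:
            findings.append(f"cross-tenant allow {src.tenant}/{r.src} -> {dst.tenant}/{r.dst}:{r.port}")

    # Control 2: tiers of one company's application sit on separate physical boxes,
    # so inter-tier traffic has to cross the physical network and the firewall.
    tiers_on_host = {}
    for vm in vms:
        tiers_on_host.setdefault((vm.tenant, vm.host), set()).add(vm.tier)
    for (tenant, host), tiers in tiers_on_host.items():
        if len(tiers) > 1:
            findings.append(f"tiers {sorted(tiers)} of {tenant} share physical host {host}")

    # Control 3: a disk partition must not back VMs of more than one company.
    tenants_on_volume = {}
    for vm in vms:
        tenants_on_volume.setdefault(vm.volume, set()).add(vm.tenant)
    for volume, tenants in tenants_on_volume.items():
        if len(tenants) > 1:
            findings.append(f"volume {volume} shared by tenants {sorted(tenants)}")

    return sorted(findings)


# Constructed inventory: two companies ("acme", "globex") on shared virtualization.
VMS = [
    VM("acme-web",   "acme",   "web", "host-1", "vol-acme-1"),
    VM("acme-app",   "acme",   "app", "host-1", "vol-acme-1"),   # same box as acme-web
    VM("acme-db",    "acme",   "db",  "host-2", "vol-acme-2"),
    VM("globex-web", "globex", "web", "host-3", "vol-globex-1"),
    VM("globex-db",  "globex", "db",  "host-4", "vol-acme-2"),   # partition shared with acme
]

# Constructed firewall policy; one allow-rule crosses the company boundary.
RULES = [
    Rule("acme-web",   "acme-app",  8080, "allow"),
    Rule("acme-app",   "acme-db",   5432, "allow"),
    Rule("globex-web", "globex-db", 5432, "allow"),
    Rule("acme-app",   "globex-db", 5432, "allow"),   # violation
    Rule("globex-web", "acme-db",   5432, "deny"),    # explicit deny is fine
]

if __name__ == "__main__":
    for finding in find_isolation_violations(VMS, RULES):
        print("VIOLATION:", finding)
```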
3.7 Legal, Regulatory and Contractual Requirements
3.7.1 Contractual Requirements
Organization shall sign a non-disclosure agreement (NDA) with the cloud service provider before
providing any service. All aspects relating to privacy, confidentiality, security and business continuity
shall be fully met.
If the vendor is certified under the Cloud Security Alliance Trust or is providing control information
under the Cloud Trust Protocol, and if the scope of services provided to Organization is included
under the scope / statement of applicability for the certification, the vendor shall be exempt from the
requirement for periodic audits by Organization. However, in such a scenario, the vendor will be
required to furnish the following:
o A self-certificate of compliance with all IS provisions in the contract
o A copy of a valid certification demonstrating that the scope of services provided to Organization is
included under the scope / statement of applicability for the certification
In order to be able to enforce performance, information security and other controls to address
outsourcing risks, Organization shall build the right to audit into its contracts with vendors.
Information Security department shall be engaged during the establishment of Service level
agreements (SLAs) and contractual obligations to ensure that security requirements are contractually
enforceable.
Organization shall prepare a service contract addressing the following domains:
a. Architectural Framework
b. Governance, Risk Management
c. Clarity on Cloud service provider’s role and Organization’s role
d. e-Discovery searches
e. Expert testimony
f. Primary and secondary (logs) data
g. Location of storage
h. Contract termination
i. Ownership of data
Organization shall ensure that the Service Level Agreement (SLA) reflects the application and data
availability requirements in the event of planned or unplanned disruptions or outages, the business
continuity and disaster recovery planning, and the backup and redundancy mechanisms defined by
Organization.
Organization shall include financial remedies in the event of a business disruption in the SLA.
Third-party service providers shall be empaneled for the cloud services of Organization only after a
contract is signed between Organization and the service provider.
The contracted terms and conditions shall be drafted and approved by the Legal department of
Organization, in consultation with the Compliance, Risk and Information Security departments, to
safeguard the interests of Organization.
Automated tools shall monitor and track SLAs and generate reports to project the impact on costs,
ROI etc.
The provisioning process shall be completely automated.
3.7.2 Contractual clauses on Data Privacy
Organization shall assure that it retains the “Exclusive” right to data ownership throughout the
duration of the agreement. Ownership includes all copies of data available with the cloud service provider,
including the backup media copies, if any. Organization shall ensure that the cloud service providers
are not permitted to use Insurance Company’s data for advertising or any other non-authorized
secondary purpose. Organization shall contractually assure that it is informed of any confirmed
breach immediately, without any delay. For a suspected breach, Organization shall be informed within 4
hours from the time of breach discovery.
Organization shall contractually require that the cloud service provider be responsible for any
financial losses or penalties that may occur in the event of a cloud service provider breach.
Organization shall contractually require that the cloud service provider completely eliminate any
trace of data / information at the termination of the Contract, as agreed in the contract.
Organization shall contractually require and ensure that the cloud service provider fulfills the data
and media destruction and sanitization controls.
Organization shall ensure that the cloud service provider complies with the requirement of return of
data to Organization. There shall be no vendor lock-in by the cloud service provider.
3.7.3 Legal Requirements
Organization shall ensure that the Cloud service provider’s own data privacy policy is in compliance
with the laws applicable to Organization. Also, the cloud service provider shall adhere to all
regulatory and legal requirements of the country.
Data and processes in Cloud Computing shall comply with both Indian and international laws when
the Organization availing the Cloud service has an international presence. Legal compliance shall be
ensured when using the Cloud service.
3.7.4 Regulator Independence
Organization shall contractually agree with the cloud service provider that the infrastructure and
applications are made available for audit / inspection by the regulators of the country. The regulator shall
have access to all information resources that are consumed by Insurance Company, even though the
resources are not physically located on the premises of Organization.
