The government has informed the parliament that the Ministry of Electronics and Information Technology (MeitY) has empanelled cloud service offerings of both domestic and global cloud service providers for the storage of data by Indian authorities.
According to Rajeev Chandrasekhar, Minister of State for Electronics and Information Technology and Skill Development and Entrepreneurship, empanelled cloud service offerings are recognised after an audit is conducted by the Standardisation Testing and Quality Certification Directorate to ensure international security standards are met. As per the minister, the terms and conditions of the empanelment require submission of a legal undertaking guaranteeing that the data shall reside in India and that there shall not be any legal framework outside Indian law that will be applicable to the operation of the cloud services.
Further, Chandrasekhar added that with the expansion of the internet, there has been a huge increase in the volume of data generated, stored and processed, putting the need to secure such data in the spotlight. He said that the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 specifically provide that the disclosure of sensitive personal data or information by the body corporate to any third party requires prior permission from the provider of information, unless such disclosure has been agreed to in the contract between the body corporate and the provider of information or where the disclosure is necessary for compliance with legal obligations.
In a separate response to the Lok Sabha, the government said that ransomware incidents have grown over time with attacks across multiple sectors, including commercial and critical infrastructure. According to Chandrasekhar, threat actors have modernised their attack methodologies, evolved sophisticated tactics and adopted a wide range of attack campaigns. He added that ransomware actors exploit known vulnerabilities, compromised credentials of remote access services and phishing campaigns to gain access to the infrastructure of organisations.
With regard to the All India Institute of Medical Sciences (AIIMS) cyber attack, Chandrasekhar said that, as per preliminary analysis, five servers of the institution were compromised by unknown threat actors due to improper network segmentation, which caused operational disruption due to the non-functionality of critical applications. The minister asserted that a special advisory on security practices to enhance the resilience of health sector entities has been communicated by the Indian Computer Emergency Response Team (CERT-In) to the Ministry of Health and Family Welfare, to sensitise health sector entities regarding the latest cyber security threats. It has also been suggested that the ministry may carry out a special audit through CERT-In-empanelled auditors on a priority basis, comply with the findings of such audit and ensure implementation of security best practices.