Encryption and digital security and privacy in India
Outsourcing 11th Dec 2014 Dinesh Bhalla

Before I begin, it is important to state that this blog discusses communications in India that are regulated and backed by legislation. It is therefore extremely important that proper legal advice is taken as part of any procurement process to ensure compliance with the law.

 

Doing business in India is generally safe: IT service providers put a lot of resources into security, and the Indian Government, through the Information Technology Act 2000 and its 2008 amendment, has stipulated severe penalties for corporate or individual computer misuse and for breaking digital security rules. For instance, a cyber attack on India's critical national infrastructure (CNI) is treated as an act of cyber terrorism.

 

This blog considers one aspect of digital privacy in India: encryption. There are currently no coordinated policies or rules on encryption methods that weigh the requirements for commercial and personal privacy and security against those of national security and law enforcement agencies.

 

The Information Technology (Certifying Authorities) Rules 2000 and the ISP licence conditions issued by the Department of Telecommunications (DoT) limit ISPs to 40-bit encryption; anything stronger requires specific approval, and that approval has required the cryptographic keys to be deposited with the DoT.

 

Current regulation in this area has to serve both the needs of the commercial community and those of national and state security. The government must balance its wish for India to become a thriving economic powerhouse (and a good place to do business) against the need to protect its people.

 

The current state of affairs is a set of conflicting rules, so whatever is implemented, the network security design must be approved by the DoT. It should also be said that although India is a great place for BPOs and has developed tremendously, the evolution of its encryption standards lags behind.

 

The Information Technology Act 2000 does not itself state a maximum or minimum level of encryption. The limit is set in the guidelines for the grant of licences for operating Internet services (the ISP Guidelines), which allow licensees "to use up to 40 bit key length in the symmetrical key algorithm or its equivalent in other algorithms without having to obtain permission from DOT, but for use of any encryption equipment higher than this limit the same can be done only with the prior approval of the DOT."

 

Having set this limit, which corporates and individuals must abide by when using ISP services, there are nevertheless various industry-specific regulatory requirements that mandate a higher level of encryption.

 

For example, the stock exchange regulator (SEBI) says that 64-bit/128-bit encryption standards are necessary, and the Reserve Bank of India (RBI), the banking regulator, states that banks should use at least 128-bit encryption.

 

The DoT also issues IT security guidelines for the implementation and management of IT security, which state that equipment used in the transmission of electronic communications (routers, switches and so on) must be equipped with suitable security software.

 

The Data Security Council of India (DSCI) recommended in 2009 that the encryption rules be changed to allow the use of 256-bit AES encryption; however, no changes have yet been made (see the DSCI recommendation PDF).

 

Despite the gap between the 40-bit encryption limit and the recommendations or mandates of specific sectors, the issue has still not been resolved. From a security standpoint the gap matters: a 40-bit symmetric key has a key space of only about 1.1 trillion (2^40) keys, which can be searched exhaustively on commodity hardware, so it offers no meaningful confidentiality against a determined attacker. The 128-bit and 256-bit keys asked for by the sector regulators and the DSCI are the level at which exhaustive search ceases to be practical.

 

For overseas firms it is essential that the contractor(s) providing infrastructure connectivity obtain prior approval from the DoT, and that completing this step is made a contractual milestone; it is at this point that the level of encryption to be implemented needs to be agreed. Obtaining the approval involves all parties in the chain: the telco, the ISP, the BPO service provider and the end customer.

The DoT will require, or may require, the following:

  • All necessary documentation and drawings; particular information such as IP addresses may have to be given (this causes some concern to certain companies).

  • The DoT may want to carry out site inspections.

  • They may restrict the type of data being transmitted.

  • Depending on the business or the type of implementation, the DoT may require other government departments to be involved, which may affect the implementation date.

  • The service provider or the telco may have to submit to the installation of monitoring equipment specified by the DoT.

 

With regard to the wider issue of cyber security, the Indian government's Department of Electronics and Information Technology (DeitY) issued the National Cyber Security Policy in 2013.

It essentially consists of a governance framework for dealing with national and local security threats, and especially threats to India's critical national infrastructure.

I hope this blog has given readers some insight and emphasised the necessity of proper due diligence when procuring services from India, and the need to make sure that any procurement process involving offshore services covers these areas.

If after reading this blog you feel the need for professional support then please contact us at Ofsure. My email address is dinesh.bhalla@ofsure.com
