					
				Indian Data Security: Keeping your bride in your best friend's house
				Posted: 13 Dec 2017 10:34
				by shiv
				I am hoping to get some useful inputs on this topic. The issue is so easy to describe, and yet so important that I don't even know if a thread can be made out of this. We have a lot of itvity people on BRF and they will only react to this with a "ho hum, so what's new?". It is all well known, but it is not known to many people who matter.
I have deliberately started this thread in this forum because of its national security implications. 
It's like this. For those of us living in India every single detail - the amount you have in your bank, your shares, investments your tax records are all stored in servers mostly in the USA. And the US has a law that requires entities in the US to allow the US government to access anything they want, anytime they want from any repository. 
OK, I might say. I don't care if CIA looks at my financial records. In fact I would have a good laugh if someone was secretly operating my phone camera and recording me in my toilet. But that is not the problem. The problem is, as I see it, twofold:
1. Technically the US could block access to all data from everyone in India and literally collapse the economy. 
I doubt if they would do that, but what worries me more is:
2. Do the GoI, the RBI and the armed forces know where their data is stored? If they are keeping anything "online" in "secure servers" - someone is laughing his guts out somewhere in the world. He can read and access every bit of it.
Just look at Wikileaks and you can see the sort of stuff that is accessible. 
To what extent do the armed forces know that data that goes over the internet - even if encrypted - is ultimately being collected and stored somewhere in the US? 
We have long accused the Indian government of not having a Pakistan policy. But it appears that the GoI has no policy to ensure that all Indian data - say all data from nationalized banks, all data from Aadhaar, all data about armed forces ranks and pensions, all LIC data etc is stored in Indian servers secured by Indians in India.
The armed forces have a NICnet. Is that NICnet absolutely secure? Or is there one little server in some office where some enthusiastic individual feels it is best to send out messages to all staff on WhatsApp? "Mess duty roster for this week is.." "Happy Diwali" etc. There are people who think that WhatsApp is secure and private. I recently heard a friend praise Apple for the diligence they showed in protecting "Our privacy". How to educate him. People with such ideas are at the top in our society. They are leaders.
What is worse is that we consider ourselves to be an IT superpower. But all our IT people are working for multinational corporations who would oppose any government move to shift Indian data to Indian servers. And these companies - eg Facebook, Google, Amazon etc have deep pockets and will be able to pay off any politician or bureaucrat to shut him up and stop him from doing anything to shift Indian data into India. That aside - nowadays when I talk to parents of young people they swell with pride as they say "Oh my son works for Google". "My son in law works for Amazon". If these biggies oppose Indian plans to keep Indian data in India we are screwed. Screwed royally in the "new colonization". As a nation we are so mentally colonized by the maya of western assurances that we will refuse to believe it when someone says there is a huge risk in letting our data float around in US servers to be shared by 3 letter agencies.
What information can we collect as a crowd to show Indians how thin the ice that we are standing on happens to be. I would be happy for any anecdotes, information, data whatever that forumites may be able to provide.
Or - if you disagree with me vehemently and know that al is vel - please say so..
			 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 13 Dec 2017 10:51
				by A Deshmukh
				Great idea - to raise this serious issue.
All our computers have foreign OS. foreign browsers. 
With newer technology, anything is a bytes stream (voice, video, screen grabs, geolocation, apart from routine data) that can be easily recorded on a third party server without informing the user. 
I am myself fiddling around such code and easily enabling this.
Any electronic device being used in Govt offices is suspect and potentially a leak.
India desperately needs Indian OS, Indian tools, which are secure.
			 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 13 Dec 2017 17:50
				by shiv
				Unfortunately, this thread is like "doomsday is coming" - "Sky is going to fall on Thursday"  Even I would ignore anyone who said that. 
But it remains an important subject because there is now the potential to cause serious disruption and no one in power seems particularly concerned. 
Is there anyone who knows anything about this subject?
			 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 13 Dec 2017 17:55
				by Karthik S
I don't think Govt is even thinking in these terms. Wasn't there news about senior politicians using gmail etc for their official purposes? So all confidential info can be read by you know whom. Heck, we are even cavalier about Chinese phones flooding in Indian market. There was recent news (this week or the last) that there are 42 apps that Chinese intelligence is using to spy on us.
			 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 13 Dec 2017 19:21
				by shiv
Karthik S wrote: I don't think Govt is even thinking in these terms. Wasn't there news about senior politicians using gmail etc for their official purposes? So all confidential info can be read by you know whom. Heck, we are even cavalier about Chinese phones flooding in Indian market. There was recent news (this week or the last) that there are 42 apps that Chinese intelligence is using to spy on us.
Thx
http://zeenews.india.com/india/china-sp ... 61277.html
NEW DELHI: In a fresh advisory issued to the troops posted at the international border, the Intelligence Bureau (IB) has warned that China could be collecting vital information about the Indian security installations through its popular mobile phone apps and devices.
According to reports, the advisory issued by the DIG (Intelligence) has directed the troops posted along the Line of Actual Control (LAC) to either delete a number of mobile applications from their smartphones or reformat the devices altogether to guard against online espionage attempts from across the border. 
The IB advisory contains a list of about 42 popular Chinese apps, including WeChat, Truecaller, Weibo, UC Browser and UC News, which pose a grave threat to India's security.
There is a possibility of these apps transmitting sensitive personal data to the Chinese authorities, which could be a major security disaster, the advisory states.
The fresh advisory comes at a time when the troops from both sides continue to maintain high alertness levels along the LAC after the resolution of a bitter border stand-off over Doklam.
Based on inputs received from the intelligence agencies, the armed forces regularly warn their officers and other ranks to avoid using Chinese apps in a bid to thwart the possible leak of vital info to the hostile neighbouring country via China-made mobile devices.
The Army, as well as the central armed police forces like the Indo-Tibetan Border Police, are deployed along the 4,057km LAC, which stretches from Ladakh to Arunachal Pradesh. 
The IAF, for instance, had earlier asked all its officers and airmen as well as their families to avoid using Chinese Xiaomi smartphones and notebooks on the ground that they could transfer user data to remote servers located in China.
The note comes at a time when several Indian cybersecurity experts have raised concerns about the possible espionage attempts by the Chinese hackers and various military intelligence agencies of China.
The warning from IB pertains to Android as well as iOS apps.
 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 13 Dec 2017 19:24
				by shiv
				http://www.thehindubusinessline.com/inf ... 022791.ece
Route domestic Net traffic via India servers, NSA tells operators 
 New Delhi, Aug. 14:  
The Deputy National Security Advisor has asked the Telecom Department to look at ways to route domestic Internet traffic via servers within the country.
This follows the recent expose of the US Government accessing Internet data from across the globe, including users of Google and Facebook in India, through servers located in that country.
The NSA has asked the DoT to look at the possibility of making it mandatory for all telecom and Internet companies to route local data through the National Internet Exchange of India (NIXI). For example, an e-mail sent from Delhi to Mumbai may now be routed through servers in the US for which the ISPs need to buy international bandwidth. If all the ISPs connect to the NIXI then this data can be kept within the country.
“Such an arrangement would limit the capacity of foreign elements to scrutinise intra-India traffic,” said one of the officials who attended a recent meeting to discuss this issue. Senior officials from the DoT, NIXI and National Security Coordination Secretariat were present in addition to the Deputy NSA.
At present only about 10 per cent of the domestic traffic is being routed through the NIXI. Formed in 2003-04, NIXI was supposed to act as a local router of Net traffic but not many operators have connected to it. “Deputy NSA stated that efforts should be made to ensure that 100 per cent intra-India traffic was routed within India. This may necessitate a review of the formula for charges levied by NIXI,” the official said.
Cost-saving plan
While security concerns may be driving this proposal, if this happens then Internet companies could save on the cost of buying international bandwidth. This will in turn lead to lower data tariffs. However, this is not the first time that this proposal has been mooted. This system was first suggested by Telecom Regulatory Authority of India in 2007. An internal DoT committee had also backed the proposal in 20102 but the DoT has not made any serious attempts in putting a policy in place until now. But Government officials said the PRISM expose in the US has brought in urgency at the highest level. 
 
			 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 13 Dec 2017 19:28
				by shiv
There are financial arguments being made - apparently US GDP will go down if we shift data to India. This link says it will cost more for India - but the post above this says it will be cheaper. I think it will be cheaper and safer to keep data in India. US will fight because their money collection will come down.
https://itif.org/publications/2017/05/0 ... -they-cost
These studies show that data localization and other barriers to data flows impose significant costs: reducing U.S. GDP by 0.1-0.36 percent; causing prices for some cloud services in Brazil and the European Union to increase 10.5 to 54 percent; and reducing GDP by 0.7 to 1.7 percent in Brazil, China, the European Union, India, Indonesia, Korea, and Vietnam, which have all either proposed or enacted data localization policies.
 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 13 Dec 2017 19:52
				by arshyam
				Thanks for starting this, shiv sir. This area is something we as a country don't really care about, or are blissfully unaware. 
Let me share some links to get started:
Data Protection Authority Proposed - Swarajya
Data Protection Authority Proposed: A committee, which was set up to draft a data protection and privacy bill, has come up with a white paper calling for setting up a data protection authority, data audit, registration of data collectors, enacting provisions for protecting children’s personal information, defining penalties and compensation in case of a data breach. The Justice B N Srikrishna committee has released a 200-page document inviting comments from the public on various issues such as the definition of personal data and proposed penalties for misuse of data. The deadline for sending feedback is 31 December. The committee was set up on 31 July following a government decision to make Aadhaar compulsory for all its services. The government has given the panel three months to suggest a draft bill.
Here is the white paper: 
Data Protection Framework for India - they are inviting comments.
According to this Swarajya piece, we may not insist on data residency though:
India’s Data Protection Law Takes Shape by Arihant Pawariya. 
Cross border flow of data is today’s reality. One can’t afford to indulge in data nationalism without suffering grave economic consequences especially services driven economies like India which brand themselves as deliverers of services at inexpensive prices. Some countries have come up with adequacy test and classify other countries based on the quality of data protection they provide. They enter into data trade agreement with each other just like the goods or services trade agreement.
Countries like China, Australia or Russia mandate data localisation - storing data of individuals in their own country - but this has proved to be costly. In India’s case, we may not go for data localisation as an overall strategy. However, we must certainly do so for countries such as China which are hostile. We can also mandate that companies operating in highly sensitive data localise it here. However, imposing blanket localisation may do more harm than good.
FWIW, I am not sure how much of the above is from the paper itself, and how much is the author's opinion.
 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 13 Dec 2017 22:54
				by abhik
shiv wrote: Karthik S wrote: I don't think Govt is even thinking in these terms. Wasn't there news about senior politicians using gmail etc for their official purposes? So all confidential info can be read by you know whom. Heck, we are even cavalier about Chinese phones flooding in Indian market. There was recent news (this week or the last) that there are 42 apps that Chinese intelligence is using to spy on us.
Thx
http://zeenews.india.com/india/china-sp ... 61277.html
NEW DELHI: In a fresh advisory issued to the troops posted at the international border, the Intelligence Bureau (IB) has warned that China could be collecting vital information about the Indian security installations through its popular mobile phone apps and devices.
...
 
There are some very serious concerns, take for example location information - 
How Does Google Maps Know Where Traffic Is?
The answer is one part creepy, one part cool: Google gets its information from you, according to Business Insider. The company uses the Location Services function on Apple and Android phones to track your coordinates. If you have the Location Services capability enabled for Google Maps, you're constantly sending real-time data about your whereabouts and the time it takes you to get from place to place. Google combines everyone’s data to determine the concentration of cars on the roads and how fast they are moving. (Or aren’t moving, depending on your situation.)
 
If you open the Google Maps app you can view 'timeline' - it gives you a list of every place you have visited, when you have visited, what route you have taken etc. And Google probably has this data for 100s of millions of users (if not billion+) worldwide. Now just imagine if you could get your hands on this type of real time data on the movements of enemy soldiers! Remember reading (rumors) that Russia used this type of info to target Ukrainian forces with artillery strikes with devastating effect. A lot of the 'Chinese' apps listed ask for location permissions - I have no doubt the data is being shared with the Chinese intel/mil and is being mined appropriately. Of course everybody is waking up only now because the data is going to big bad China, and not benevolent US which IIRC runs the largest operation of mass electronic surveillance in our country.
 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 13 Dec 2017 23:09
				by sudeepj
				This is a timely topic, but what is the basis for this claim:
For those of us living in India every single detail - the amount you have in your bank, your shares, investments your tax records are all stored in servers mostly in the USA.
  
Most banks and local companies have their own IT infrastructure, all located within India.
 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 13 Dec 2017 23:19
				by nam
I don't think card companies like Visa/Mastercard follow this rule. Bank account details may be in India, but transaction data goes through card company servers, which will be outside India.
			 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 13 Dec 2017 23:23
				by nam
The topic gets muddier with the usage of cloud providers like AWS & Microsoft Azure. Although they give the option of choosing an India-based data-center, unless it is audited to be true you cannot be sure that choosing such an option means data will be in India.
Russia has very strict law of citizen data. I have seen companies wanting to do business need to replicate their applications in Russia, with its own local data source.
			 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 14 Dec 2017 00:24
				by ramana
sudeepj, It's not the details but the big picture of cyber security or lack thereof.
			 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 14 Dec 2017 19:15
				by shiv
sudeepj wrote: This is a timely topic, but what is the basis for this claim:
For those of us living in India every single detail - the amount you have in your bank, your shares, investments your tax records are all stored in servers mostly in the USA.
  
Most banks and local companies have their own IT infrastructure, all located within India.
 
The most honest answer I can give you is "This is what I have heard"
I don't believe that there is any requirement for data to be stored in India. But let me state my view here. Forget about where the data is stored - most banks and bank staff don't have a clue that data requires storage somewhere and that somewhere can be anywhere in the world. But I believe most of it is in the US where the service is offered at the most competitive prices. 
There is no requirement for banks to insist that their data should be stored in India. On a personal level I have about 4-5 bank accounts. The "foreign banks" among these had online access for over a decade. But the Indian nationalized banks have gone online only in the last 4-5 years. They are real newbies. Their sites are set up by some IT companies who are not asked where the data is stored. That is - bank pays IT company to design website and store data. What the company does is up to them.
So I don't have the confidence that you have in making the claim that the data is stored in India. That would be a dangerous delusion if untrue and I have every reason to believe that it is not true. Indian insurance companies are only now going online. The insurance company that I deal with most frequently got its online access for clients bug free only this year after 4-5 years of irritating rubbish.
Compared to the slick sophistication of some foreign banks - many Indian PSU banks and Insurance companies have interacted with their IT developers to develop the most clunky and unusable web access for users - which is full of bank jargon and acronyms that no user can understand clearly showing that neither bank nor their IT developers (who follow the bank's suggestions) have any clue about how the public must use the portal. These people are ham-fisted newbies and I do not believe for one second that they are aware of where the data is stored although they are pretty strict when it comes to user verification and 2-step transactions as required by the government.
That apart people "in the know" ("chaiwalas") have told me that data is stored in the US and I have posted a link above where the US says that its GDP stands to fall by more than 1% if nations start storing their data locally.
 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 14 Dec 2017 19:55
				by viveks
				I suppose there is no need to get 2 concerned as long as outlook exists. They have a "khoju laal" attitude towards things. 
 
  
Their ancestors produced some of the finest ideas and inventions...most particularly Sir Thomas Alva Edison... who thought that something extraordinary should light up his house so that he does not have continuous itch to put oil in the Laltein or use koila to light and keep people warm. If you believe in these ideas and see your house lit with electricity every night, use wifi...haha
These folks have a reputation to keep and they will continue doing so. If anything bad happens to us ...then probably we have been served notice and should face consequences. These folks have and will continue to produce great people...like it or not. Most of us should simply keep learning and continue forward.
Bin Laden would have hated them so much...he would have been totally foreign to the ideas of innovation. His home would have continued to be lit by Laltein.
 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 14 Dec 2017 21:02
				by A Nandy
Regarding the spying and mass surveillance thing, western govts and the chinis have hit upon the jackpot with our usage of their mobile phones and browsers. They can remotely turn on the camera of our phone and laptops or the microphone and of course they are going to use it. Why would they not use it if they can screw us sitting at home?
After all who in India is checking these devices for remote software or hardware exploits or is bothered to block them? That camera on your phone, it's not really off, and through our cross linking of devices and usage of gmail or WhatsApp across them, they can easily find out the exact device whose camera or microphone to turn on.
Seriously if this Amazon Echo sh!t takes off there is no need for them to actually employ human beings to spy anymore in India or elsewhere 
 
We have no control unless we have complete control over the hardware we are using.
 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 14 Dec 2017 21:03
				by nam
A simple search about icicibank.com and SBI tells me, icicibank IPs are owned by Tata telecom, while SBI by its IT department.
Seems SBI has a dedicated data center.
ICICI may be outsourced to TCS, who use Tata Telecommunication.
This however is no guarantee that data or copies of data are in India.
			 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 14 Dec 2017 21:42
				by schinnas
I know for a fact that vast majority of bank and financial data is stored in India. All government data is stored in India. Amazon had to open a data center in Mumbai to get Indian finance industry to start using AWS, their cloud service. Microsoft and I think IBM have their cloud services including data centers in India. Google has it in Singapore.
It is very unlikely for most of our internet companies to store our data in US. Even if they use American cloud service providers such as AWS or Google or Microsoft, the data is likely to be either in India or close to India such as Singapore. 
The reason is physics. Even at speed of light, it will take about half a second for data to travel from US to India under ideal conditions. It's neither economical nor efficient to store data half way across the world.
The real danger is not whether data is stored in India, but how secure our data is. It is very easy for see aye yea to find out phone numbers of our armed forces by hacking into army payroll records and track where they are at any given time. With proliferation of Chinese phones, they may aim to do that sometime as well. It gives them accurate, real time and unprecedented intelligence.
We need to make secure phones with location info turned off, data encrypted, etc., for our armed forces personnel and for those working in strategic areas. 
Given that AADHAR is linked to everything now, for good and persistent hackers it will be possible at some point to know pretty much everything about everyone all the time.
Google knows lot lot more about Indians, their behavior, mobility patterns, eating habits, sleeping habits, real time traffic information, etc., than any govt agency.
			 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 14 Dec 2017 21:52
				by schinnas
				Armed forces should just be asked to switch off mobiles during conflict times.
			 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 14 Dec 2017 22:15
				by arshyam
				^^That's no guarantee, unless the battery itself is pulled out.
			 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 14 Dec 2017 22:17
				by sudeepj
What Schinnas said is my impression too. Most Indian financial data is stored within India, but not data for services such as Uber, Amazon orders, Facebook etc. Most of these companies have liaisons with the CIA and by running data analytics on the 'crowd sourced' information can figure out movements of army units, decision making in the govt. etc.
It'll be better if the govt. of India builds or outsources the 'hardening' of consumer devices to an Indian OEM, and these can be the standard devices issued for mil./diplomatic/govt. functionaries to use. Just to give an example, a cellphone can be hacked and its mike turned on to spy on an individual of interest. Consumer electronics is a big wide door through which almost anyone can walk in and snoop on decision making etc.
On the cloud side, what is needed is a legal framework that makes sure that consumer data stays within India. Many countries such as Russia/China have these laws, I think India should too.
			 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 14 Dec 2017 22:48
				by periaswamy
				Keeping servers in the country is only part of the issue. All of these machines are on the internet, so allowing access to the data of Indian companies and Indian resources of value, is equivalent to just moving the data out of the country for all practical purposes.
How the US govt. uses the amazon cloud is instructive, since they have the capability to force these companies to set up their services to not violate information siloing to keep data from external hackers in the regular amazon.com commercial cloud network.
Even though Amazon owns the servers and the machines in the cloud, the US govt insists that Amazon relinquish physical security of these machines to the govt. and also assist with monitoring and maintaining network security of this cloud. So these machines are all housed in a building that is owned and run by the US govt.(these are typically some anonymous warehouse building in the middle of some wilderness, with high power cables and networking cables running into the building being the only indication that it contains a few thousand servers).  So Amazon runs all of the govt's services in a completely different set of machines that is isolated from the general network of amazon.com.  Within the cloud, these companies have the technology to isolate the processing and data of different accounts in the govt. from each other securely -- so that information in an amazon account for one group of users is insulated and protected from the eyes of other govts.
Even if the servers are located in India,  if the vendor has access to the data from a remote location or hands over the keys to the CIA in US territory to compromise servers in India (as demanded by US law), then these servers may as well be located in the US. 
Ditto for servers that are not related to the cloud too. American companies must not be allowed access to data in India, and India must have strict rules of moving this data out of India -- what data needs protection in this manner can be figured out by considering that the US govt. can and will use all of this data against India (think human intelligence) if it is allowed to. Just some random thoughts.
			 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 14 Dec 2017 22:52
				by RoyG
				I don't know much about computers but I think Shiv's concerns are warranted especially when we are now shifting into a very complex hybridized war. If you want to win you have to have complete control over your hardware, software, and data.
In the age of nuclear weapons and means to deliver them, you can't barge in through the front door anymore. You have to graduate your attack starting at the lowest rung of the escalation chain (identity) until part of the country agrees to secede and help you fight.
For that you start with social media, blackmail, and limited cyber and then as you begin cracking the country from within you escalate the cyber offensive and shift to economics. WhatsApp, FB, Twitter, etc. in our case are being used to bolster the Muslim and Christian identity and create a foothold within the country. You can all guess what will be next if this continues unabated...
Doval has repeatedly talked about securing the cyber front so things are obv being done quietly. However, long lasting change can only come about by changing the strategic culture. It's hard for many to quickly move over from Gmail, hotmail, yahoo when we are so accustomed to using them and not think about the bigger picture. This is what Nehruvian Idealism has done to many within the gov.
			 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 14 Dec 2017 22:58
				by RoyG
periaswamy wrote: Keeping servers in the country is only part of the issue. All of these machines are on the internet, so allowing access to the data of Indian companies and Indian resources of value, is equivalent to just moving the data out of the country for all practical purposes.
How the US govt. uses the amazon cloud is instructive, since they have the capability to force these companies to set up their services to not violate information siloing to keep data from external hackers in the regular amazon.com commercial cloud network.
Even though Amazon owns the servers and the machines in the cloud, the US govt insists that Amazon relinquish physical security of these machines to the govt. and also assist with monitoring and maintaining network security of this cloud. So these machines are all housed in a building that is owned and run by the US govt.(these are typically some anonymous warehouse building in the middle of some wilderness, with high power cables and networking cables running into the building being the only indication that it contains a few thousand servers).  So Amazon runs all of the govt's services in a completely different set of machines that is isolated from the general network of amazon.com.  Within the cloud, these companies have the technology to isolate the processing and data of different accounts in the govt. from each other securely -- so that information in an amazon account for one group of users is insulated and protected from the eyes of other govts.
Even if the servers are located in India,  if the vendor has access to the data from a remote location or hands over the keys to the CIA in US territory to compromise servers in India (as demanded by US law), then these servers may as well be located in the US. 
Ditto for servers that are not related to the cloud too. American companies must not be allowed access to data in India, and India must have strict rules of moving this data out of India -- what data needs protection in this manner can be figured out by considering that the US govt. can and will use all of this data against India (think human intelligence) if it is allowed to. Just some random thoughts.
Look at the US response to Russia sometime back. They kicked them off the SWIFT system and cut their credit card access. These guys are straight up nasty when it comes to being #1. We have it in us to topple them but we can't do it by ceding control in cyberspace.
 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 14 Dec 2017 23:08
				by nam
				Having a cloud data center in India is no guarantee that the data is secure.  It is so easy to move data to a different location. 
Unless there is an extreme level of real-time monitoring, there is no way to make sure data stays within the country.
Every piece of important data needs to be redundant. There is nothing preventing Amazon from placing a copy of their Indian data center data in the US. 
If you think an audit can find it out, it is very easy to fudge the trail. Shut down the link to a US data center when Indian GOI auditors come and start again once they leave. 
Databases nowadays have built-in replication features, where you just let it know the IP address of the replica and shut it down when not needed! 
There is a reason why NSA likes direct link in to Google and other's servers, rather than fiddling around with submarine cables.
			 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 14 Dec 2017 23:12
				by nam
				arshyam wrote:^^That's no guarantee, unless the battery itself is pulled out.
No guarantee even after that. A 3350 Nokia phone power requirement would be easily concentrated on a small battery. Enough to communicate with a mobile tower, even if you remove the main battery.
 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 14 Dec 2017 23:36
				by vasu raya
				shiv wrote:
Compared to the slick sophistication of some foreign banks - many Indian PSU banks and Insurance companies have interacted with their IT developers to develop the most clunky and unusable web access for users - which is full of bank jargon and acronyms that no user can understand clearly showing that neither bank nor their IT developers (who follow the bank's suggestions) have any clue about how the public must use the portal. These people are ham-fisted newbies and I do not believe for one second that they are aware of where the data is stored although they are pretty strict when it comes to user verification and 2-step transactions as required by the government.
Generally usability studies are done with end users from different backgrounds. Maybe this is an area where NIC people can certify desi websites; with usability comes adoption. If Bhuvan were to succeed in this, it could be a competitor to Google Maps. Same with CDAC-developed software for desi inter-language translation; now Google Translate is doing it in an accessible way. It's a huge assumption though that NIC itself is savvy with usability, as it comes from a public sector background. The expectation is the public can shift allegiance if you have real alternatives.
Then comes availability, and GoI can make cloud available with all the intended security, if Amazon can do it in Mumbai, GoI could easily replicate it across the country with enough investment, now NIC can have hosting for websites that cannot afford their own IT Infrastructure and currently rely on overseas providers. btw, USG doesn't trust Amazon cloud enough to put their data on it and prefers dedicated private cloud like another poster pointed out.
NIC being a cloud provider is like BSNL vs. private telecom providers whose ecosystem is well established, and yet only recently did CERT-IN folks mention mobile apps that could be Chinese spyware. What can be done as an interim measure though is they can create mirrors for Google Playstore and iOS Appstore on the NIC cloud that are sanitized, because the spyware discovered went past the parent app hosting sites' filtration. Google Play services and other associated services are central to Android, and if it's used as a highway... then it should be tackled next.
 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 15 Dec 2017 00:20
				by viveks
				
			 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 15 Dec 2017 09:52
				by deejay
				schinnas wrote:Armed forces should just be asked to switch off mobiles during conflict times.
Acchaa? Armed Forces only? Why? Armed Forces do not deserve to use mobiles to talk to families at times of conflict? Your secrets are with the Bureaucrats and Ministers etc. The Armed Forces have some guidelines for people to use social media. Basic steps are in place. There are people who have been careless and newer threats keep appearing. A blanket ban or disabling of mobile etc will be counter productive. Plus in areas of J&K and large parts of NE we are always in conflict. Personnel go on leave from these places even at times of most critical moments of conflict. 
On the border, LC etc the mobile connection anyway does not work. One has to come inland to communicate with family or use Sat Phones. 
BMS are coming in and these will be deployed on front-lines with secure web connections and real time battlefield information. Far from switching off mobile, we will be fighting and communicating future wars using mobile. Solutions have to enable technology to the last mile and not deny technology.
Data with armed forces are handled under OpsSec requirements. Quite often they are not transmitted in digital format. Despite issues of past leaks etc, I think as of now the data security is better organised under military than the civil groups. How will this morph into a networked BMS is something services are writing papers today.
IAF is now using AFCELL which is a totally isolated system and network. You cannot login to internet using AFCELL handset. AFCELL weakness is the hardware we use which are all from CISCO I think. However, IA and IN will find it difficult to implement the AFCELL kind of solution.
GOI data is more accessible through individual leaks than servers being tapped. I know that the NSA is working overtime to restrict this.
 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 15 Dec 2017 09:56
				by shiv
				deejay wrote:
IAF is now using AFCELL which is a totally isolated system and network. You cannot login to internet using AFCELL handset. AFCELL weakness is the hardware we use which are all from CISCO I think. However, IA and IN will find it difficult to implement the AFCELL kind of solution.
GOI data is more accessible through individual leaks than servers being tapped. I know that the NSA is working overtime to restrict this.
Thanks for your inputs deejay.
Why would IA and IN find it difficult to implement such a solution?
 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 15 Dec 2017 10:13
				by deejay
				shiv wrote:deejay wrote:
IAF is now using AFCELL which is a totally isolated system and network. You cannot login to internet using AFCELL handset. AFCELL weakness is the hardware we use which are all from CISCO I think. However, IA and IN will find it difficult to implement the AFCELL kind of solution.
GOI data is more accessible through individual leaks than servers being tapped. I know that the NSA is working overtime to restrict this.
Thanks for your inputs deejay.
Why would IA and IN find it difficult to implement such a solution?
 
AFCELL has its own towers and is usable only in the functional range of towers. IAF majorly operates from fixed bases and can get its personnel to use this service 99% of the time. There are occasions where personnel are deployed away from IAF bases and those will need to use other means.
IA and IN however have operational deployments away from fixed and permanent bases. Comms here cannot switch therefore to a tower based system.
 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 15 Dec 2017 10:53
				by KrishnaK
				shiv wrote:
The most honest answer I can give you is "This is what I have heard"
I don't believe that there is any requirement for data to be stored in India. But let me state my view here. Forget about where the data is stored - most banks and bank staff don't have a clue that data requires storage somewhere and that somewhere can be anywhere in the world. But I believe most of it is in the US where the service is offered at the most competitive prices. 
 Data can't be anywhere in the world for most part. Indian banks AND software companies that make banking systems are usually aware of these issues. Even PSU banks have strict controls - in cases I've seen (admittedly 10-15 years ago) they own the actual hardware, software backups etc. PSU bank auditors have a fairly good idea of controls, my father was one.
 There is no requirement for banks to insist that their data should be stored in India. On a personal level I have about 4-5 bank accounts. The "foreign banks" among these had online access for over a decade. But the Indian nationalized banks have gone online only in the last 4-5 years. They are real newbies. Their sites are set up by some IT companies who are not asked where the data is stored. That is - bank pays IT company to design website and store data. What the company does is up to them.
 Creating banking software is not creating a website. Back in the day when I used ICICI, their password security was far more advanced than services in the US - they offered a web keyboard + other security features. Indian companies are major banking software providers.
Finacle Finacle is used by banks across 84 countries that serve over 450 million customers.
 That apart people "in the know" ("chaiwalas") have told me that data is stored in the US and I have posted a link above where the US says that its GDP stands to fall by more than 1% if nations start storing their data locally
That's not what the article says, it says instead data localization can cause GDP to fall in the US as well as Brazil, China, EU, India,..
This report first analyzes the privacy and security “justifications” nations offer for enacting barriers to data flows, concluding that, while such policies may be well intentioned, these rationales are generally not valid. (A forthcoming Information Technology and Innovation Foundation report will focus on a third motivation—to enable surveillance and government access for law enforcement—and will explain how governments need to develop a revised framework to help them determine jurisdiction over data while also facilitating cooperation among governments.) The report then examines the economic rationales countries provide to justify their data-localization policies, explaining the shortcomings in those arguments and noting that such policies impose large costs on countries’ own economies. The report then proceeds to review the emerging body of research that estimates the cost of barriers to data flows in terms of lost trade and investment opportunities, higher information technology (IT) costs, reduced competitiveness, and lower economic productivity and GDP growth. These studies show that data localization and other barriers to data flows impose significant costs: reducing U.S. GDP by 0.1-0.36 percent; causing prices for some cloud services in Brazil and the European Union to increase 10.5 to 54 percent; and reducing GDP by 0.7 to 1.7 percent in Brazil, China, the European Union, India, Indonesia, Korea, and Vietnam, which have all either proposed or enacted data localization policies.
The reason is simple, although I don't understand how the numbers are calculated - it costs a lot more to duplicate the infrastructure required. For example a multi national provider like Google will have rules on how and where data on say an Irish person's personally identifiable information can be stored etc. Different rules in EU vs US all increases the cost of such implementation, audit, etc.
India should investigate and insist on data localization where it makes sense - protecting the privacy of its citizens, etc and focus on creating economies of scale elsewhere. Data will automatically reside closer to the users at that point.
 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 15 Dec 2017 11:01
				by UlanBatori
				I don't see what the problem is. Most of the operators at these server centers are poor Pakistanis, IOW, our kind of people onlee. Even if they understand our data, they won't give it to US government.  
 
 
What's wrong with Abdul in Rawalpindi knowing that PeeAref postor shiv is actually Brigadier General Hamidullah Maheswaran Pillai who lives at "Sayonara", House No. XII/237, Opposite Golf Course 16th Hole, Dharward, Assam, and drives a Jaguar XL with numberplate (deleted to protect privacy).
 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 15 Dec 2017 11:03
				by Karthik S
				UlanBatori wrote:I don't see what the problem is. Most of the operators at these server centers are poor Pakistanis, IOW, our kind of people onlee. Even if they understand our data, they won't give it to US government.  
 What's wrong with Abdul in Rawalpindi knowing that PeeAref postor shiv is actually Brigadier General Hamidullah Maheswaran Pillai who lives at "Sayonara", House No. XII/237, Opposite Golf Course 16th Hole, Dharward, Assam, and drives a Jaguar XL with numberplate (deleted to protect privacy).
 
What's wrong with Abdul in Rawalpindi knowing that PeeAref postor shiv is actually Brigadier General Hamidullah Maheswaran Pillai who lives at "Sayonara", House No. XII/237, Opposite Golf Course 16th Hole, Dharward, Assam, and drives a Jaguar XL with numberplate (deleted to protect privacy). 
 
 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 15 Dec 2017 11:05
				by KrishnaK
				nam wrote:There is a reason why NSA likes direct link in to Google and other's servers, rather than fiddling around with submarine cables.
 That reason is strong encryption.
 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 15 Dec 2017 17:18
				by Singha
				http://www.news18.com/news/tech/microso ... 05299.html
MSFT cloud now in use by 70 of top100 BSE cos and 29 state govts. 
soothing news indeed.
 
			 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 15 Dec 2017 17:26
				by nam
				KrishnaK wrote:nam wrote:There is a reason why NSA likes direct link in to Google and other's servers, rather than fiddling around with submarine cables.
 That reason is strong encryption.
 
https://www.usatoday.com/story/news/nat ... d/2772721/
If the servers are owned by US companies, it is as simple as getting the private key from the company.
For a cloud service, it is even easier for MSFT & Amazon.
 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 15 Dec 2017 17:29
				by schinnas
				
Nothing wrong with this. Microsoft accomplished this by investing in quality data centers in India before others. Data centers that operate in India work through Indian laws and we can always mandate to have these wrapped by our own firewall similar to how China does it. We cannot do it if it was outside the country. Most of these are just renting hardware (Infrastructure as a service) unlike AWS where companies often do deep integration. This would enable these companies to migrate to a Tata cloud or Infosys cloud at a later point. My concern here is more around missed economic opportunity. 
One of the biggest failures of TCS and Infy is their fixation on low end "body shopper" strategy and inability to think beyond it. They had all the opportunity to create a network of data centers and offer best in class cloud services in all of South Asia and South East Asia. They can move from being provider of IT services to provider of infrastructure services as well. With some friendly regulation, we could have created a multi-billion local cloud market in India. Now all these revenues will go to Microsoft and Amazon. Tata even had its own telecom company as well to bootstrap it. Totally unpardonable. 
If anyone remembers, Amazon did not plan to start a data center in India 3 to 4 years ago and Jeff Bezos even used it as a bargaining chip in his discussions with Modi-ji... "you cut some slack in terms of FDI in multi brand retail and eCommerce and we will invest so many billions in data centers in India". Luckily Modi ji didn't blink and finally Amazon was forced to open data centers here without much government incentive in order to compete against Microsoft.
 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 15 Dec 2017 19:05
				by nam
				The issue of a Microsoft-owned Indian data center is about the authority of access. It does not matter if the servers are in India or in Siberia, as long as the "owners" who hold the keys are in the US. 
The bosses in the US decide who gets access to these computers. They might allow Indians to maintain them, but there is no law preventing a US citizen from having God rights on the Indian data center computers. 
Unless these are audited, there is no way to know who can access them.
			 
			
					
				Re: Indian Data Security: Keeping your bride in your best friend's house
				Posted: 16 Dec 2017 04:40
				by vasu raya
				A few years back it came to light that a certificate issuing company was itself hacked. It may be prudent for GOI to create a Certificate Issuing Authority of its own and, if need be, use it as a second padlock on the data by encrypting with it. Fun bit is it's like two people inserting their respective keys for missile launch.
Again, the assumption is someone cannot break the encryption by brute force; usually increasing the number of bits in the encryption keys also increases the pain of hacking it.