Navigating the CERT-In directions for business operations.
Regulations, community engagement and change.
Recommendations on compliance timelines for SMEs and additional suggestions for improving ease of compliance
Submitted Jun 18, 2022
On 28 April 2022, CERT-In released directions for cybersecurity incident reporting. With the compliance deadline of 28 June fast approaching, industry bodies shared their concerns with CERT-In and MoS Rajeev Chandrashekhar on 10 June 2022.
At the meeting, MoS asked for suggestions for a reasonable time frame for Small and Medium Enterprises (SMEs) to comply with CERT-In’s directions. Rootconf organized a meeting with representatives from SMEs on 14 June 2022 to discuss the issue of compliance timeline. SME representatives opined that 300 days from 28 June 2022 is a reasonable time frame for complying with CERT-In’s directions.
The intention of this document is to collectively navigate through the new CERT-In directions published on 28th April 2022, with the SME community, and provide useful suggestions pertaining to the directions, such that there is ample time to incorporate them, and minimum friction in implementation. Additional suggestions that came up in the meeting are as follows:
A. Periodic consultations with industry bodies to discuss issues that emerge during compliance.
1. Increase clarity around logging data;
- Exact data logging requirements for service providers.
- The number of days that data is to be stored, as costs increase almost exponentially with time (a table with cost breakdown for storage is provided at the end of this document).
2. On incident reporting:
- Create a “good Samaritan” framework for individuals in organizations who report incidents. Complying with investigations should not be seen as a burden on the organization/ individual doing the reporting.
- Require reporting when systems are impacted due to DDoS/DoS attacks and not for every targeted scan. This will help cull the costs of compliance, as targeted scans happen very frequently. More specifically, reporting on DDoS attacks should be required even if systems are not impacted whereas, DoS attacks should be reported only if systems are impacted.
- Maintenance of a portal by CERT-In, with form-based submissions as a reporting mechanism to streamline the process. This way, reporters can easily ensure necessary data is furnished and can track the status of their submission.
3. Investigation participation of service providers, when required, over email, phone or remote video conferencing as opposed to being summoned in person.
4. Parity in compliance requests for both foreign and Indian companies. Typically the ask for data from Indian companies is much higher than when dealing with foreign companies.
5. Provide clarity on methods used by CERT-In to ensure security of the data they receive.
B. Organize training and capacity building for law enforcement officers.
-
Build knowledge around data access and sharing that are stipulated in the current sharing regulations. For example, intermediary rules need to be better clarified so that Service Providers are not under direct investigation for abuse of their platform by third party users
-
Manage incident reports handling of complex deployments.
C. Introduce certification-like approach for compliance.
- Help organizations to implement the requirements in a more structured manner. The compliance can thus be transparently evaluated based on the requirements.
D. Provide a wider range of options for customer validation.
-
Aadhaar-based customer validation via services such as digio.in and bureau.id, which do not collect a copy of Aadhaar but use it for name and address verification or Aadhaar signatures through separate OTPs
-
Vetting of third-party identity validation providers outside of India to facilitate foreign companies’ and nationals’ identity and address validation as many foreign nationals may not be comfortable providing passport scans.
Log retention cost breakdown:
| Tool | Type | Pricing Model |
|---|---|---|
| Datadog | SaaS | ingestion = 0.10 USD/GB/mo |
| 3d retention = 1.06 USD per million events / mo | ||
| 7d retention = 1.27 USD per million events / mo | ||
| 15d retention = 1.70 USD per million events / mo | ||
| 30d retention = 2.50 USD per million events / mo | ||
| 30+ d retention = Custom Pricing | ||
| NewRelic | SaaS | 100 GB free (logs, metrics, traces included) |
| 0.30 USD / GB above 100 GB | ||
| Pro, Enterprise Plans have 90d+ Retention with Data Plus | ||
| Have to contact sales for each plans for actual pricing | ||
| SumoLogic | SaaS | 3.00 USD/GB/month (annual commitment) |
| Free - 7d retention | ||
| Essentials - 365d | ||
| Enterprise Ops - custom | ||
| Enterprise Security - custom | ||
| Enterprise Suite - custom | ||
| Have to contact sales for actual pricing | ||
| AWS Opensearch (ElasticSearch fork) | IaaS | Cost of running n-master nodes of needed compute-capacity (which depends on index sizes and search frequency and query intensity) + m data nodes + EBS volume size + S3 backup / archival costs |
| There is a way to use S3 for archival of data beyond a certain number of days and then rehydrate the logs. Cost can be reduced further by intelligent tiering of S3 bucket and using glacier archival of unused / non-accessed logs. This is extremely organization need and structure dependent and cannot be computed on a per GB basis. | ||
| Instances range from: | ||
| General Purpose | ||
| - min: 0.036 USD/hr | ||
| - max: 3.017 USD/hr | ||
| Compute Optimized | ||
| - min: 0.113 USD/hr | ||
| - max: 2.347 USD/hr | ||
| Memory Optimized | ||
| - min: 0.167 USD/hr | ||
| - max: 3.92 USD/hr | ||
| Storage Optimized | ||
| - min: 0.25 USD/hr | ||
| - max: 7.987 USD/hr (storage optimized for faster access rates using NVMe Drives) | ||
| * It is advisable to run at least 1 master node + 1 data node per availability zone so effective min and max pricing should be 4x of pricing listed above per hr | ||
| * EBS volume and S3 storage costs are added over the compute costs | ||
| Grafana Cloud | SaaS | Pro Plan |
| - 8 USD/user | ||
| - 50GB logs | ||
| - 30d log retention | ||
| Advanced Plan, Enterprise stack | ||
| - Custom retention, contact sales | ||
| AWS CloudWatch | IaaS | Ingestion- 0.50 USD / GB |
| Store - 0.03 USD / GB | ||
| Analyze - 0.005 USD / GB data scanned | ||
| * vended logs (created by AWS on customer’s behalf by default are priced differently, scales per TB of ingestion, storage) |
Rootconf is invested in facilitating further interactions between CERT-In and representatives from the SME community to improve the state of cybersecurity in the Indian tech ecosystem.
Comments
Hosted by
We care about site reliability, cloud costs, security and data privacy
Supported by
Co-organizer
Deep dives into privacy and security, and understanding needs of the Indian tech ecosystem through guides, research, collaboration, events and conferences. Sponsors: Privacy Mode’s programmes are sponsored by:
more
Partner
FOSS United is a non-profit foundation that aims at promoting and strengthening the Free and Open Source Software (FOSS) ecosystem in India.
more
{{ gettext('Login to leave a comment') }}
{{ gettext('Post a comment…') }}{{ errorMsg }}
{{ gettext('No comments posted yet') }}