Navigating the CERT-In directions for business operations.
Regulations, community engagement and change.
On 28th April 2022 the Indian Computer Emergency Response Team (CERT-In) issued new directions (PDF) under sub-section (6) of section 70B of the Information Technology Act, 2000 relating to information security practices, procedure, prevention, response, and reporting of cyber incidents for The Safe & Trusted Internet.
FAQ on the cyber security directions of 28th April 2022
These were not preceded by any public consultations, leading to confusion in the organizations and businesses impacted by these changes. The directons cover aspects related to the timeframe for reporting cyber security incidents, maintenance of the user identification data, transaction information for crypto exchanges and wallets, maintenance of customer details by data centers, cloud services, VPN providers, and maintenance of logs in the Indian jurisdiction.
What will be the impact of these directions on businesses?
Rootconf and Privacy Mode are co-organizing with FOSS United Foundation an event on the 20th May 2022 to discuss the impact of these directions on various businesses, along with discussing recommendations for the directive to fall in line with privacy and business requirements. This hybrid (online and on-site) event will be held at the Zerodha office in Bengaluru.
The event will help the audience gain a better understanding of the impact, especially around data governance and operational practices. The following key concerns will also be discussed.
- Gaps and unknowns in the text of the directions.
- Challenges in complying with the requirements criteria set in the directions.
- Impact on data governance strategies, risk management, and operational aspects of businesses.
- Methods of engagement to refine and improve such requirements.
A report based on a discussion regarding the impact of CERT-In on various businesses, that took place among many tech practitioners, is available here.
Hosted by
Supported by
Co-organizer
Deep dives into privacy and security, and understanding needs of the Indian tech ecosystem through guides, research, collaboration, events and conferences. Sponsors: Privacy Mode’s programmes are sponsored by: more
Partner
FOSS United is a non-profit foundation that aims at promoting and strengthening the Free and Open Source Software (FOSS) ecosystem in India. more
Recommendations on compliance timelines for SMEs and additional suggestions for improving ease of compliance
Submitted Jun 18, 2022
On 28 April 2022, CERT-In released directions for cybersecurity incident reporting. With the compliance deadline of 28 June fast approaching, industry bodies shared their concerns with CERT-In and MoS Rajeev Chandrashekhar on 10 June 2022.
At the meeting, MoS asked for suggestions for a reasonable time frame for Small and Medium Enterprises (SMEs) to comply with CERT-In’s directions. Rootconf organized a meeting with representatives from SMEs on 14 June 2022 to discuss the issue of compliance timeline. SME representatives opined that 300 days from 28 June 2022 is a reasonable time frame for complying with CERT-In’s directions.
The intention of this document is to collectively navigate through the new CERT-In directions published on 28th April 2022, with the SME community, and provide useful suggestions pertaining to the directions, such that there is ample time to incorporate them, and minimum friction in implementation. Additional suggestions that came up in the meeting are as follows:
A. Periodic consultations with industry bodies to discuss issues that emerge during compliance.
1. Increase clarity around logging data;
- Exact data logging requirements for service providers.
- The number of days that data is to be stored, as costs increase almost exponentially with time (a table with cost breakdown for storage is provided at the end of this document).
2. On incident reporting:
- Create a “good Samaritan” framework for individuals in organizations who report incidents. Complying with investigations should not be seen as a burden on the organization/ individual doing the reporting.
- Require reporting when systems are impacted due to DDoS/DoS attacks and not for every targeted scan. This will help cull the costs of compliance, as targeted scans happen very frequently. More specifically, reporting on DDoS attacks should be required even if systems are not impacted whereas, DoS attacks should be reported only if systems are impacted.
- Maintenance of a portal by CERT-In, with form-based submissions as a reporting mechanism to streamline the process. This way, reporters can easily ensure necessary data is furnished and can track the status of their submission.
3. Investigation participation of service providers, when required, over email, phone or remote video conferencing as opposed to being summoned in person.
4. Parity in compliance requests for both foreign and Indian companies. Typically the ask for data from Indian companies is much higher than when dealing with foreign companies.
5. Provide clarity on methods used by CERT-In to ensure security of the data they receive.
B. Organize training and capacity building for law enforcement officers.
-
Build knowledge around data access and sharing that are stipulated in the current sharing regulations. For example, intermediary rules need to be better clarified so that Service Providers are not under direct investigation for abuse of their platform by third party users
-
Manage incident reports handling of complex deployments.
C. Introduce certification-like approach for compliance.
- Help organizations to implement the requirements in a more structured manner. The compliance can thus be transparently evaluated based on the requirements.
D. Provide a wider range of options for customer validation.
-
Aadhaar-based customer validation via services such as digio.in and bureau.id, which do not collect a copy of Aadhaar but use it for name and address verification or Aadhaar signatures through separate OTPs
-
Vetting of third-party identity validation providers outside of India to facilitate foreign companies’ and nationals’ identity and address validation as many foreign nationals may not be comfortable providing passport scans.
Log retention cost breakdown:
| Tool | Type | Pricing Model |
|---|---|---|
| Datadog | SaaS | ingestion = 0.10 USD/GB/mo |
| 3d retention = 1.06 USD per million events / mo | ||
| 7d retention = 1.27 USD per million events / mo | ||
| 15d retention = 1.70 USD per million events / mo | ||
| 30d retention = 2.50 USD per million events / mo | ||
| 30+ d retention = Custom Pricing | ||
| NewRelic | SaaS | 100 GB free (logs, metrics, traces included) |
| 0.30 USD / GB above 100 GB | ||
| Pro, Enterprise Plans have 90d+ Retention with Data Plus | ||
| Have to contact sales for each plans for actual pricing | ||
| SumoLogic | SaaS | 3.00 USD/GB/month (annual commitment) |
| Free - 7d retention | ||
| Essentials - 365d | ||
| Enterprise Ops - custom | ||
| Enterprise Security - custom | ||
| Enterprise Suite - custom | ||
| Have to contact sales for actual pricing | ||
| AWS Opensearch (ElasticSearch fork) | IaaS | Cost of running n-master nodes of needed compute-capacity (which depends on index sizes and search frequency and query intensity) + m data nodes + EBS volume size + S3 backup / archival costs |
| There is a way to use S3 for archival of data beyond a certain number of days and then rehydrate the logs. Cost can be reduced further by intelligent tiering of S3 bucket and using glacier archival of unused / non-accessed logs. This is extremely organization need and structure dependent and cannot be computed on a per GB basis. | ||
| Instances range from: | ||
| General Purpose | ||
| - min: 0.036 USD/hr | ||
| - max: 3.017 USD/hr | ||
| Compute Optimized | ||
| - min: 0.113 USD/hr | ||
| - max: 2.347 USD/hr | ||
| Memory Optimized | ||
| - min: 0.167 USD/hr | ||
| - max: 3.92 USD/hr | ||
| Storage Optimized | ||
| - min: 0.25 USD/hr | ||
| - max: 7.987 USD/hr (storage optimized for faster access rates using NVMe Drives) | ||
| * It is advisable to run at least 1 master node + 1 data node per availability zone so effective min and max pricing should be 4x of pricing listed above per hr | ||
| * EBS volume and S3 storage costs are added over the compute costs | ||
| Grafana Cloud | SaaS | Pro Plan |
| - 8 USD/user | ||
| - 50GB logs | ||
| - 30d log retention | ||
| Advanced Plan, Enterprise stack | ||
| - Custom retention, contact sales | ||
| AWS CloudWatch | IaaS | Ingestion- 0.50 USD / GB |
| Store - 0.03 USD / GB | ||
| Analyze - 0.005 USD / GB data scanned | ||
| * vended logs (created by AWS on customer’s behalf by default are priced differently, scales per TB of ingestion, storage) |
Rootconf is invested in facilitating further interactions between CERT-In and representatives from the SME community to improve the state of cybersecurity in the Indian tech ecosystem.
Comments
Hosted by
Supported by
Co-organizer
Deep dives into privacy and security, and understanding needs of the Indian tech ecosystem through guides, research, collaboration, events and conferences. Sponsors: Privacy Mode’s programmes are sponsored by: more
Partner
FOSS United is a non-profit foundation that aims at promoting and strengthening the Free and Open Source Software (FOSS) ecosystem in India. more
{{ gettext('Login to leave a comment') }}
{{ gettext('Post a comment…') }}{{ errorMsg }}
{{ gettext('No comments posted yet') }}