India's telecom sector is a vital component of the nation's socio-economic development, and a focal point for India’s economic and technological progress. Apart from its significant contribution to the country's GDP, the sector has been pivotal in bridging the digital divide. It serves as an innovation catalyst, provides a foundation for the growth of digital startups, promotes entrepreneurship across various sectors, enables the delivery of government services online, and improves efficiency and transparency in public administration.
As a result, it has a risk universe that’s arguably more complex and fast-changing than any other sector and is subject to many security and privacy-related regulations.
Keeping guidance current
In our earlier blog, we explored how Google Cloud was helping telecom operators around the world to maintain compliance with regulations while adopting public cloud. We also published a whitepaper in October 2024 providing an Insight into Indian Telecom Regulations, covering applicable regulations (such as the Unified Licensing Agreement, the Telecommunications Act of India and the NCIIPC Guidelines for Protection of Critical Information Infrastructure) and the measures supported by Google Cloud to help telecom customers comply with these regulations.
In this update, we assess the Telecom Cyber Security Rules published in Nov 2024.
Key Requirements of the Telecom Cyber Security Rules, 2024
The Telecommunications Act, 2023, guided by the principles of Samavesh (Inclusion), Suraksha (Security), Vriddhi (Growth), and Tvarit (Responsiveness), aims to achieve the vision of Viksit Bharat (Developed India). The Telecom Cyber Security Rules mark a significant shift in the telecom cybersecurity landscape, emphasizing robust compliance and cyber resilience.
A cornerstone of the new regulation is the mandate for telecom entities to adopt a comprehensive telecom cyber security policy. The policy must encompass several critical aspects: risk management to identify and prevent potential vulnerabilities; rigorous testing procedures, such as vulnerability assessments, penetration testing and network hardening, to ensure the resilience of telecom networks; rapid response mechanisms to address security incidents effectively; and processes to investigate and understand the root causes of security breaches. The regulations also outline specific measures for threat mitigation and network testing. Telecom entities are obligated to proactively identify and mitigate security risks that could impact their networks and services. Additionally, telecom operators are required to establish Security Operations Centres (SOCs) to continuously monitor their networks for potential threats and to effectively address any cyber security incidents that may occur.
This emphasis on a structured policy with specific components like risk management and testing signifies a move towards a proactive and preventative security stance, rather than a reactive approach to cyber threats. By mandating these elements, the government intends to ensure that telecom entities establish and maintain a well-defined and regularly reviewed security framework.
How Google Cloud supports compliance with the Telecom Cyber Security Rules, 2024
Google Cloud offers a wide range of capabilities that can help telecom companies manage many of the key requirements outlined in the Telecom Cyber Security Rules, 2024. This includes cloud-based tooling, security consultancy services and security advisory information in blogs and whitepapers.
Requirement from the Telecom Cyber Security Rules, 2024 | How Google Cloud Can Help |
--- | --- |
Collect, store, and analyze telecoms data (excluding content) for cybersecurity purposes. | To enable secure data collection, storage, and potential sharing as required by the government, Google Cloud offers a variety of cloud scale secure storage options, including Cloud Storage (ideal for unstructured data), BigQuery (ideal for applying analytics and AI to structured data at scale) and Bigtable (ideal for time series data). Granular identity and access management controls and comprehensive audit logs ensure that only authorized entities can access the collected data, and all access attempts are recorded for accountability and compliance purposes. These features provide telecom entities with the necessary infrastructure to securely manage and potentially share data with the government in accordance with the regulatory requirements. |
Ensure that such data is stored and maintained in strict confidentiality and prevent any unauthorised access thereto; | All data storage platforms in Google Cloud support robust encryption mechanisms, with data encrypted by default both at rest and in transit. Google Cloud provides a Key Management Service with options for Customer Managed Encryption Keys, backed by hardware storage in a Hardware Security Module. Keys can also be stored in an External Key Manager. Encryption in use can also be implemented via Confidential Computing. For additional guidance, refer to this whitepaper on data security in Google Cloud. |
Adopt a telecom cyber security policy covering risk management, risk identification, vulnerability assessment and prevention of security incidents. | Security Command Center is a cloud-based risk management solution that centralizes security and risk data, enabling users to proactively identify, analyze, and remediate security issues across their cloud environment. It summarizes security posture, identifies misconfigurations and vulnerabilities, detects suspicious incidents and provides recommendations for remediation. Attack Path Simulation via a digital twin can be used to identify and prevent potential security incidents before they happen. Policy enforcement tools like Organization Policy allow administrators to centrally define and enforce security standards across their cloud resources, ensuring adherence to the established cyber security policy. For customers that need additional support, Mandiant offers consulting services including Cyber Risk Management, Threat and Vulnerability Management and Cyber Defense Assessment. These capabilities allow telecom entities to operationalize their cyber security policies effectively across their cloud infrastructure, reducing the risk of inconsistencies or oversights. |
Implement network testing including hardening, vulnerability assessment and penetration testing | As part of Google Cloud, Mandiant offers Technical Assurance services including Penetration Testing, Red Teaming and various Security Assessments, to systematically verify network security and identify vulnerabilities in your security systems and processes. |
Implement a rapid action system to deal with security incidents, including forensic analysis of security incidents to ensure learnings from such incidents. | There is a recent Google Cloud blog that explains how Google implements high-quality threat detection at scale. For customers looking for additional assistance, Mandiant’s Incident Response services and related services such as Compromise Assessments, Cyber Defense Assessments, Table Top Exercises and Security Training can help. |
Conduct periodic cyber security audits ... and share audit reports with the Central Government | Audit Manager helps customers automate their compliance audit process on Google Cloud. Audit Manager can automatically assess workloads against compliance requirements, identify compliance gaps and risks, gather evidence required for audit and provide comprehensive audit reports. |
Establish Security Operations Centres (SOCs) ... monitor telecom cyber security and security incidents, intrusions and breaches | The Defender’s Advantage is a Google Cloud guide to cyber defense (based on six critical security functions) which captures our view on best practices for security operations. We have also published architectural guidance on implementing preemptive cyber defense. |
Maintaining details of threat actors impacting their telecom services or networks | The Google Threat Intelligence platform combines VirusTotal crowd-sourced threat intelligence, Mandiant curated threat intelligence, Digital Threat Monitoring across the dark web and Attack Surface Management (monitoring vulnerabilities in your external websites). These capabilities provide visibility of threat actors, campaigns, vulnerabilities and indicators of compromise and can be operationalized via Google Security Operations, in other (third-party) SIEM platforms or via an API. Google Cloud also publishes a regular blog on Threat Intelligence, including articles that relate to Telecoms network threats. |
Maintain command logs of operation and maintenance; | Audit Logs are enabled by default in Google Cloud, capturing logs of administrative access and configuration changes. Audit logs help you answer "who did what, where, and when?" within your Google Cloud environment. |
Maintaining all specified records or logs for a period specified by the Central Government on the portal and making them available to authorized personnel | Audit Logs are stored for 400 days in Google Cloud Logging. All security alerts in the Google Security Operations platform are stored for a minimum of 12 months. Audit logs and security alerts can be exported via platforms such as Cloud Storage or BigQuery for further analysis or for sharing with third parties. |
Appoint a Chief Telecommunication Security Officer (CTSO). | Google Cloud’s Office of the CISO provides security advisory services to senior security leaders around the world. We regularly publish blogs on Security & Identity topics, including “Cloud CISO Perspectives”. We also maintain a “Board of Directors Insights Hub” to help senior security leaders work with their boards around topics of cybersecurity, risk governance and security transformation. |
Report security incidents to the government within six hours ... and provide more detailed reports within 24 hours. | The SOAR (Security Orchestration & Automated Response) function within Google Security Operations can help support these requirements. Automatic alerts can also be created based on defined criteria with Cloud Logging and Cloud Monitoring. |
Meet data residency requirements (from the Unified Licensing Agreement) | Google Cloud offers two cloud regions located in India (Mumbai and Delhi NCR), enabling telecom operators to choose to store their data within the geographical boundaries of the country to meet data residency requirements. Additionally, the Assured Workloads for India Regions offering provides further enhanced controls related to data residency and access for sensitive workloads. |
In summary:
Google Cloud provides a robust and secure infrastructure and a comprehensive suite of security and compliance tools and services that can assist telecom operators in India to effectively navigate the evolving regulatory landscape, strengthen their cybersecurity posture, and address the Telecom Cyber Security Rules, 2024, and other relevant regulations.