Assure a seamless trading experience for investors by monitoring your cloud deployments using Site24x7
Ensure your cloud environment is SEBI-compliant
Stock exchanges and related entities deal with highly sensitive data daily, such as trade information, customer details, and financial transactions. The Securities and Exchange Board of India (SEBI), the regulatory authority for the securities market in India, protects the interests of investors and ensures that the data stored by regulated entities (REs) is secure.
According to SEBI, "REs include stock exchanges, clearing corporations, depositories, stock brokers through exchanges, depository participants through depositories, asset management companies/mutual funds, qualified registrars to an issue and share transfer agents, and know your customer (KYC) registration agencies."
Cloud adoption and security
"In recent times, the dependence on cloud computing for delivering IT services has been increasing," according to SEBI. When REs adopt the cloud for their deployments, it offers them continuous availability, transaction integrity, investor confidence, and secure interconnectivity for collaboration. However, this also comes with new cybersecurity risks and challenges, including potential cyberattacks aimed at disrupting trading activities, unauthorized access to sensitive market data, manipulation of stock prices, and theft of financial and personal information.
Challenges faced by REs
SEBI has chalked out a regulatory and legal compliances framework that REs adopting cloud solutions are expected to adhere to by March 6, 2024, titled the Framework for Adoption of Cloud Services by SEBI REs.
Some common cybersecurity and data management challenges faced by REs when they adopt private, community, hybrid, and public cloud models may include:
- Lack of visibility across different cloud models defined by the National Stock Exchange of India Ltd (NSE), such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
- Management of various deployments from different consoles.
- Compliance to regional data security and privacy standards for public cloud services.
- Malfunctions in the system of the stockbroker, including malfunction in its hardware, software, networks, processes, or any products or services provided by the stockbroker in the electronic form due to inadequate infrastructure, cyberattacks, procedural errors, or process failures in the broker’s own systems or the one outsourced from any third parties.
- Resource contention issues during peak load.
- Managing applications involved in trading, order management systems, risk management systems, market data systems, and settlement and clearing systems.
- Slower transactions affecting the end-user experience during peak load.
- Meeting SLAs and SEBI regulations.
About ManageEngine Site24x7
Site24x7 from ManageEngine, a division of Zoho, is a full-stack observability platform that monitors modern IT infrastructures and cloud deployments and provides detailed monitoring insights, graphs, dashboards, reports, and instant alerts for seamless business operations. With 15 years of research and development, ManageEngine Site24x7 helps businesses stay vigilant against cyberattacks. Site24x7 monitors websites, servers, applications, networks, and the cloud. Site24x7 caters to the monitoring needs of leading banks and financial services in India and globally.
How can Site24x7 help REs stay SEBI-compliant?
The SEBI framework outlines mandatory controls and baseline security measures that REs and cloud service providers (CSPs) must implement. Here's a list of important requirements (a brief of SEBI's framework) and how Site24x7 can help REs:
Data ownership and localization
"The storage/processing of data (data collection (DC), data recovery (DR), near DR) including logs and any other data/information about RE in any form in cloud should reside/be processed within the legal boundaries of India." – SEBI framework
Site24x7 has its own data centers for data storage. With a primary data center in Chennai and a secondary data center in Mumbai, data is localized within the country's boundaries.
Privileged access
"Administrators and privileged users shall be given minimal administrative capabilities for a pre-defined time and in response to specific issues/needs. With respect to administrative privileges/users, the following shall also be followed:
All administrative privileges/users shall be tracked via a ticket/request by the CSP, and the same shall be provided to the RE on request. Further, the RE shall also track any additional privilege granted to any user by the CSP.
The necessary auditing and monitoring of the above shall be done by CSP and any anomalies shall be reported to the RE." – SEBI framework
Site24x7 lets you control not only user addition and deletion, but also users' access levels in your account. With different roles and role-based access privileges, admins can choose who should access what and for how long. Your organization can assign a super admin in Site24x7, who can set boundaries between billing details, administrative features, and network operations. Secure login features like multi-factor and biometric authentication further add another level of security.
Data in motion encryption
"The data within the cloud shall be encrypted. Session encryption or data object encryption in addition to the encryption provided at the platform level (Ex. TLS encryption) shall be used wherever any sensitive data is in transit." – SEBI framework
When data travels over the internet from your browser to Site24x7 data centers or other third parties (while using third-party integrations), Site24x7 adapts the transport layer security (TLS) to all its connections. The connections are authenticated and the data is encrypted. Read more about Site24x7's encryption.
Data-at-rest encryption
"Encryption needs to be done with strong encryption algorithms. Data object encryption, file level encryption or tokenization in addition to the encryption provided at the platform level shall be used." – SEBI framework
Encryption at rest (EAR) protects against any possible data leak due to server compromise or unauthorized access. Encryption is done at the application layer using the AES-256 algorithm. Our in-house Key Management Service (KMS) generates and maintains the keys for encryption.
Data deletion
"The RE shall ensure that the agreement with the CSP contains clause(s) for safe deletion/erasure of RE’s information. The clause should cover various scenarios like business requirement of RE, exit strategy, etc." – SEBI framework
Site24x7 stores the performance data of monitored resources for a year. However, after you terminate your account, your data will be automatically deleted from our active database within six months and from our backups within three months after that. Learn more about our data deletion policy.
24/7 security monitoring
"Monitoring shall cover all components of the cloud. Additionally, the CSP shall continuously monitor the alerts generated and take appropriate actions as per the defined timelines." – SEBI framework
Maintain secure trading and brokerage websites, and secure your brand's reputation with Site24x7's web security monitoring capabilities, which that monitors website defacement, SSL/TSL certificates, and domain expiration, and more among others. Analyze your system, and application logs, and critical events with instant alerts to track any critical deviations or vulnerabilities using Site24x7 AppLogs.
Complement Site24x7's monitoring with ManageEngine's suite of products
ManageEngine serves as a one-stop shop for all your IT management needs. Leverage it's benefits and achieve complete SEBI compliance effortlessly.
Patch management
"RE shall ensure that CSP has a vulnerability management process in place to mitigate vulnerabilities in all components of the services that the CSP is responsible for (i.e. managed by the CSP). The RE shall assess and ensure that the patch management of CSP adequately covers the components for which the CSP is responsible (i.e. components managed by the CSP). The patch management framework shall include the timely patching of all components coming under the purview of CSP." – SEBI framework
ManageEngine Patch Manager Plus identifies, acquires, tests, deploys, and monitors software patches across your stock broking network. Using this software, you can ensure that your systems and applications are up to date with the latest security patches, bug fixes, and enhancements, reducing vulnerabilities and improving overall system stability for secure trading.
Features for reliable performance of trading servers, applications, and market data systems
Compliance checks for your AWS deployments
Site24x7 performs compliance checks to verify if your cloud infrastructure adheres to top security standards and certifications, including the Payment Card Industry Data Security Standard (PCI DSS) and Center for Internet Security (CIS) Benchmarks. Use this Site24x7 guidance report to verify how secure your AWS cloud applications and services are.
Capacity planning for your peak load
Stock market opening and closing hours generally experience increased trading volume and volatility. Stock broker servers also run at peak load during significant economic events, such as major corporate announcements or economic data releases. This is where IT admins need to play their systems to ensure an uninterrupted trading experience for customers. Site24x7's capacity planning helps with scaling the infrastructure, ensuring optimal system performance, and securing business continuity.
All-in-one monitoring
Site24x7 is a one-stop shop for monitoring the availability, performance, and transactions of:
- Stock exchange and brokerage firm websites.
- The stock market servers; brokerage servers; database servers that store client data and market history data; mutual fund web application servers; order management servers that are responsible for receiving and processing trade orders from clients or trading platforms; and compliance servers that manage KYC processes—the entire allied infrastructure hosted on-premises or the cloud.
- Networks that host these share trading activities.
- Applications that host trading platforms, market data platforms, and market research tools.
AIOps
Site24x7's AI-powered observability platform analyzes the peak load and off-peak characteristics of the market infrastructure and provides suggestions for resource planning and allocation. It also detects off-seasonal patterns and anomalies and notifies admins to secure your transactional infrastructure from threats. System admins can also configure IT automation for repetitive tasks and auto-heal common issues, saving time and workforce labor.
For LAMAs
Stock exchanges can use Site24x7's APIs to connect to the NSE's logging and monitoring mechanisms (LAMAs) and report the following every five minutes:
- Key parameters of applications, systems, and networks.
- The status of critical systems including client connectivity, order management systems, risk management systems, and exchange connectivity.
Summing up
Site24x7, already serving India's leading financial, investment, and insurance firms like Cholamandalam MS General Insurance and IIFL Finance, has the expertise and a thorough understanding of SEBI and the Indian stock market.
Being a part of Zoho, security and privacy are always the top priority at Site24x7. SEBI's deadline for compliance with the framework is coming up soon. Schedule a demo to see for yourself how Site24x7 can help with cloud security, affirm a secure trading experience for your clients, and foster a reliable IT environment for your business.
Comments (0)