Ministry of Electronics and Information Technology (MeitY)
Overview
Ministry of Electronics and Information Technology (MeitY) embarked on MeghRaj cloud initiative to harness the benefits of Cloud Computing and accelerate delivery of e-services. MeitY undertakes empanelment of Cloud Service Offerings of the Cloud Service Providers (CSPs) that includes compliance to the empanelment requirements followed by an audit by Standardisation Testing and Quality Certification (STQC). MeitY empanelment is an important criterion for procurement of Cloud Services by Public Sector Units (PSUs), Nationalized Banks, Financial Institutions and Government Agencies / Autonomous Institutions / Statutory Bodies under Government of India / States / UTs and Local Governments within India.
Amazon Web Services India Private Limited, a reseller of Amazon’s Cloud Services (AWS Cloud Services), has Cloud Service Provider (CSP) empanelment from MeitY for cloud services offered from the AWS Asia-Pacific (Mumbai) and AWS Asia Pacific (Hyderabad) Regions. AWS Regions are designed to be autonomous and each AWS Region consists of a minimum of three, isolated, and physically separate Availability Zones (AZs) within a geographic area. The empanelment letters are available on AWS Artifact: AWS Asia Pacific (BOM) and AWS Asia Pacific (HYD). AWS also undergoes annual surveillance audit by STQC to ascertain continuous compliance. AWS Infrastructure Regions meet the highest levels of security, compliance, and data protection and the empanelment affirms that AWS Cloud Services meet government standards of quality, availability, and security.
AWS is architected to be the most secure global cloud infrastructure on which to build, migrate, and manage applications and workloads. Security and Compliance is a shared responsibility between AWS and the customer. AWS offers breadth of Security, Identity, & Compliance services that the customer (or their managed service providers) can use to manage and reduce security risk, and protect their networks and data. Please visit Best Practices for Security, Identity & Compliance page for further details.
FAQs
-
About Ministry of Electronics and Information Technology (MeitY) and MeghRaj – GI Cloud Initiative
- Ministry of Electronics and Information Technology (MeitY), Government of India, is responsible for enacting, reviewing, and enforcing policies relating to information technology, electronics, cyber-laws, IT related legislations, and internet in India. It assists in promotion of IT and IT enabled services including Digital Transactions, e-Governance, Cloud Adoption among other initiatives.
- MeitY embarked on a cloud initiative MeghRaj to harness the benefits of Cloud Computing. The focus of this initiative is to accelerate delivery of e-services in the country while optimizing ICT spending of the Government. MeitY has embarked upon several initiatives including publishing Strategic Direction paper on ‘Cloud Policy’ in 2013 and Empanelment of Cloud Service Offerings of CSP 2016 in order to proliferate the Cloud adoption across the various departments and agencies and streamline the processes involved.
- The Strategic Direction paper on ‘Cloud Policy’ in 2013, emphases that the existing applications, services, and projects funded by Government are to be assessed for migration to cloud while all new applications need to be cloud ready.
-
What criteria and assessments are used by MeitY for Empanelment of Cloud Service Offerings of the CSPs?
- For compliance to the government regulations and empanelment by MeitY, it is required that cloud services offered shall be hosted within India and data residency shall also be limited to the boundaries of India. In addition, CSP Empanelment RFP defines minimum requirements including compliance to IT Act 2000 (including 43A) and amendments thereof and global standards like ISO27001:2017, ISO27017:2015, ISO27018:2019, ISO20000-1:2018 among others.
- As part of the empanelment process, MeitY conducts the compliance check and initial assessment to ascertain that the CSP has submitted all the required documents as mentioned in the CSP Empanelment RFP. Post successful assessment by MeitY, the empanelment application is forwarded to Standardisation Testing and Quality Certification (STQC) Directorate, an attached office of the Ministry of Electronics and Information Technology for the audit of data centers and cloud service offerings. MeitY issues the Letter of Award of Empanelment to the CSPs which are successfully audited by STQC. CSPs also undergo an annual surveillance audit by STQC to ascertain compliance with the minimum security requirements specified by MeitY and also any additional requirements specified by MeitY.
-
Which AWS Regions are covered under MeitY empanelment?
- Amazon Web Services India, a reseller of AWS Cloud Services, has cloud service provider (CSP) empanelment from MeitY for cloud services offered from the AWS Asia-Pacific (Mumbai) and AWS Asia Pacific (Hyderabad) Regions. AWS Asia-Pacific (Hyderabad) Region is the second AWS Region in India to be fully empaneled by MeitY. In 2017, AWS India became the first global CSP in India to receive full empanelment for its cloud service offerings after the AWS Asia-Pacific (Mumbai) Region completed MeitY’s STQC (Standardization Testing and Quality Certification) audit.
- AWS Regions are designed to be autonomous and each AWS Region consists of a minimum of three, isolated, and physically separate Availability Zones (AZs) within a geographic area. Each AZ, a group of logical data centres, has independent power, cooling, and physical security. All AZs in an AWS Region are interconnected with high-bandwidth, low-latency networking, over fully redundant, dedicated metro fiber providing high-throughput, ultra-low-latency networking between AZs. All traffic between AZs is encrypted. AZs are located in separate and distinct geographical locations, far enough from each other to support customers’ business continuity, and near enough to provide low latency for high availability applications that use multiple data centres.
- The network performance is sufficient to accomplish synchronous replication between AZs. AZs make partitioning applications for high availability easy. If an application is partitioned across AZs, agencies are better isolated and protected from issues such as power outages, lightning strikes, tornadoes, earthquakes, and more. AZs are physically separated by a meaningful distance, many kilometers, from any other AZ, although all are within 100 km (60 miles) of each other. AZs give customers the ability to operate production applications and databases that are more highly available, fault tolerant, and scalable than would be possible from a single data center. AWS customers focused on high availability can design their applications to run in multiple AZs to achieve even greater fault-tolerance.
- AWS infrastructure Regions meet the highest levels of security, compliance, and data protection. The empanelment affirms that AWS meets government standards of quality, availability, and security, and provides government organisations, public sector undertakings (PSUs), statutory bodies, and financial institutions mandated by the Securities and Exchange Board of India (SEBI) more scope to innovate with the world’s most comprehensive and broadly adopted cloud. Government organisations can improve e-governance standards and enable on-demand digital services for citizens and businesses across India. Similarly, financial services organisations can benefit from agile, efficient, and security-compliant cloud solutions at scale, providing consumers faster and secure digital banking, insurance, and payment innovations.
-
How does MeitY empanelment help customers?
- MeitY empanelment has become an important criterion for procurement by Government Departments / Ministries / Agencies / Autonomous Institutions / Statutory Bodies / Offices under Government of India or States or UTs or Local Governments or PSUs or Nationalized Banks within India (herein after referred to as Government Department) and Financial Institutions. The empanelment helps customer ensure that the empanelled CSPs meet the minimum technical and security guidelines defined by MeitY.
- The Agencies can procure the Cloud Services either directly from CSP or indirectly through a Managed Service Provider (MSP) including cloud & managed services or from a System Integrator for end-to-end services.
- Customers can store data in either Asia Pacific (Mumbai) or Asia Pacific (Hyderabad) Regions to maintain customer content within India and comply with the MeitY’s data residency guidelines. As a customer, you maintain full control of your content that you upload to the AWS services under your AWS account, and responsibility for configuring access to AWS services and resources. AWS will not move or replicate customer’s content outside of their chosen AWS Region(s) except as agreed with you. AWS provides capabilities that allow customers to encrypt, delete, and monitor the processing of their customer data. For more information, see the AWS Privacy webpage.
- We prohibit, and our systems are designed to prevent, remote access by AWS personnel to customer data for any purpose, including service maintenance, unless access is requested by customer, is required to prevent fraud and abuse, or to comply with law. Please refer to Privacy Feature of AWS Services for more information on controls.
-
Does customer need to define additional security requirements during cloud procurement?
- Security and Compliance is a shared responsibility between AWS and the customer. AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates and is responsible for protecting the infrastructure, including hardware, software, networking, and facilities, that runs all of the services offered in the AWS Cloud. AWS infrastructure Regions meet the highest levels of security, compliance, and data protection. The customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS provided security group firewall.
- While MeitY has defined the minimum security requirements (“Security of the Cloud”) that need to be complied by the CSPs to get empanelled, government agencies are responsible for specifying the security services and features (“Security in the Cloud”) that need to be deployed and configured for their workloads depending on the services used, application risk profile and applicable laws and regulations.
- AWS is architected to be the most secure global cloud infrastructure on which to build, migrate, and manage applications and workloads. AWS offers breadth of Security, Identity, & Compliance services that the customer can use to manage and reduce security risk, and protect their networks and data.
- AWS Well-Architected helps cloud architects build secure, high-performing, resilient, and efficient infrastructure for a variety of applications and workloads. Built around six pillars—operational excellence, security, reliability, performance efficiency, cost optimization, and sustainability—AWS Well-Architected provides a consistent approach for customers and partners to evaluate architectures and implement scalable designs. Please visit Best Practices for Security, Identity & Compliance page for further details.
-
Where can I get copy of the Empanelment letter issued for availing AWS Cloud services?
- The empanelment letters are available on AWS Artifact: AWS Asia Pacific (BOM) and AWS Asia Pacific (HYD). AWS Artifact is a self-service central resource for on-demand access to security and compliance reports from AWS. Sign in to AWS Artifact in the AWS Management Console to download auditor-issued reports, certifications, accreditations, and other third-party attestations of AWS.