“India’s Rapid Hybrid Cloud Expansion Is Outpacing Governance Maturity”

As hybrid and multi-cloud adoption accelerates across India, enterprises and government institutions are facing increasing pressure to balance cloud agility with data sovereignty, regulatory compliance, and security governance. With data localization mandates and the DPDP Act reshaping the regulatory landscape, gaps in visibility, identity management, and compliance validation have emerged as critical challenges. To explore why hybrid cloud governance has become a key blind spot and how organizations can address it, Rajeev Ranjan, Editor, Digital Terminal, spoke with Himanshu Kumar Gupta, Senior Director – Government Business & Channels, India & SAARC at Trend Micro, who shares insights on unified security, real-time governance, and embedding compliance into modern cloud strategies.

Rajeev: Why has hybrid and multi-cloud adoption become India’s biggest governance blind spot, especially with new data sovereignty and localization mandates taking effect?

Himanshu: Amidst increased digital transformation, organizations are prioritizing speed over structure which creates a governance challenge, particularly in hybrid and multi-cloud adoption. Gartner predicts 90% of organizations will adopt hybrid cloud by 2027, and India is projected to lead global cloud growth through 2030. However, this rapid expansion outpaces governance maturity.

The blind spot emerges from fragmented visibility across hybrid and on premise environments. Traditional security tools operate in silos, unable to track data movement or enforce consistent policies across clouds. With data sovereignty enforcement underway and sectoral mandates from RBI and SEBI requiring data localization, organizations lack unified mechanisms to prove where data resides, who accesses it, and whether cross-border transfers comply with regulations.

The complexity multiplies with shadow IT. Organizations struggle to map their actual cloud footprint, leaving gaps that expose sensitive data. We believe governance must shift from periodic audits to continuous visibility and automated compliance validation across all cloud environments.

Rajeev: With most cloud security failures linked to identity, access, and privilege mismanagement, what gaps do you see in how Indian organizations are currently handling IAM across distributed clouds?

Himanshu: Industry research indicates that majority of cloud security failures will result from customer misconfigurations, with IAM issues being primary contributors.

Indian organizations face three critical gaps. The first one is the inconsistent IAM policies across multiple clouds create privilege sprawl. Users receive excessive permissions that violate least privilege principles. Second, orphaned accounts from departed employees remain active, creating persistent backdoors. Third, Indian organizations lack centralized visibility into who has access to what across hybrid environments.

The challenge intensifies with a 25-60% cybersecurity talent deficit in India. Security teams cannot manually track permissions across thousands of identities and roles. Organizations need Cloud Infrastructure Entitlement Management that continuously discovers identities, maps permissions, detects anomalies, and automatically right-sizes access. Without this, IAM becomes a compliance exercise rather than active risk management.

Rajeev: How do fragmented cloud security tools across various cloud and on-prem environments create compliance and audit risks for Indian enterprises and government agencies?

Himanshu: Fragmented tools create a dangerous illusion of security while generating audit nightmares. Organizations typically deploy numerous point solutions for cloud security, each generating isolated alerts without context. Security teams spend valuable time correlating events manually instead of responding to actual threats.

For compliance, fragmentation means no single source of truth. When auditors question data localization or accessibility of privileged records, security teams must stitch together logs from multiple systems. This process is error-prone and time-consuming. Popular cost of data breaches reports linked majority of cloud breaches to misconfigurations that fragmented tools failed to detect comprehensively.

Under data protection laws and sectoral regulations, organizations face penalties up to ₹250 crores for non-compliance. Fragmented security cannot demonstrate continuous compliance or provide audit trails showing data handling throughout its lifecycle. Unified platforms eliminate these gaps by consolidating visibility, automating compliance mapping, and generating audit-ready reports across all cloud environments.

Rajeev: What role can unified cloud security platforms play in giving organizations real-time visibility, control, and audit readiness to meet India’s regulatory expectations?

Himanshu: Unified cloud security platforms transform compliance from reactive documentation to proactive governance. For instance, Trend Vision One™ Cloud Security exemplifies this approach by integrating cloud posture management (monitoring misconfigurations), workload protection (securing servers and containers), identity entitlement management (controlling access rights), and container security into a single platform that provides comprehensive visibility across hybrid and multi-cloud environments.

Real-time visibility means organizations can instantly answer critical questions like where does sensitive data actually reside or are misconfigurations exposing citizen information. The platform continuously discovers assets, assesses risks, and prioritizes remediation based on business impact rather than overwhelming teams with thousands of uncontextualized alerts.

For audit readiness, unified platforms automatically map security controls to various data law requirements, RBI guidelines, SEBI mandates and other regulations. They generate compliance reports showing data residency, access logs, and breach response capabilities. Automated policy enforcement ensures new cloud instances immediately receive security controls, eliminating configuration drift. This approach enables organizations to demonstrate continuous compliance rather than scrambling during audits.

Rajeev: How can sovereignty and compliance requirements be embedded directly into DevSecOps workflows so that governance becomes automatic rather than a post-deployment exercise?

Himanshu: Embedding compliance into DevSecOps requires shifting security left while maintaining development velocity. Organizations must integrate security checks directly into continuous integration and continuous deployment pipelines. These are the automated systems that build, test, and deploy code instead of treating governance as a deployment gate.

Infrastructure-as-code scanning detects policy violations before deployment. For example, scanning Terraform templates ensures storage buckets default to private, encryption is enabled, and data stays within specified regions. Container image scanning validates that only approved base images with no critical vulnerabilities reach production. Secret detection prevents accidental exposure of credentials in code repositories.

Trend Vision One™ enables this through pipeline-native protection that automatically enforces data residency policies, and blocks deployments violating security baselines. Developers receive immediate feedback within their workflows rather than discovering violations weeks later. This prioritises secure innovation at speed, ensuring sovereignty requirements are built-in from the first line of code.

Rajeev: With DPDP Act enforcement and stricter government directives on data residency, what strategic adjustments must Indian public sector and regulated industries make to balance cloud agility with national security obligations?

Himanshu: Three strategic adjustments are essential. The first is adopting continuous threat exposure management as policy standard. Unlike periodic assessments, CTEM provides ongoing discovery, risk prioritization, and validation across all digital assets. This proactive stance prevents incidents before they compromise citizen data or national security.

The second is to mandate unified security platforms over fragmented point solutions. Government agencies and regulated industries need platforms that seamlessly secure hybrid environments, correlate threats across domains, and translate technical risks into business terms for leadership. This consolidation reduces complexity while strengthening security posture and audit readiness.

The third imperative is to implement automated compliance validation. Organizations need platforms that continuously verify data residency, validate access controls, and generate real-time compliance dashboards aligned with regulatory requirements. We believe these adjustments enable organizations to pursue cloud agility confidently while fulfilling sovereignty obligations and maintaining citizen trust.

^{𝐒𝐭𝐚𝐲 𝐢𝐧𝐟𝐨𝐫𝐦𝐞𝐝 𝐰𝐢𝐭𝐡 𝐨𝐮𝐫 𝐥𝐚𝐭𝐞𝐬𝐭 𝐮𝐩𝐝𝐚𝐭𝐞𝐬 𝐛𝐲 𝐣𝐨𝐢𝐧𝐢𝐧𝐠 𝐭𝐡𝐞 WhatsApp Channel now! 👈📲}

^{𝑭𝒐𝒍𝒍𝒐𝒘 𝑶𝒖𝒓 𝑺𝒐𝒄𝒊𝒂𝒍 𝑴𝒆𝒅𝒊𝒂 𝑷𝒂𝒈𝒆𝐬} 👉 ^{Facebook, LinkedIn, Twitter, Instagram}