The Indian government is currently at odds with Virtual Private Network (VPN) service providers over its cybersecurity guidelines and has banned their employees from using anonymization services and third-party VPN providers like ExpressVPN, NordVPN and others for accessing work properties.
The Indian Computer Emergency Rescue Team (CERT-In) had lately issued certain directions to enhance cyber security by bridging the gap in cyber incidence analysis. The new directives mandate data collection, retention, and integration by data centers, VPS (Virtual Private Server) providers, cloud service providers, and VPN service providers. The government’s latest directives on the use of commercial VPN drew criticism from VPN providers in India as they are not willing to disclose the identity of their subscribers. This had led to companies like ExpressVPN, Surfshark and NordVPN announcing the removal of their servers from India which will go into effect from June 27.
In addition to refraining government employees from using VPN services, the directive has also asked employees to not upload/save internal, restricted or confidential government data on non-government cloud services like Google Drive or Dropbox. It has also restricted its employees from using external mobile application based services for scanning government documents.
The guidelines were issued by the National Informatics Centre (NIC), under the Ministry of Electronics and Information Technology (MeitY) to improve the security posture of the government.
As per the directive, all employees must strictly adhere to the guidelines. The instructions are also applicable for temporary, contractual/outsourced resources. The respective CISOs/Department heads have been assigned to act upon any reported non-compliance.