Govt restricts VPN, Cloud Services for its employees to maintain ‘security posture’

The central government has restricted its employees from using third-party virtual private networks (VPN) and anonymisation services.

According to an Economic Times report, the directive has barred its employees to avail services provided by companies including ExpressVPN, Nord VPN and Tor, according to a new directive issued by the Indian Computer Emergency Response Team (Cert-In) and National Informatics Centre (NIC).

The directive has also asked the employees not to store any internal, restricted or confidential data files on any non-government cloud services such as Google Drive or Dropbox.

The directive comes days after companies like NordVPN, ExpressVPN and Surfshark proclaimed that they are removing their servers from India following the government’s new cybersecurity guideline that will go live from June 27.

The NIC, which operates under the Ministry of Electronics and Information Technology, said that it has laid the guildelines to improve the “security posture” of the government.

Also read: What India’s new VPN rules mean for you

In order to sensitise the government employees and contractual/outsourced resources and build awareness amongst them on what to do and what not to do from a cyber security perspective, these guidelines have been compiled,” ET quoted the in internal document, titled Cyber Security Guidelines for Government Employees.

The NIC has also restricted the employees from using any external mobile app-based scanner services such as CamScanner for scanning “internal government documents.”

“By following uniform cyber security guidelines in government offices across the country, the security postures of the government can be improved,” the directive mentions.

Despite, several VPN providers’ objections to the directions raising concerns around privacy of customers using their services.

The CERT-In mandated that the VPN providers will be required to maintain logs including names of customers, their IP addresses and other details, for five years, beginning June 27.

Earlier, Rajeev Chandrasekhar, minister of state for information technology said that a VPN provider, data centre operator, cloud provider or enterprise is obliged to know the users of the infrastructure and if there is a detected cyber breach from one of the users, it is mandated to produce the data required for taking action. He also noted that if the entities do not comply, the government will have to take appropriate action, but did not specify the steps that the government will take.