The new government order restricts employees from using third-party, non-government cloud platforms including Google Drive and Dropbox as well as virtual private network (VPN) services including NordVPN and ExpressVPN.
The order passed by the National Informatics Centre (NIC) has been circulated to all ministries and departments, and all government employees are required to comply with the directive, Gadgets 360 has learnt.
This new move by the government comes just weeks after it directed VPN service providers and data centre companies to store their user data for up to five years.
Citing an increased number of cyberattacks and threat perception to the government, the 10-page document orders employees to “not upload or save any internal, restricted, confidential government data or files on any non-government cloud service (ex: Google Drive, Dropbox, etc.).”
The document is titled “Cyber Security Guidelines for Government Employees.”
In addition to restricting employees from using the popular cloud services, the government instructed employees through its directive to not use any third-party anonymisation services and VPNs, including NordVPN, ExpressVPN, Tor, and proxies.
It also directed the workforce to refrain from using “unauthorised remote administration tools” such as TeamViewer, AnyDesk, and Ammyy Admin, among many others.
Government employees are also directed to not use any “external email services for official communication” or conduct “sensitive internal meetings and discussions” using “unauthorised third-party video conferencing or collaboration tools.”
The government also ordered employees to not “use any external websites or cloud-based services for converting/compressing a government document”.
The government also directed the workforce to not use “any external mobile app-based scanner services”, including CamScanner, for “scanning internal government documents.”
The government banned CamScanner in 2020 as part of its initial move to restrict China-based apps in the country.
Some government officials were still using the app for scanning physical copies of their official documents.
Alongside restricting the usage of certain apps, the government’s order also directs employees to not ‘jailbreak’ or ‘root’ their mobile phones.
The directive also orders employees to take measures including the use of complex passwords as well as updating passwords once in 45 days and updating operating system and BIOS firmware with the latest updates and security patches.
Government Order Said:
The order was released on 10th June 2022 after a couple of revisions in the original draft made by the NIC.
It includes inputs from India’s Computer Emergency Response Team (CERT-In) and was approved by the Ministry of Electronics and Information Technology (MeitY) secretary.
In April, the CERT-In issued a directive to make it mandatory for VPN service providers, data centres, virtual private server (VPS) providers, and cloud service providers to keep user data for five years or even longer.
The order will come into force from 28th June 2022.
As a result of that order, VPN service providers including NordVPN, ExpressVPN, and Surfshark have decided to remove their physical servers in the country as they follow no-log policies and are not technically capable of storing logs.
The major VPN entities as well as some digital rights groups have also raised privacy concerns for users over the storing of their data.
Companies including Facebook and Google also warned that the rules made by CERT-In could create a frightening environment.