Are you ready to comply with India's VPN logging and broader IT directive?

On April 28 India announced new IT directives that require verbose logging of almost all IT activities, report infosec incidents within six hours of detection, keeping records of customer IP addresses for clouds and VPNs and much more … with compliance required next Tuesday. Oh and Cert-IN is happy for you fax in reports of security incidents, which is deeply weird because the rationale is to give Indian authorities better intelligence about threats.

How are your compliance efforts coming along?

Have anyone bothered trying?

I’ll get right on that as soon as they crack down on scam call centers.

Or Never, same difference.

a great excuse to stop outsourcing 90% of my department to India.
They don’t get anything done anyway, all they do is make unapproved commits at 3am and break everything and then log off and wait for me to log on and fix it without even telling me shit is broken.

Honestly I was joking because I dont have to deal with that, but I could for real. Get a central log server. Graylog is probably the best cookie cutter setup that could get you going pretty quickly.

Fuck, this is news to me, and we have one staff member based in India.

Do I just need to enable extreme verbose logging of that user’s VPN activities for up to 6 months?

Does anyone actually care? I actually heard about this from SurfShark, a commercial VPN. They’re just shutting down their Indian servers, and somehow or other using servers elsewhere “with an Indian IP” whatever that means.

We tend to just let India do their own thing in my company.

Every year or two we get asked to implement telephony services in India but give up after two or three meetings due to the conplexity of the regulatory requirements and the fact the local offices dont want to actually pay for anything. Actually I am due to start this loop again soon. Who knows one day this project might make it beyond the planning phase.

If you sleep for 8 hours with notifs off, and get hacked in the first 2 hours of sleep, you are outside the 6 hour mandatory requirement and can go about your day.

Fuck, what is this going to do to every single one of my US-based vendors’ support teams?

Considering that Indian police have trouble enforcing already existing laws I don’t think this will affect anyone that doesn’t live in or work with India.

Why would I care about what third world countries require?

Where do touch find all this info? Looking for good places to subscribe for big updates like this

Sure, Im fully in compliance with GDPR

or, politely, “India, Molon Labe”

Which workarounds can i do to connect to India then? I mean I used India to get cheap Gsuite and so on?

*Indian Police shows up*

Hello police, if you look at these 4 computers by the entrance, this is a legitimate call center. Don’t look at the other 5 rows of 10 PC’s each, and the cash handoffs for payments, or our banking trail/s, don’t Google our organizations name, or…

Oh look a pile of rupees by the door. Byeeeeeee.

Yep, receive dozens a week, all from virign media

Why are they able to break your production environment without approvals? PR gates should solve this.

Outsourcers are usually a separate company. They might have to provide logs, but I can’t imagine it would include logs belonging to their customers as well.

If it does, then I can see *MANY* big companies ending contracts with India quickly.

It’s not even a matter of disliking the rules. It would violate things like HIPAA and PII laws. It would mean no longer being able to ensure your own business privacy or customer privacy.

Pray to IT Jesus for me. My entire server team is being outsourced to India (Accenture) I’m a nervous wreck. I watch too many India scam call videos and my faith is low.

For international companies that have offices in India I bet they do. It could end up being a huge cash grab in fines for their government.