
SECURITY · MFA · GCC INDIA · COMPLIANCE

Updated: May 11, 2026


GCC Security Teams Are Mandating MFA. Are Your Vendors Ready? 

GCC MFA compliance is now a vendor selection criterion, not an internal IT project. Global headquarters are requiring it from Indian GCC partners, most of whom are not yet fully compliant. Here is what the mandate covers, why it is accelerating, and how to close the gap before the next audit. 

Proactive Data Systems Security Practice  |  Cisco Preferred Security Partner, India  |  Last reviewed: May 2026 

GCC mandate observations and compliance gap data verified against Proactive Data Systems client engagements, Bangalore, Hyderabad, Pune, and Chennai, 2024-2026.


Up Front 

  • GCC headquarters in the US, UK, and Europe are adding MFA to standard vendor security questionnaires. For Indian GCC teams in Bangalore, Hyderabad, and Pune, this is no longer a future requirement. It is a current audit item. 
  • The mandate is not just about logging in with a second factor. It covers privileged access, remote access, VPN authentication, and in many cases, application-level access controls for any system that touches client data. 
  • Cisco Duo is the MFA platform most frequently specified by name in GCC security policies -- because it is what most global HQs already run. Deploying Duo closes the compliance gap and eliminates a separate vendor conversation. 
  • A GCC vendor that cannot confirm MFA compliance in a security questionnaire risks losing preferred vendor status. This is already happening in Bangalore and Hyderabad. The window to act before the next review cycle is short.

The Phone Call Every GCC IT Head in Bangalore Is Getting Right Now 

It starts with a vendor compliance questionnaire. Twelve to twenty pages, sent from a security team in London, New York, or Tokyo to their Indian GCC partner. The questions are standard: endpoint management, network segmentation, data handling, access controls. 

Then there is Question 14. Or Question 9. Or Section 3, Item 2. The exact position varies. The question asks the vendor to confirm that multi-factor authentication is enforced for all users accessing corporate systems, VPN, and applications handling client data. 

The GCC IT team in Whitefield, HITEC City or Hinjewadi looks at the question. Looks at their setup. Calls their security vendor. And discovers that 'we use passwords and a VPN client' is not the answer that keeps the contract. 

This is not a hypothetical. It is the most common conversation Proactive Data Systems is having with GCC IT teams in Bangalore, Hyderabad, and Pune in 2025 and 2026. (Proactive Data Systems field observation, GCC security engagements, India, 2024-2026.) 

Why It Is Happening Now, Not Two Years Ago 

The pressure comes from three directions arriving at the same time. 

Global CISO mandates. After a wave of supply chain attacks targeting outsourced IT operations -- several of which originated in Indian delivery centres used by US and European financial services firms -- global security teams tightened vendor requirements. MFA moved from recommended to required in most global enterprise security frameworks between 2022 and 2024. The Indian GCC partners are the last link in that chain to be formally audited. BFSI GCCs in Chennai and Bangalore, where Standard Chartered, DBS, and multiple US investment banks operate large delivery centres, are among the first to receive formal compliance mandates from global HQs. 

India's DPDP Act. The Digital Personal Data Protection Act, enacted in 2023, creates legal liability for organisations that fail to protect personal data. MFA is not explicitly named in the Act, but it is the single most effective technical control for preventing unauthorised access to systems holding personal data. Legal teams at GCC operators are now treating MFA deployment as a compliance risk item, not just a security best practice. 

Cyber insurance requirements. Major cyber insurers, including Lloyd's of London syndicates, AIG, and Beazley, began requiring MFA as a policy condition for coverage renewals from 2022 onwards. Organisations that cannot confirm MFA enforcement for remote access and privileged accounts face coverage exclusions or premium loadings. Indian GCC operations that fall under their parent company's global cyber insurance policy are now discovering that the policy conditions travel with the coverage. Non-compliance does not just fail an audit. It creates an uninsured exposure. (Proactive Data Systems GCC engagement observation, 2024-2026; Lloyd's of London cyber underwriting guidelines, publicly available.)


What the questionnaire actually asks 

Most GCC vendor security audits now cover five MFA-related items: (1) Is MFA enforced for all remote access and VPN? (2) Is MFA enforced for privileged accounts and administrator access? (3) Is MFA enforced for access to systems holding client data? (4) Are MFA logs retained and auditable? (5) What is the MFA platform in use, and is it centrally managed? A 'partially deployed' or 'in progress' answer to any of these is a risk flag in most audit frameworks.


What Most Indian GCC Vendors Actually Have -- and Where the Gap Is 

The honest picture, based on Proactive assessments of GCC environments in Bangalore and Hyderabad: most have MFA deployed for some users, on some systems, in some contexts. Almost none have it fully deployed across all the areas the questionnaire covers. 

Across GCC environments assessed by Proactive Data Systems in Bangalore and Hyderabad, privileged administrator access and developer access to production systems are the two areas most consistently uncovered by MFA -- and the two areas auditors check most carefully after confirming VPN protection. (Proactive Data Systems GCC security assessments, 2024-2026.)

| Access scenario | Typical status | Audit risk |
| --- | --- | --- |
| Corporate VPN remote access | MFA enforced | Usually covered |
| SaaS applications (Salesforce, ServiceNow) | Partial -- varies by app | Gap in most environments |
| Privileged / admin accounts | Often not enforced separately | High-risk gap -- auditors flag this first |
| On-premises applications with client data | Rarely covered | Critical gap for DPDP and global mandates |
| Developer access to production systems | Almost never covered | Highest-risk gap in GCC environments |
| Break-glass / emergency access accounts | No MFA -- by design | Needs documented exception process |

Based on Proactive Data Systems GCC security assessments, Bangalore and Hyderabad, 2024-2026.


The gap is never where IT teams think it is. It is not VPN. It is developer access to production systems and on-premises applications that were built before MFA was on anyone's radar. 


Why Cisco Duo Is the Platform Most GCC HQs Are Specifying 

When a GCC security questionnaire specifies an MFA platform by name -- which a growing number now do -- it is almost always Cisco Duo. The reason is straightforward: most global HQs already run Duo for their own workforce, and they want vendor MFA to be auditable from the same management console. 

For Indian GCC vendors, this has a practical implication. Deploying Duo does not just close the compliance gap. It eliminates the conversation about whether the MFA platform meets the parent company's standards, because it is the parent company's standard. 

Cisco Duo integrates with Active Directory, Azure AD, Okta, and most RADIUS-based systems without a rip-and-replace of existing infrastructure. A 500-person GCC operation in Bangalore can be fully deployed in 30 days with no impact to end-user productivity on day one -- because Duo supports a phased rollout that starts with the highest-risk access scenarios and expands from there. 

The 30-Day Path to Compliance 

Most GCC IT teams approach MFA deployment in a way that makes it harder than it needs to be. The right approach is not a full identity infrastructure overhaul. It is a phased deployment that closes the audit gaps in priority order.

| Week | Action | What it closes |
| --- | --- | --- |
| Week 1 | Deploy Duo for VPN and remote access | Closes the most common questionnaire gap immediately. Visible to auditors on day 8. |
| Week 2 | Enforce MFA on privileged and admin accounts | Closes the highest-risk gap. Auditors check this first after VPN. |
| Week 3 | Extend to SaaS apps handling client data | Closes DPDP and most global mandate requirements for data-touching systems. |
| Week 4 | Document break-glass process and generate audit logs | Closes the audit trail requirement. Produces the evidence the questionnaire asks for. |

At the end of week four, a GCC vendor can answer every MFA item on a standard security questionnaire with a yes, a platform name (Cisco Duo), and an audit log reference. That is what closes the compliance gap. 

What an Audit-Ready MFA Policy Actually Looks Like 

Deploying MFA and being audit-ready for MFA are not the same thing. Auditors from global HQ security teams -- and increasingly from third-party audit firms hired by GCC clients -- check four specific items beyond whether Duo is installed. 

| Audit item | What auditors check | Common gap |
| --- | --- | --- |
| Policy documentation | Written MFA policy naming covered systems, exemptions, and enforcement date | MFA deployed but never documented formally |
| Privileged account coverage | Evidence that admin and service accounts are MFA-enforced, not just user accounts | User MFA complete, admin accounts excluded |
| Exception management | Documented process for break-glass and emergency access, with log review cadence | Break-glass accounts exist with no documented process |
| Audit log retention | MFA authentication logs retained for a minimum of 90 days, accessible for review | Logs exist but not formally retained or exportable |

Cisco Duo generates audit logs in a format most GCC compliance frameworks accept directly. The Duo Admin Panel exports authentication reports that satisfy all four checklist items above. For GCC vendors in Chennai and Bangalore preparing for a BFSI client audit, this is the documentation stack that ends the conversation quickly. 
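As an added illustration (not code from this page, from Cisco, or from Proactive Data Systems), the Python check below runs the three log-backed items from the audit table above over a constructed authentication-log export: privileged or production access completed without an MFA factor (the two gaps from the access scenario table), break-glass use with no documented exception, and whether the export reaches back the 90 days the retention item asks for. The record layout, factor names, account names and the approved-exception list are all assumptions for the demo, not the Duo Admin API schema.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample export, one event per line: timestamp, user, role,
# access scenario, factor, result. An assumed simplified layout for the
# demo, not the Duo Admin API log schema; swap parse_log() for your export.
SAMPLE_LOG = """\
2026-02-01T08:00:00Z\tasha\tuser\tvpn\tduo_push\tsuccess
2026-03-03T09:15:00Z\tadmin-ravi\tadmin\tadmin_console\tpassword_only\tsuccess
2026-04-10T10:30:00Z\tdev-kiran\tuser\tprod_ssh\tpassword_only\tsuccess
2026-04-12T11:00:00Z\tbreakglass-01\tbreak_glass\tadmin_console\tpassword_only\tsuccess
2026-05-02T23:40:00Z\tbreakglass-01\tbreak_glass\tadmin_console\tpassword_only\tsuccess
2026-05-09T12:00:00Z\tasha\tuser\tsaas_crm\tduo_push\tsuccess
"""
# Constructed: break-glass uses signed off under the documented exception process.
APPROVED_BREAK_GLASS = {("breakglass-01", "2026-04-12")}

MFA_FACTORS = {"duo_push", "hardware_token", "passcode", "phone_call"}
PRIVILEGED_ACCESS = {"admin_console", "prod_ssh"}  # the gaps auditors check first
MIN_RETENTION = timedelta(days=90)

def parse_log(text):
    """Turn the tab-separated export into dicts with timezone-aware timestamps."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, access, factor, result = line.split("\t")
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "user": user, "role": role, "access": access,
                       "factor": factor, "result": result})
    return events

def audit(events, now, approved=APPROVED_BREAK_GLASS):
    """Check the three log-backed audit items: privileged coverage, exceptions, retention."""
    findings = {"privileged_without_mfa": [], "break_glass_unapproved": [], "retention_ok": False}
    for e in events:
        if e["result"] != "success":
            continue  # denied attempts are not coverage gaps
        if e["role"] == "break_glass":
            key = (e["user"], e["ts"].date().isoformat())
            if key not in approved:  # emergency use without a documented exception
                findings["break_glass_unapproved"].append(key)
        elif e["factor"] not in MFA_FACTORS and (e["role"] == "admin" or e["access"] in PRIVILEGED_ACCESS):
            findings["privileged_without_mfa"].append((e["user"], e["access"]))
    # The export must reach back at least 90 days to evidence the retention item.
    findings["retention_ok"] = now - min(e["ts"] for e in events) >= MIN_RETENTION
    return findings

def run_sample():
    """Audit the constructed sample as of 11 May 2026, the page's review date."""
    return audit(parse_log(SAMPLE_LOG), datetime(2026, 5, 11, tzinfo=timezone.utc))
```

Each non-empty finding list maps straight to a "common gap" row in the table, which is the evidence an auditor would ask to see remediated before the next review.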

Source: Cisco Duo documentation (duo.com); India DPDP Act, 2023 (meity.gov.in); GCC security mandate observations: Proactive Data Systems, GCC security engagements, Bangalore, Hyderabad, Pune, 2024-2026.

Frequently Asked Questions

Financial services (US and UK banks, insurance firms), technology companies (US and European software firms), and healthcare organisations are the most active. Manufacturing and logistics GCCs are following 12 to 18 months behind. If your GCC client is in BFSI or technology, the mandate is likely already in your next vendor review cycle.

The DPDP Act does not name MFA explicitly. It requires organisations to implement appropriate technical and organisational measures to protect personal data. MFA is the most widely recognised technical control for access security, and most legal and compliance teams treat it as a baseline requirement under the Act's 'appropriate measures' standard.

A phased Duo deployment for a 300-person GCC -- covering VPN, admin accounts, and key SaaS applications -- typically takes 3 to 4 weeks from kick-off to full enforcement. The integration with Active Directory or Azure AD is the longest single step. End-user enrolment, using Duo's self-service portal, typically completes within 5 business days once the integration is live.

Microsoft Authenticator covers Azure AD-integrated applications well. The gap it typically leaves is non-Microsoft systems: on-premises applications, RADIUS-based VPN, Linux servers, and legacy applications without SAML or OAuth support. Cisco Duo covers all of these through its RADIUS and SSH integrations. Many GCCs run both Authenticator for Microsoft workloads and Duo for everything else under a unified policy managed through Cisco ISE.

Duo Essentials covers the core compliance requirement: MFA for VPN, remote access, and application login. Duo Advantage adds device health checks and policy-based access -- relevant for GCCs whose HQ mandates endpoint compliance alongside MFA. Duo Premier adds single sign-on and advanced trusted endpoint controls, which is the tier most commonly required by global BFSI HQs that want a unified access policy across the GCC and the parent organisation. For most Indian GCCs receiving a standard vendor security questionnaire, Duo Essentials or Advantage closes the audit gap. Premier becomes relevant when the HQ wants to extend its own SSO policy to the Indian entity.

Proactive Data Systems is a Cisco 360 Preferred Partner across Security, Networking, Collaboration, Cloud and AI, and Services. We deploy Cisco Duo for GCC operations across Bangalore, Hyderabad, and Pune from initial assessment through full enforcement, with audit documentation included. If your next vendor review is coming up, talk to us before the deadline, not after.
