Updated: 20 Apr 2026
The email comes from Group Security. Or from the CISO's office in Austin. Or from the compliance team in Amsterdam. The subject line varies. The substance does not.
Multi-factor authentication is now mandatory across all global entities. All remote access. All privileged accounts. All third-party vendor connections. Evidence to be submitted to Group IT by the end of the quarter.
You have 90 days. The GCC entity in Bengaluru, Hyderabad, or Pune has been noted.
The document from Group Security is more specific than it first appears. MFA across all remote access means every VPN connection, every remote desktop session, every third-party vendor login, not just the productivity suite that already has conditional access running.
The privileged accounts requirement means phishing-resistant MFA, not standard push notification. Standard push can be defeated by a fatigue attack: repeated approval requests sent until an exhausted user approves one. The parent company's security team knows this. Verified Push or FIDO2 hardware keys are what the mandate means, even if it doesn't say so explicitly.
The evidence requirement means logs. Individually attributed, timestamped authentication logs demonstrating enforcement across every specified system. A deployment summary will not satisfy a Group IT audit.
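The fatigue pattern described above shows up in exactly this kind of individually attributed, timestamped log: a run of rejected push requests for one user, ending in an approval. The following is an added example, not code from this article or from Cisco Duo; the record fields (`ts`, `user`, `factor`, `result`), the account names and the thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical schema (not a vendor log format).
SAMPLE_LOG = [
    {"ts": "2026-04-20T02:11:05", "user": "adm-ravi", "factor": "push", "result": "timeout"},
    {"ts": "2026-04-20T02:11:50", "user": "adm-ravi", "factor": "push", "result": "denied"},
    {"ts": "2026-04-20T02:12:30", "user": "adm-ravi", "factor": "push", "result": "timeout"},
    {"ts": "2026-04-20T02:14:40", "user": "adm-ravi", "factor": "push", "result": "denied"},
    {"ts": "2026-04-20T02:15:02", "user": "adm-ravi", "factor": "push", "result": "approved"},
    # Rejections followed by an approval long after the window: not flagged.
    {"ts": "2026-04-20T08:00:00", "user": "ops-kiran", "factor": "push", "result": "denied"},
    {"ts": "2026-04-20T08:01:00", "user": "ops-kiran", "factor": "push", "result": "denied"},
    {"ts": "2026-04-20T08:02:00", "user": "ops-kiran", "factor": "push", "result": "denied"},
    {"ts": "2026-04-20T08:30:00", "user": "ops-kiran", "factor": "push", "result": "approved"},
    # One missed prompt and a retry: ordinary behaviour, below the threshold.
    {"ts": "2026-04-20T09:00:10", "user": "dev-meera", "factor": "push", "result": "timeout"},
    {"ts": "2026-04-20T09:00:45", "user": "dev-meera", "factor": "push", "result": "approved"},
    # Hardware-key logins are not push prompts and are ignored by this check.
    {"ts": "2026-04-20T09:05:00", "user": "adm-sana", "factor": "fido2", "result": "approved"},
]

def find_push_fatigue(events, window=timedelta(minutes=10), min_rejected=3):
    """Return (user, approval_ts, rejected_count) for each push approval that
    follows at least min_rejected denied or timed-out pushes inside the window."""
    recent = defaultdict(deque)  # user -> timestamps of recent rejected pushes
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["factor"] != "push":
            continue
        ts = datetime.fromisoformat(ev["ts"])
        rejected = recent[ev["user"]]
        while rejected and ts - rejected[0] > window:
            rejected.popleft()  # drop rejections older than the window
        if ev["result"] in ("denied", "timeout"):
            rejected.append(ts)
        elif ev["result"] == "approved":
            if len(rejected) >= min_rejected:
                findings.append((ev["user"], ev["ts"], len(rejected)))
            rejected.clear()  # an approval ends the current run
    return findings

if __name__ == "__main__":
    for user, when, count in find_push_fatigue(SAMPLE_LOG):
        print(f"{user}: approval at {when} after {count} rejected pushes")
```

A hit on a privileged account is a reason to review that session and to move the account to a phishing-resistant factor.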
A Cisco Duo deployment for an Indian GCC entity satisfies both the parent company mandate and Indian regulatory requirements, CERT-In CISG-2025-02 and DPDPA, from a single platform with a Mumbai data centre confirming India data residency.
GCCs grow fast. Infrastructure accumulates faster than governance. A 2,000-person GCC in Bengaluru is typically running cloud applications provisioned by the product team, on-premises systems inherited from an earlier phase, Active Directory last reviewed in 2021, and vendor remote access managed through a shared spreadsheet.
A GCC entity of 2,000 people typically has between 15 and 30 privileged administrator accounts, the highest-risk population and, critically, the smallest. This population can be fully enrolled in Cisco Duo with phishing-resistant MFA within one week. It closes the highest audit exposure immediately, without touching the broader workforce deployment.
Privileged accounts: week one. Remote access via RADIUS integration with the existing VPN concentrator: weeks two to three. No changes to VPN software required. Workforce enrolment across the GCC: weeks four through eight, with the communication campaign that prevents the Day 1 false-positive flood when employees receive enrolment emails and report them as phishing.
In Proactive's GCC deployments across Bengaluru, Hyderabad, and Pune, the credential audit conducted before configuration consistently surfaces dormant vendor accounts and shared administrator credentials, findings that make the subsequent Cisco Duo deployment more complete and the Group IT evidence package more defensible.
Proactive is a Cisco Preferred Security Partner with specific experience deploying Cisco Duo for GCC entities in India: dual compliance, mixed infrastructure, and parent company audit evidence standards. We have closed the 90-day window for GCC clients before. We know where the time goes.
If the mandate just arrived, the conversation should start now.
Write to [email protected] to discuss with a Proactive Cisco Duo specialist.