Developer Access to Production Is the Most Under-Secured Surface in Indian IT Services.

Updated: 15 Apr 2026

It is 11 PM in Hyderabad. A developer is connected to a US bank's production environment from a personal laptop. The VPN is the company's. The MFA on that VPN covers the connection to the office network. It does not cover the connection beyond it. 

The client's production database is open. The session is unlogged at the individual level. The developer's access has not been reviewed since the project onboarded 18 months ago. 

In Indian IT services, developer access to client production environments grew organically: project by project, without the formal provisioning process that corporate systems went through. 

Why This Surface Is Under-Secured

Developer access to client production environments is the most under-secured access surface in Indian IT services. Corporate MFA policy covers it on paper. In practice, it runs through personal devices, informal tunnels, and client-provisioned accounts the IT services firm does not control. 

The corporate MFA policy covers the VPN. It covers Microsoft 365. It does not cover the client-side account the developer uses to access the staging environment. It does not cover the shared admin account on the legacy system the team inherited. It does not cover the laptop running a local development environment seeded with production data. 

SOC 2 Type II auditors find this gap in every Indian IT services engagement that has not specifically addressed it: MFA deployed on corporate systems, client-facing access inconsistent. 

Indian IT services firms face a compliance pressure no global counterpart does: client-mandated SOC 2 from overseas enterprise clients running simultaneously with CERT-In audit obligations, DPDPA data protection requirements, and ISO 27001 certification demands from multiple clients in parallel. 

What Cisco Duo Covers 

Cisco Duo, Cisco's identity security platform, extends MFA to every access surface: client-facing VPN tunnels, production environment access, remote desktop sessions to client systems, and developer workstations accessing sensitive environments. Named individual authentication. Session logs attributed to the individual developer, not the team account. Exportable in the format a US enterprise client's SOC 2 auditor will request. 

In Proactive's Cisco Duo deployments across IT services and engineering services firms in Bengaluru, Hyderabad, and Pune, the pre-deployment credential audit consistently finds production environment access points outside the existing MFA policy: developer accounts, shared client-side credentials, and legacy access that predates the current security standard. 

The SOC 2 auditor finds these too. The difference is timing. 

Proactive is a Cisco Preferred Security Partner deploying Cisco Duo for Indian IT services MFA compliance: developer access security, SOC 2 deployments, and client contract requirements across Bengaluru, Hyderabad, and Pune. 

The developer is in production right now. 

Is that access protected? 

Talk to a Proactive Cisco Duo specialist. Write to [email protected].
