Updated: 14 Apr 2026
India's 1,700+ GCCs hold parent-company data and credentials while running identity infrastructure built for a simpler era. This piece covers the three core identity risks every GCC IT leader faces in 2025: credential theft, MFA fatigue, and regulatory non-compliance, and maps how a Cisco Duo deployment addresses each.
Written for IT heads and CISOs managing GCC environments in Bangalore, Hyderabad, Pune, and Delhi NCR.
There's a number that doesn't get talked about enough in Indian IT security circles: 1,700.
That's approximately how many Global Capability Centres are now operating in India — making this country the undisputed GCC capital of the world. Bangalore alone hosts more GCCs than any other city on earth. Hyderabad, Pune, and Chennai are right behind. India is expected to cross 2,500 GCCs by 2030, employing nearly 2 million people, up from roughly 1.3 million today, according to NASSCOM's GCC Landscape Report 2024.
Behind every one of those GCCs is an IT leader carrying a problem that the headcount and the hype rarely mention: how do you secure the identity of thousands of employees, contractors, and partners logging into your most sensitive systems — across time zones, devices, and continents — every single day?
This is the identity security challenge that defines the GCC era. And most GCC IT teams are managing it with infrastructure that was never designed for it.
A GCC is not a call centre. It's not a back-office outsourcing shop. It's the global delivery arm of a Fortune 500 company — running product development, financial operations, legal compliance, cybersecurity, and engineering for a parent organisation headquartered in the US, Europe, or Japan.
That means a GCC in Bangalore is accessing the same Azure Active Directory, the same SAP instance, the same M365 environment as the parent company's team in San Jose or Frankfurt. Same SaaS tools. Same multi-cloud identity management infrastructure. Same privileged access to the same sensitive data.
But they're also operating in a fundamentally different environment:
The security model built for a fixed office in suburban New Jersey does not translate to a hybrid GCC in Whitefield or HITEC City. The perimeter disappeared years ago. What remains is identity — and identity is now the primary attack surface.
The Attacker Already Knows This
Credential-based attacks are not a future threat. They are today's dominant breach vector.
According to the Verizon Data Breach Investigations Report 2024, over 80% of hacking-related breaches involve stolen or weak credentials. Attackers targeting GCCs are not breaking through firewalls. They're logging in — using credentials harvested from phishing emails, credential-stuffing tools, or social engineering.
GCC employees are particularly attractive targets. They're high-value individuals with deep access to parent company systems. They work across time zones, often outside normal monitoring hours. And they communicate constantly with counterparts in the parent organisation — making them the ideal conduit for a lateral movement attack that starts in India and ends in a US data centre.
There is also a specific, growing threat every GCC IT leader needs to understand: MFA fatigue attacks, also called prompt bombing.
Traditional push-notification MFA can be defeated without touching a single firewall. The attacker logs in with a stolen password, triggers an authentication push, then floods the victim with notification requests until they approve one — out of frustration, confusion, or distraction. No malware required. No zero-day exploit. Just persistence.
The Uber breach of 2022 — in which an attacker compromised a contractor's credentials and bypassed MFA through exactly this method — is the most documented example. It is not an outlier. It is a template.
This is why simply having MFA is no longer enough.
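The prompt-bombing pattern described above leaves a recognisable trace in authentication logs: a run of denied or timed-out pushes for one account, then an approval. The detector below is an added example, not code from this article or from any vendor; the event fields, sample events, window and threshold are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, factor, result).
# Field names and values are hypothetical, not any product's log schema.
EVENTS = [
    ("2025-03-04T09:00:05", "alice", "push", "approved"),
    ("2025-03-04T09:30:00", "alice", "push", "denied"),      # one mistaken tap
    ("2025-03-04T09:30:40", "alice", "push", "approved"),
    ("2025-03-04T02:01:10", "contractor7", "push", "denied"),
    ("2025-03-04T02:01:40", "contractor7", "push", "timeout"),
    ("2025-03-04T02:02:05", "contractor7", "push", "denied"),
    ("2025-03-04T02:02:30", "contractor7", "push", "timeout"),
    ("2025-03-04T02:03:00", "contractor7", "push", "denied"),
    ("2025-03-04T02:03:20", "contractor7", "push", "approved"),
    ("2025-03-04T08:00:00", "bob", "push", "timeout"),        # spread over hours
    ("2025-03-04T11:00:00", "bob", "push", "timeout"),
    ("2025-03-04T15:00:00", "bob", "push", "timeout"),
    ("2025-03-04T15:00:30", "bob", "webauthn", "approved"),  # not a push, ignored
]

def detect_push_fatigue(events, window=timedelta(minutes=10), min_unanswered=4):
    """Flag bursts of unapproved pushes and approvals that follow a burst."""
    recent = defaultdict(deque)  # user -> times of unapproved pushes in window
    alerts = []
    for ts, user, factor, result in sorted(events):  # ISO timestamps sort by time
        if factor != "push":
            continue
        t = datetime.fromisoformat(ts)
        q = recent[user]
        while q and t - q[0] > window:   # drop pushes older than the window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(t)
            if len(q) == min_unanswered:  # alert once, when the threshold is hit
                alerts.append((user, ts, "burst"))
        elif result == "approved":
            if len(q) >= min_unanswered:  # user gave in after being flooded
                alerts.append((user, ts, "approved_after_burst"))
            q.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(EVENTS):
        print(alert)
```

A `burst` alert shows an account under bombardment; `approved_after_burst` means a prompt was accepted and the resulting session should be treated as suspect.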
1. Securing a Workforce You Don't Fully Control
In a GCC, you have employees, contractors, third-party vendors, and parent-company executives — all needing access to your systems, all with different onboarding and offboarding timelines. Contractors get spun up and wound down rapidly. Vendors need scoped access that expires. Parent-company leaders need seamless access during India visits, but shouldn't carry permanent credentials.
Managing this with manual processes — adding users to AD groups, emailing IT for access tokens, revoking credentials via helpdesk ticket — is how orphaned accounts accumulate. Every orphaned contractor account is an open door with no one watching it.
2. Meeting the Parent Company's Zero Trust Mandate Without Disrupting Operations
Global headquarters are increasingly mandating Zero Trust architectures for their GCC operations in India. For GCC IT leaders, this typically arrives as an unfunded, poorly specified directive: "We need Zero Trust. Figure it out by Q3."
Zero Trust, properly implemented, requires identity verification at every access request — not just at login. Every application, every resource, every transaction must verify who is asking, from what device, under what risk conditions. Getting there without disrupting the daily operations of thousands of employees requires phased deployment, intelligent policy management, and an identity platform capable of real-time, context-based access decisions — not just a password and a push notification from three years ago.
3. Complying With India's Regulatory Framework — Which Is Still Being Written
India's Digital Personal Data Protection Act (DPDPA) has implications that most GCCs are still mapping. The Act places specific obligations on data fiduciaries, and identity access management sits at the centre of any defensible compliance posture — demonstrating control over who accessed what data, on which device, and when.
CERT-In's 2022 directive, mandating incident reporting within six hours of detection, raises the operational stakes further. A credential compromise that goes undetected for 48 hours — routine when authentication systems lack anomaly detection — creates a compliance exposure that no legal team wants to explain to a regulator in New Delhi or the parent company's General Counsel in New York.
The answer is not more VPNs. It is not a more complex password policy. It is a layered identity security architecture built for the way GCCs actually operate.
Here is what that looks like in practice. A 3,000-person GCC in Hyderabad — running engineering and finance operations for a US financial services firm — has three distinct user populations: 2,200 full-time employees, 600 rotating contractors from four different IT outsourcing vendors, and roughly 200 parent-company executives who access systems remotely from the US. Each group carries a different risk profile and a different access lifecycle.
A mature identity architecture handles all three simultaneously:
Phishing-Resistant MFA replaces push notifications for high-risk users and privileged access scenarios. FIDO2-based hardware keys or device-bound passkeys verify the user and the registered device together — eliminating the prompt-bombing vector entirely. Even a stolen password is worthless without the physical device. For GCCs under CERT-In's six-hour reporting mandate, eliminating this attack vector is not optional.
Device Trust ensures that every access request is assessed against a health baseline at the moment of login. Is the OS patched? Is endpoint protection active? Is it a managed device? BYOD policies become manageable when the access decision accounts for device health in real time, not on a quarterly audit schedule — which is the standard most Indian enterprises are still running.
Adaptive Authentication eliminates the false choice between security and friction. A finance team member logging in from their registered laptop at 9 am in Hyderabad clears quickly. The same account logging in from an unrecognised device in a new city at 2 am gets stepped up automatically — no helpdesk ticket, no disruption to the 2,200 employees with routine access patterns.
Zero Trust Network Access (ZTNA) replaces the VPN model that gives compromised credentials network-level access. Under ZTNA, access is granted to specific applications — not the network — and identity is verified at each request. A contractor in a Pune IT outsourcing firm whose credentials are compromised cannot pivot from the payroll application to the source code repository. The blast radius of any breach is contained by design, which is exactly what DPDPA data access controls require.
Centralised Visibility gives the security team a single, real-time view of every authentication event across every application. When anomalies surface — a login spike from an unrecognised geography, a series of failed authentication attempts on a privileged account — the team can respond in minutes. Which matters when CERT-In requires incident reporting in six hours, not six days.
Cisco Duo for GCC environments in India has become the identity platform of choice for enterprises managing distributed teams across multi-cloud infrastructure and complex contractor ecosystems. The reason is straightforward: Duo deploys into the existing stack without requiring the parent organisation to restructure anything.
Duo integrates natively with Active Directory, Azure AD, Microsoft 365, AWS, Okta, SAP, and the other platforms that GCCs typically inherit from their parent organisations. No rip-and-replace. No months-long migration. No negotiation with headquarters about rebuilding their directory because you're adding MFA in India. For GCCs running multi-cloud identity management across AWS and Azure simultaneously — which describes most enterprise GCCs in Bangalore and Hyderabad today — this is the critical differentiator.
Duo's policy engine supports differentiated authentication across all GCC user types — full-time employees, contractors, vendors, and parent-company visitors — with distinct access windows, device trust requirements, and authentication methods for each group. Contractor access can be time-bounded and automatically revoked. Privileged users can be required to use phishing-resistant FIDO2 authentication. Parent-company executives get seamless access from managed devices without permanent credential exposure.
The phishing-resistant layer — FIDO2, WebAuthn, device-bound passkeys — directly addresses the prompt-bombing vulnerability that has made push-based MFA a liability for high-value targets. Duo's real-time dashboard gives GCC security teams the authentication visibility and anomaly detection needed to meet CERT-In's reporting requirements without building a separate monitoring capability. And for Indian GCCs navigating DPDPA compliance, Duo's access logs provide the auditable trail of who accessed what data, from which device, and when — exactly what data fiduciary obligations require.
For GCC IT leaders evaluating identity security options in India:
| Capability | Cisco Duo | Microsoft Authenticator | Legacy Push MFA |
|---|---|---|---|
| Phishing-resistant (FIDO2) | Yes — native | Partial (Entra ID only) | No |
| Prompt bombing protection | Yes — number match + FIDO2 | Partial — number match only | No |
| Device trust enforcement | Yes — all device types | Limited to managed devices | No |
| BYOD support | Full | Partial | Limited |
| Multi-cloud identity (AWS+Azure) | Yes | Azure-first | Vendor-dependent |
| Contractor / vendor access mgmt | Yes — time-bound, auto-revoke | Limited | Manual |
| CERT-In audit trail | Yes — full auth logs | Yes | Partial |
| DPDPA access controls | Yes | Yes | Limited |
| Works without restructuring parent AD | Yes | Requires Azure AD | Yes |
| India deployment partner available | Yes — Cisco Preferred Partners | Varies | Varies |
India's GCC story represents genuinely extraordinary economic ambition. The scale of what has been built in Bangalore, Hyderabad, Pune, and Chennai over the last decade is, by any measure, historic.
But there is a structural vulnerability running through it. GCCs hold parent-company data, parent-company IP, and parent-company access credentials — and most of them are operating identity security architectures that were adequate in 2019 and are insufficient in 2025. The attackers have updated their methods. The compliance environment has tightened. The workforce model has changed permanently.
If your GCC is still relying on legacy push-based MFA, VPN-dependent remote access, or manual processes for contractor credential management, the question is not whether you have exposure. The question is whether you find it before someone else does.
Speak with a Cisco Duo specialist at Proactive Data Systems. We'll assess your current identity security posture and map a phased deployment to phishing-resistant, Zero Trust authentication — designed for your GCC, approved by your headquarters. Schedule a 30-minute assessment.