The GCC That Passed Its SOC 2 Audit Still Got Breached. Here Is Why.

Updated: 09 Apr 2026

The SOC 2 Type II report is clean. The parent company's information security team reviews and approves it. The GCC's compliance workstream is marked complete. The CTO sends the report to the client relationship managers for use in renewal conversations.

Six months later, a breach investigation starts. 

The investigation does not find a missing control. It finds the gap between what the SOC 2 audit scope covered and what the GCC's authentication reality looked like. 

What the Audit Found and What the Breach Found 

SOC 2 Type II certification for GCCs covers the controls around customer and client data as defined in the audit scope. It does not, by default, cover developer access to client production environments, contractor credentials across the GCC's technology estate, or privileged access to infrastructure outside the defined scope boundary. 

The audit found that MFA was deployed on corporate email and the primary VPN. The breach found that developer access to a US financial services client's staging environment ran through a separate tunnel with no second factor, that a contractor who completed a data engineering project four months earlier still held active credentials to the GCC's analytics infrastructure, and that three domain administrator accounts belonged to employees who had transferred to another entity within the parent company group without formal offboarding from the GCC's systems. 

None of these were in the SOC 2 scope. All of them were in the breach investigation. 

The Dual Compliance Problem Specific to GCCs

GCCs handling data for parent companies in regulated industries face simultaneous SOC 2 obligations from the parent and CERT-In and DPDPA obligations under Indian law, with enforcement arriving from two different regulatory directions. The SOC 2 scope is defined by the parent company's audit requirements. The CERT-In scope covers every system the GCC operates in India. 

The gap between those two scopes is where the exposure sits. 

In Proactive's Cisco Duo deployments across GCC environments in Bengaluru, Hyderabad, and Pune, the credential audit consistently finds access that falls outside the SOC 2 scope but inside the CERT-In audit perimeter: contractor credentials, developer production access, and privileged accounts the parent company's audit did not examine.  

What Cisco Duo Covers 

Cisco Duo, Cisco's identity security platform, covers the full GCC authentication surface: corporate systems inside the SOC 2 scope and everything outside it. Client-environment developer access, contractor remote access, privileged administrator accounts, and the legacy systems the SOC 2 auditor did not examine. Named individual authentication. Logs that satisfy CERT-In 180-day retention requirements and SOC 2 evidence standards simultaneously. 

Proactive is a Cisco Preferred Security Partner deploying Cisco Duo for GCC environments across Bengaluru, Hyderabad, and Pune: dual compliance deployments, parent company audit evidence, and CERT-In-ready authentication logs. 

The SOC 2 report was clean. 

The breach found what the audit did not look for. 

Talk to a Proactive Cisco Duo specialist for your MFA journey. Write to [email protected]