Updated: 11 Apr 2026
The contract arrives for renewal. New security addendum. The client, a US financial services firm and a European pharmaceutical company, now requires documented MFA across every environment where their data is accessed. Developer workstations. CI/CD pipelines. Every remote session to their production systems. Evidence of compliance before signature.
The IT services firm's CISO reads it twice.
Most pure-play IT services firms in Bengaluru, Hyderabad, and Pune have MFA on corporate email and VPN. It does not cover everything beyond it. Developer access to client production environments typically runs through a separate tunnel. The shared administrator account on the client's legacy system authenticates with a password. The delivery centre, where three teams work across three client projects on the same infrastructure, has a VPN but not MFA on every client-facing access point.
MFA for Indian IT services firms must cover not just corporate access but every client-facing environment - developer workstations, delivery centre networks, and legacy client system access - to satisfy SOC 2 Type II, ISO 27001, and client contract security clauses.
Indian IT services firms face a compliance pressure no global counterpart does - client-mandated SOC 2 from overseas enterprise clients running simultaneously with CERT-In audit obligations and DPDPA data protection requirements.
SOC 2 Type II certification requires documented evidence of MFA enforcement on all systems with access to client data - including developer workstations, CI/CD pipelines, and production environment access. The audit finds the gap between policy and reality every time. The contract clause is the same finding, arriving earlier and with a commercial deadline.
The client is not asking for an architecture diagram. They are asking for confirmation that every access point to their data is protected by a second factor, and that logs exist to prove it.
Cisco Duo, Cisco's identity security platform, covers every client access environment from a single console without requiring those systems to be replaced. Authentication logs are individually attributed, timestamped, and exportable in the format an enterprise client's security team will request.
In Proactive's Cisco Duo deployments across pure-play IT services firms in Bengaluru, Hyderabad, and Pune, the credential audit consistently finds client environment access points not covered by the existing MFA policy - developer accounts reaching production, shared service accounts with no individual attribution, and vendor connections that predate the current security standard.
The contract clause asks about exactly these access points. The audit finds them first.
Proactive is a Cisco Preferred Security Partner deploying Cisco Duo for Indian IT services firms, engineering services companies, and GCCs - including SOC 2 compliance deployments and client contract MFA requirements across Bengaluru, Hyderabad, and Pune.
The contract renews in 45 days.
The credential audit starts now. Talk to a Proactive Cisco Duo specialist and take the first step.
We'll get back to you shortly.
