India’s complexities with connecting through VPN while working from home: A perspective

India’s IT industry, in its topsy-turvy situation urged by the COVID-19 pandemic, has gone through phases of shock, reconciliation, adjustment, adaptation, and creating new working norms. Ministries, working in tandem, had to create situation-based protocols and policies that had to work its way in setting new uniform working standards across industries. And one such decision taken by the Union Minister for Information Technology (IT), Ravi Shankar Prasad, in response to the IT Industry’s request to facilitate work from home for Other Service Providers (OSPs), is the decision to relax the terms and conditions for connectivity norms for ‘Work From Home’ (WFH), applicable on IT and BPO companies until July 31^st.

In March, DoT had relaxed certain norms for Other Service Providers (OSP) till April 30th to facilitate WFH amid the coronavirus pandemic. But with extensions in lockdowns and social distancing norms setting-in the deadline for the relaxed norms for WFH was extended till July 31^st.

Companies, earlier to revised WFH relaxation, were not allowed to connect office Virtual Private Network (VPN) to home infrastructure, a rule that was subsequently relaxed in view of the pandemic. As the government had already instructed IT/ITeS/BPO and other contact center-based organizations to strategize a process of bringing back its workforce at a strength of 33%, post lifting the lockdown means that companies would still have a large percentage of its employees working out of their homes.

In view of this relaxation, NASSCOM also resonated on the decision to extend the timelines on relaxed norms for Other Service Providers (OSPs) to facilitate work from home, which will help IT and BPO firms to plan their strategy of bringing back workforce to offices, in a gradual and phased manner.

So, with the extension in place, it is for the companies to ascertain that the required infrastructure for employees working from their homes be met. To get a better understanding of how DoT compliant communication-based infrastructure support is exploited with specific focus on VPN, opinions from companies, association bodies, and legal professionals, were sought by Voice&Data.

Feasibility checks on VPN

VPNs are used when an organization has remote employees working outside of a main office and at disparate geographies. When an organization has a remote workforce, VPNs can be used to securely connect the workforce to the organization’s private network. VPNs use encryption to create a secure tunnel in a public or shared network, like the public internet. Although VPNs emphasize creating a secure connection and allow employees working from home to connect to an organization’s network, there are certain limitations. It is known that it works well for few organizations and for others alternative and more secure connectivity systems were relied upon.

Telecom representative bodies’ opinion

Well, if WFH is going to be a new normal then the country must obviously bring in new policies that suit the conditions spelling out new rules and objectives. Both COAI and BIF intend to lend their shoulders in support of the WFH policy-making involving telecommunication services and infrastructure.

Rajan S Mathews, DG, COAI, is in the opinion that during this critical lockdown period, the telecom sector has proved to be the backbone of the country to ensure people remain not only socially connected but are also able to perform their work-related functions, information is processed and disseminated.

“While the telecom infrastructure has enabled the work from home for the last 40 days, it is evident that for further enabling a larger cross-section of the ITeS sector workforce to work from home it is imperative that the enhancement of connectivity in these residential areas is done in a dedicated and focussed manner. This implies giving timely approvals for Right of Way Applications (RWAs) to install digital infrastructure of mobile towers and optical fiber cable by the local administrations. RWAs should also facilitate the enhancement of this infrastructure. Considering that the ITeS sector plays an important role in providing both domestic and international services industry and contributes substantially to the economy, India must form an official policy soon and as the telecom industry, we are ready to support and would be happy to play the enabling role to keep India Always Connected.”

T V Ramachandran, President, Broadband India Forum (BIF) opines that the global Corona outbreak has affected normal life across the globe like never before. While adopting social distancing and physical isolation to contain and prevent further spread of the pandemic, it is equally essential to devise adaptive ways to maintain business continuity and ensure the economy keeps running and jobs and livelihoods are not lost.

“The IT/ITES sector, comprising a strong part of the Indian economic system, has been proactive in adopting the WFH model for their employees, so as to maintain near normalcy in their business operations. The industry as well as the Government, have been extremely supportive in acknowledging this massive shift in broadband usage patterns and related issues around Work-from-Home (WFH) and adapting to the current circumstances.

It would seem that in spite of the impending end of the nationwide lockdown, WFH is likely to be the new norm. And hence, BIF is in complete support of the need for a calibration of the existing policies to support WFH on a long-term basis.

Going forward, this needs to be integrated in the new WFH Policy, so that the relaxation granted on the Corporate VPN may be extended on a permanent basis,” expresses Ramachandran on BIF’s intentions to support DoT’s decisions related to WFH policies.

That the DoT has extended the waiver on the existing policy and regulations to OSPs till the end of July to help maintain operations, is an extremely positive action on their part. There is scope for us to consider this should be made permanent, and BIF will be supporting the discussions in this area.

In the new WFH environment, it is neither feasible at all locations, nor cost-effective to have PPVPN from a TSP/ISP everywhere. Hence, relaxation has been sought on this ground and the same has been granted by the Government during the interim till 31^st July 2020. Going forward, this needs to be integrated in the new WFH Policy, so that the relaxation granted on the Corporate VPN may be extended on a permanent basis,” expresses Ramachandran on BIF’s intentions to support DoT’s decisions related to WFH policies.

But the question is does VPN work for all?

OSPs provide employment to over 4 million agents. These companies usually have a redundancy plan but never a plan for a situation where they would need to have their agents work remotely. The current situation requires building remote working infrastructure including highspeed internet connections and laptops for their agents to work from home.

The WFH regulations require a PPVPN connection from the OSP center to the home of the agent and calls for a bank guarantee of 1 crore which is highly cumbersome. There are 6000 OSPs registered with DOT, with none applied for this license.

Responding immediately to the decision on VPN norms relaxation, Balbir Bora, Founder, Whitewater Solutions, feels that there are the few challenges faced with this government relaxation.

Bora says that there was no readiness from the OSP or their employees at the time of sudden lockdown, they did not have a license to work remotely. DOT in all of this has issued a relaxation for allowing OSP agents to WFH but with the condition, the agents need to use VPN. Bora believes VPN is a redundant technology that not only needs heavy infrastructure but also a good amount of time to deploy. The relaxation also calls for INR 5,00,000 of penalty per home agent in case of non-compliance. He cites this move as draconian and says that all of this created a situation of confusion, panic, and loss of business.

Bora argues that earlier TRAI gave recommendations based on ‘Revised Terms and conditions for OSP registration’ to DoT in October 2019. He feels that so far there has been no action in the recommendation, which could have been prioritized over the temporary relaxation till July 31st.

Bora says  VPN is a redundant technology that not only needs heavy infrastructure but also a good amount of time to deploy. The relaxation also calls for INR 5,00,000 of penalty per home agent in case of non-compliance. He cites this move as draconian and says that all of this created a situation of confusion, panic, and loss of business.

“OSP’s need time to deploy the required infrastructure for remote working. This will include migrating over to the cloud-based data and voice application to accommodate remote and flexible working which in turn will also reduce the overhead cost of maintaining the office infrastructure and logistics. DoT also needs to allow WFH independent of technology by not insisting on the use of a VPN.

These solutions have to be technology-neutral and cannot be just one technology-dependent like DoT-recommended VPN. Cloud technologies have made it possible to work remotely with the zero-trust architecture and omnichannel supporting voice and data in a secure platform. With the advent of secure technologies like VDIs and other endpoint session-based secure technologies give the same security and control to track the agent tasks and do the forensics. The cloud technologies are not Capex intensive and are scalable allowing flexibility to work from anywhere,” voices Balbir Bora.

Well for Bora, VPN might be a compulsive choice, but for Virender Jeet, Senior Vice President, Sales & Marketing/Products of Newgen Software says, “VPN works well for us and is being used to access the internal as well as customer networks for all delivery and support tasks. To enable all users to work from home, Newgen has provided a VPN access to all the users. “Through VPN, users can connect to the network and access their assigned workstations. And after logging into the workstations they can perform all the activities required to deliver such as coding, source code management, and customer support.”

Cloud technologies have made it possible to work remotely with the zero-trust architecture and omnichannel supporting voice and data in a secure platform.

Sify Technologies, on the other hand, is quite comfortable too with VPN. “Yes, the required infrastructure is in place for every one of the employees working from home. This includes secure internet access through company VPN tunnel, security fabric on each of the access points and higher than regular backup of all information. The servers are also purged for any suspicious activity on random visits. As pioneers in the field of network management and security, our VPN tunnel has stood the test of time. Any client information accessed is through a triple layer of security and after due process has been followed for such access grant. As a precautionary measure, access pools of resources for any client critical, mission-critical data is now restricted to only the senior level of managers,” reveals the company spokesperson of Sify Technologies.

Data security – the primary concern with VPN

If WFH is going to be the new norm, then the VPN connection would also be the new norm. While most employees will now be using VPN systems, cybersecurity experts have raised alarm bells on companies falling for phishing attacks that steal VPN account credentials or customer data.

Raising a pertinent question in this association, Balbir Bora, Founder, Whitewater Solutions asks, “How can you ensure that customer data is still not misused with VPN systems? Customer data protection is a business agreement between the customer and the OSP which is determined on country-specific data protection laws. There may be confidential data for which customers may have not allowed to process from home, but of course, there are technologies with capabilities to monitor and control the data and the remote agent.”

Newgen Software’s Virender Jeet says that to ensure data protection, while employees connect to company servers through VPN systems, Newgen has enforced policies such as restriction of USB, copy/paste from the network, no storage drive re-direction, and has even restricted users from adding a printer.

Sharing more details on security measures through VPN, Ananthakrishnan Vaidyanathan, Product Manager at ManageEngine, says, “Depending on the enterprise’s business continuity needs, & security setup, there are different options which must be used individually or in combination to securely access enterprise data. While VPN secures the data during transit, it also allows improperly secured personal devices to indirectly be a part of the enterprise network, giving malicious actors an easier gateway into the enterprise network while letting employees store the enterprise data locally increasing the chances of unauthorized access.”

To tackle all these security issues, Vaidyanathan says that these problems can be addressed using remote desktop sharing (RDS), as employees access the secure work devices and not the data, present in the enterprise, using the former to work on the latter. Virtual desktop interface (VDI) is an advancement over RDS as it provides each employee with a dedicated VM including individual memory & CPU, ensuring additional security, suggests Vaidyanathan.

For organizations dealing with cloud services, SD-WAN provides in-built network security besides application awareness. Another advantage with SD-WAN is that they’re self-healing, ensuring high availability (HA) and minimizing troubleshooting efforts.

“No matter what the means of remote access is, proper management of endpoints is required to ensure data security. These measures will ensure the devices accessing (and storing) the corporate data are reasonably secure minimizing chances of being exploited by malicious actors to gain unauthorized access to enterprise data and/or enterprise networks. With teleworking forcing enterprises to embrace BYOD, enterprises now need to contend with multiple devices types running on different operating systems. This is where endpoint security solutions come into the picture. Enterprises can use such solutions to apply these security measures over-the-air without any hassles,” shares Vaidyanathan.

Ian Shearer, Managing Director, APAC, Park Place Technologies, suggests that before implementing technology controls, one should have well-defined policies around what data can be shared.

Certainly, endpoint security solutions have great advantages. But there are several practical steps an organization can take to enforce data protection while its workforce is in a work-from-home mode. Ian Shearer, Managing Director, APAC, Park Place Technologies, suggests that before implementing technology controls, one should have well-defined policies around what data can be shared, how it can be shared or communicated and where it can be stored?

“Organizations should be wary of allowing employees to share data externally without protection. The use of public Internet-based file sharing such as Google Drive, DropBox, and others outside of enterprise control presents a risk to protection of data. Instead, organizations should control access to these web applications through proxy services or DNS services such as Cisco Umbrella (formerly Open DNS). Also, discussion on data protection cannot include sharing via email. In addition to clear policies of what kinds of information can be sent via email, technology controls can be utilized, such as attachment size and type limitations, enforced encryption and controls around which email domains may be acceptable to send messages,” warns Ian Shearer.

When it comes to data security it is just not enough to gather opinions from enterprise cybersecurity experts. It is also necessary to understand from a legal point of view on what companies must do to ensure that customer data is protected and is securely maintained while employees connect to company servers through VPN.

Sharing a legal opinion, Tony Verghese, Partner, JSA, says, “Ensuring the implementation of a strong work from home policy coupled with timely training of the employees in reminding them of their obligations of compliance as regards to company data and confidentiality is the primary responsibility of the employer. Given the lack of a full-fledged data privacy law being in force at present (other than the Information Technology Act) in India, the employers are dependent on their contracts being robust particularly the employment agreement and the WFH policies. This will allow the employer to have a strong enforcement option, should there be a breach. Further, the employer will also need to ensure that it puts in place appropriate technological infrastructure and firewalls to allow information to only be accessed securely (such as through VPN) towards complying with its obligations of protecting the data of customers.”

It is evident that most organizations are comfortable with VPN. It works for most when the organization's data security protocols are in perfect order. In the days to come, it is certain that much of the world will work from home. Therefore, the onus is on GoI to frame policies bearing VPN as a connectivity option.