VPN Services: Follow rules or leave India: MoS Rajeev Chandrasekhar to VPN service providers
[ad_1]
Chandrasekhar was speaking at the release of the Frequently Answered Questions (FAQs) on the Cert-In guidelines, which were issued on April 28.
VPN service providers must follow the law of the land while operating in the country, he said.
“If you don’t have the logs, start maintaining the logs. If you are a VPN that wants to hide and be anonymous about those who use VPNs to do business in India and do not want to go by these rules, then frankly pull out of India. That is the only opportunity you have,” Chandrasekhar said.
The set of directives and guidelines apply to all companies and enterprises operating in India. These include prompt reporting of cyber-security breaches and maintaining customer data, among others.
Apart from enterprises, VPN service providers were asked to maintain a log of their customers, with details such as their names and the purpose for which the VPN service was used.
Discover the stories of your interest
Some VPN service providers had said that they would not comply with the directives and would instead choose to stop their services in India if they were forced to follow the directives.
Chandrasekhar also said that VPN service providers, data centre operators, cloud service providers, and enterprises had an obligation to know who was using their infrastructure so that if there was an incident of a cyber breach from their side, these service providers would be obliged to make available the relevant data to Cert-In.
“At that point, you cannot say that it is our internal rule that we do not maintain log. If you do not maintain logs, then this is not a good place to do business,” he said.
In the FAQs released on Wednesday, Cert-In said that depending on the sector in which the organization was functioning, logs of firewall, intrusion prevention system, web, database, proxy servers, critical system event, and others must be maintained.
ET has reported previously that enterprise and corporate VPN service providers have, however, been exempt from the requirement of maintaining and reporting these logs.
ET had earlier also reported that the government would, while seeking such data from these service providers follow the right administrative or legal process.
Though it is not necessary for VPN service providers to store the log data in India, such data must be produced by them if asked by Cert-In, according to the FAQ. The directives will be applicable 60 days from April 28, when they were first put out.
[ad_2]
Source link