G-Drive, Dropbox, VPN services banned for central govt employees: Know why

New Delhi: The Central government has barred employees from using virtual private networks (VPN) as well as third-party non-government platforms such as Google Drive and Dropbox. The move comes just weeks after the Centre announced a policy that directed VPN service providers and data centre companies to store user data for up to five years.

The order passed by the National Informatics Centre (NIC) has been circulated to all ministries and departments and all government employees are required to comply with the directive.

As per reports, the 10-page document ordered employees to "not upload or save any internal, restricted, confidential government data or files on any non-government cloud service," citing an increased number of cyberattacks and threat perception to the government.

The document is titled "Cyber Security Guidelines for Government Employees."

In addition to restricting employees from using the popular cloud services, the government instructed employees through its directive to not use any third-party anonymisation services and VPNs, including NordVPN, ExpressVPN, Tor, and proxies. Additionally, it directed the workforce to refrain from using "unauthorised remote administration tools" such as TeamViewer, AnyDesk, and Ammyy Admin, among others.

Government employees are also directed to not use any "external email services for official communication" and conduct "sensitive internal meetings and discussions" using "unauthorised third-party video conferencing or collaboration tools."

The government additionally ordered employees to not "use any external websites or cloud-based services for converting/ compressing a government document". It also directed the workforce to not use "any external mobile app-based scanner services" including CamScanner for "scanning internal government documents.

Alongside restricting the usage of certain apps, the government's order also directed employees to not 'jailbreak' or 'root' their mobile phones.

The directive also ordered employees to take measures including the use of complex passwords as well as updating passwords once in 45 days and updating the operating system and BIOS firmware with the latest updates and security patches.

"All government employees, including temporary, contractual/ outsourced resources are required to strictly adhere to the guidelines mentioned in this document," the order said. "Any non-compliance may be acted upon by the respective CISOs/ department heads."

The order was released on June 10 after a couple of revisions in the original draft made by the NIC. It included inputs from India's Computer Emergency Response Team (CERT-In) and was approved by the Ministry of Electronics and Information Technology (MeitY) secretary.