Lowering the cost of regulatory compliance in public sector with virtual desktop infrastructure


Over the last few years, the Indian government has undertaken widespread digitization of citizen-centric services and governance solutions. The Digital India program has become a model for public sector digitization across the globe. Turnkey initiatives such as Unique Identification Number (UID) and Unified Payments Interface (UPI) have not only enhanced the citizen experience, but also made governance more efficient, transparent, and faster. 

With digitization, however, public sector agencies are expected to function as effective digital organisations. In the absence of prior experience managing digital infrastructure at scale, numerous gaps have surfaced as noted by authorities like MEITY and CERT-in. Key guidelines issued in regulations like the Information Technology Act (ITA) and Digital Personal Data Protection Act (DPDP) require public sector organisations to safeguard sensitive data using a set of prescribed approaches. However, complying with these regulations and guidelines is proving challenging and expensive for government agencies due to a number of factors, which are discussed below. 

These factors point to an urgent need for rethinking legacy approaches to digitising the public sector, especially from the purview of end-user computing. Public sector and government organisations need to ease compliance and management burdens on their IT teams, and also play their part in building safe and citizen-friendly government services. 

Regulatory compliance for government agencies: a 2024 perspective 

With the Digital India initiative, government bodies like SEBI, RBI, and MEITY have issued updated guidelines for public sector agencies to ensure secure and consistent delivery of digital services to users. Here are some of these key guidelines: 

Guidelines for Information Security Practices for Government Agencies 

Issued by CERT-in, this document prescribes key practices for ensuring network, application, and database security in public sector organisations. These include effective network isolation for core apps, enabling logging for network devices, facilitating secure remote access, and implementing role-based access controls (RBAC).

Guidelines for Indian Government Websites (GIGW 3.0) 

This updated guideline enables government bodies to build secure websites, apps, and portals by applying a lifecycle approach to building and managing digital solutions. Key prescriptions include MFA for database and application security, disabling dormant accounts, encrypting traffic, implementing RBAC, logging and monitoring, and allowing authorised endpoints only. 

Replacing OTP-based 2-factor authentication (2FA) with principle-based authentication

This mandate, issued by the Reserve Bank of India (RBI), applies to all banking and financial services organisations. It focuses on principles rather than rigid rules and allows for various approaches based on context and risk: authentication adapts to the specific context of the transaction, and the level of authentication adjusts based on risk factors.

Similar to this mandate, SEBI requires financial organisations to verify all mutual fund transactions with 2FA. While these regulations and guidelines enable secure and effective administration of digital services, complying with them can prove challenging for the public sector and government organisations. 

Current gaps in the public sector digital infrastructure 

Adopting the approaches prescribed in the above guidelines can prove challenging for PSUs in India, due to their legacy computing infrastructure. Such organisations typically have legacy firmware, data centers, cloud services, and a variety of end-user machines working under the hood of modern web apps and portals. 

In such technology environments, adhering to simple prescriptions, like isolating sensitive apps from WAN network traffic or implementing MFA, can prove expensive. Typically, these organisations use two machines per user – one to deliver core apps, and another to meet their other computing requirements.

Similarly, enabling remote access for employees requires configuring their machines as well as customising their legacy applications, which can prove difficult and expensive, especially as such organisations operate in urban as well as rural, poorly connected areas. Even after configuration, IT administrators rely on the employees to keep their applications and machines up to date.

Such limitations can result in the following costs: 

  1. Provisioning multiple devices to achieve segmentation for core application access.
  2. Transport of devices to and from IT departments for configuration and management.
  3. Manual configuration of each device to ensure compliance with security policies.
  4. Increased IT overheads due to high management workloads on administrators.
  5. Integration and customisation costs for running new applications alongside legacy applications.

This results in high compliance costs, which PSUs may be unable to afford due to limited funding and IT budgets. Ultimately, organisations continue to operate in a non-compliant state and risk the compromise of confidential data and citizen trust. 

Virtual Desktop Infrastructure: a modern approach to compliance 

The good news is that PSUs and government agencies can mitigate the above costs by rethinking their approach to end-user computing. Virtualization is a powerful strategy to meet modern security requirements prescribed by guidelines such as GIGW 3.0 and infosec practices recommended by CERT-in while operating with modest budgets that are characteristic of PSUs.  

More specifically, virtual desktop infrastructure, or VDI, represents an effective approach to delivering computing solutions to end users while maintaining complete control over the user environment and actions. VDI enables employees of government organisations to access key applications on any machine, without requiring IT administrators to provision, manage, or repair their physical machines. In simpler terms, VDI delivers a snapshot of official applications and environments to end users.

Here are a few ways in which VDI enables PSUs and government agencies to comply with security regulations: 

  1. Standardisation: By adopting VDI, PSUs can ensure that all their security policies are enforced in a uniform manner and that each end-user environment is uniformly configured with least privilege.
  2. Centralised Management & Monitoring: With VDI, IT admins can manage user identities and access privileges and run security checks from a central location. This also eliminates the need to configure physical machines in person or manually.
  3. Endpoint control: VDI enables IT admins to restrict the actions that users can take on their endpoints. For instance, they can restrict internet access when a sensitive app is open, or offer restricted and monitored access to third parties.

However, VDI should not be regarded as a silver bullet that can help PSUs solve all their compliance requirements cost-effectively. Some VDI solutions can be expensive or incompatible with key technologies that might already be present in your stack. 

Acing compliance with Accops VDI for governments 

Accops VDI is a comprehensive solution that has been designed to help government organisations comply with the security requirements of modern regulations. It has been designed to fit seamlessly into mixed and hybrid technology environments of government organisations.  

More importantly, Accops VDI eliminates the need for multiple vendors in your virtualization stack and offers competitive licensing options for PSUs. This makes the VDI infrastructure simpler and cheaper, resulting in 40% lower TCO in the long run. In addition, Accops offers key capabilities that are vital to complying with key security guidelines and regulations. These include: 

  1. Secure delivery of modern and legacy apps to users located anywhere and on any network. 
  2. Cloud or hypervisor-agnostic VDI solution that can be deployed in any environment. 
  3. Zero-trust network access gateway that can be deployed over cloud, on-prem, or hybrid infrastructures.  
  4. Monitoring, logging, and endpoint control capabilities, which eliminate all risks of insider threats. 

As government agencies embrace their Digital India horizons, complying with new security regulations will be essential to ensure the safe delivery of services to citizens and businesses. Accops VDI represents a universal and cost-effective approach to security compliance for PSUs in a digital-first era.  

Get in touch with us at contact@accops.com to learn how Accops VDI can transform compliance and end-user computing at your organisation.