Macksofy Technologies
BFSI · Application Security
India · Enterprise · 2026

Mumbai listed bank cut standing privilege 78% in 60 days — pre-inspection IAM tightening with dual-vault rationalisation

A BSE-listed Mumbai private bank engaged Macksofy 90 days before the annual RBI CSITE Cell inspection. BloodHound + ROADrecon enumeration surfaced six kerberoastable tier-0 service accounts and an ESC4 path from junior-RM workstations to Domain Admin. Sixty days later, standing privilege was down 78%, dual PAM vaults were rationalised by scope (not by swap), and the inspection cleared first-pass.

Tags: Active Directory, Zero Trust, PAM, BloodHound, ROADrecon, FIDO2, BFSI, RBI MD-ITGRC, SEBI CSCRF, Mumbai
Engagement summary

  • Client: Mumbai-headquartered listed private bank
  • Sector: BFSI
  • Region: India
  • Engagement: Application Security
  • Year: 2026
  • Duration: 10 weeks
  • 78% standing privilege reduction (60-day window)
  • 6 kerberoastable tier-0 service accounts closed
  • 0 after-hours incidents during MFA rollout
  • ~₹7 cr deferred PAM migration spend (18-month deferral)
The challenge

What the client was up against.

Inspection clock + dual-vault sprawl

The bank's RBI inspection was 90 days out and the CISO's prior internal audit had flagged 'identity controls' as the single highest-priority remediation theme. Two PAM vaults — a 2014-vintage CyberArk instance owned by IT Ops and a 2019-vintage Delinea instance owned by treasury — sat in unresolved tension, with privileged accounts duplicated, password-rotation cadence inconsistent, and break-glass procedures undocumented in writing. Service-account sprawl was the unspoken backlog: 1,400+ service accounts in the core-banking realm, 30% of which were marked `password-never-expires` and another 12% with domain-admin-equivalent rights.

Three-shift treasury operation

Treasury ran a three-shift operation across BKC HQ and the Mahape DR site. Any tier-0 control change had to survive the shift handover, the SWIFT operator's after-hours break-glass workflow, and the Mahape-site contractor-access path. A previous IAM consultant had attempted a phishing-resistant MFA rollout that triggered three after-hours incidents and had been rolled back; the CISO needed a methodology that wouldn't repeat that failure.

Approach

How we ran the engagement, phase by phase.

Phase 01

01 · Identity inventory + tiering

  • Authoritative-directory mapping across on-prem AD (5 forests), Entra ID, ADFS and the bank's two third-party IdP federations
  • Tier-0 / tier-1 / tier-2 classification of 8,200 human + 1,400 service identities
  • Privileged-account census reconciled against the CyberArk and Delinea vault inventories
  • Shadow-IAM discovery via SaaS SSO logs + finance-procurement records
Phase 02

02 · Attack-path enumeration

  • BloodHound CE enumeration across the core-banking forest — 412k edges processed
  • ROADrecon Azure AD enumeration including dynamic-group rule analysis
  • ADCS certificate-template path validation (ESC1–ESC8)
  • Service-account kerberoasting + DCSync rights enumeration
Phase 03

03 · PAM rationalisation (no vendor swap)

  • Vault-by-vault privileged-account census across CyberArk + Delinea
  • Scope-by-team consolidation plan — IT keeps CyberArk, treasury keeps Delinea, dual-vaulted accounts collapsed by ownership
  • JIT / JEA workflow design for break-glass with dual-control + alerting
  • Service-account migration to gMSAs + LAPS for local-admin sprawl
Phase 04

04 · MFA rollout + tier-0 isolation

  • FIDO2 phishing-resistant MFA pilot on tier-0 admins (38 users)
  • Phased rollout sequence aligned to treasury shift schedule and Mahape break-glass workflow
  • Conditional Access policy redesign in Entra ID with location + risk + device gates
  • AAD Connect server reclassified as tier-0; hardening checklist applied
Phase 05

05 · Evidence + audit-committee dashboard

  • RBI MD-ITGRC + SEBI CSCRF clause-mapped evidence pack
  • Board-level identity-risk dashboard (standing-privilege count, MFA %, JIT activations, trend)
  • 12-month Zero Trust maturity roadmap with CAB-aware change windows
  • Audit-committee briefing slide for the quarterly cyber review
Findings

What we surfaced — severity, title, real-world impact.

Critical

ADCS ESC4 — junior-RM workstation to Domain Admin

A misconfigured certificate template allowed any domain user to enrol with arbitrary SAN. From a junior-RM workstation we forged a certificate as a Domain Admin in under 4 minutes. Closed pre-disclosure by removing the unsafe enrolment ACL and re-templating.

Critical

Six kerberoastable tier-0 service accounts

Three accounts had `password-never-expires` set, two had passwords last rotated in 2018, and one had domain-admin-equivalent rights and was still a member of a defunct treasury group. All six surrendered hashes to a standard kerberoasting workflow inside 30 seconds; password complexity allowed offline cracking in under 4 hours for two of them.

Critical

Dual-vault break-glass gap

Neither vault's break-glass procedure was documented for the after-hours SWIFT operator workflow. A live drill surfaced a 22-minute window during a shift handover where a tier-0 break-glass could have been used without dual-control or alerting. Closed with a documented workflow and alerting gates inside two weeks.

High

AAD Connect server reachable from corporate-network tier

The AAD Connect server sat in the corporate-network VLAN and was reachable from workstations. Compromise of AAD Connect would have yielded synchronised privileged credentials to the cloud tier. Reclassified as tier-0, isolated to a dedicated VLAN, and added to the protected-systems list.

High

Standing-privilege sprawl in service accounts

168 service accounts held domain-admin-equivalent rights and 312 held cross-realm DCSync rights. Inventory plus tiered remediation cut the counts to 36 (DA-equivalent) and 71 (DCSync) inside 60 days.

Medium

Stale ADFS administrators

Twelve departed-employee accounts were still active in the ADFS administrators group, three of which had not signed in since 2022. Removed and replaced with a quarterly review workflow tied to HR offboarding.
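One way to triage an account export for the hygiene signals behind the kerberoastable-service-account and stale-ADFS-admin findings above (SPN present, password-never-expires, stale rotation or sign-in, tier-0 membership), written as an added example over a constructed sample and not the bank's data or Macksofy's tooling. The attribute names, the tier-0 group list and the 365/180-day thresholds are assumptions.

```python
from datetime import datetime, timedelta, timezone

# AD userAccountControl bit for DONT_EXPIRE_PASSWORD.
DONT_EXPIRE_PASSWORD = 0x10000
# Groups treated as tier-0 / DA-equivalent here (assumed list; adjust per environment).
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "ADFS Administrators"}
# Fixed reference time so the constructed sample is deterministic.
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)

# Constructed sample export shaped like a Get-ADUser / LDAP dump (not real bank data).
ACCOUNTS = [
    {"sam": "svc-corebank", "spn": ["MSSQLSvc/cbs01:1433"], "uac": 0x10200,
     "pwd_last_set": datetime(2018, 3, 2, tzinfo=timezone.utc),
     "last_logon": NOW - timedelta(days=1), "member_of": ["Domain Admins"]},
    {"sam": "svc-report", "spn": ["HTTP/rpt01"], "uac": 0x200,
     "pwd_last_set": NOW - timedelta(days=20),
     "last_logon": NOW - timedelta(days=2), "member_of": []},
    {"sam": "j.departed", "spn": [], "uac": 0x200,
     "pwd_last_set": NOW - timedelta(days=900),
     "last_logon": datetime(2022, 5, 1, tzinfo=timezone.utc),
     "member_of": ["ADFS Administrators"]},
]

def audit(accounts, now=NOW, stale_pwd_days=365, stale_logon_days=180):
    """Return {sam: (severity, reasons)} for every account that needs review."""
    findings = {}
    for a in accounts:
        reasons = []
        if a["spn"]:
            reasons.append("kerberoastable: has SPN")
        if a["uac"] & DONT_EXPIRE_PASSWORD:
            reasons.append("password-never-expires")
        if (now - a["pwd_last_set"]).days > stale_pwd_days:
            reasons.append(f"password not rotated in {stale_pwd_days}+ days")
        if (now - a["last_logon"]).days > stale_logon_days:
            reasons.append(f"no sign-in for {stale_logon_days}+ days")
        if not reasons:
            continue
        tier0 = bool(TIER0_GROUPS & set(a["member_of"]))
        if tier0 and (a["spn"] or a["uac"] & DONT_EXPIRE_PASSWORD):
            severity = "Critical"   # tier-0 identity with an offline-crackable secret
        elif tier0:
            severity = "High"       # tier-0 identity with hygiene gaps (e.g. stale admin)
        elif a["spn"]:
            severity = "Medium"     # roastable but unprivileged: rotate or move to gMSA
        else:
            severity = "Low"
        findings[a["sam"]] = (severity, reasons)
    return findings
```

Feed it the output of an LDAP or Get-ADUser export with the same keys and the Critical rows are the candidates for gMSA migration or vault custody first.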

Outcome

What changed for the client.

First-pass RBI inspection clearance

The annual RBI CSITE Cell inspection cleared on the first pass with no clarification request on identity controls. The inspector explicitly commended the ADCS ESC4 closure and the dual-vault scope-by-team rationalisation as 'mature, documented and demonstrably enforced'.

78% standing-privilege reduction in 60 days

The baseline standing-privilege count of 1,712 tier-0/1 standing accounts (including service identities) fell to 376 in 60 days. The remaining 376 accounts have documented business justification, vault custody and a quarterly-review cadence.

Phishing-resistant MFA rolled out without after-hours incident

FIDO2 / passkey-based MFA was rolled out across 4,800 admin and finance accounts in three phases, sequenced against the treasury shift schedule. There were zero after-hours break-glass incidents during rollout. The prior consultant's failed attempt was specifically referenced by the CISO as the methodology baseline this engagement had to beat.

Dual-vault rationalisation deferred 18 months without operational risk

Rather than the expensive single-vendor migration the bank had been preparing to budget for, the scope-by-team consolidation kept both vaults in production with clean ownership boundaries. The CISO's IT-investment plan deferred a ~₹7 crore vault migration by 18 months.

The previous IAM consultant rolled back after three break-glass incidents. Macksofy planned around our three-shift treasury, sequenced the changes with our CAB calendar, and got us through the RBI inspection without a single clarification request. That's the methodology we wanted.
CISO, Mumbai-listed Private Bank