Identity Security & Zero Trust in Mumbai · BFSI Tier-0

Macksofy delivers identity-security and Zero Trust engagements for Mumbai-headquartered banks, NBFCs, AMCs and listed corporates from our Bandra Kurla Complex base. The Mumbai BFSI identity estate has a distinctive shape: an on-prem Active Directory still authoritative for core-banking and treasury, Entra ID syncing a partial cloud footprint, two parallel PAM tools owned by separate teams (the bank IT team's CyberArk vs the treasury team's Delinea), and a long tail of shared service-accounts created during the last decade of CBS migrations. Every engagement begins by mapping that real-world identity surface — not the org chart's version of it.

Mumbai-headquartered private banks and PSUs face explicit identity-control evidence asks from RBI's CSITE Cell during the annual inspection cycle. RBI Master Direction on IT Governance, Risk, Controls and Assurance (November 2023) demands authentication evidence at the application-tier, JIT/JEA evidence for privileged sessions, and break-glass-with-dual-control evidence for tier-0 access. SEBI CSCRF Annexure-K duplicates the ask for broker-and-AMC subsidiaries, with the addition of OMS-to-exchange-gateway service-account hygiene. Macksofy's engagement output maps line-by-line to both circulars so the inspector's clarification-call ends in one round.

BloodHound + Azure AD attack-path enumeration is the technical heart of phase 1. On a typical Mumbai private bank the first enumeration surfaces five to nine kerberoastable service accounts inside the core-banking realm, a tier-0 ESC1/ESC4 certificate-template path from a junior-RM-class workstation, at least one over-privileged backup-service account with cross-realm DCSync rights, and a stale ADFS-server admin group with departed-employee accounts still membership-active. ROADrecon then enumerates the Azure AD side — the unintended Global Administrator promotion via dynamic-group rule, the AAD Connect server's SYSTEM-to-cloud-admin path, and the OAuth grants made by ex-employees that nobody has ever reviewed.

PAM rationalisation is rarely a clean tool-swap in Mumbai BFSI. The bank's CyberArk vault, deployed in 2014 for IT operations, sits in tension with the treasury team's Delinea instance, deployed in 2019 for SWIFT-edge access, and the recent HashiCorp Vault deployment by the cloud team for AWS secrets. Macksofy maps every privileged identity to the right vault, identifies the standing-privilege accounts that should never have been in a vault to begin with, and produces a phased consolidation plan that survives the bank's CAB calendar without breaking the SWIFT operator shift schedule.

Phishing-resistant MFA rollout — FIDO2 keys, smart-card or certificate-based — is the single highest-ROI tier-0 control. Macksofy's Mumbai engagements include a phased rollout playbook calibrated to the bank's three-shift treasury operation, the after-hours break-glass workflow at the Mahape DR site, and the contractor-access path through the BCP-secondary VPN. The plan accounts for the on-prem ADFS that some Mumbai banks still front-end to SaaS apps — phishing-resistant MFA must work consistently across the on-prem and Entra paths, not just at the cloud edge.

Service-account hygiene is the Mumbai BFSI control that most consistently fails inspector scrutiny. The typical estate has 300-900 service accounts, of which 30-50% are shared, 40-60% have passwords older than the inspector wants to see, and 5-15% have password-never-expires and domain-admin equivalence. Macksofy delivers a service-account inventory in week one, a tiered remediation plan in week two, and the actual rotation execution in weeks three through six — using LAPS for local-admin accounts, gMSAs for service accounts that support them, and managed-secrets in the appropriate vault for the rest.

The deliverable includes the board-level identity-risk dashboard that the bank's audit committee asks for at every quarterly cyber review: standing-privilege count over time, MFA coverage percentage by tier, JIT activation count by quarter, stale-account count, and the trend-line vs the previous quarter. This dashboard is the single most-asked-for artefact from RBI-inspected banks; the same data underpins the inspector's evidence-pack acceptance.

Mumbai engagement scheduling respects the bank's release-train and the regulator's inspection-window. Identity-control changes are sequenced for the calmest operational window — typically post-quarterly-close and pre-RBI-inspection — with a documented rollback per change. The senior consultant on the engagement is physically reachable at the bank's BKC, Lower Parel, Mahape or Andheri MIDC sites inside four hours including a monsoon-traffic buffer; remote sessions for the deep-technical phases happen from the Macksofy BKC office to keep latency to AAD APIs negligible.