Case Study: Fortune 500 Bank Reduces Audit Prep Time by 90% with OmniPriv

Learn how a leading financial institution replaced a complex, legacy PAM setup with OmniPriv — cutting audit preparation time from weeks to hours and achieving continuous compliance.

OmniPriv Team
January 12, 2026

Background

This case study describes the privileged access management transformation of a Fortune 500 financial services group operating across 22 countries. The organisation manages over £400 billion in assets and employs approximately 28,000 people globally. Due to contractual confidentiality, the organisation is not identified by name.

The bank operated a legacy PAM infrastructure assembled over more than a decade. The environment included three separate PAM platforms serving different business units, acquired through different vendor relationships at different times. Additionally, a significant portion of the environment — particularly in acquired subsidiaries — had no PAM coverage at all, with privileged access managed through shared password spreadsheets and informal processes.

The Challenges

Audit preparation was consuming the team. The bank's information security team spent approximately six weeks preparing for each annual SOC 2 and PCI-DSS audit cycle. Evidence collection across three separate PAM platforms, plus the manually managed areas, required extensive manual effort. Historical session logs were held in multiple formats, making correlation and reporting time-consuming.

Coverage gaps created regulatory risk. The fragmented PAM landscape meant that auditors would periodically identify gaps in privileged access controls — systems or business units where coverage was absent or incomplete. Each gap required a remediation plan and created ongoing regulatory engagement overhead.

Operational overhead was high. Managing three separate PAM platforms required specialists familiar with each system's administration model. Credential rotation was not consistently automated across all platforms. Access reviews were conducted manually, with review requests sent by email and tracked in basic spreadsheets.

The integration landscape was complex. The bank used ServiceNow for ITSM, Microsoft Sentinel as their primary SIEM, Active Directory and Azure AD for identity, and Oracle and SQL Server for their core banking databases. Each legacy PAM platform had partial or no integration with these systems.

The Decision

Following a competitive evaluation, the bank selected OmniPriv to replace all three legacy PAM platforms in a phased migration over 18 months. Key selection criteria were: a single platform covering all required asset types (Windows, Linux, databases, cloud, network devices), native integrations with ServiceNow, Microsoft Sentinel, and Active Directory, pre-built compliance report templates for PCI-DSS and SOC 2, and a migration path that did not require all-or-nothing cutover.

The Migration

The migration followed a phased approach by asset class and business unit. Phase one focused on the highest-risk, highest-scrutiny environments — the Payment Card Industry cardholder data environment and the investment banking systems. Phase two covered the retail banking and operations environments. Phase three addressed acquired subsidiaries and non-standard systems.

Each phase involved: discovery of existing privileged accounts in the target scope, onboarding into the OmniPriv vault, configuration of automated rotation, enablement of session recording, and cutover from direct administrative access to gateway-proxied access.

The database proxy capability was particularly valuable. Oracle database access in the investment banking environment had been a consistent audit gap — the legacy systems did not support native session recording for Oracle. OmniPriv's database proxy provided transparent session recording and query logging for Oracle connections without requiring changes to the Oracle environment.

Outcomes

Audit preparation time reduced from six weeks to under three days. The OmniPriv compliance module generates the complete evidence package for PCI-DSS Requirements 7, 8, and 10 and for SOC 2 CC6 from a single report generation interface. Evidence that previously required manual collection from multiple systems and extensive formatting is produced on demand in auditor-ready format.

Zero audit findings relating to privileged access controls. In the two audit cycles completed since full deployment, no findings related to privileged access management have been issued by external auditors.

Privileged account inventory from 38,000+ to under 12,000. The discovery and reconciliation exercise identified and removed over 26,000 stale or unneeded privileged accounts accumulated across the legacy systems. The 12,000 remaining accounts all have documented owners, business justifications, and are subject to automated lifecycle management.
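The discovery-and-reconciliation step described in the migration phases and in this outcome, as an added illustration that is not OmniPriv's code or the bank's: a small Python triage over a constructed discovery export that first merges the same account reported by more than one legacy platform, then decides whether each account is onboarded, held until an owner or justification is documented, or retired as stale. The 90-day threshold, the reference date and every account and host name are assumptions.

```python
from datetime import date, timedelta

# Reference date and stale threshold are assumptions made for this example.
TODAY = date(2026, 1, 12)
STALE_AFTER = timedelta(days=90)

# (account, system, owner, justification, last_used); constructed data, not the bank's.
DISCOVERED = [
    ("svc_oracle_batch", "orcl-ib-01", "dba-team", "nightly settlement jobs", date(2025, 12, 20)),
    ("svc_oracle_batch", "orcl-ib-01", "", "", date(2025, 11, 1)),  # same account, second platform
    ("adm_legacy_x", "win-ops-07", "", "", date(2024, 3, 2)),
    ("root", "lnx-retail-12", "platform-eng", "", date(2026, 1, 5)),
    ("sa", "sql-core-03", "", "core banking maintenance", date(2026, 1, 10)),
    ("backup_op", "win-sub-02", "sub-it", "backup restores", None),  # never observed in use
]

def merge_duplicates(records):
    """Collapse the same account on the same system reported by several platforms,
    keeping the most recent use and any owner or justification that was recorded."""
    merged = {}
    for account, system, owner, why, used in records:
        m = merged.setdefault((account, system), {"account": account, "system": system,
                                                  "owner": "", "justification": "", "last_used": None})
        m["owner"] = m["owner"] or owner
        m["justification"] = m["justification"] or why
        if used and (m["last_used"] is None or used > m["last_used"]):
            m["last_used"] = used
    return list(merged.values())

def triage(acct, today=TODAY):
    """Decide what happens to one merged account before vault onboarding."""
    if acct["last_used"] is None or today - acct["last_used"] > STALE_AFTER:
        return "retire", "no recorded use within %d days" % STALE_AFTER.days
    if not acct["owner"]:
        return "hold", "no documented owner"
    if not acct["justification"]:
        return "hold", "no business justification"
    return "onboard", "owner and justification documented"

def reconcile(records, today=TODAY):
    """Return {decision: [(account, system, reason), ...]} for a whole discovery export."""
    out = {"onboard": [], "hold": [], "retire": []}
    for a in merge_duplicates(records):
        decision, reason = triage(a, today)
        out[decision].append((a["account"], a["system"], reason))
    return out
```

Accounts on the "hold" list are the ones that need an owner or justification assigned before they can be onboarded; "retire" candidates should still be confirmed with the system owner before removal.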

Operational team capacity freed. The three-platform administration workload that previously required specialists in each legacy system was consolidated to a single OmniPriv administration team, freeing significant capacity that has been redeployed to other security initiatives.
