CHALLENGES
What does it take to overhaul local admin access and password control across 50,000 endpoints without disrupting a single user? That was the critical challenge Northern Trust faced. The company also faced scalability and compliance challenges related to privileged access management, and risks from long-lived SSL/TLS certificates, which extend the window in which a compromised key can be abused and allow outdated encryption settings to persist.
Northern Trust is one of the world's largest and most respected financial institutions, and security and compliance are at the core of its operations. However, its existing endpoint privilege management tool presented more problems than protection.
Although the tool was technically deployed, it had significant limitations. “The list of challenges before and after we implemented our legacy tool was almost identical,” said Manish Dixit, director of cybersecurity engineering at Northern Trust. “It was like not having a solution at all.” With over 23,000 employees across the globe, they needed better control over user access, more stringent policies and a clearer line of sight into security gaps.
At the time, only 40% of endpoints met basic password rotation requirements. Without centralized control, employees managed their own local admin passwords. This practice led to weak credentials, shared accounts and frequent lockouts when users forgot or mistyped passwords.
With licensing renewal on the horizon, and a complex IT environment that included non-persistent VDIs, global remote users and layered regulatory demands, Northern Trust needed a smarter, faster way forward.
Internal alignment would be essential. They had to get the rollout right the first time.
– Manish Dixit
Director of Information Security Engineering, Northern Trust
SOLUTIONS
Joining forces with implementation partner SDG Corporation, Northern Trust chose the Idira Identity Security Platform consisting of: Idira Endpoint Privilege Manager (EPM), Idira Privileged Access Manager (PAM), Self-Hosted, Idira Secrets Manager, Self-Hosted, Idira Code Sign Manager and Idira Certificate Manager, Self-Hosted.
This would be their largest deployment to date. How could it be implemented without disrupting business workflows? The answer was a structured, three-phase rollout designed to reduce disruption, maintain security and improve compliance across the financial services business.
Phase 1: The team deployed Idira EPM and PAM, Self-Hosted in coexistence mode alongside the legacy system to prevent operational impact. They began with the loosely connected devices (LCD) feature, focusing on quick wins and validation. By assigning a specific number of endpoints each day and monitoring them closely, SDG Corporation was able to control the impact and help deliver a seamless experience. “We were able to manage local admin rights using Idira EPM and rotate credentials on a periodic basis to keep them compliant,” said Manish Dixit. “With automated password rotation, we significantly lowered the support burden for IT. We achieved better compliance and fewer tickets,” he added.
Phase 2: A meticulous policy mapping process ensured that all functionality was preserved, while unnecessary complexity was removed. The legacy agent was disabled in place rather than uninstalled, reducing technical risk during the transition. Despite the scale of the change, the financial services organization experienced no disruption to end users. “We went through a thorough round of testing to ensure a seamless cutover, and that’s exactly what we achieved,” said Nikhil Rao, director of endpoint privilege management and privileged access management at SDG Corporation. “We had regression test cases, policy dry runs, and stakeholder reviews — all of which let us deploy with confidence,” he continued.
Phase 3: Northern Trust expanded the capabilities of Idira EPM even further. They introduced just-in-time (JIT) admin access through ServiceNow, supported by a custom two-level approval workflow. Application control was tightened through targeted allowlisting and blocking, while new integrations with Microsoft Sentinel (formerly Azure Sentinel) enabled detection of threats that had previously gone unnoticed.
According to Vaibhav Nigam, managing director at SDG Corporation, “Idira EPM (formerly CyberArk) was able to detect attack types that the existing SIEM couldn’t. The simulated attacks triggered alerts in EPM — but not in the existing SIEM. That gave us confidence in the product’s threat detection capabilities.”
To address their privileged access challenges, the company implemented a human identity (HID)-centric program, significantly expanding their human identity security footprint. They migrated from a single on-prem instance to two self-hosted instances in Azure, separating human identity management from secrets management for machine identities. They also cleaned up account data, resolved Central Policy Manager (CPM) issues and developed a real-time Power BI dashboard for compliance reporting.
When it came to tackling machine (non-human) identities, the company onboarded nearly 400 applications with Idira Secrets Manager, Self-Hosted, dramatically improving the security of machine identities. Additionally, they integrated Certificate Manager, Self-Hosted to manage their digital certificates more securely, implementing a policy that requires all SSL/TLS certificates to be renewed every six months. They also use Idira Code Sign Manager to securely sign both Microsoft code and Java applications.
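The six-month renewal policy above is easy to state but only useful if it is checked against the certificates actually in use. The following is an added example, not code from Northern Trust, SDG Corporation or the Idira products: it audits a set of X.509 certificates against an assumed 180-day maximum lifetime (the page's "six months", approximated here) and an assumed 30-day renew-soon window. The three certificates are constructed self-signed test certificates built inline so the block runs offline; in practice `AuditCertificates` would be fed certificates parsed from PEM files or collected from TLS endpoints.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MaxCertLifetime is the assumed policy ceiling: certificates must be renewed
// at least every six months, approximated here as 180 days.
const MaxCertLifetime = 180 * 24 * time.Hour

// RenewWithin is an assumed operational threshold for "renew soon" warnings.
const RenewWithin = 30 * 24 * time.Hour

// Finding is one certificate's status against the policy.
type Finding struct {
	Subject    string
	Lifetime   time.Duration
	ExceedsMax bool // issued validity period longer than the policy allows
	Expired    bool
	RenewSoon  bool
}

// AuditCertificates compares each certificate's issued validity period with
// MaxCertLifetime and its remaining validity (as of now) with RenewWithin.
func AuditCertificates(certs []*x509.Certificate, now time.Time) []Finding {
	findings := make([]Finding, 0, len(certs))
	for _, c := range certs {
		lifetime := c.NotAfter.Sub(c.NotBefore)
		remaining := c.NotAfter.Sub(now)
		findings = append(findings, Finding{
			Subject:    c.Subject.CommonName,
			Lifetime:   lifetime,
			ExceedsMax: lifetime > MaxCertLifetime,
			Expired:    remaining <= 0,
			RenewSoon:  remaining > 0 && remaining <= RenewWithin,
		})
	}
	return findings
}

// NonCompliant returns the subjects of certificates that violate the policy
// (issued for longer than MaxCertLifetime) or that have already expired.
func NonCompliant(findings []Finding) []string {
	var out []string
	for _, f := range findings {
		if f.ExceedsMax || f.Expired {
			out = append(out, f.Subject)
		}
	}
	return out
}

// newSelfSigned builds a constructed self-signed certificate for the example.
func newSelfSigned(cn string, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SampleCertificates returns three constructed certificates covering the
// outcomes: compliant but due for renewal, lifetime too long, and expired.
func SampleCertificates(now time.Time) ([]*x509.Certificate, error) {
	day := 24 * time.Hour
	specs := []struct {
		cn        string
		notBefore time.Time
		lifetime  time.Duration
	}{
		{"ok.example.test", now.Add(-70 * day), 90 * day},       // 20 days left
		{"long.example.test", now.Add(-30 * day), 365 * day},    // breaks policy
		{"expired.example.test", now.Add(-200 * day), 120 * day}, // ended 80 days ago
	}
	certs := make([]*x509.Certificate, 0, len(specs))
	for _, s := range specs {
		c, err := newSelfSigned(s.cn, s.notBefore, s.lifetime)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}

func main() {
	now := time.Now()
	certs, err := SampleCertificates(now)
	if err != nil {
		panic(err)
	}
	findings := AuditCertificates(certs, now)
	for _, f := range findings {
		fmt.Printf("%-22s lifetime=%3.0fd exceedsMax=%-5v expired=%-5v renewSoon=%v\n",
			f.Subject, f.Lifetime.Hours()/24, f.ExceedsMax, f.Expired, f.RenewSoon)
	}
	fmt.Println("non-compliant:", NonCompliant(findings))
}
```

The two checks are deliberately separate: `ExceedsMax` catches certificates that were issued for too long, which is the policy the page describes, while `RenewSoon` is the operational signal that drives the rotation itself. A certificate can pass the first and still fail the second, and an audit that only reports expiries would never surface the long-lived certificates that motivated the policy.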
RESULTS
Northern Trust was able to onboard all 50,000 endpoints in just 16 days — with zero incidents. Perhaps most notably, password rotation compliance jumped from 40% to over 95%, significantly reducing one of the banking organization’s most pressing risks.
“Idira (formerly CyberArk) EPM has the capability to whitelist, blacklist, JIT access, and more — our risk team loves us for that,” said Manish. “The control granularity and automation saved our support teams hours.” Privilege elevation entitlements were reduced by more than 30%, and critical compliance gaps were closed by extending coverage to the parent images of non-persistent VDIs, so that every desktop spawned from an image inherits the same controls. The rollout not only improved security and compliance; it streamlined operations without compromising the user experience. Integration with SIEM and ITSM systems further strengthened governance and reduced support overhead.
“We built custom dashboards using EPM logs, application usage, and AD data,” said Nikhil Rao. “That helped us enforce real controls — not just deploy software,” he affirmed.
The improved PAM program was successfully onboarded and now manages approximately 70,000 accounts — a growth of around 250%. Compliance posture improved significantly through real-time reporting, streamlined data and more reliable credential management. The modernized, scalable architecture in Azure positions the company for continued growth and future security enhancements.
The team’s efforts to secure non-human and machine identities led to a 300% increase in application security coverage and a significantly strengthened security posture. By enforcing shorter certificate lifetimes, the company reduced its exposure from compromised or outdated certificates and positioned itself for more agile and automated certificate management.
By modernizing its approach to endpoint privilege management, privileged access management and machine identity security, Northern Trust didn’t just meet its security and compliance goals; it raised the bar. The financial institution’s success shows that with the right technology, partners and execution, large-scale transformation can be fast, secure and user-friendly. That success ultimately earned Northern Trust the 2025 Identity Security Impact Award for Cyber Risk Reduction.
- Efficiency: Eliminated overhead caused by legacy EPM licensing and complexity and secured 50,000 endpoints in 16 days.
- User experience: The coexistence model allowed full migration with zero outages or downtime.
- Financial sector compliance and governance: Privilege elevation entitlements reduced by 30% and password rotation improved from 40% to over 95%. Audit-ready controls and detection integrated with ServiceNow and Microsoft Sentinel.