Financial services
35,000 employees
A Fortune 500 financial services firm
92% reduction in standing privilege across production
Consolidated 47 regional bastion hosts and three standing VPN paths into a single Wardengate control plane. Privileged sessions for 2,100 operators and 340 third-party contractors now flow through one audited gateway with identity-bound policy and broker-injected credentials.
The challenge
Privileged access had grown across four regions with no single inventory. Bastion hosts multiplied after each acquisition, VPN paths gave contractors standing network reach, and audit evidence required correlating tickets, syslog, and shell history across dozens of systems.
The approach
- Deployed Wardengate in shadow mode alongside existing bastions for three weeks.
- Imported IdP groups and mapped them to identity-bound policy rules in git.
- Cut over SSH first, then RDP and database access, one protocol at a time.
- Retired bastion hosts only after parallel evidence collection matched SOC 2 CC6 requirements.
Results
- 47 bastion hosts decommissioned over 14 months with zero production incidents.
- 2,100 operators and 340 contractors on named, recorded sessions only.
- Quarterly access reviews reduced from three weeks to four days using structured exports.
“We stopped having the argument about who can reach what. The policy answers it, and the policy is in git.”