For a firm specializing in institutional governance, administration, risk, and compliance services in the asset management industry, security is the foundation of trust. With billions in assets under administration and a client base that includes some of the world’s largest institutional investors, ensuring that only the right people had access to sensitive financial systems was paramount.
Yet, as their digital transformation accelerated, cracks began to appear in their identity and access management approach. The legacy authentication framework, once sufficient, was now a liability. Static credentials, fragmented authentication mechanisms, and outdated privileged access controls left them vulnerable to modern cyber threats. Worse, their existing model relied on implicit trust within the network, making it difficult to detect and contain lateral movement in the event of a breach.
Recognizing the urgency of the situation, leadership made a bold decision: it was time for a fundamental shift to Zero Trust authentication and privileged identity security. The goal was clear - replace legacy solutions, decommission outdated infrastructure, and rebuild a modern, identity-first security model that would not only meet regulatory expectations but set a new standard for security within the asset management sector.
A Security Model That No Longer Worked
The company had grown significantly over the years, but its security architecture had not evolved at the same pace. Authentication was still largely perimeter-based, relying on static passwords and VPN access for remote employees and third parties. Privileged accounts used to reach high-value systems were not consistently monitored, creating gaps in visibility and control.
When a routine security assessment revealed multiple instances of orphaned privileged accounts and inconsistencies in access management across business units, it became evident that this wasn’t just an operational inefficiency - it was a security risk. Every additional account, every unchecked permission, was an open door for attackers to exploit.
The company needed a new strategy, one that assumed breach as the default state and verified every access request dynamically. It needed Zero Trust.
From Legacy to Leading-Edge: The Zero Trust Transformation
When our team was brought in, the mandate was clear: eliminate implicit trust, modernize authentication, and bring privileged access under strict control. Rather than attempting to patch existing systems, we took a more strategic approach – to replace, decommission, and rebuild from the ground up.
The first step was reimagining how users authenticated. We replaced legacy authentication systems with a federated identity model, ensuring that every login, whether from an employee, contractor, or privileged administrator, was verified against a central identity provider. Passwords, long the weakest link in authentication, were gradually phased out in favor of passwordless, phishing-resistant methods such as FIDO2 and certificate-based authentication. Instead of treating every login attempt equally, risk-based policies now determined the level of verification required: stronger authentication was demanded for high-risk scenarios (an unenrolled device, an unfamiliar location, a high-value target system), while access was streamlined for low-risk ones.
With authentication modernized, the next challenge was privileged identity security. Gone were the days of static administrator accounts with standing access to critical systems. Instead, we implemented a just-in-time (JIT) privileged access model, where elevated permissions were granted only for the exact time needed and revoked immediately after. Every privileged session was monitored in real time, with AI-driven analytics detecting unusual behavior, whether it was an admin logging in from an unfamiliar location or executing commands that deviated from their normal activity.
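The two mechanisms described above, risk-based step-up and just-in-time privilege, can be sketched in code. The following is an added illustrative example written for this page; it is not the firm's or any vendor's implementation. The risk weights, the one-hour elevation ceiling, the rule that administrators may only log in from enrolled devices, the peer-approval requirement, and the sample session and baseline are all assumptions made for the example. It also shows one concrete way "commands that deviated from normal activity" can trigger immediate revocation of a grant, which the text describes only in outline.

```python
# Added illustrative example (not the firm's or any vendor's code): a risk-based
# step-up policy plus a just-in-time (JIT) privilege broker with expiring grants,
# peer approval, and a baseline check over a privileged session's commands.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class LoginContext:
    user: str
    role: str            # "employee", "contractor" or "admin" (assumed roles)
    known_device: bool   # device is enrolled with the identity provider
    geo_familiar: bool   # location matches the user's recent sign-in history
    target_tier: int     # 0 = low-value app ... 2 = high-value financial system


def required_assurance(ctx: LoginContext) -> str:
    """Decide how strong the login must be for this request.

    Returns "sso" (an existing federated session suffices), "fido2"
    (phishing-resistant re-authentication required) or "deny".
    The weights below are assumed policy values, not from the original page."""
    if ctx.role == "admin" and not ctx.known_device:
        return "deny"                       # admins only from enrolled devices
    score = ctx.target_tier
    score += 0 if ctx.known_device else 2
    score += 0 if ctx.geo_familiar else 2
    score += 1 if ctx.role in ("admin", "contractor") else 0
    return "fido2" if score >= 2 else "sso"


@dataclass
class Grant:
    user: str
    system: str
    expires_at: datetime
    approved_by: str
    revoked: bool = False


class JitBroker:
    """Issues time-boxed privileges; nothing is ever granted without an expiry."""
    MAX_TTL = timedelta(hours=1)            # assumed ceiling for one elevation

    def __init__(self, now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._now = now                     # injectable clock, so expiry is testable
        self._grants: List[Grant] = []

    def request(self, user: str, system: str, ttl: timedelta, approved_by: str) -> Grant:
        if approved_by == user:
            raise PermissionError("self-approval of privileged access is not allowed")
        if ttl <= timedelta(0):
            raise ValueError("ttl must be positive")
        grant = Grant(user, system, self._now() + min(ttl, self.MAX_TTL), approved_by)
        self._grants.append(grant)
        return grant

    def is_authorized(self, user: str, system: str) -> bool:
        now = self._now()
        return any(g.user == user and g.system == system and not g.revoked
                   and g.expires_at > now for g in self._grants)

    def revoke(self, user: str, system: str) -> int:
        """Revoke early, e.g. when session monitoring flags the user. Returns count."""
        n = 0
        for g in self._grants:
            if g.user == user and g.system == system and not g.revoked:
                g.revoked = True
                n += 1
        return n

    def active(self) -> List[Grant]:
        """Live grants; an empty list means no one holds standing privilege."""
        now = self._now()
        return [g for g in self._grants if not g.revoked and g.expires_at > now]


def unusual_commands(session: List[str], baseline: Set[str]) -> List[str]:
    """Commands in a privileged session whose program is absent from the admin's baseline."""
    return [c for c in session if c.split()[0] not in baseline]


def demo() -> Dict[str, object]:
    """Walk the whole flow on constructed sample data with a controllable clock."""
    clock = [datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)]
    broker = JitBroker(now=lambda: clock[0])
    out: Dict[str, object] = {}
    out["employee_low"] = required_assurance(LoginContext("eve", "employee", True, True, 0))
    out["admin_high"] = required_assurance(LoginContext("alice", "admin", True, True, 2))
    out["admin_unknown_device"] = required_assurance(LoginContext("alice", "admin", False, True, 2))
    try:
        broker.request("alice", "ledger-db", timedelta(minutes=30), approved_by="alice")
        out["self_approval_rejected"] = False
    except PermissionError:
        out["self_approval_rejected"] = True
    grant = broker.request("alice", "ledger-db", timedelta(hours=8), approved_by="bob")
    out["ttl_capped_minutes"] = int((grant.expires_at - clock[0]).total_seconds() // 60)
    out["authorized_now"] = broker.is_authorized("alice", "ledger-db")
    # Constructed session: the last command does not match alice's usual tooling.
    baseline = {"psql", "kubectl", "git"}
    session = ["psql -h ledger-db", "kubectl get pods", "scp /tmp/ledger.dump ext-host:/tmp"]
    out["flagged"] = unusual_commands(session, baseline)
    if out["flagged"]:
        broker.revoke("alice", "ledger-db")
    out["authorized_after_revoke"] = broker.is_authorized("alice", "ledger-db")
    broker.request("carol", "trade-api", timedelta(minutes=30), approved_by="bob")
    clock[0] += timedelta(hours=2)          # let every grant age out
    out["expired_after_ttl"] = not broker.is_authorized("carol", "trade-api")
    out["standing_grants"] = len(broker.active())
    return out


if __name__ == "__main__":
    print(demo())
```

The injectable clock is deliberate: an expiry check that silently calls the wall clock cannot be unit-tested, and a JIT broker whose expiry has never been tested is just a standing-access system with extra steps. In a real deployment the broker would sit behind the identity provider's approval workflow and the revocation would be driven by the session-monitoring pipeline rather than an in-process list.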
In parallel, we tackled the technical debt of legacy identity infrastructure. The reliance on Active Directory for authentication was gradually reduced, making way for a cloud-first identity architecture. VPN-based access to privileged systems, a lingering relic of a bygone era, was replaced with Zero Trust Network Access (ZTNA), ensuring that every access request was validated dynamically even from inside the corporate network. Service accounts, once managed through spreadsheets and static credentials, were integrated into a secrets management system, so that credentials were rotated automatically and access to them was strictly controlled.
The Results: Identity Security Reimagined
The transformation was more than a technical upgrade; it was a cultural shift. Security was no longer viewed as an obstacle but as an enabler of trust, resilience, and business continuity.
Within months, authentication friction for employees was significantly reduced, thanks to seamless passwordless login. At the same time, security had never been stronger, with every access request continuously verified against real-time risk signals. Privileged account misuse, once a top concern, was largely eliminated, with just-in-time access ensuring that no user held unnecessary standing privileges.
More importantly, the company had moved beyond compliance checkboxes to a truly modern security posture. With Zero Trust principles deeply embedded into its architecture, it could confidently demonstrate to clients and regulators that security was not just a requirement - it was a competitive advantage.