Financial Services · BACEN · PCI-DSS · Migration · LATAM

Top-tier Brazilian retail bank cuts PAM operational cost 58% — and cleared the next BACEN audit in two weeks

April 22, 2026 · 8 min read

Customer

Top-5 Brazilian retail bank

Sector

Financial Services

Scale

40,000+ employees · 1,200+ privileged accounts in scope

Region

LATAM (HQ São Paulo) · Tier-1 regulated by BACEN

The Challenge

The bank had run an incumbent enterprise PAM stack since 2014. By 2024 the deployment had grown to 14 VMs across two datacenters (vault, session proxy, password rotator, web tier, plus a dedicated analytics tier) and required 4.5 dedicated FTEs to operate. Quarterly BACEN audits consumed 300+ person-hours producing privileged-account inventories, access reviews, and reconstructed session evidence for sampled dates. The straw that broke the camel's back was a January 2025 audit finding: the bank could not produce session recordings for two specific dates inside the retention window, because a storage tier migration had silently broken playback for older recordings.

The Approach

Phase 1 — Parity assessment and migration design (3 weeks)

Joint engineering review of the incumbent PAM configuration. 1,200 privileged accounts inventoried; 380 service accounts found that were no longer in active use and could be retired. The remaining 820 accounts mapped to DataDike's vault structure with no functional gaps. Migration broken into 6 cohorts by blast radius.

Phase 2 — DataDike deployment + first cohort (4 weeks)

HA pair deployed in the bank's primary and secondary datacenters with native cross-site replication. IdP integration with Microsoft Entra ID. SIEM forwarding to the existing Splunk Enterprise. First cohort: 60 Linux jump hosts and SSH bastions. Full audit trail validated by the internal SOC team within the first week.

Phase 3 — Cohort migration (5 weeks)

Cohorts 2–6 onboarded in two-week waves: Windows server admins, database administrators, network device administrators, vendor-access workflows, and finally the Tier-0 domain controller cohort. Each wave triggered credential rotation, which surfaced 47 hardcoded credentials in legacy scripts; these were remediated as part of the wave. No production incidents during cutover.

Phase 4 — Parallel-run + decommission (2 weeks)

Both platforms ran in parallel for 14 days. Audit output reconciled against the incumbent. Operators cut over on a single weekend; incumbent components decommissioned over the following month after the regulatory retention threshold for sessions recorded on the old platform was satisfied via SIEM cold storage.

The Outcome

VMs to operate the PAM stack: 14 → 2

FTEs required to run the platform: 4.5 → 1.5

Reduction in annual PAM operational cost: 58%

Time to produce clean BACEN audit evidence post-cutover: 2 weeks (down from 6 weeks)

Average time to reconstruct an arbitrary historical session: < 15 minutes

Production incidents during migration: zero

The audit cycle that used to consume two-thirds of a quarter now consumes one sprint. The operational savings paid for the migration before we even renewed the previous contract. The unexpected win was the credibility we built with the regulator — when BACEN auditors arrived and we produced evidence in front of them in real time, the relationship changed.

CISO, Top-5 Brazilian retail bank
