The realities facing this European pension fund had all the makings of a perfect storm: increasing cyberattacks, a cloud-first strategic initiative and a demand for greater efficiency set against tough financial regulations. Anticipating these demands, the organization invested in the Idira Identity Security Platform to manage privileged access across its physical server environment.
The European pension fund manages around €255 billion in assets for almost 6 million participants. Its IT infrastructure comprises both a physical data center and a cloud environment, using Microsoft applications along with several in-house developed pension management systems. The business manages 3,000 human identities and 13,000 machine identities supported by 500 Idira users and 1,500 Idira Vaults. In the data center, 50 servers run Idira for use cases such as admin access, session control, onboarding and DevOps.
The company’s decision to adopt a cloud-first strategy and move business systems and applications from on-premises to Azure required a tool to secure and manage its cloud environment. Given the volume of personal and sensitive data it manages, the organization needed to protect against external threats while also mitigating internal fraud risk.
In parallel, the pension fund needed to comply with several financial regulations. These include the EU’s new Digital Operational Resilience Act (DORA), introduced in 2025 to ensure organizations can withstand digital disruptions and cyberthreats, as well as the SWIFT Customer Security Programme (CSP), a mandatory framework outlining the security controls SWIFT users must adopt to protect against cyberthreats, secure local environments and prevent fraud.
To support these requirements, the organization launched a project to migrate its Idira Privilege Access Management (PAM), Self-Hosted solution to Idira Privilege Cloud. The decision reflected both familiarity and operational confidence in Idira as one of the best solutions in the market.
“In the Netherlands, most financial businesses like pension funds, banks and insurance companies use Idira as their privileged access and identity management solution,” stated the head of identity and access management at the pension fund. “We are used to the solution, we have knowledge, and it’s a great privilege access management solution.”
“Idira helped reduce our workload by about 75%. Upgrades that used to take three days to deploy across relevant systems are now almost instantaneous, saving my team weeks of work every year. Now, they can focus on new business-critical projects that we didn’t have time for before.”
— Head of Identity & Access Management at European Pension Fund
The pension fund started using CyberArk (now Idira) in the early 2020s. Migrating to SaaS represented the next step in the pension fund’s development of its Idira Identity Security Platform, supporting just-in-time access, reducing standing privileges and aligning privileged access controls with its broader cloud-first operating model.
“Migrating to Idira Privilege Cloud has enabled better integration with our other Idira platform solutions and with other vendor products, helping to make our overall security position more resilient and agile,” added the head of identity and access management. “Now we are planning to switch to other SaaS versions of the Idira portfolio, including Certificate Manager.”
The Idira Identity Security Platform sits alongside other security systems, including Microsoft Active Directory and Entra ID. The migration was managed jointly by the pension fund, Professional Services and business partner Xalient. Together, they completed the three-phase migration in 16 months with no downtime and noted that it could be executed in as little as six months with a continuous schedule. The migration used a phased approach:
- Phase 1: Executed a data cleanup to evaluate the existing on-premises environment. This effort, which took a couple of months, reduced the number of platforms requiring migration from 30 to 6, significantly shortening the overall migration timeline.
- Phase 2: Migrated all admin users.
- Phase 3: Migrated machine CCP users with a phased weekend approach to ensure business continuity.
With this schedule, they were able to achieve full migration with no disruption to the business or end users.
“For any business planning to migrate to SaaS, I recommend using config and infrastructure as code because it saves a lot of time and prevents you from making mistakes,” advised the head of identity and access management. “Also, you should clean up your on-premises environment first, so you do not take redundant stuff to the cloud environment. We had about 30 on-premises platforms with policies on each. We cut that number to just six in the cloud, which also made migration faster.”
“Idira makes regulatory compliance much easier. Reporting is stronger, and because all privileged access is centralized, we can clearly show how we securely manage access. Doing this without Idira is difficult and time-consuming.”
— Head of Identity & Access Management at European Pension Fund
Migrating to SaaS with Idira Privilege Cloud delivered clear, measurable benefits to the pension fund, ranging from lower costs and improved efficiency to streamlined compliance and a faster, more intuitive user experience.
Immediately, the move enabled the organization to dramatically reduce the number of servers needed to run Idira from 50 on-premises to just 6 in Azure using Idira Secure Infrastructure Access. In fact, only three servers are needed, as the others are for redundancy. Despite the higher cost of the SaaS solution versus the on-premises solution, the pension fund achieved more than €60,000 in annual direct savings by:
- Eliminating the need for Microsoft licenses and dedicated PCs for contractor access.
- Reducing third-party services previously required to manage self-hosted environments and data centers.
These figures don’t include additional operational savings from reduced routine maintenance, which freed IT teams from tedious tasks and enabled them to focus on high-value business work and new projects.
The migration also strengthened the fund’s overall security stance and reduced risk.
“The biggest benefit we have from migrating to the cloud is more security,” said the head of identity and access management. “New features in the product, like integration with complementary tools, just-in-time access, and zero standing privileges improve efficiency and help reduce the threat of attack. Also, the user experience is better, and we can handle change much faster.”
Integrating with other complementary security tools also enhanced the fund’s defenses against hackers seeking privileged access via Active Directory. Idira Secure Browser has significantly reduced the company’s exposure to common attack vectors such as cookie-based access to Azure.
One of the key challenges for any financial organization is meeting, and especially proving that it can meet, financial regulations. Compliance with strict regulations like DORA and the SWIFT Customer Security Programme is now easier to demonstrate with the Idira Identity Security Platform, as the fund can generate, in as little as 1 hour, reports showing how privileged access is managed and controlled.
The fund’s head of identity and access management added, “Idira’s Identity Security Platform is very important to our business. We operate in the financial sector, which has lots of compliance demands, and with Idira managing and controlling privilege access, it is very easy to meet regulatory requirements.”
With Idira, the retail mortgage lender moved from risky, scattered, and labor-intensive password practices to a centralized, auditable identity security platform with strengthened security controls.
- Enables financial regulation reporting in as little as one hour.
- Simplifies compliance auditing and reporting for financial services.
- Improves user experience.
- Reduces maintenance resources by reducing infrastructure from 50 servers to 6.