Updated: 15 May 2026
A Hyderabad-based pharmaceutical manufacturer strengthened authentication controls across validated LIMS, MES, ERP, and remote access systems, without production disruption or revalidation of legacy infrastructure.
47-Day Cisco Duo Deployment Across Pharmaceutical Manufacturing and Research Systems
A 3,200-employee pharmaceutical manufacturer in Hyderabad supplies regulated markets in the United States, the European Union, and Japan. Its facilities hold US FDA approval and EU GMP certification. Its quality management, laboratory information, and manufacturing execution systems are validated under 21 CFR Part 11.
During a US FDA pre-approval inspection, the inspector requested authentication logs for the laboratory information management system covering the previous 90 days: individual records showing who had logged in, when, and with what credentials.
The company could not produce them.
The LIMS (Laboratory Information Management System) had full audit trail capability within the application. The authentication layer, managed through Active Directory, had no second-factor requirement and no individual log export. Quality control analysts shared a single account. Individual identity could not be established from the authentication record.
The inspector issued a warning: controls were insufficient to satisfy 21 CFR Part 11 individual accountability requirements. Remediation was required before the next inspection cycle.
21 CFR Part 11 requires that individual identity be established before access is granted and logged for every electronic record interaction. Proactive's credential audit, conducted before any configuration began, found the following across the LIMS, MES, ERP, quality management platform, and all remote access accounts:
14 shared accounts across the LIMS and MES, used by 23 quality control analysts and production technicians.
8 CRO remote access accounts associated with clinical studies closed between 6 and 18 months earlier. Three had been accessed from IP addresses outside the expected CRO network range in the previous 90 days.
3 vendor maintenance accounts from ended engagements. One had last been used 11 months prior. The vendor had been acquired by a competitor 7 months earlier.
1 administrator account with full LIMS write access belonging to a quality systems manager who had left 7 months earlier. The account had not been deactivated because it held ownership of validation documents in the system.
25 accounts requiring remediation. The audit took four days.
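The checks behind these findings can be expressed as a small script. The following is an added illustration, not Proactive's audit tooling: it flags shared accounts, accounts still enabled after their engagement or employment ended, and logins in the previous 90 days from outside the expected network range. The register fields, account names and address ranges are constructed assumptions.

```python
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample data: account register and authentication events.
# Field names, account names and address ranges are illustrative assumptions.
ACCOUNTS = [
    {"name": "lims_qc1", "kind": "shared", "users": 3, "enabled": True,
     "ended": None, "allowed": "10.20.0.0/16"},
    {"name": "cro_study07", "kind": "cro", "users": 1, "enabled": True,
     "ended": date(2025, 6, 30), "allowed": "198.51.100.0/24"},
    {"name": "vendor_hplc", "kind": "vendor", "users": 1, "enabled": False,
     "ended": date(2025, 3, 1), "allowed": "203.0.113.0/24"},
    {"name": "qsm_admin", "kind": "admin", "users": 1, "enabled": True,
     "ended": date(2025, 7, 1), "allowed": "10.20.0.0/16"},
    {"name": "a.rao", "kind": "named", "users": 1, "enabled": True,
     "ended": None, "allowed": "10.20.0.0/16"},
]
EVENTS = [  # (account, login date, source IP)
    ("cro_study07", date(2026, 1, 12), "192.0.2.44"),
    ("cro_study07", date(2025, 5, 2), "192.0.2.44"),
    ("a.rao", date(2026, 1, 20), "10.20.4.9"),
    ("lims_qc1", date(2026, 1, 21), "10.20.7.15"),
]

def audit(accounts, events, today, window_days=90):
    """Return {account: [finding, ...]} for accounts needing remediation."""
    cutoff = today - timedelta(days=window_days)
    findings = {}
    for acct in accounts:
        issues = []
        if acct["users"] > 1:
            issues.append("shared: no individual accountability")
        if acct["enabled"] and acct["ended"] and acct["ended"] < today:
            issues.append("enabled after engagement or employment ended")
        net = ip_network(acct["allowed"])
        for name, when, src in events:
            if name == acct["name"] and when >= cutoff and ip_address(src) not in net:
                issues.append(f"login from {src} outside {net} on {when}")
        if issues:
            findings[acct["name"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit(ACCOUNTS, EVENTS, date(2026, 2, 1)).items():
        print(name, "->", "; ".join(issues))
```

An account can carry more than one finding, so the remediation count should be taken over accounts rather than over findings.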
21 CFR Part 11 individual accountability requirements applied through the FDA inspection cycle. CERT-In CISG-2025-02 required MFA for all remote access and 180-day authentication log retention in India. CDSCO's alignment with FDA validation standards created a parallel inspection risk from domestic regulators. All three obligations required resolution through a single authentication architecture.
Every LIMS administrator, MES administrator, and domain administrator enrolled in Cisco Duo with Verified Push. Standard push notification was disabled for this policy group. The 14 shared accounts were replaced with individual named accounts for each of the 23 analysts and technicians. The former quality systems manager's administrator account was deactivated; validation document ownership was reassigned through a formal change request that took one afternoon.
All 8 closed-study CRO accounts were deactivated following written confirmation from each CRO. Active CRO accounts were migrated to time-limited named credentials with 90-day expiry requiring formal renewal. The 3 vendor maintenance accounts were deactivated.
23 analysts and technicians enrolled individually over two days. Shift-based session management was configured: authenticate at shift start, session maintained through the shift, auto-terminate at close. Hardware TOTP tokens were provided for 6 technicians working in ISO Class 5 cleanroom environments where mobile devices were not permitted.
Two helpdesk calls were received. Both resolved within 25 minutes. No production batch was delayed. No line was stopped.
The LIMS, a licensed third-party platform deployed in 2014, did not support SAML or modern authentication protocols. It authenticated via LDAP against Active Directory using a direct bind.
The standard RADIUS integration worked for the VPN and ERP. The LIMS required an LDAP proxy configuration that inserted Cisco Duo's second-factor challenge into the authentication flow without modifying the LIMS application itself. The LIMS was validated software. Any modification to the application would have required a revalidation exercise adding months to the timeline.
Proactive had deployed this configuration in two previous pharmaceutical engagements. The LDAP proxy was classified as a GAMP 5 Category 1 infrastructure component, external to the validated application. IQ and OQ documentation confirmed the LIMS software was not modified. The configuration was tested on a non-production LIMS instance before production deployment.
The configuration took 11 days.
The 21 CFR Part 11 evidence package, built alongside the deployment from day one, included: deployment architecture document covering the Authentication Proxy and LDAP proxy configuration; individual user population register; authentication log exports retained in an India-resident SIEM; CRO and vendor access register with renewal dates; GAMP 5 Category 1 classification documentation for the Authentication Proxy; and the bypass code register covering the full deployment period.
One revision was requested by the quality systems team: explicit reference to 21 CFR Part 11, section 11.10(d), in the deployment architecture document. Revised and resubmitted within 24 hours. Acceptance sign-off was completed on day 47.
1. FDA inspection outcome: Six months after the deployment, a US FDA pre-approval inspection for a separate manufacturing line requested LIMS authentication logs covering the previous 180 days. Logs were produced within 12 minutes. Individual access records, timestamped, with factor used and device type, for every analyst and technician. Zero 21 CFR Part 11 observations. The manufacturing line received pre-approval.
2. CERT-In audit outcome: The mandatory annual audit found authentication controls in order. The 180-day log retention requirement was satisfied by the India-resident SIEM. Zero findings related to authentication, privileged access, or remote access.
3. Credential findings resolved: 25 non-compliant accounts remediated before deployment began: 14 shared accounts converted to named individual accounts, 8 closed-study CRO accounts deactivated, 3 vendor maintenance accounts deactivated, 1 former-employee administrator account deactivated.
4. The CRO access finding: Three CRO accounts that had shown access from unexpected IP addresses during the credential audit were confirmed, in a subsequent CRO security review, to have been accessed by CRO staff sharing credentials with colleagues. The access was not malicious. It was the category of access 21 CFR Part 11 individual accountability requirements are designed to prevent. It would not have been visible without the credential audit.
5. Operational continuity: Zero production batches delayed. Zero lines stopped. Zero revalidations required for the LIMS.
Proactive Data Systems, a Cisco Preferred Security Partner, deployed Cisco Duo Advantage across all GxP-connected systems, with the Authentication Proxy on a Windows Server 2019 VM, LDAP proxy for LIMS integration, RADIUS integration for VPN and ERP, hardware TOTP tokens for cleanroom environments, and India data residency through the Mumbai Duo data centre.
This case study is a composite illustration drawn from Proactive's deployment experience across multiple pharmaceutical client engagements. It does not describe a specific named client, facility, or engagement. Statistical and numerical details are illustrative of patterns observed across deployments.