Updated: 15 May 2026
A Bengaluru-based lending technology platform needed to enforce MFA across production systems handling customer financial data while continuing to process nearly 8,000 loan applications per day during investor due diligence.
58-Day Cisco Duo Deployment for a Lending Technology Platform
A Bengaluru-based lending technology platform, processing approximately 8,000 loan applications per day, received a Series B term sheet for Rs 285 crore. Section 4.2 of the term sheet required the company to demonstrate, within 60 days of signing, that multi-factor authentication was enforced across all systems with access to customer personal and financial data, with authentication logs retained for a minimum of 180 days in India. The investor's technical due diligence team had reviewed the company's authentication architecture the previous week.
The company's authentication architecture had been built for a 12-person seed-stage team. It had not been reviewed as the company grew to 280 people over five years.
The investor's technical team reviewed policies, architecture documents, and system inventories. They found four issues. The CTO held production database access provisioned at the seed stage. The scope included write access to the customer data repository, the loan origination system, and the payment processing integration. It had not changed in five years.
The developer team of 62 engineers authenticated to the payment processing system with usernames and passwords. The vendor had offered MFA as a configuration option at implementation in 2022. It had not been enabled.
The third-party credit bureau integration ran on shared credentials known to four people, not rotated since 2021. Four contractor accounts from previous engineering engagements remained active. The most recent contractor had completed their engagement 14 months earlier.
Proactive's credential audit, conducted before any configuration began, confirmed the four issues the due diligence team had found. It also found what the due diligence had not examined.
Two domain administrator accounts belonged to engineers who had left the company: one nine months earlier, one four months earlier. Both accounts held full Active Directory rights and had not been deactivated. One had logged in six weeks after the departure date from the engineer's home internet service provider IP address.
A fifth contractor account, provisioned before the company's current contractor management system was implemented and therefore not visible in it, held read access to the full loan portfolio database. 13 accounts required remediation. The due diligence team had found 4. The credential audit found 9 more.
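The cross-check behind findings like these can be sketched in a few lines. This is an added example, not Proactive's tooling or code from the engagement: it compares a directory export against HR and contractor records, and every account name, date, group name and field name in it is a constructed assumption.

```python
from datetime import date

# Constructed sample data, not taken from the case study.
HR_DEPARTURES = {"e101": None, "e102": date(2025, 8, 10), "e103": date(2026, 1, 12)}
CONTRACT_ENDS = {"c201": date(2025, 3, 14), "c202": date(2026, 9, 30)}
PRIVILEGED = {"Domain Admins", "prod-db-write"}  # hypothetical group names

DIRECTORY = [
    {"name": "a.rao", "owner": "e101", "enabled": True, "groups": ["prod-db-write"], "last_logon": date(2026, 5, 2)},
    {"name": "k.iyer-adm", "owner": "e102", "enabled": True, "groups": ["Domain Admins"], "last_logon": date(2025, 9, 21)},
    {"name": "s.nair-adm", "owner": "e103", "enabled": True, "groups": ["Domain Admins"], "last_logon": date(2026, 1, 9)},
    {"name": "ext-qa1", "owner": "c201", "enabled": True, "groups": ["dev"], "last_logon": date(2025, 3, 10)},
    {"name": "ext-data", "owner": "c202", "enabled": True, "groups": ["dev"], "last_logon": date(2026, 5, 1)},
    {"name": "ext-legacy", "owner": "c099", "enabled": True, "groups": ["loan-db-read"], "last_logon": date(2024, 11, 3)},
]


def audit(directory, departures, contract_ends, today):
    """Return (account, reason, privileged) for each enabled account that fails a check."""
    findings = []
    for acct in directory:
        if not acct["enabled"]:
            continue
        owner, reasons = acct["owner"], []
        if owner in departures:
            left = departures[owner]
            if left is not None:
                reasons.append("owner left the company")
                if acct["last_logon"] and acct["last_logon"] > left:
                    reasons.append("login after departure date")
        elif owner in contract_ends:
            if contract_ends[owner] < today:
                reasons.append("contractor engagement ended")
        else:
            # Absent from both HR and the contractor system, so no
            # offboarding process will ever reach this account.
            reasons.append("no owner of record")
        privileged = bool(PRIVILEGED & set(acct["groups"]))
        findings += [(acct["name"], r, privileged) for r in reasons]
    # Privileged findings first, then by account name and reason.
    return sorted(findings, key=lambda f: (not f[2], f[0], f[1]))


if __name__ == "__main__":
    for name, reason, priv in audit(DIRECTORY, HR_DEPARTURES, CONTRACT_ENDS, date(2026, 5, 15)):
        print(f"{'PRIV' if priv else '    '} {name:12} {reason}")
```

The "no owner of record" branch is the one a policy or system-inventory review cannot reach, because the account exists only in the directory.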
The company was subject to RBI IT Governance Master Direction requirements for MFA on critical information systems, including the loan origination platform, payment processing system, and customer data repositories. DPDPA 2023 required reasonable security safeguards for the personal and financial data processed daily across 8,000 loan applications. Both were unsatisfied at the time of the term sheet.
The CTO's production access was formally scoped down through a documented change management process: write access removed from the customer data repository and payment processing integration, retained for the loan origination system with an approval workflow for write operations. The two former-employee domain administrator accounts were deactivated. The fifth contractor account was deactivated.
All remaining privileged accounts were enrolled in Cisco Duo with Verified Push. The shared credit bureau credentials were replaced with individual named accounts for the four people requiring access, each with a 60-day expiry and formal renewal documentation.
Phase 1 took 6 days. The product team shipped a feature release during the same week.
The four known contractor accounts were deactivated. Active third-party integrations were migrated to time-limited named credentials with 45-day expiry and a formal renewal register. RADIUS integration was configured with the primary VPN concentrator. The payment processing system MFA, offered by the vendor at implementation, was enabled during a 2-hour maintenance window on a Sunday at 3 AM.
62 engineers enrolled in Cisco Duo across development, staging, and production environment access.
On day 23 of Phase 3, three engineers reported that the company's CI/CD pipeline had failed. The pipeline ran under a service account. When the MFA policy was applied to production access, the automated deployments stopped: service accounts cannot receive push notifications.
Cisco Duo's policy framework allows non-interactive service accounts to be governed under a separate access policy: IP restriction to the specific pipeline server addresses, time-limited API tokens in place of push notification, and enhanced individual logging for every automated access event. Human developer accounts retained the standard Verified Push MFA. The pipeline service account was moved to the automated service policy.
The configuration took 4 days. The pipeline was restored. No release was delayed.
The engineers who identified the problem were the most technically precise members of the deployment. Once the solution was in place, they became the clearest internal explainers of how the architecture worked.
The remaining 59 engineers enrolled over 5 weeks following a single pre-enrolment communication from the CTO, sent five days before rollout began. Helpdesk received 7 calls during the enrolment period: 4 resolved immediately, and 3 required token replacements for engineers who changed phones during the rollout window.
Deployment architecture documentation. User population register confirming enrolment for all 280 employees and active contractors. Credential audit report documenting all 13 accounts found and remediation taken. 58 days of authentication logs from an India-resident log management platform. Vendor access register with integration scope, credentials type, expiry dates, and renewal history.
One clarification was requested by the investor's due diligence representative: confirmation that the credit bureau integration renewal register had a defined owner and review cycle. Confirmed with documented ownership assignment within 24 hours.
1. Series B Outcome: Section 4.2 of the term sheet was confirmed satisfied on day 58. The Series B closed on day 61.
2. Credential findings resolved: 13 non-compliant accounts remediated before deployment: 2 former-employee domain administrator accounts deactivated, 5 contractor accounts deactivated, 1 CTO access scope formally restricted, shared credit bureau credentials replaced with 4 individual named accounts.
3. CERT-In assessment outcome: Six months after close, a CERT-In aligned cybersecurity assessment found authentication controls in order. Zero findings related to privileged access, remote access, or log retention.
4. Deployment scalability: The loan portfolio grew 40% in the six months following close. The developer team grew from 62 to 94 engineers. New engineers enrolled through a standard onboarding process. New production systems were integrated through the existing Authentication Proxy configuration. No new MFA project was required.
5. The finding the due diligence missed: The two active accounts belonging to former employees with domain administrator rights, including one with a post-departure login, were not in the investor's due diligence report. They were found by the credential audit before a single policy was configured.
"The due diligence team reviewed our policies," the CTO said. "Proactive reviewed what was actually in the directory. Those are different documents. We are glad we saw the second one before the breach investigation did."
Proactive Data Systems, a Cisco Preferred Security Partner, deployed Cisco Duo Advantage across all production systems, with the Authentication Proxy for VPN and legacy integrations, Verified Push for privileged and developer accounts, an automated service account policy for the CI/CD pipeline, and India data residency through the Mumbai Duo data centre.
This case study is a composite illustration drawn from Proactive's deployment experience across multiple fintech client engagements. It does not describe a specific named client, individual, or engagement. The CTO quote is a representative illustration of client feedback and does not represent a verbatim statement from a named individual. Statistical and numerical details are illustrative of patterns observed across deployments.