Client Overview
The organisation is a municipal government authority responsible for delivering public services — including permits, licensing, waste management, and urban planning — to a city of around 800,000 residents. The authority employs approximately 2,800 staff across 14 departments. Following a post-pandemic review of its working practices, the authority moved to a hybrid working model and began migrating several departmental applications to cloud-hosted services — creating new access management challenges that the IT team was not equipped to handle with its existing tools.
The Challenge
The move to hybrid working exposed gaps in the authority's access management setup. Employees working from home were accessing applications through VPN using password-only authentication — an arrangement that the IT team considered inadequate but had no immediate means to address. Within the office environment, each department managed its own application access using local administrator accounts, with no group-level visibility into who had access to what. The authority's cybersecurity team had raised the access management situation as a risk item three quarters in a row, noting the absence of MFA for remote access and the lack of a standardised joiner-mover-leaver process across departments. A data incident involving a phishing attack on a staff member's email account — which gave the attacker access to a departmental records system — added urgency to the issue.
“A phishing attack that compromised one employee's password gave the attacker access to a records system they had no business being in. That was the incident that moved access management from the risk register to the action list.”
— Chief Digital Officer
The Solution
eMudhra deployed SecurePass to standardise access management across all 14 departments. A centralised identity directory replaced the departmental administrator accounts, with role-based access profiles defined for each job function across departments. MFA was enforced for all application access — using push notifications for office staff and TOTP for remote access scenarios — directly addressing the vulnerability exposed by the phishing incident. SSO was configured across the authority's cloud-hosted and on-premises applications, giving staff a single authenticated session for all the tools they used. An automated joiner-mover-leaver workflow was integrated with the authority's HR system, ensuring new starters received appropriate access on their first day and access was revoked when staff departed. The IT team gained a consolidated access management dashboard for the first time, replacing the departmental patchwork with a single view across the organisation.
Results
MFA was enforced for all staff within eight weeks of deployment. The phishing-type attack vector that had enabled the earlier incident was eliminated. The cybersecurity team's risk item relating to access management was closed, and the quarterly risk report in the period following deployment noted access governance as a resolved item for the first time in over a year.
Metric | Before | After |
MFA enforcement — all access | Password-only; phishing vulnerability active | MFA enforced for all office and remote access |
Access management model | 14 separate departmental admin setups | Centralised identity with role-based profiles |
Joiner-mover-leaver process | No standardised process across departments | Automated HR-integrated lifecycle management |
SSO coverage | Separate logins per cloud and on-premises app | Single authenticated session across all applications |
Cybersecurity risk register item | Flagged for 3 consecutive quarters | Closed following deployment |
