ARCON PAM India: a Chennai BPO’s vendor-audit Friday
Last updated: 14 June 2026
09:08 AM Friday. Olympia Tech Park, Guindy. The CISO had a printed audit letter on the desk
I drove into Guindy at 06:30 Thursday. By Friday morning Anand had the US client’s 2026 audit letter open on the table. Two pages. Cat-A finding circled in red pen. ARCON PAM India was the deployment the letter would either accept or send back. “Priya. The MSA option clock starts Monday. Do we close this or do we explain it?”
This is Day 38 of a 56-day ARCON PAM rollout at a 380-seat Chennai BPO. The client base skews US healthcare plus two UK general insurance accounts. Offshore agents have admin access to client CRMs, claims platforms, and a Snowflake reporting tier. The Q1 audit flagged “no privileged session recording for offshore administrative users” as a Category A finding. Anand has been calling me every Tuesday since.
The MSA carries an option renewal in the second week of June. Bas. Either ARCON ships the session-recording control and the report by Monday, or the client uses the open finding to push a 12 percent rate cut at the renewal table.
What ARCON actually does on an Indian estate
PAM read like a Gartner glossary slide for years. CyberArk was the default, BeyondTrust the second answer. Both shipped from US datacentres, priced in dollars, and treated Indian audit shapes as a localisation backlog item.
ARCON is built in Mumbai, sold in INR, and has shipped to Indian BFSI since 2006. The vault holds privileged credentials and rotates them on a schedule the regulator approves. The session manager proxies every RDP, SSH, and HTTPS admin session through a hardened gateway. Every keystroke and file transfer lands in a tamper-evident video plus a searchable transcript. Reports are pre-shaped for the RBI cyber-security circular and the SEBI CSCRF data-asset register. MeitY empanelment is in place for the public sector lane.
On Anand’s estate we wired three layers across the first 30 days. Vault on a high-availability pair in Chennai, replicated to Mumbai DR. Session manager in front of 14 production servers, 6 cloud admin consoles, and 3 database tiers. Arre yaar, the discovery scan was the conversation. 41 standing privileged accounts on cloud consoles. 17 of them belonged to people who left in the last two years.
Day 38 in numbers: the cutover scorecard
By Friday 12:00 IST the cutover board read like a checklist that had earned every tick. The Okta SSO rollout we ran in Pune last quarter hit the same wall on Day 26.
| Asset tier | In scope | Behind ARCON vault | Session-recorded | JIT enabled |
|---|---|---|---|---|
| Production Linux servers | 9 | 9 | 9 | 9 |
| Production Windows servers | 5 | 5 | 5 | 3 |
| AWS admin console | 1 org, 4 accounts | 4 | 4 | 4 |
| Azure admin portal | 1 tenant | 1 | 1 | 1 |
| M365 Global Admin | 1 tenant | 1 | 1 | 1 |
| Salesforce + ServiceNow | 2 orgs | 2 | 2 | 1 |
| Snowflake account admin | 1 | 1 | 1 | 1 |
| PostgreSQL clusters | 2 | 2 | 2 | 2 |
| SQL Server (claims) | 1 | 1 | 1 | 1 |
The vulnerability beat I always name. I had assumed the third-party billing vendor was already behind the vault because we onboarded them in Week 2. The Friday scan showed one root account on the claims SQL Server that still bypassed ARCON. Six weeks of unrecorded SQL sessions. I had taken the answer. I had not re-checked.
10:35 IST. Anand, Suresh from Risk, and the auditor’s representative on speaker
Anand picked up the room phone at 10:20 and asked Suresh to join. Suresh runs Risk and reports to the Board sub-committee that signs off on US client MSAs. The auditor’s representative dialled in from Cincinnati at 10:35. Four voices, one whiteboard.
Suresh started where finance people start. “What is the worst case if the auditor finds the billing-vendor gap in their re-test?” The honest answer is the contract option is at risk, the rate cut is on the table, and the open finding moves to Cat-A in the Q3 re-test. Add the DPDP fiduciary worksheet, where privileged access without session logging is a control failure under CERT-In incident handling guidance. Achha. The risk math wrote itself a second time.
Book my free 4-hour DPDP readiness check
200+ Indian businesses. Response within 8 hours. No card, no contract, no sales call.
Why the ARCON PAM India teams pick fits the BPO audit shape
Most PAM tools quote a global feature matrix. ARCON quotes the RBI cyber-security circular by paragraph number. That difference shows up in three places.
First, the session manager handles BPO floor density. ARCON’s proxy ran 41 concurrent recorded sessions during the Thursday peak without lag. The CyberArk PoC two years ago tapped out at 28 in the same slice.
Second, the report templates land on the auditor’s evidence list without rework. Privileged Account Discovery, Session Recording inventory, JIT access log with approver chain. Yaar, that saves a week of evidence prep.
Third, on-prem deployment kept privileged credentials and session videos inside India. The US client’s DPA insists on data residency for client CRM credentials. Cloud-only PAM tools needed a separate rider. ARCON did not.
Where ARCON sits against the alternatives
I have run paid bake-offs against CyberArk, BeyondTrust, and Delinea Secret Server on Indian estates in the last two years. The honest call depends on shape and book size.
CyberArk fits global Tier-1 BFSI with a US or EU parent. Deepest feature set. INR pricing lands 1.8 to 2.4 times the ARCON quote at the 380-seat band. DPDP and CSCRF reports are a six to ten week services build.
BeyondTrust fits Windows-heavy enterprises with strong endpoint privilege management. Indian reports lag and the on-prem appliance is heavy for a single Chennai datacentre.
Delinea Secret Server fits mid-market cloud-first preference. SaaS is clean. Session recording at BPO concurrency lagged on our last test.
ARCON fits an Indian BPO, fintech, NBFC, or manufacturer in the 200 to 5,000 named-user band, with on-prem datacentre, RBI or SEBI or DPDP audit horizon, and an INR contract.
See the ARCON PAM India scoping call
Free 8-hour scoping call. Written quote in one business day.
What we put on the Day 39 to Day 56 plan
By 11:50 IST we had a sequenced closure queue. Five items, mapped against ISO 27001 A.9 access control objectives.
- Day 39 to Day 41. The billing-vendor SQL root account. Onboard into the ARCON vault. Force session recording. Backfill a written control exception note for the last six weeks, signed by the vendor’s account manager. Suresh files it with the auditor’s evidence pack.
- Day 41 to Day 45. The 17 orphaned cloud admin accounts. Disable. Rotate any shared secrets. Document the offboarding gap and update the leaver checklist so it does not repeat. The HR-IT handoff was the root cause.
- Day 45 to Day 49. JIT workflow extension to the 5 remaining Windows production servers. Approver chain set to two-person rule for any session over 30 minutes.
- Day 49 to Day 53. Break-glass account review. One per cloud console, vaulted, alarmed on any retrieval, retrieval reason logged. Tested on Day 51 with a controlled fire-drill.
- Day 53 to Day 56. Auditor evidence pack. Pre-shared with the auditor’s representative on Day 54 so the Monday re-test is a confirmation, not a discovery.
The Monday re-test gets a document, not a story. The MSA option conversation moves from defensive to neutral. The CFO under-reacted to the original Cat-A finding in February and over-reacted to the ARCON renewal quote last week. The order of those reactions is canonical.
The amber alert nobody had been listening to
Anand asked at 12:15 IST why the billing vendor’s root account slipped. The onboarding checklist had it. The vendor’s account manager confirmed it in Week 2 on email. Nobody re-tested in Week 3 because the standup ran 14 minutes over and the JIT extension to Windows took the time. The amber alert was a single line in the Week 3 cutover report that read “billing vendor onboarding deferred to Week 4”. Week 4 came and the cutover momentum carried us past it.
I have watched this pattern across the seven PAM rollouts we have done in the last three years. The interesting finding is rarely the missing control. It is the small deferral in a status report nobody re-opened. Standing privileged access does not announce itself. It waits inside a third-party contract or a leaver checklist that ran a day late.
For Anand, Monday starts with the re-test. The Day 56 evidence pack lands on Suresh’s desk with the ARCON closure log attached. The Cat-A finding moves from open to remediated.
Key takeaways
- ARCON PAM India is the privileged-access answer most Indian audits already know how to read. The report templates land on the auditor’s evidence list without rework.
- Run the discovery scan before the buying decision. Orphan accounts and standing root on third-party contracts are the typical findings.
- Session recording is the control the auditor asks for first. Concurrency at BPO densities is the spec line most PoCs skip.
- Data residency is a contract clause. On-prem ARCON in an Indian datacentre answers the DPA without a separate rider.
FAQ
How long does an ARCON PAM rollout take in India?
For a 200 to 500 named-user estate, planning runs two weeks, vault and gateway stand-up runs two weeks, asset onboarding runs four to six weeks, and JIT plus break-glass plus reporting closure runs the last two weeks. A clean 56-day window is typical when the discovery scan ran in week one.
Does ARCON replace our existing SIEM and IAM?
No. ARCON sits next to both. Okta or Azure AD owns the IAM tier for employee identity. SIEM correlates events across the estate. ARCON owns the privileged-access tier specifically.
What does ARCON cost in INR?
List ranges from roughly INR 18,000 to 28,000 per named privileged user per year, plus deployment and a hardware appliance if on-prem. Most 200 to 500 user estates land between INR 32 lakh and INR 78 lakh annual. A scoped quote takes one business day.
Is ARCON suitable for DPDP fiduciary readiness?
Yes for the privileged-access tier specifically. ARCON answers the “who touched personal data with elevated rights, when, and what did they do” question that the DPDP fiduciary worksheet requires. Pair with a DSPM for at-rest inventory (we run Aurva on Indian estates).
Can ARCON record SaaS admin sessions like AWS, M365, and Salesforce?
Yes. The HTTPS session proxy records the full admin workflow in the browser. Sessions are stored as video plus a metadata transcript for search. The same approach feeds M365 Global Admin recordings into the auditor’s evidence pack.
Get my ARCON PAM scoping call
200+ Indian businesses. Response within 8 hours. Free scoping call, written quote in one business day, no card and no sales pressure.
P.S. Priya here. We shipped this exact ARCON pattern at a Mumbai cooperative bank in March and a Bengaluru insurance TPA in April. Both audits closed on the first re-test. If the auditor’s letter on your desk reads anything like the one Anand had on Friday, the 60-minute scoping call is the cheapest hour you will spend this quarter. Reply on WhatsApp or click the button above. We will be on the Chennai floor through next Wednesday.
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
