Merck KGaA Centralizes External Access

Secure Remote Access for External Service Providers — Centrally Controlled and Audit-Ready

‍Merck KGaA, one of the world's oldest science and technology companies, works with a large number of external service providers, suppliers, and system vendors who regularly need access to internal systems — for maintenance, support, configuration, and operations. For more than three years, Merck has routed all such external access centrally through VISULOX.

Regulation as the benchmark

‍In the pharmaceutical industry, remote access is not merely a technical issue — it is a regulatory one. Anyone with access to systems touching quality-relevant or GxP-regulated processes must be able to demonstrate at any time who did what and when. Requirements from GMP/GxP, data integrity standards under ALCOA+, and IT security standards such as ISO 27001 demand complete traceability, clear access control, and full logging — especially when third parties are involved.Conventional VPN access for external partners reaches its limits here: it grants broad network access, is difficult to restrict, and provides little in the way of reliable audit trails at the session level. In a regulated environment, this represents avoidable risk.

The solution with Visulox

‍Visulox consolidates all external access at a single, controlled point. Service providers receive no direct network access — they work within clearly defined, monitored sessions with precisely the permissions required for the task at hand. Every activity is logged, can be observed in real time if needed, and is fully auditable after the fact.This enables Merck to meet key requirements for third-party access in a regulated environment: minimized attack surface, continuous access control based on the least-privilege principle, and an audit-ready record of every external session. The solution has been stable in production for more than three years and has become a fixed component of Merck's access strategy for external partners.